Privacy-preserving search for chemical compound databases

Background Searching for similar compounds in a database is the most important process for in-silico drug screening. Since a query compound is an important starting point for the new drug, a query holder, who is afraid of the query being monitored by the database server, usually downloads all the records in the database and uses them in a closed network. However, a serious dilemma arises when the database holder also wants to output no information except for the search results, and such a dilemma prevents the use of many important data resources. Results In order to overcome this dilemma, we developed a novel cryptographic protocol that enables database searching while keeping both the query holder's privacy and database holder's privacy. Generally, the application of cryptographic techniques to practical problems is difficult because versatile techniques are computationally expensive while computationally inexpensive techniques can perform only trivial computation tasks. In this study, our protocol is successfully built only from an additive-homomorphic cryptosystem, which allows only addition performed on encrypted values but is computationally efficient compared with versatile techniques such as general purpose multi-party computation. In an experiment searching ChEMBL, which consists of more than 1,200,000 compounds, the proposed method was 36,900 times faster in CPU time and 12,000 times as efficient in communication size compared with general purpose multi-party computation. Conclusion We proposed a novel privacy-preserving protocol for searching chemical compound databases. The proposed method, easily scaling for large-scale databases, may help to accelerate drug discovery research by making full use of unused but valuable data that includes sensitive information.


Introduction
In recent years, the increasing cost of drug development and decreasing number of new chemical entities have become growing concerns [1]. One of the most popular approaches for overcoming these problems is searching for similar compounds in databases [2]. In order to improve the efficiency of this task, it is important to utilize as many data resources as possible. However, the following dilemma prevents the use of many existing data resources.
Unpublished experimental results have been accumulated at many research sites, and such data has scientific value [3]. Since data holders are usually afraid of sensitive information leaking from the data resources, they do not want to release the full data, but they might allow authorized users to search the data as long as the users obtain only search results from which they cannot infer sensitive information. Likewise, private databases of industrial research might be made available if the sensitive information were sufficiently protected. On the other hand, query compounds are also sensitive information for the users, and thus the users usually avoid sending queries and want to download all of the data in order to conduct search tasks on their local computers. In short, we cannot utilize important data resources because both the data holder and the data user insist on their privacy. Therefore, an emerging issue is to develop novel technology that enables privacy-preserving similarity searches.We show several use cases in the next section.
Let us start by clarifying privacy problems in database searches. In a database search, two types of privacy are of concern: "user privacy" (also known as input privacy) and "database privacy" (also known as output privacy). The first is equal to protecting the user's query from being leaked to others including the database holder. The second is equal to protecting the database contents from being leaked to others including the database user, except for the search results held by the user. Here we firstly consider the case of using no privacy-preserving techniques; namely, the user sends a plain query to the server and the server sends the search result. In this case, the user's query is fully obtained by the server. On the database side, the server's data is not directly leaked to the user. However, there is a potential risk that the user may infer the database contents from the search results. To protect user privacy, a scheme called singledatabase private information retrieval (PIR) has been proposed [4]. The simplest method for achieving PIR is that the user downloads all the contents of the database and searches on his/her local computer. Since this naive approach needs a huge communication size, several cryptographic techniques have been developed, in which the query is safely encrypted/randomized in the user's computer and the database conducts the search without seeing the query. Although PIR is useful for searching public databases, it does not suit the purpose of searching private databases because of the lack of database privacy. Likewise, similarity evaluation protocols keep user privacy [5][6][7] but they do not sufficiently protect database privacy because the server directly outputs similarity scores that become important hints for inferring database contents.
Generally speaking, it is very difficult to keep both user privacy and database privacy, because the database side must prevent various attacks without seeing the user's query. Among them, the following two attacks are major concerns.
• Regression attack Given one data point, the similarity between a target and the data point becomes a strong hint for detecting the target. The accuracy of the detection increases as the number of given data points becomes larger. In fact, a protocol that is not suitably designed may lead to even a small number of queries enabling the database user to detect the target. For example, when the server returns the exact distance between a query and a database entry, the range of the entry is rapidly narrowed as the number of queries increases, and the entry is finally detected uniquely by only almost the same number of queries as the dimension of the entry (see Figure 1 for a detailed explanation). For example, in the case of using theMACCS keys, which are 166 bit structural key descriptors and often used for representing chemical compounds, a database entry is detected by sending only 166 queries. Therefore, it is necessary for the server to return the minimum information that is sufficient for the purpose of the search. In the Thresholding largely improves database privacy section, we will compare success probability of the regression attack for the case when the server returns minimum information (which our protocol aims for) and the other case when the server returns more information (which the previous method aims for).

• Illegal query attack
Searching with an illegal query often causes unexpected server behaviour. In such a case, the server might return unexpected results that include important server information. To prevent this, the server should ensure the correctness of the user's query.
A schematic view of the privacy-preserving database search problems discussed here is shown in Figure 2.
In the field of cryptography, there have been studies of versatile techniques such as general purpose multi-party computation (GP-MPC) [8] and fully homomorphic encryption (FHE) [9], which enable the design of systems that maintain both user privacy and database privacy. However, these techniques require huge computational costs as well as intensive communications between the parties (see the recent performance evaluation of FHE [10]), so they are scarcely used in practical applications. In order to avoid using such techniques, a similarity search protocol using a trusted third party [11] and a privacy preserving SQL database using a trusted proxy server [12] have been proposed, but those methods assure privacy only when the third party does not collude with the user or the server, which is not convenient for many real problems. As far as we know, no practical method has been proposed despite the great importance of privacy-preserving similarity searching. To overcome this lack, we propose a novel privacy-preserving similarity search method that can strongly protect database privacy as well as user privacy while keeping a significantly low computational cost and small communication size.
The rest of this paper is organized as follows. In the next section, we summarize our achievements in this study. This is followed by the Cryptographic background section and the Method section, where we define the problem and introduce details of the proposed protocol.
In the Security analyses section, both the user privacy and database privacy of the proposed protocol are discussed in detail. In the Performance evaluation section, the central processing unit (CPU) time and communication size of the proposed protocol are evaluated for two datasets extracted from ChEMBL. Finally, we present our conclusions for this study in the Conclusion section.

Our Achievements
Here we focus on similarity search with the Tversky index of fingerprints, which is the most popular approach for chemical compound searches [13] and is used for various search problems in bioinformatics. To provide a concrete application, we address the problem of counting the number of similar compounds in a database, which solves various problems appearing in chemical compound searches. The following model describes the proposed method.
Model 1 The user is a private chemical compound holder, and the server is a private database holder. The user learns nothing but the number of similar compounds in the server's database, and the server learns nothing about the user's query compound.
Here we introduce only a small fraction of the many scientific or industrial problems solved by Model 1.
1 Secure pre-purchase inspection service for chemical compound.
When a client considers the purchase of a commercial database such as a focused library [14], he/she wants to check whether the database includes a sufficient number of similar compounds, without sending his/her private query, but the server does not allow downloading of the database.
2 Secure patent compound filtering. When a client finds a new compound, he/she usually wants to know whether it infringes on competitors' patents by searching the database of patent-protected compounds maintained by third parties. The same problem occurs when the client wants to check whether or not the compound is undesirable.
3 Secure negative results check.
It is a common perception that current scientific publication is strongly biased against negative results [3], although a recent study showed statistically that negative results brought meaningful benefit [15]. Since researchers are reluctant to provide negative results, which often Figure 1 Schematic view showing a large difference in tolerance against the regression attack between two cases: (a) The server's reply is the distance between the attacker's query and the server's data, (b) The server's reply is the binary sign that shows whether or not the distance between the attacker's query and the server's data is larger than the given threshold. The red point represents the server's data and × represents the attacker's query. Prior to the query, the search spaces (white areas) in (a-1) and (b-1) are equal. After the first query has been sent, the search space in (a-2) is limited to the circle whose radius is the distance between the attacker's query and the server's data. On the other hand in (b-2), only the small area of the dashed circle whose radius is the given threshold (gray area) is excluded from the search space. By sending the second query, the attacker knows that one of the two intersections of the two circles in (a-3) is equal to the server's data, while the search space is large in (b-3). Finally, the server's data is detected by sending the third query in (a-4), however in (b-4), the search space is still large, even though the third query is within the given threshold.
include sensitive information, a privacy-preserving system for sharing those results would greatly contribute to reducing redundant efforts for similar research topics. For example, it would be useful to have a system that allows a user to check whether the query is similar to failed compounds that have previously been examined in other laboratories.
In this study, we propose a novel protocol called the secure similar compounds counter (SSCC) which achieves Model 1. The first main achievement of this study is that SSCC is remarkably tolerant against regression attacks compared with existing protocols which directly output the similarity score. Moreover, we propose an efficient method for protecting the database from illegal query attacks. These points are discussed in the Security analyses section.
The second main achievement is that SSCC is significantly efficient both in computational cost and Figure 2 Schematic view of protection of (a) user privacy and (b) database privacy while keeping user privacy. For user privacy, the user's query and the search result which includes the query information must be invisible to the database side during the search task. For database privacy, the server minimizes output information for preventing regression attacks (b-1), and also detects and rejects illegal queries that might cause unexpected information leakage (b-2). These server's tasks must be carried out with the encrypted queries in order to keep user privacy. communication size. We carefully designed the protocol such that it uses only an additive-homomorphic cryptosystem, which is computationally efficient, and does not rely on any time-consuming cryptographic methods such as GP-MPC or FHE. Hence the performance of the protocol is sufficiently high for a large-scale database such as ChEMBL [16], as is shown in the Performance evaluation section.

Cryptographic background
Additively homomorphic encryption scheme In this paper, we use an additive-homomorphic cryptosystem to design our protocol. The key feature of the additive-homomorphic cryptosystem is that it enables to perform additive operations on encrypted values. Therefore, intuitively, any standard computation algorithm can be converted into the privacy-preserving computation algorithm, if operations used in the standard algorithm can be replaced by additions.
More formally, we use a public-key encryption scheme (KeyGen; Enc;Dec), which is semantically secure; that is, an encryption result (ciphertext) leaks no information about the original message (plaintext) [17]. Here, KeyGen is a key generation algorithm for selecting a pair (pk, sk) of a public key pk and a secret key sk; Enc(m) denotes a ciphertext obtained by encrypting message m under the given pk; and Dec(c) denotes the decryption result of ciphertext c under the given sk. We also require the following additive-homomorphic properties: • Given two ciphertexts Enc(m 1 ) and Enc(m 2 ) of messages m 1 and m 2 , Enc(m 1 + m 2 ) can be computed without knowing m 1 , m 2 and the secret key (denoted by Enc(m 1 ) ⊕ Enc(m 2 )).
• Given a ciphertext Enc(m) of a message m and an integer e, Enc(e⊕m) can be computed without knowing m and the secret key (denoted by e ⊗ Enc(m)).
For example, we can use either the Paillier cryptosystem [18] or the "lifted" version of the ElGamal cryptosystem [19] as such an encryption scheme; now the second operation ⊗ can be achieved by repeating the first operation ⊕. We notice that the range of plaintexts for those cryptosystems can be naturally set as an integer interval [−N 1 , N 2 ] for some sufficiently large N 1 , N 2 >0; therefore, the plaintexts are divided into positive ones, negative ones, and zero.

Non-interactive zero-knowledge proof
Below, we discuss the following situation: A user (a prover) wants to make a server (a verifier) convinced that a ciphertext c generated by the user corresponds to a message m in {0, 1}, but does not want to reveal any information about which of 0 and 1 is m. This can be achieved by using a cryptographic tool called non-interactive zeroknowledge (NIZK) proof. In the present case, it enables the user to generate a "proof" associated with c, so that: • If m is indeed in {0, 1}, then the server can verify this fact by testing the proof (without knowing m itself).
• If m ∉ {0, 1}, then the user cannot generate a proof that passes the server's test.
• The server cannot obtain any information about m from the proof, except for the fact that m ∈ {0, 1}.
(See [20] for a general formulation.) Besides the existing general-purpose NIZK proofs, Sakai et al. [21] proposed an efficient scheme specific to the "lifted" ElGamal cryptosystem, which we use below. (See Section 1 of Additional File 1 in which we give the brief description of the NIZK proofs [21].)

Method
The goal of this study is to design a protocol between a user and a server that enables the user to obtain the number of compounds in the server's database that are similar to the user's target compound. Here, a fingerprint of compound is modeled as p ∈ {0, 1} (i.e., a bit string of length ℓ). An equivalent way to refer to p is the set of all indices i where p i = 1. We denote such a set by p. The similarity of two compounds p, q is then measured by Tversky index which is parameterized by a, b > 0 and is defined as: Tversky index is useful since it includes several important similarity measurements such as Jaccard Index (JI, which is exactly TI 1,1 and also known as Tanimoto Index) and Dice index (which is exactly TI 1/2,1/2 ) [22]. First, we introduce the basic idea and two efficient techniques for improving database privacy. Then, we describe our full proposed protocol.

Basic idea
We firstly consider the simplest case that the user has (the fingerprint of) a target compound q as a query and the server's database consists of only a single fingerprint p. The case of a larger database is discussed later. The goal here is to detect whether or not the Tversky index of p and q is larger than a given threshold 1 ≥ θ > 0. The main idea of our approach is to calculate the score from encrypted fingerprints p and q by an additivehomomorphic cryptosystem. The score is non-negative if and only if the Tversky index of p and q is at least θ. Now since |p \ q| = |p| − |p ∩ q| and a similar relation holds for |q \ p|, the score (1) is positively proportional to where l 1 = c(θ -1 − 1 + a + b), l 2 = ca, l 3 = cb and any positive value c. We assume that the parameters and the threshold for the Tversky index are rational numbers denoted by a = μ a /g, b = μ b /g and θ = θ n /θ d , where μ a , μ b , g, θ n and θ d are non-negative integers. By using c = gθ n g −1 under this assumption, l 1 , l 2 and l 3 become non-negative integers where g is the greatest common divisor of g(θ d − θ n ) + θ n (μ a + μ b ), θ n μ a and θ n μ b .
Motivated by this observation, we define the following modified score, called the threshold Tversky index: Definition 1 Given parameters a and b and a threshold θ for the Tversky index which are rational numbers denoted by a = μ a /g, b = μ b /g and θ = θ n /θ d where μ a , μ b , g, θ n and θ d are non-negative integers, then the threshold Tversky index TI α,β,θ = TI α,β,θ (p ∩ q) for fingerprints p and q is defined by and non-negative integer parameters l 1 , l 2 and l 3 are defined by where g is the greatest common divisor of g(θ d − θ n )+θ n (μ a +μ b ), θ n μ a and θ n μ b .
By the above argument, we have TI a,b (p, q) ≥ θ if and only if TI α,β,θ (p, q) ≥ 0. Therefore, the user can know whether or not his/her target compound q is similar (i.e., TI α,β (p, q) ≥ θ) to the fingerprint p in the database, by obtaining only the value TI α,β,θ (p, q).
In the protocol, the bits of the user's target fingerprint q and the value |p| held by the server are both encrypted using the user's public key. Since TI α,β,θ (p, q) can be computed by the addition of these values and multiplication by integers, the protocol can calculate (without the secret key) a ciphertext of TI α,β,θ (p, q), which is then decrypted by the user. For simplicity, we will abuse the notation and write TI(p, q), TI(p, q) without subscripts a, b, θ when the context is clear.
We emphasize that our protocol does not use timeconsuming cryptographic methods such as GP-MPC and FHE, and data transfer occurs only twice during an execution of the protocol. Hence, our protocol is efficient enough to scale to large databases.

Database security enhancement techniques against regression attack
As discussed in Introduction section, the server needs to minimize returned information in order to minimize the success ratio of the regression attack. That is, the ideal situation for the server is that the user learns only the similarity/non-similarity property of fingerprints p and q, without knowing any other information about the secret fingerprint p. This means that only the sign of TI(p, q) should be known by the user. However, in our basic protocol, the value of TI(p, q) is fully obtained by the user; Database privacy is not protected from regression attacks. (See the Security analyses section for details.) In order to send only the sign of TI(p, q) , we firstly considered using a bit-wise decomposition protocol [23] for extracting and sending only the sign bit of TI(p, q) . Although this approach is ideal in terms of security, the protocol requires more than 30 rounds of communications, which is much more efficient than using GP-MPC or FHE, but rather time-consuming for large-scale databases. Therefore, here we propose the novel technique of using dummy replies, which requires only one round of communication while sufficiently minimizing information leakage of p. In the proposed technique, besides its original reply t = Enc (TI(p, q)) , the server also chooses random integers 1 , ..., n from a suitable interval and encrypts those values under the user's public key pk. Then the server sends the user a collection of ciphertexts t, Enc( 1 ), ..., Enc( n ) that are shuffled to conceal the true ciphertext t, as well as the number s d of dummy values k with k ≥ 0. The user decrypts the received n + 1 ciphertexts, counts the number s c of non-negative values among the decryption results, and compares s c to s d . Now we have TI(p, q) ≥ 0 if and only if s c − s d = 1; therefore, the user can still learn the sign of TI(p, q) , while the actual value of TI(p, q) is concealed by the dummies. We have confirmed that the information leakage of p approaches zero as the number of dummies becomes large; see the Security analyses for pudding dummies section for more detailed discussion. (We have also developed another security enhancement technique using sign-preserving randomization of TI(p, q) ; see Section 2 of Additional File 1 for details.) Database security enhancement technique against illegal query attack Illegal query attacks can be prevented if the server can detect whether or not the user's query is valid. To keep user privacy, the server must conduct this task with-out obtaining more information than the validity/ invalidity of the query. In fact, this functionality can be implemented by using the NIZK proof by Sakai et al. [21] mentioned in the Non-interactive zero-knowledge proof section. The improved protocol requires the user to send the server a proof associated with the encrypted fingerprint bits q i , from which the server can check whether q is indeed a valid fingerprint (without obtaining any other information about q); the server aborts the protocol if q is invalid. Here we use the "lifted" ElGamal cryptosystem as our basic encryption scheme to apply Sakai's scheme. (We note that if we require the user to send Enc(−|q|) used by server's computation, then another NIZK proof is necessary to guarantee the validity of the additional ciphertext, which decreases the communication efficiency of our protocol. Hence our protocol requires the server to calculate Enc(−|q|) by itself.) The formal definition of the valid query is given in the Database privacy in malicious model section.

Secure similar compounds counter
For the general case that the database consists of more than one fingerprint p, we propose the protocol shown in Algorithm 1 to count the number of fingerprints p similar to the target fingerprint q. In the protocol, the server simply calculates the encryption of the threshold Tversky indices for all database entries and, as discussed above, replies with a shuffled collection of these true ciphertexts and dummy ciphertexts, as well as the number s d of nonnegative dummy values. Then the value s c − s d finally obtained by the user is equal to the number of similar fingerprints p in the database.
Algorithm 1 The secure similar compounds counter (SSCC) • Public input: Length of fingerprints ℓ and parameters for the Tversky index θ = θ n /θ d , a = μ a /g, b = μ b /g • Private input of a user: Target fingerprint q • Private input of a server: Set of fingerprints P = {p (1) , ..., p (M) } 1 (Key setup of cryptosystem) The user generates a key pair (pk, sk) by the key generation algorithm KeyGen for the additive-homomorphic cryptosystem and sends public key pk to the server (the user and the server share public key pk and only the user knows secret key sk).
He/she also generates v as a vector of proofs. Each proof vi is associated with Enc(q i ).
3 (Query of entry) The user sends the vector of ciphertexts E nc(q k ) and the vector of proofs v to the server as a query.
4 (Query validity verification) The server verifies the validity of E nc(q k ) by testing the vector of proof v. If v does not pass the server's test, the user cannot move on to the next step.
ii. The server calculates a ciphertext t j of threshold Tversky index TI(p (j) , q). c

Parameter settings of the protocol
Decrypting an encrytion of too large value needs huge computation cost if the lifted-ElGamal cryptosystem is used. Therefore, in order to keep the consistency and efficiency of the protocol, the range of TI(p, q) should not be too large. i.e., the integer parameters l 1 , l 2 and l 3 in the threshold Tversky index should not be too large. In fact, this will not cause a problem in practice; For example, the parameters become l 1 = 9, l 2 = l 3 = 4 for computing TI 1, 1, 0.8 which is a typical setting of a chemical compound search. In this case, a minimum value and a maximum value of TI(p, q) is -664 and 166 for 166 MACCS keys, which is a sufficiently small range. (See Section 3 of Additional File 1 for details.)

Security analyses
In this section, we evaluate security of SSCC by several approaches.
In the area of cryptology, the following two standard security models for two-party computation have been considered: • Semi-honest model : Both parties follow the protocol, but an adversarial one attempts to infer additional information about the other party's secret input from the legally obtained information.
• Malicious model : An adversarial party cheats even in the protocol (e.g., by inputting maliciously chosen invalid values) in order to illegally obtaining additional information about the secret.
We analyze user privacy and database privacy in both the semi-honest and malicious models. For the database privacy, we firstly compare attack success ratios for the case of using our method which aims to output a binary sign and the other case of using the previous methods which aim to output a similarity score, and show that outputting a binary sign improves database privacy. We also evaluate security strength of our method against a regression attack by comparing attack success ratios for the case of using dummies and the ideal case that uses a versatile technique (such as GP-MPC and FHE) to output a binary sign, and show that the security strength for the case of using dummies is almost the same as the ideal case under realistic settings.

User privacy
The semantic security of the encryption scheme used in the protocol (see the Additively homomorphic encryption scheme section) implies immediately that the server cannot infer any information about the user's target fingerprint q during the protocol. This holds in both the semi-honest and malicious models.

Thresholding largely improves database privacy
We mentioned in the introduction section that minimizing information returned from the server reduces success ratio of regression attack. Therefore, SSCC aims for "ideal" case in which the user learns only the sign of TI(p, q) during the protocol. The previous methods that compute Jaccard Index aim for the "plain" case, in which the user fully learns the value TI(p, q). Here we evaluate the efficiency of the thresholding by comparing success probabilities of regression attack for those two cases. We consider the general case in which the user is allowed to send more than one query and those queries are searched by Jaccard Index. We also suppose that the database consists of a single fingerprint p in order to clarify the effect of thresholding.
The goal of an attacker is to reveal p by analysing the results returned from the server. It is generally effective for the attacker to exploit the difference between the two outputs obtained by sending two different queries. In fact, when the server returns TI , TI(p, q) -TI(p, 0) becomes positive if and only if p i = 1, where q = (0, ..., q i = 1, ..., 0) and 0 = (0, ..., 0). This means that the attacker can reveal any bit in p by sending the single query after sending the first query 0. Therefore, p can be fully revealed by sending only ℓ + 1 queries. On the other hand, there is no deterministic attack for revealing p from only the sign of TI , because two different inputs do not always lead to different outputs. Since we know of a linear algorithm that fully reveals p in response to at most 2ℓ queries after making a "hit" query q such that TI(p, q) > 0, here we evaluate database privacy by the probability of making at least one hit query when the user is allowed to send x queries. (See Section 4 of Additional File 1 for details.) This probability is denoted as where f p , defined as follows, is the probability that the user makes one hit query with a single trial when p is given. Since publicly available 166 MACCS keys are the most popular fingerprint for chemical compound searches, we set ℓ to 166. From the results shown in Figure 3, we can see that the probability of making a hit query is sufficiently small for practical use even though the user is allowed to send a million of queries. Considering that the user learns p by using no more than ℓ + 1 queries when he/she learns TI , we can conclude that database privacy is dramatically improved by thresholding. In other words, the proposed protocol, which aims to output only the sign of the similarity score, has stronger security than other previous methods, which directly output similarity scores.

Security analyses for padding dummies
We showed that the output privacy in the "ideal" case is significantly improved from the "plain" case. Here we experimentally evaluate how the actual situation of our proposed protocol is close to the "ideal" case.
Before going into detail analyses, let us discuss how to generate dummies. It is ideal for the server privacy to generate a dummy according to the same distribution where TI(p, q) is generated from. However, this is not realistic because TI(p, q) is determined by both p and q which is user's private information. Therefore, in our analyses, we assume that a dummy is generated from uniform distribution over possible values of TI(p, q) . For example, if possible values of TI(p, q) is {1, 2, 3, 4, 5}, dummies are randomly selected from any one of them. The purpose of padding dummies is to mitigate the risk of leaking TI(p, q) . In order to clarify the effect of the use of dummy values, we concentrate on the basic case; the database contains a single p, and there exist k possible values of TI(p, q) . i-th value of the k possible values arises as the true TI(p, q) according to the probability w i . Namely, true TI(p, q) is generated from the multinomial distribution with k different probabilities w = w 1 , ...,w k , while dummies are generated from the multinomial distribution with equal probability 1/k. To conduct stringent analyses, we assume that the user knows w, and he/she also knows that dummies are uniformly distributed over k possible TI(p, q) .
The security provided by our protocol can be formalized in the following manner. First we recall that, in our protocol, the server computes encryption of TI(p, q) and encryption of dummy values 1 , ..., n , and then sends the user the n+1 encrypted values as well as the number of positive dummy values in 1 , ..., n . For the purpose of formalizing the security, we introduce a "fictional" server that performs the following: It first receives the encrypted values TI(p, q) , 1 , ..., n from the real server. Secondly, it gets the sign of TI(p, q) . (We note that a real server cannot do it since it requires unrealistic computational power that breaks the security of the encryption scheme, so this is just fictional for the sake of mathematical definition.) Thirdly, it generates another dummy value TI randomly, and independently of the values of TI(p, q) , 1 , ..., n (except for the sign of TI(p, q) ), in the following manner: • If TI(p, q) is positive, then TI is chosen randomly from positive values.
• If TI(p, q) is negative, then TI is chosen randomly from negative values.
Finally, the fictional server sends the user an encryption of TI (instead of TI(p, q) ) as well as the encrypted 1 , ..., n and the number of positive values in 1 , ..., n . We note that, when the user receives a reply from the fictional server, the user can know the sign of TI(p, q) which is the same as that of TI , but cannot know any other information on TI(p, q) since TI is independent of TI(p, q) . In the setting, the following property can be proven: Theorem 1 Suppose that the user cannot distinguish, within computational time TIME, the sets of decrypted values of ciphertexts involved in outputs of the real server and of the fictional server. Then any information computable within computational time TIME from the decryption results for output of the real server is equivalent to information computable within computational time TIME′ from the sign of TI(p, q) only, where TIME′ is a value which is close to TIME.
Proof Let A be an algorithm, with running time TIME, which outputs some information on the decrypted values for an output of the real server. We construct an algorithm A which computes, from the sign of TI(p, q) only, an information equivalent to the information computed by A . The construction is as follows; from the sign of TI(p, q) , A generates dummy values by mimicking the behavior of the fictional server, and then A inputs these dummy values to a copy of A , say A * , and gets the output of A * . Now if the output of A is not equivalent to the output of A , then the definition of A implies that the probability distributions of the outputs of A with inputs given by the decrypted values for outputs of the real server and of the fictional server are significantly different (since A * used in A is a copy of A ); it enables the user to distinguish the two possibilities of his/her received values by observing the output of A , but this contradicts the assumption of the theorem. Therefore, the output of A is equivalent to the output of A as claimed. Moreover, the computational overhead of A compared to A is just the process of generating dummy values by mimicking the behavior of the fictional server; it is not large (i. e., TIME′ is close to TIME as claimed) since the serverside computation of our proposed protocol is efficient. Hence, the theorem holds. Figure 3 Upper bounds of the probabilities that the user has at least one hit query out of making 1, 10, ..., 10 6 queries. Note that the hit query becomes the critical hint for revealing database information. Each line shows the results with one of the four different thresholds.
Roughly rephrasing, if the assumption of the theorem is true for a larger TIME, then the actual situation of our proposed protocol becomes closer to the "ideal" case provided we focus on any information available from efficient computation. As a first step to evaluate how the assumption is plausible (i.e., how the value TIME in the assumption can be large), we performed computer experiments to show that some natural attempts to distinguish the actual and the fictional cases do not succeed, as explained below.
In this experiment, we evaluate the security of our protocol by comparing the probabilities that the user correctly guesses the value TI(p, q) in two cases: The case in which the user makes a guess based only on a prior knowledge w, and the other case in which the user makes a guess based on the observation of the search result under the condition that he/she knows w.
For the first case, the user's best strategy for guessing TI(p, q) is to choose the i 0 -th possible value, where ( In this case, the success probability of the guess is w i 0 . Let us consider the best strategy for the second case. As described above, we consider an practical case that n dummy values 1 , ..., n chosen from the k possible values uniformly at random, and the user makes a guess from the received n + 1 shuffled values 1 , ..., n , TI(p, q) . Now suppose that the user received the i-th possible value a i times for each 1 ≤ i ≤ k (hence k i=1 a i = n + 1). Since the choices of 1 , ..., n are independent of TI(p, q) , the probability that the user received i-th possible value a i times for each 1 ≤ i ≤ k and that TI(p, q) is i 0 -th possible value is n! a 1 ! · · · a k !k n .
Therefore, the conditional probability that TI(p, q) is the i 0 -th possible value, conditioned on the set of the user's received values, is This implies that the user's best strategy is to guess that TI(p, q) is the i 0 -th possible value, where We estimated success probabilities of user's guess for the both cases by simulation experiments. Here we assumed typical case when TI 1,1,0.8 and 166 MACCS keys are used. In this case, k = 831 and we performed the experiments for n = 831 × 10 0 , 831 × 10 1 , ..., 831 × 10 4 on three different distributions of TI(p, q) which were obtained by the following schemes: 1 We randomly selected one fingerprint q from ChEMBL and calculated TI(p, q) for all the entries in ChEMBL and used the observed distribution as w. In our experiment, 177159-th fingerprint was selected as q (referred as w ChEMBL-177159 ).
2 The same scheme as 1) was used when q was 265935-th fingerprint (referred as w ChEMBL-265935 ). 3 We randomly selected a value from 1, ..., k for m times and count frequency of i as h i and set w i = h i /m (referred as w random ). We used k × 5 as m.
All the distributions used here are shown in Section 6 of Additional File 1.
We performed 100, 000 trials for each experiment. Each trial consisted of choosing 1 , ..., n uniformly at random; choosing TI(p, q) according to w; deciding the user's guess i 0 by formula (3) and formula (4) respectively (we adopted a uniformly random choice if there were more than one such i 0 ); and checking whether or not TI(p, q) was the i 0 -th possible value for both rules (i.e., the user's guess succeeded). The results of the experiment are given in Table 1; they show that the user's attack success probability became significantly close to the ideal case when a sufficiently large number of dummies were used; therefore, our technique of using dummies indeed improves the output privacy.
Security analyses for padding dummies for the case when the user is allowed to send more than one query One might suspect that the attacker can detect the true TI(p, q) by sending the same query twice and finding the value which is appeared in both results. However, this attack does not easily succeed if n is sufficiently larger than k (i.e., ideally, all possible values of TI are covered by sufficient number of dummies), and we consider that k is not too large in practice as we discussed in Parameters settings of the protocol section.
In order to evaluate the security achieved by the padding dummies for the case when the user is allowed to submit L queries, we performed following analyses. Here we evaluate the security achievement by comparing the case of using our protocol based on the padding dummy and the ideal case of returning only the sign of TI(p, q) . In order to perform rigorous analyses, we assume the most severe case in which the attacker keeps sending the same query L times. For this case, the probability that TI(p, q) is the i 0 -th possible value after sending L queries on condition that frequency of i-th possible value of j-th query a (j) This implies that the user's best strategy is to choose i-th possible value which maximizes equation (5). As mentioned above, we compared the success ratio of the attack based on the above strategy and the ideal success ratio when the user makes the guess only from the given distribution w. We also assumed more realistic case that user did not know the exact distribution of dummy but knew the distribution that was similar to the actual distribution the server used. For the evaluation of this case, we generated dummies from the distribution u, which was slightly different from uniform distribution, while the user assumed that dummies were generated from uniform distribution. u was generated as follows: We performed the experiment for L = 1, 10, 10 2 , ..., 10 5 , n = 831 × 10, 831 × 50, 831 × 10 2 and δ = 0, 0.05, 0.1, 0.15, 0.2 based on the same approach used in the evaluation of single query security. i.e., for each trial, n dummies were randomly chosen according to u (note that u was equal to uniform distribution when δ = 0), true value TI(p, q) was selected according to w and the attacker's guess was made based on the equation (5). We performed 10, 000 trials for each triplet of L, n and δ. Those experiments were conducted for the same three distributions: w ChEMBL-177159 , w ChEMBL-265935 and w ChEMBL-random . We compared the success ratio of the attack and the ideal success ratio when the user made the guess without seeing search results. The results are shown in Figure 4. The success ratio of user's attack decreased as the number of dummies increased and became closer to the ideal value when the sufficient number of dummies are given, even for the case that a large number of queries were sent. Although an efficient method for dummy generation remains as a future task, the results also show that hiding the distribution of dummy is significantly effective for protecting database privacy and the user has to know it with high accuracy in order to steal extra information from the server.

Database privacy in malicious model
For our protocol, the difference between the malicious and semi-honest models is that in the malicious model the user may use an invalid input q whose components q i are not necessarily in {0, 1}. If the user chooses q in such a way that some component q i is extremely large and the remaining ℓ − 1 components are all zero, then TI(p, q) will also be an extreme value (distinguishable from the dummy values) and depend dominantly on the bit p i ; therefore, the user can almost surely guess the secret bit p i . Since our protocol detects whether or not q i is a bit value without invading user privacy, it can safely reject illegal queries and prevent any illegal query attacks, including above case.

Performance evaluation
In this section, we evaluate the performance of the proposed method on two datasets created from ChEMBL.

Implementation
We implemented the proposed protocol using the C++ library of elliptic curve ElGamal encryption [24], in which the NIZK proposed in the previous study [21] is also implemented.
For the implementation, we used parameters called secp192k1, as recommended by SECG (The Standards for Efficient Cryptography Group). These parameters are considered to be more secure than 1024-bit RSA encryption, which is the most commonly used public-key cryptosystem. The implementation of Owing to the limitation of the range of plaintext, the implementation here does not include sign-preserving randomization. For the purpose of comparison, we also implemented a GP-MPC protocol by using Fairplay [25]. In order to reduce the circuit size of the GP-MPC, we implemented s simple task that computes the sign of Tversky index between a query and a fingerprint in the database, and repeated the task for all the fingerprints in Table 1 The experimental success ratios of the user's guess based on the server's return and the prior distribution of true value (n = 813, the database. Thus the CPU time and data transfer size of the implementation is linear to the size of database.

Experimental setup
The Jaccard index along with the threshold θ = 0.8 were used for both protocols. For SSCC, we used 10,000 dummies. These two implementations were tested on two datasets: one, referred to as ChEMBL 1000, was the first 1000 fingerprints stored in ChEMBL, and the other, referred to as ChEMBL Full, was 1,292,344 fingerprints in the latest version of ChEMBL. All the programs were run on a single core of an Intel Xeon 2.9 GHz on the same machine equipped with 64 GB memory. To avoid environmental effects, we repeated the same experiment five times and calculated average values.

Results
The results are shown in Table 2. Despite the proposed method including elaborate calculation like the NIZK proof, we can see from the results that both the CPU time and communication size of the proposed method are significantly smaller than those of the GP-MPC protocol. Furthermore, it is clear that SSCC provides industrial-strength performance, considering that it works, Figure 4 The comparison of the experimental success ratios of the user's guess based on the server's return as well as the prior distribution of true value when the user sends many queries (δ = 0, ..., 0.2), and success probability based only on a guess from the prior distribution (ideal value). TI 1, 1, 0.8 (k = 831) is assumed and results are calculated for three different numbers of dummies (n = 831 × 10, 831 × 50, 831 × 10 2 ) when the user sends L = 1, 10, ..., 10 5 queries and three different distributions: w ChEMBL−177159 and w ChEMBL−265935 are actual distributions of TI 1, 1, 0.8 on ChEMBL obtained by querying two randomly selected fingerprints from ChEMBL, w rand is obtained by randomly selecting a value from 1, ..., k for m = 5 × 831 times and dividing each observed frequency by m.
even on a huge database like ChEMBL Full, taking no more than 167 s and 173 s for the server and client respectively. The experiment on ChEMBL Full by using GP-MPC did not finish within 24 hours. Since both CPU time and communication size are exactly linear to the size of database for the GP-MPC protocol, the results of ChEMBL Full for GP-MPC are estimated to be more than 1600 hours for both sides and 3 Gbyte data transfer from client to server, considering the results of ChEMBL 1000.
By using simple data parallelization, the computational speed will be improved linearly with the number of CPUs. Since all the programs were run on the same machine there was almost no latency for the communication between the two parties in these experiments. Therefore, GP-MPC, whose communication size is huge, is expected to require far more time when it runs on an actual network that is not always in a good condition. The other important point is that SSCC requires only two data transfers, which enables data transfer after off-line calculation. On the other hand, GP-MPC must keep online during the search because of the high communication frequency. We also note that it took less than 100 MB to compile SSCC, while GP-MPC required more than 16 GB. Considering these observations, SSCC is efficient for practical use. It is known that several techniques improve the performance of GP-MPC and the previous work by Pinkas et al. [26] reported that Free XOR [27] and Garbled Row Reduction [26], which are commonly used in state-of-the-art GP-MPC methods [28][29][30][31], reduced running time and communication size by factors of 1.8 and 6.3 respectively when a circuit computing an encryption of AES was evaluated. Though these techniques are not implemented in Fairplay, we consider that GP-MPC is yet far less practical for the large-scale chemical compound search problem compared to our method which improved running time and communication size by factors of 36, 900 and 12, 000.

Conclusion
In this study, we proposed a novel privacy-preserving protocol for searching chemical compound databases. To our knowledge, this is the first practical study for privacy-preserving (for both user and database sides) similarity searching in the fields of bioinformatics and chemoinformatics. Moreover, the proposed method could be applied to a wide range of life science problems such as searching for similar single-nucleotide polymorphism (SNP) patterns in a personal genome database. While the protocol proposed here focuses on searching for a number of similar compounds, we are examining further improvements of the protocol such as the client being able to download similar compounds; we expect this on-going study to further contribute to the drug screening process. In recent years, open innovation has been attracting attention as a promising approach for speeding up the process of new drug discovery [32]. For example, research on neglected tropical diseases including malaria has been promoted by the recent attempt to share chemical compound libraries in the research community. In spite of high expectations, such an approach is still limited to economically less important problems on account of privacy problems [33]. Therefore, privacy-preserving data mining technology is expected to be the breakthrough promoting open innovation and we believe that our study will play an important role.

Additional material
Additional File 1: Supplementary text (pdf).