## Secure evaluation of private linear branching programs with medical applications (2009)

Citations: | 21 - 11 self |

### BibTeX

@MISC{Barni09secureevaluation,

author = {Mauro Barni and Pierluigi Failla and Vladimir Kolesnikov and Riccardo Lazzeretti and Ahmad-reza Sadeghi and Thomas Schneider},

title = {Secure evaluation of private linear branching programs with medical applications },

year = {2009}

}

### OpenURL

### Abstract

Diagnostic and classification algorithms play an important role in data analysis, with applications in areas such as health care, fault diagnostics, or benchmarking. Branching programs (BP) is a popular representation model for describing the underlying classification/diagnostics algorithms. Typical application scenarios involve a client who provides data and a service provider (server) whose diagnostic program is run on client’s data. Both parties need to keep their inputs private. We present new, more efficient privacy-protecting protocols for remote evaluation of such classification/diagnostic programs. In addition to efficiency improvements, we generalize previous solutions – we securely evaluate private linear branching programs (LBP), a useful generalization of BP that we introduce. We show practicality of our solutions: we apply our protocols to the privacy-preserving classification of medical ElectroCardioGram (ECG) signals and present implementation results. Finally, we discover and fix a subtle security weakness of the most recent remote diagnostic proposal, which allowed malicious clients to learn partial information about the program.

### Citations

689 | Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
- Paillier
- 1999
(Show Context)
Citation Context ...hat multiplication of an encryption �a� with a constant c can be computed efficiently as �c · a� = �a� c (e.g., with the square-and-multiply method). As instantiation we use the Paillier cryptosystem =-=[26,7]-=- which has plaintext space ZN and ciphertext space Z ∗ N 2, where N is a T -bit RSA modulus. This scheme is semantically secure under the decisional composite residuosity assumption (DCRA). For detail... |

591 | How to generate and exchange secrets - Yao - 1986 |

247 |
Founding cryptography on oblivious transfer, in
- Kilian
- 1988
(Show Context)
Citation Context ...troCardioGram (ECG) signals. In the remainder of the paper, we concentrate on the BP approach (including discussion of related work). Related Work. There is a number of fundamental works, e.g. Kilian =-=[16]-=-, that rely on Branching Programs (BP) “under the hood”. These are general feasibility results that do not attempt to achieve high efficiency for concrete problems. The goals and results of these work... |

187 | The Foundations of Cryptography – Volume 2 Basic Applications - Goldreich - 2004 |

168 | A Generalisation, a Simplification and some Applications of Pailliers Probabilistic Public-Key System
- Damgard, Jurik
- 2001
(Show Context)
Citation Context ...hat multiplication of an encryption �a� with a constant c can be computed efficiently as �c · a� = �a� c (e.g., with the square-and-multiply method). As instantiation we use the Paillier cryptosystem =-=[26,7]-=- which has plaintext space ZN and ciphertext space Z ∗ N 2, where N is a T -bit RSA modulus. This scheme is semantically secure under the decisional composite residuosity assumption (DCRA). For detail... |

164 |
Efficient Oblivious Transfer Protocols
- Naor, Pinkas
- 2001
(Show Context)
Citation Context ... learns s bi i , but nothing about s 1−bi i whereas S learns nothing about bi. We use OT m ℓ as a black-box primitive in our constructions. It can be instantiated efficiently with different protocols =-=[24,2,21,13]-=-. Extensions of [13] can be used to reduce the number of computationally expensive public-key operations to be independent of m. We omit the parameters m or ℓ if they are clear from the context. Garbl... |

158 | FairPlay – A Secure Two-Party Computation System
- Malkhi, Nisan, et al.
(Show Context)
Citation Context ... key in subsequent protocols but does not know to which value this key corresponds. Implementation Details. A point-and-permute technique can be used to speed up the implementation of the GC protocol =-=[23]-=-: The garbled values ˜wi = 〈ki, πi〉 consist of a symmetric key ki ∈ {0, 1} t and πi ∈ {0, 1} is a random permutation bit. The permutation bit πi is used to select the right table entry for decryption ... |

97 | Priced oblivious transfer: How to sell digital goods
- Aiello, Ishai, et al.
- 2001
(Show Context)
Citation Context ... learns s bi i , but nothing about s 1−bi i whereas S learns nothing about bi. We use OT m ℓ as a black-box primitive in our constructions. It can be instantiated efficiently with different protocols =-=[24,2,21,13]-=-. Extensions of [13] can be used to reduce the number of computationally expensive public-key operations to be independent of m. We omit the parameters m or ℓ if they are clear from the context. Garbl... |

77 | Non-interactive cryptocomputing for NC1
- Sander, Young, et al.
- 1999
(Show Context)
Citation Context ...not be willing to disclose the underlying algorithms and the corresponding optimized parameters (e.g., because they represent intellectual property). Secure function evaluation with private functions =-=[31,27,18,30]-=- is one way to realize the above scenarios, when the underlying private algorithms are represented as circuits. However, as we elaborate in the discussion on related work, in some applications, such a... |

71 | Cryptographic Techniques for Privacy-Preserving Data
- Pinkas
(Show Context)
Citation Context ...not be willing to disclose the underlying algorithms and the corresponding optimized parameters (e.g., because they represent intellectual property). Secure function evaluation with private functions =-=[31,27,18,30]-=- is one way to realize the above scenarios, when the underlying private algorithms are represented as circuits. However, as we elaborate in the discussion on related work, in some applications, such a... |

66 | A proof of Yao’s protocol for secure two-party computation - Lindell, Pinkas - 2004 |

62 | Extending oblivious transfers efficiently - Ishai, Kilian, et al. - 2003 |

53 | Improved garbled circuit: Free XOR gates and applications
- Kolesnikov, Schneider
- 2008
(Show Context)
Citation Context ... πi〉 consist of a symmetric key ki ∈ {0, 1} t and πi ∈ {0, 1} is a random permutation bit. The permutation bit πi is used to select the right table entry for decryption with the key ki. Extensions of =-=[17]-=- to “free XOR” gates can be used to further improve performance of GC. 2.2 Notation Number Representation. In the following, a (signed) ℓ-bit integer xℓ is represented as one bit for the sign, sign(xℓ... |

43 | Efficient Two-Party Secure Computation on Committed Inputs
- Jarecki, Shmatikov
- 2007
(Show Context)
Citation Context ...s. (This is the transformation approach suggested in [4].) More specifically, we use committed OT, secure two-party computation on committed inputs, and verifiable homomorphic encryption schemes (see =-=[15]-=- for more detailed description). 4 A Technical Omission in [4] w.r.t. Malicious Client In this section, we briefly present and fix a small technical omission, which led to an incorrect claim of securi... |

40 | PhysioNet: Components of a new research resource for complex physiologic signals - Ivanov, Mietus, et al. |

35 | Improved error reporting for software that uses black-box components
- Ha, Rossbach, et al.
- 2007
(Show Context)
Citation Context ...ic programs are very useful tools for automatic data analysis with respect to specific properties. They are deployed for various applications, from spam filters [8], remote software fault diagnostics =-=[12]-=- to medical diagnostic expert systems [29]. The health-care industry is moving faster than ever toward technologies that offer personalized online self-service, medical error reduction, consumer data ... |

35 | Verifiable homomorphic oblivious transfer and private equality test
- Lipmaa
- 2003
(Show Context)
Citation Context ... learns s bi i , but nothing about s 1−bi i whereas S learns nothing about bi. We use OT m ℓ as a black-box primitive in our constructions. It can be instantiated efficiently with different protocols =-=[24,2,21,13]-=-. Extensions of [13] can be used to reduce the number of computationally expensive public-key operations to be independent of m. We omit the parameters m or ℓ if they are clear from the context. Garbl... |

30 | Strong conditional oblivious transfer and computing on intervals - Blake, Kolesnikov - 2004 |

26 | Evaluating branching programs on encrypted data
- Ishai, Paskin
- 2007
(Show Context)
Citation Context ...d, we compare our work with previously-best approaches that are applicable to our setting (see below). Recently, very interesting BP-based crypto-computing protocols were proposed by Ishai and Paskin =-=[14]-=- (and later slightly improved by Lipmaa [22] who also presented a variety of applications). In their setting, the server evaluates his program on client’s encrypted data. The novelty of the approach o... |

23 | Oblivious polynomial evaluation and oblivious neural learning
- Chang, Lu
- 2005
(Show Context)
Citation Context ...end, and improve efficiency of the above three protocols [19,4,32]. In addition to circuits and BPs, other (secure) classification methods have been considered, such as those based on neural networks =-=[6,25,28,30]-=-. In our work, we concentrate on the BP representation. Our Contribution and Outline. Our main contribution is a new more efficient modular protocol for secure evaluation of a class of diagnostics/cla... |

23 | Watermark estimation through detector analysis - Kalker, Linnartz, et al. - 1998 |

18 | Efficient binary conversion for paillier encrypted values - Schoenmakers, Tuyls - 2006 |

17 |
Privacy-preserving remote diagnostics
- Brickell, Porter, et al.
- 2007
(Show Context)
Citation Context ... this approach is far inefficient. We achieve malicious security simply by employing efficient sub-protocols proven secure against malicious players. (This is the transformation approach suggested in =-=[4]-=-.) More specifically, we use committed OT, secure two-party computation on committed inputs, and verifiable homomorphic encryption schemes (see [15] for more detailed description). 4 A Technical Omiss... |

17 | A practical universal circuit construction and secure evaluation of private functions
- Kolesnikov, Schneider
- 2008
(Show Context)
Citation Context ...not be willing to disclose the underlying algorithms and the corresponding optimized parameters (e.g., because they represent intellectual property). Secure function evaluation with private functions =-=[31,27,18,30]-=- is one way to realize the above scenarios, when the underlying private algorithms are represented as circuits. However, as we elaborate in the discussion on related work, in some applications, such a... |

17 | Benchmark for MIRACL – Multiprecision Integer and Rational Arithmetic C/C++ Library - Certivox. http: //certivox.org/display/EXT/Benchmarks+and+Subs. Accessed - Scott |

16 | Generating estimates of classification confidence for a case-based spam filter
- Delany, Cunningham, et al.
- 2005
(Show Context)
Citation Context ...ntroduction Classification and diagnostic programs are very useful tools for automatic data analysis with respect to specific properties. They are deployed for various applications, from spam filters =-=[8]-=-, remote software fault diagnostics [12] to medical diagnostic expert systems [29]. The health-care industry is moving faster than ever toward technologies that offer personalized online self-service,... |

16 |
Secure function evaluation with ordered binary decision diagrams
- Kruger, Jha, et al.
- 2006
(Show Context)
Citation Context ...r setting (in applications we are considering, BPs are not wide), and the cost of employed homomorphic encryption operation outweighs the benefit.Most relevant for this work is the sequence of works =-=[19,4,32]-=-, where the authors consider problems similar to ours, and are specifically concerned with concrete performance of the resulting protocols. Kruger et al. [19] observed that some functions are more suc... |

16 | Blind Newton sensitivity attack - Comesana, Perez-Freire, et al. - 2006 |

15 | Time series analysis. Holden-day - Box, Jenkins, et al. - 1976 |

15 | Practical secure evaluation of semi-private functions - Paus, Sadeghi, et al. - 2009 |

14 | SM: Cardiac arrhythmia classification using autoregressive modeling. BioMed Eng OnLine 2002
- Dingfei, Srinivasan, et al.
(Show Context)
Citation Context ...isclosure of details of the classification algorithm to C (as this represents valuable intellectual property of S). We show how tho achieve this by mapping an established ECG classification algorithm =-=[1,9]-=- to secure evaluation of a private LBP, and give implementation results in the full version of this paper [3]. Acknowledgments. We thank anonymous reviewers of ESORICS 2009 for their helpful comments.... |

11 |
Oblivious neural network computing via homomorphic encryption
- Orlandi, Piva, et al.
- 2007
(Show Context)
Citation Context ...end, and improve efficiency of the above three protocols [19,4,32]. In addition to circuits and BPs, other (secure) classification methods have been considered, such as those based on neural networks =-=[6,25,28,30]-=-. In our work, we concentrate on the BP representation. Our Contribution and Outline. Our main contribution is a new more efficient modular protocol for secure evaluation of a class of diagnostics/cla... |

10 | Generalized universal circuits for secure evaluation of private functions with application to data classification
- Sadeghi, Schneider
- 2008
(Show Context)
Citation Context |

9 |
Cryptographic key length recommendation
- Giry, Quisquater
- 2009
(Show Context)
Citation Context ... skip §2.1 and continue reading our notational conventions in §2.2. We denote the symmetric (asymmetric) security parameter with t (T ). Recommended sizes for short-term security are t = 80, T = 1248 =-=[10]-=-. 2.1 Cryptographic Tools Homomorphic Encryption (HE). We use a semantically secure additively homomorphic public-key encryption scheme. In an additively homomorphic cryptosystem, given encryptions �a... |

8 |
Real-time classification of ECGs on a PDA
- Rodríguez, Goni, et al.
- 2005
(Show Context)
Citation Context ...matic data analysis with respect to specific properties. They are deployed for various applications, from spam filters [8], remote software fault diagnostics [12] to medical diagnostic expert systems =-=[29]-=-. The health-care industry is moving faster than ever toward technologies that offer personalized online self-service, medical error reduction, consumer data mining and more (e.g., [11]). Such technol... |

7 | Private branching programs: On communication-efficient cryptocomputing, Cryptology ePrint Archive, Report 2008/107, 2008, available at: http://eprint.iacr.org
- Lipmaa
(Show Context)
Citation Context ...approaches that are applicable to our setting (see below). Recently, very interesting BP-based crypto-computing protocols were proposed by Ishai and Paskin [14] (and later slightly improved by Lipmaa =-=[22]-=- who also presented a variety of applications). In their setting, the server evaluates his program on client’s encrypted data. The novelty of the approach of [14] is that the communication and client’... |

7 |
Practical secure function evaluation
- Schneider
- 2008
(Show Context)
Citation Context ...r setting (in applications we are considering, BPs are not wide), and the cost of employed homomorphic encryption operation outweighs the benefit.Most relevant for this work is the sequence of works =-=[19,4,32]-=-, where the authors consider problems similar to ours, and are specifically concerned with concrete performance of the resulting protocols. Kruger et al. [19] observed that some functions are more suc... |

6 | Privacy-preserving classifier learning
- Brickell, Shmatikov
- 2009
(Show Context)
Citation Context ...n is presented in §3.5. Further, in §4, we discover and fix a subtle vulnerability in the recent and very efficient variant of the protocol for secure BP evaluation [4] and secure classifier learning =-=[5]-=-. Finally, we apply our protocols to the privacy-preserving classification of medical ElectroCardioGram (ECG) signals (§5).2 Preliminaries In our protocols we combine several standard cryptographic t... |

4 | Efficient pointwise and blockwise encrypted operations - Bianchi, Piva, et al. - 2008 |

3 |
Enhancing privacy in remote data classification. New Approaches for Security, Privacy and Trust in Complex Environments
- Piva, Caini, et al.
- 2008
(Show Context)
Citation Context ...end, and improve efficiency of the above three protocols [19,4,32]. In addition to circuits and BPs, other (secure) classification methods have been considered, such as those based on neural networks =-=[6,25,28,30]-=-. In our work, we concentrate on the BP representation. Our Contribution and Outline. Our main contribution is a new more efficient modular protocol for secure evaluation of a class of diagnostics/cla... |

3 | Certicom proposal to revise SEC 1: Elliptic curve cryptography, version 1.0 - Brown - 2005 |

3 | Bolton-Smith C. An investigation of the relationship between antioxidant vitamin intake and coronary heart disease in men and women using logistic regression analysis - Todd, Woodward |

2 | Standards for efficient cryptography, SEC 2: Recommended elliptic curve domain parameters - SEC00b - 2000 |

1 | Time series modeling of heart rate dynamics - Bennett, Christini, et al. - 1993 |

1 | A neurocomputational model for prostate carcinoma detection - Niederberger |

1 | Standards for efficient cryptography, SEC 1: Elliptic curve cryptography - SEC00a - 2000 |