B GIÁO DC VÀ ÀO TO B QUC PHÒNG VIN KHOA HC VÀ CÔNG NGH QUÂN S LNG TH DNG DISTRIBUTED SOLUTIONS IN PRIVACY PRESERVING DATA MINING (Nghiên cu xây dng mt s gii pháp đm bo an toàn thông tin trong quá trình khai phá d liu) Chuyên ngành: Bo đm toán hc cho máy tính và h thng tính toán. Mã s : 62 46 35 01 TÓM TT LUN ÁN TIN S TOÁN HC Hà Ni, 2011 Chapter 1 INTRODUCTION 1.1 Privacy-preserving data ming: An overview Data mining plays an important role in the current world and provides us a powerful tool to efficiently discover valuable information from large databases [Han and Kamber, 2006]. However, the process of mining data can result in a vi o - lation of privacy. As a result, there are a large number of studies has been produced on the topic of privacy-preserving data m i n i n g (PPDM) [ Veryki o s et al., 2004] . These studies deal with the problem of lea r n i n g data mini n g models from the databases, while protecting data privacy at the individual or organizational level. Basically, PPDM can be formed into three following areas [Charu and Yu, 2008]: The first area is privacy-preserving data publishi n g . Studies in th i s area are to allow an organizati o n (party) to publish his data to the miners with a concern that how to p u b l i sh the data so that the a n o nymized data are useful for data mining applications. The second area is the privacy-preserving distributed data mining, the model of this area usually consists of several parties, each party has a private data set. The general purpose is to enable th e parties to mine cooperatively on their joint data sets withou t revealing priva t e information of each party. Here, data coul d be distributed into many p a r t s either vertically or horizontally. The third area is a scenario in whi ch a data miner surveys a large number of users to learn some results based on the user d a t a or collects the user data while protecting the sensitive attributes of these users. 1.2 Contributions Up to now, there are many available solution s to solving the issues in PPDM [Kargupta et al., 2003], [Dowd et al., 2005], [Vaidya et al., 2008] etc. The quality of each solution is evaluated based on the three basic characteristics: pri vacy de- gree, accuracy, and efficiency. But the problem here is that each solution was only used in a particular distributed scenario or i n a concrete data mining algorithm. Although some of them can be applied for mor e than one scenar i o or algorithm but thei r accuracy is lower than a ccep t a b l e requirement. Other solutions reach the accuracy, however, their p r i vacy i s poor . In addition, it is easily to see the lack of PPDM solutions for various practical context as well as well-known data mining techniques. In summary, the key contributions of the thesis are as follows: 1. First work is to intro d u ce a new scenari o for privacy-preserving user data 1 mining called 2-part fully distributed setting (2PFD) and find solution for a family of frequency-based learning algorith m s in 2PFD setting 2. Second work is to develop novel privacy-preserving protocols for frequent itemset mining in vertically distributed data. The important security prop- erty of our pro t ocols is better than the previous protocols’ one in the way that we achieve the full privacy protection for each party. This property does not require the existence of any of trusted parties. In additio n , no collusion of parties can make privacy breaches 3. Third work is firstly to develop a privacy preserving EM-based clusterin g protocol for multi-party model. Our protoco l is mo r e secure th a n th e exi st i n g ones with the coll u si o n resistance. In addition, our protocol works not only for three parties and above but also for two parties. Secondly, we propose a better protocol for the case in wh i ch the d a t a set is horizontally partitioned into only two parts. This protocol requires protecting privacy of the cluster centers. 4. Forth work is a technique to design pr o t ocols for pr i vacy- preserving multi- variate outlier detection in both horizontally and vertically distributed data. The developed solutions will be evaluated in terms of the degree of privacy protection, correctness, efficiency a n d sca l a b i l i ty. The contributions of thi s t h e- sis are solutions for four pro b l em s in PPDM. Each problem has an independent statement to the others, but they sh a r e a co m m o n fr a m ework. This framework can be simply i m a g i n ed as: we needs to find the knowledge from a distri b u t ed dataset while the privacy preserving of involved parties is must be guaranteed. The difference of each problem is the way we obtain the dataset from distributed parties and the proposed function to keep the privacy informati o n for users. 1.3 Organization of thesis The thesis con si st s of six chapters, 109 pages of A4. Chapter 1 introduces an overview of PPDM and related works. Chapter 2 presents th e basic definitions of secure multi-party computation and the techniques I frequently use. Chapter 3 proposes privacy preserving frequ en cy -b a sed learning protocols in 2PFD. Chap- ter 4 presents two privacy-preserving protocols for distributed mi n i n g of frequent itemsets. Chapter 5 discusses privacy preserving EM-based clustering protocols. Chapter 6 pr esents the technique to design protocols of privacy preserv i n g outlier detection for bot h vertically a n d horizontally distribut ed data, and we gi ve the conclusion in the last section of this thesis. 2 Chapter 2 METHODS FOR SECURE MULTI-PARTY COMPUTATION In this thesis, we use secure multi-party computation (SMC) an d cryptograp h i c tools as t h e building blocks to desig n privacy-preser v i n g data mining protocol s. Before discussing in detai l s, in this chapter, we first review some important defini- tions of SMC. Then, we summarize the techniques which will be used in the next chapters. 2.1 Definitions In this section, we review basic definitions from computational complexity theory and SMC that will be used in this thesis [Goldreich, 2004]. Definition 2.1. Let N be the set of natural numbers. We say the function ǫ(·) : N → (0, 1] is negligible in n, if for every positive integer polynomial poly(·) there exists an integer n 0 > 0 such that for all n > n 0 ǫ(n) < 1 poly(n) The computational indistinguishability is another im portant concept when dis- cussing the security properties of distribut ed pro t ocols [Goldreich, 2004]. Let X = {X n } n∈N is an ensemble indexed by a secu r i ty parameter n (which usually refers to the length of the input), where the X ′ i s are random variables. Definition 2.2. Two ensembles, X = {X n } n∈N and Y = {Y n } n∈N , are compu- tational indistinguishable in polynomial time if for every probabilistic polynomial time algorithm A, |P r(A(X n ) = 1) − P r(A(Y n ) = 1)| is a negligible function in n. I n such case, we write X c ≡ Y , where c ≡ denotes computational indistinguishability. Secure multiparty computation f unct i o n: In a distributed network with n participating parties. A secure n-party computation problem can general l y be considered as a computation of a function: f(x 1 , x 2 , , x n ) → (f 1 (x 1 , x 2 , , x n ), , f n (x 1 , x 2 , , x n )) where each party i knows only it s private input x i . For security, it is required that the privacy of any honest party’s input is protected, in the sense that each 3 dishonest party i learns no t h i n g except its own output y i = f i (x 1 , x 2 , , x n ). If there is any malicious party that may deviate from the protocol , it is also required that each honest party get a correct result whenever possible. Privacy in Semi-honest model: In th e distribut ed setting, let π be an n- party protocol for computing f. Let x denote (x 1 , , x n ). The view of the i th (i ∈ [1, n]) party during an execution of π on x is denoted by view π (x) which includes x i , all r ecei ved messages, and all internal coin flips. For every subset I of [1, n], namely I = {i 1 , , i t }, let f I (x) d en o t e (y i 1 , , y i t ) and view π I (x) = (I, view π i 1 ( x), , view π i t ( x)). Let OUTPUT (x) denotes the output of all parties during the execution of π. Definition 2.3. An n-party computation protocol π for computing f(., , .) is se- cure with respect to semi-honest parties, if there exists a probabilistic polynomial- time algorithm denoted by S, such that for every I ⊂ [1, n] we have {S(x i 1 , , x i t , f I ( x)), f(x))} c ≡ {view π I (x), OUT P UT (x)} This definition states that the view of the parties in I can be simulated from only the parties’ inputs and outputs. If the function is privately computed by the protocol, then privacy of each party’s input data is protected. In this thesis, we focus on designing privacy-preserving protocols in the semi-honest model. The formal definition of the security protocol in th e malicious model can be found in [Goldreich, 2004]. In this thesis, we also use composition theorem for the semi- honest model that its discussion and proof can be found in [Goldreich, 2004]. Theorem 2.1 (Composit i o n theorem). Suppose that g is privately reducible to f, and that there exists a protocol for privately computing f. Then there exists a protocol for privately computing g. 2.2 Secure computation Secret sharing: S ecr et sharing refers to any method by which a secret can be shared by multiple parties in such a way that no party knows the secret, but it is easy to construct the secret by combining some parties sha r es. For example, Shamir secret sharing scheme [Shamir, 1979] or the secure mean sharing protocol will be described in Chapter 5. Variant ElGamal Cryptosystem: Our Protocols in Chapter 3 and 4 are based on the standard variant of the ElGamal encryption scheme. ElGamal encryption is semantically secure u ‘ nder the deci si o n a l Diffie-Hellman (DDH) assumption [Boneh, 1998]. The computations are carried out in Z p and the message space is 4 Z q , where p and q are prime, and q|(p − 1) . We briefly review the variant of the ElGamal encryption scheme as follows. Let G be a cyclic group of order q (G is a sub group of Z ∗ p ). Let g be a generator of G, f ∈ g is ran d o m l y selected, and x be uniformly chosen in [1, q − 1]. In ElGamal encryption schema, x is a private key and the public key is h = g x . Each user securely keeps their own private keys, other wi se public keys are publicly known. To encrypt a message m using the public key h, one randomly chooses k in [1, , q − 1] and then computes the ciphertext C = ( C 1 = f m h k , C 2 = g k ). The de- cryption of the ciphertext C with the private key x can be executed by computing f m = C 1 (C x 2 ) −1 , and find m from f m . Decisional Diffie-Hel l m a n Assumption. For uniformly random a, b, c ∈ [0, q− 1], the DDH assumption is that {g a , g b , g ab } c ≡ {g a , g b , g c } Oblivious polynomial evaluation (OPE)[Naor and Pinkas, 1999]: This problem involves a sender (Alice) and a receiver (Bob) . The sen d er ’ s input is a polynomia l P(y) =  k i=0 a i y i of degree k over some finite field F and the re- ceiver’s input is an element x ∈ F (the degree k of P is public). The p r o t ocol is such that the receiver obtains P (x) wit h o u t learning anything else abou t the polynomial P , and the sender learns nothing. In other words, an OPE protocol is to compute the following function: (P (y), x) → (∅, P(x)) Secure scalar product sharing (SSP): Assume that two vectors A = (a 1 , , a n ) and B = (b 1 , , b n ) ar e owned by two corresponding parties Alice and Bob. A privacy-preserving scalar product sharing protocol is to allow Alice to learn r A and Bob to learn r B , where r A and r B are random integers, called shares, between 0 and M − 1 such that r A + r B mod M = A · B (where A · B ∈ [0, M]).In other words, a SSP protocol is to compute the following function: (A, B) → (r 1 , r 2 )|r 1 + r 2 = A · B Privately computing ln x [Kantarcioglu, 2005]: In secure multi-party mean computation, we need to be able to privately share ln x, where x = x 1 + x 2 with x 1 known to P 1 and x 2 known to P 2 . Thus, P 1 should get y 1 and P 2 should get y 2 such th a t y 1 + y 2 = ln x = ln (x 1 + x 2 ). In other words, a protocol for computing ln (x) is to construct the following function: (x 1 , x 2 ) → (y 1 , y 2 )|y 1 + y 2 = ln (x 1 + x 2 ) 5 Chapter 3 PRIVACY PRESERVING FREQUENCY-BASED LEARNING IN 2PFD SETTING 3.1 Introduction In this chapter, we consider privacy p r eser v i n g frequency-based learning in a so- called 2-part fully distributed setting (2PFD). In this scenario, the dataset is distributed across a larg e number of users i n which each record is owned by two different users, one user only knows the values for a subset of attributes, while the other knows th e values for the remaini n g attributes. A miner ai m s to lea r n frequency-based models from their data, while preserving each user’s sensitive attributes. Some solutions based on ran d o m i za t i o n techniques can address this problem, but suffer from the tradeoff between privacy and accuracy. In this chap- ter, we develop a cryptog r a p h i c method that ensures each user’s privacy without loss of accuracy. Our key contribution is the privacy preserving frequency com- putation method in 2-part fully dist r i b u t ed setting. To illustrat e the app l i ca b i l i ty of this method, we used i t to build the privacy preserving protocol for the naive Bayes classifier learning and sh ow its other applications. The experimental results show that our protocol is very efficient. 3.2 Privacy preserving frequency mining in 2PFD setting 3.2.1 Problem formulation The frequ en cy computation problem in 2PFD can be formulated into the m o r e simple problem as follows. Assume that there are n pairs of user s (U i , V i ), each U i has a binary number u i and each V i has a binary numb er v i . The pri vacy-preserving frequency com- putation problem is to allow a miner t o compute f =  u i v i without disclosing any informa t i o n abou t u i and v i . In other words, we need a privacy -p r eser v i n g protocol for constructing the following function: (u 1 , v 1 , , u n , v n ) →  u i v i The definitio n notation implies th a t each pair U i and V i provide inputs u i and v i to the protocol, and the miner receive output  u i v i without any other information. 6 3.2.2 Definition of privacy The definition of privacy given below can be viewed as a simplification of the general definition in the semi-hon est model [ Go l d r ei ch, 2004], Basical l y, the defi- nition states that the computation is secure if the joint view of t h e miner and the corrupted users (the t 1 users U i and the t 2 users V i ) during the execution of the protocol can be effectively simulated by a simulator, based on what the miner and the corrupted users have observed in the protocol using only the result f, the corrupted users’ knowledge, and the publi c keys. Therefore, the miner and the corrupted users can not learn anything from f. 3.2.3 Frequency mining protocol Our protocol is designed based on the homomorphic property of a variant of El- Gamal encryption [Hir t an d Sako, 2000]. The privacy of our protocol is based on the semantic property of ElGamal encryption scheme under the DDH assumption, which has been introduced in the previo u s chapter. Let p and q be two primes such that q|(p − 1), let G be a subgroup of Z ∗ p of order q, and g is a generator of G. In the proposed protocol, we assume that each user U i has private keys x i , y i uniformly chosen from {1, , q − 1}, and public keys X i = g x i , Y i = g y i . Each user V i has private keys p i , q i and public keys P i = g p i , Q i = g q i . We note that computations in this thesis always take in Z p . We define X = n  i=1 X i P i = g x and Y = n  i=1 Y i Q i = g y where x = n  i=1 (x i + p i ) and y = n  i=1 (y i + q i ). In the proposed protoco l , X and Y are known by all users. Our protoco l presented in 3.1. 3.2.4 Correctness and Privacy Analysis In t h e thesis, we proved the correctness of the protoco l and we showed that under the semantic security property of the ElGamal encryption scheme, our prot ocol preserves each user’s privacy in the semi-honest model. Theorem 3.1. The protocol presented in figure 3.1 correctly computes the fre- quency value f =  n i=1 u i v i as defined in Subsection 3.2.1. Theorem 3.2. Assuming that f < n, the protocol in Figure 3.1 preserves the privacy of the honest users against the miner and up to 2n − 2 corrupted users. In cases with only two honest users, the conclusion remains correct as long as two honest users do not hold the attribute values of the same record. 7 • Phase 1. Each user U i does as follows: – Randomly choose k i from {1, , q − 1}. – Computes C (i) = (C (i) 1 , C (i) 2 ) = (g u i X k i i , g k i ) – Send C (i) to the miner • Phase 2. Each user V i does the follows: – Get C (i) from the miner – Randomly choose r i from {1, , q − 1} – if v i = 0 then compute R (i) = (R (i) 1 , R (i) 2 , R (i) 3 )=(X r i i X q i , g r i , Y p i ) – if v i = 1 then compute R (i) = (R (i) 1 , R (i) 2 , R (i) 3 )=(g u i X r i +k i i X q i , g r i +k i , Y p i ) – Send R (i) to the miner. • Phase 3. Each user U i does as follows: – Get R (i) from the miner. – Compute K(u i , v i ) = (K (i) 1 , K (i) 2 ) = (R (i) 1 (R (i) 2 ) −x i X y i , R (i) 3 Y x i ) – Send K(u i , v i ) to the miner • Phase 4. The miner does as follows: – Compute d = n  i=1 K (i) 1 K (i) 2 – Find f from {0, 1, , n} that satisfies g f = d – Output f Figure 3.1: Frequency mining protocol 3.2.5 Efficiency of frequency mining protocol: The computatio n a l cost of each user U i in the first phase and in the third phase are 2 and 3 modular exponentiations, respectively. The com p u t a t i o n a l cost of each user V i in the second phase is at most 3 modular exponentiations. The miner uses 2n modu l a r multiplications and at most n comparisons. For evaluating the efficiency of the protocol in practice, we conducted an experiment using the C# language on a PC. We measur e the computation cost of the protocol for n from 1000 to 5000. Befor e executing the protocol, we generate the pairs of keys for each user, with the size of p and q set at 1024 bits and 160 bits, and compute values X and Y . The results show that the average time used by each U i for computing the first-phase messages and the third-phase messages are about 21ms and 29ms, respectively. Each V i needs about an average 32ms to compute her messages. The miner’s time are very efficient and nearly linearly related to n such as when n = 5000, the miner uses only about 460 ms for the computation. 8 3.3 Frequency-based Learning in 2PFD Setting The method of frequency mining is very useful in privacy preserving data mining applications that its learn i n g is based on frequency such as naive Bayes, associ a t i o n rules mining, ID3 learnin g , Pearson correlation a n a l y si s et c. In this thesis, we demonstrated the useful of frequency mining method by using it as a primi t i ve to design a privacy-preserving protocol for naive Bayes learning. 3.4 An improvement of frequency mining protocol 3.4.1 Improved frequency mining protocol A problem of the frequency mi n i n g protocol is th a t a sing l e client may be able to d i sr u p t the system. Thus, our purpose is to improve the frequency mini n g protocol. That is, only a set S of t user pairs can obtain the frequency without requiring the presence of all users, where t ≥ k, k is the defined thr esh o l d . We expand the idea of threshold decryption system [Noack and Spitz, 2009] to solve the above problem. For a (n, k) threshold scheme, the basic idea is that a private key is shared among n users by using a (n, k)-Shamir secret sharing, so that only a set T of k users involves in the protocol, miner can decrypt a ciphertext by using Lagrange interpolat i o n with o u t exp l i ci t l y recon st r u ct i n g th e private key. In proposed protocol, we assume th a t two key seeds x 0 and p 0 ∈ [1, q − 1] are shared among n user s U i and n users V i by a (n, k)-Sh a m i r secret sharing. Shares owned by U i and V i are x i = f(i) and p i = h(i) respectively, where f(x) and h(x) are the r a n d o m polynomials of degree (k − 1) ∈ Z q such that f(0) = x 0 and h(0) = p 0 . Thus, each user U i has the key p a i r (x i , X i = g x i ) and V i has (p i , P i = g p i ). In our protocol, H = g x 0 +p 0 is announced as the general public key. The detailed phases of the improved frequency mining are presented in Figure 3.7 3.4.2 Protocol Analysi s Different fr o m the previous protocol, the private keys y i and q i of the improved protocol are temp keys that are chosen at the encry p t i n g time. The general keys Y replaced by g and X replaced by H. This protocol preserves privacy of each user gainst up to 2k − 2 corrupted users. In the improved protocol, the computational complexity of these users increases a modul a r exponentiation. The computational complexity for miner is nearly equal to the previous protocol. 3.5 Conclusion In this chapter, we p r o posed a method for privacy preserving frequency-based learning in 2PFD setting, which has not been investigated previously. Basically, the proposed method is based on ElGamal encryption scheme, and it can provide 9 [...]... 2nd edition [Han and Kamber, 2006] Han, J and Kamber, M (2006) Data Mining: Concepts and Techniques 2nd ed (The Morgan Kaufmann Series in Data Management Systems) Morgan Kaufmann Publishers [Han and Ng, 2007] Han, S and Ng, W K (2007) Multi-party privacy-preserving decision trees for arbitrarily partitioned data International Journal of Intelligent Control and Systems, 12(4):351–358 [Hirt and Sako, 2000]... Cryptology and Information Security: Advances in Cryptology, pages 125–132 SpringerVerlag 26 [Naor and Pinkas, 1999] Naor, M and Pinkas, B (1999) Oblivious transfer and polynomial evaluation In STOC ’99: Proceedings of the thirty-first annual ACM symposium on Theory of computing, pages 245–254 ACM [Noack and Spitz, 2009] Noack, A and Spitz, S (2009) Dynamic threshold cryptosystem without group manager Network... objects and n attributes that take values as real numbers, denote the sample mean vector of X by X, the sample covariance matrix of X by C(X), and the ith row of X by X(i) Statistical methods [Hodge and Austin, 2004] for multivariate outlier detection is to compute the Mahalanobis distance: d2 = (X(i) − X)T C −1 (X)(X(i) − X) i for i = 1, , N A large distance indicates that observation is an outlier... protocol is less than the support count preserving protocol For evaluating the efficiency of the protocol in practice, we provide an experiment to evaluate the performance of the proposed protocols that run in the C# language on a PC computer As communication complexity depends on the network performance and physical distance of two parties, we simply considered parties as threads that exchange data directly... (2) = (X)T (X) 2 Using the linear transformation to compute (C (1) , C (2) ) → C −1 (X) 3 Using SPP protocol to compute the Mahalanobise distances 6.5 Experiments We provide an experiment to evaluate the performance of the proposed protocols that run in the C# language on a PC computer As communication complexity depends on the network performance and physical distance of two parties, we simply considered... that A and B belong to the range [0, M ], the multi-party mean computation protocol presented in Figure 5.1 Input: Each Pi (1 ≤ i ≤ n) has (xi , mi ) Output: The parties obtain the value A/B 1: Each Pi uniformly chooses ri and ki from [0, M ], then computes ui = xi + ri mod M and vi = mi + ki mod M , and sends ui and vi to Pn n n 2: Pn computes u = i=1 ui mod M and v = i=1 vi mod M 3: Each Pi randomly... Sako, 2000] Hirt, M and Sako, K (2000) Efficient receipt-free voting based on homomorphic encryption In Proceedings of EuroCrypt 2000, LNCS series, pages 539–556 Springer-Verlag [Hodge and Austin, 2004] Hodge, V and Austin, J (2004) A survey of outlier detection methodologies Artif Intell Rev., 22:85–126 [Kantarcioglu, 2005] Kantarcioglu, M (2005) Privacy-preserving distributed data mining and processing... modeling Knowledge and Information Systems, pages 68–81 [Lindell and Pinkas, 2000] Lindell, Y and Pinkas, B (2000) Privacy preserving data mining In Advances in Cryptology (CRYPTO’00), pages 36–53 [Markus and Patrick, 1996] Markus, M and Patrick, H (1996) Some remarks on a receipt-free and universally verifiable mix-type voting scheme In Proceedings of the International Conference on the Theory and Applications... b1 , Pn obtains an and bn a1 + an = α ln (u − r mod M ) mod M b1 + bn = α ln (v − k mod M ) mod M where α is a public constant used to make all elements integer 7: Pn computes sn = bn − an mod M and sends it to P1 ; P1 computes s1 = sn + b1 − a1 mod M and broadcasts it to all parties 8: Finally, all parties can calculate µ = exp(s1 /α) Figure 5.1: Privacy preserving multi-party mean computation The... Alice and Bob Alice has a set X1 of N1 objects and Bob has a set X2 of N2 objects The protocol is given in Figure 6.2 21 Input: Alice and Bob have the data set X (1) and X (2) , respectively Output: the Mahalonobise distance of each object 1 The parties use the secure sharing mean protocol to compute X 2 The parties share the matrix C(X) by using the secure mean sharing protocol Alice obtains C (1) and . DISTRIBUTED SOLUTIONS IN PRIVACY PRESERVING DATA MINING (Nghiên cu xây dng mt s gii pháp đm bo an toàn thông tin trong quá trình khai phá d liu) Chuyên ngành: Bo đm toán hc cho máy. data, and ea ch message m is 12 changed to g m before encrypting . D ecr y p t i o n need to be jointly performed by al l parties. Rerandomization technique [Markus and Patrick, 1996]: A rerandomiza- tion. r i and k i from [0, M], then computes u i = x i + r i mod M and v i = m i + k i mod M, and sends u i and v i to P n 2: P n computes u =  n i=1 u i mod M and v =  n i=1 v i mod M 3: Each P i randomly