Secret computation of purchase history data using somewhat homomorphic encryption
Masaya Yasuda^{1}, Takeshi Shimoyama^{1} and Jun Kogure^{1}
DOI: 10.1186/s40736-014-0005-x
© Yasuda et al; Licensee Springer 2014
Received: 19 March 2014
Accepted: 3 April 2014
Published: 14 October 2014
Abstract
We consider secret computation of purchase history data between two companies of different types of business in order to identify purchase patterns without revealing the customer information of either company. Among several privacy-preserving approaches, we focus on homomorphic encryption, which is public-key encryption supporting meaningful computations on encrypted data. In particular, we apply the somewhat homomorphic encryption scheme proposed by Brakerski and Vaikuntanathan (CRYPTO 2011), which supports a limited number of both additions and multiplications over polynomials. The main contribution is a practical packing method for this scheme that efficiently computes the set intersection of purchase history data over packed ciphertexts. Furthermore, we implemented the scheme for several parameters corresponding to various security levels and demonstrate the efficiency of our packing method. We hope that this work gives the first practical usage of somewhat homomorphic encryption in marketing analysis.
Keywords
Homomorphic encryption; LWE assumption; Secure inner product; Packing method
1 Introduction
Recently in Japan, services built around a rewards card (also called a loyalty card) that is accepted by companies of different types of business, for example the “T-card” and the “Ponta-card”, have attracted much attention^{a}. Such cards offer several advantages: tie-up companies gain more opportunities to acquire new customers and obtain market-trend data from companies of other types of business, while customers can collect reward points from companies of different types of business and bring those points together on a single card. In particular, the biggest advantage is that tie-up companies can collect market and customer information beyond the boundaries of their own type of business and use it for so-called market basket analysis, one of the marketing analyses used to identify purchase patterns (e.g., which items tend to be purchased together, sequentially, or by season).
However, handling customer information among tie-up companies also raises some problems. For example, analyzing purchase history data requires sharing both customer IDs and purchase history data among the tie-up companies. In that case the customer information of each company is revealed to the other companies, which raises concerns about customer privacy. Furthermore, since the purchase history data of each company are directly related to its own sales, the data should be kept secret from the other companies (see [23], Section 1 for a discussion of these issues).
1.1 Application scenario
In view of the above issues, we consider the following scenario: “Assume that there are two tie-up companies A and B that share only their customer IDs (e.g., the rewards card number can be used as the customer ID). Companies A and B hold their own customers' purchase history data for items X and Y, respectively. They would like to know the number of customers who bought both items X and Y, in order to identify how often the items are purchased sequentially, without revealing either company's customer purchase history data to the other”.
1.2 Homomorphic encryption

Additively homomorphic encryption It supports only additions on encrypted data. The Paillier scheme [17] and the additive ElGamal scheme [7] are typical examples.

Somewhat homomorphic encryption (SHE) It supports both additions and multiplications on encrypted data, but the number of possible operations is limited. The first construction of such encryption was the BGN scheme [1], based on pairings over elliptic curves. However, the BGN scheme can handle any number of additions but only depth-one multiplications. After Gentry’s breakthrough [9,10] in constructing an FHE scheme (see below for FHE), a number of new SHE schemes have been proposed as building blocks of FHE, for example schemes based on ideal lattices [9–11], schemes over the integers [6,18], and finally schemes based on learning with errors (LWE) [2–4]. Unlike the BGN scheme, these schemes can handle additions and multiplications of depth greater than one.

Fully homomorphic encryption (FHE) It supports “any operations” on encrypted data, including an unlimited number of additions and multiplications. In 2009, Gentry [9,10] proposed a new method, called bootstrapping, to construct an FHE scheme from the SHE scheme based on ideal lattices. Currently FHE schemes still have some problems, mainly slow performance and large ciphertext size, and hence FHE is believed to be a long way from practical use (see [6,11] for implementation results of “pure” FHE schemes, and [12] for recent work on implementing a “leveled” FHE scheme).
1.3 Previous work
1. The trusted assayer generates the public key pk and the secret key sk of the SHE scheme, and distributes only the public key pk to the public.
2. Using pk, each company encrypts its own purchase history data (x_{1},…,x_{m}) or (y_{1},…,y_{m}), and sends the encrypted data (Enc(x_{1}),…,Enc(x_{m})) or (Enc(y_{1}),…,Enc(y_{m})) together with the customer IDs to the cloud (using bit-wise encryption). Since all data are protected by encryption, neither company's purchase history data can be revealed to the other.
3. In ascending order of customer ID, the cloud arranges (Enc(x_{1}),…,Enc(x_{m})) and (Enc(y_{1}),…,Enc(y_{m})) as in Figure 1. Then the cloud computes the inner product
$$ \mathsf{ct} = \sum_{i = 1}^{m} \mathsf{Enc}(x_{i}) \cdot \mathsf{Enc}(y_{i}) \quad (1) $$
on encrypted data (note that ct is a ciphertext of the inner product \(\sum_{i = 1}^{m} x_{i} \cdot y_{i}\) by the homomorphic property), and sends only the encrypted result ct to the assayer. Since the cloud does not hold the secret key, it cannot learn any information about either company's purchase history data.
4. Using sk, the assayer decrypts the encrypted result ct to obtain the desired inner product \(\sum_{i = 1}^{m} x_{i} \cdot y_{i}\), which enables the assayer to identify purchase patterns of items X and Y.
1.4 Our contributions

Unlike [23], we apply the SHE scheme proposed by Brakerski and Vaikuntanathan [4], which is based on a simplified version of the ring-LWE assumption of [14].

We propose a method for packing a vector of a certain length into a single ciphertext of the SHE scheme, which enables efficient computation of a secure inner product. This method reduces both the encrypted data size and the running time considerably, so the SHE scheme with our packing method could be used practically in various applications.

To demonstrate the efficiency, we implemented the SHE scheme with our packing method. Whereas [22] implemented the scheme only for lattice dimension 2048, this work gives more detailed implementation results for the lattice dimensions 2048, 4096, 8192 and 16384. Furthermore, our implementation is optimized with inline assembly in C, and hence it runs faster than the previous implementation of the same scheme reported in [16].
Remark 1.
Our method exploits the structure of the special ring \(\mathbb {Z}[x]/(x^{n} + 1)\), which is used in the construction of the SHE scheme of [4] (see Section 2 below for the construction). Therefore our packing method can also be applied in the scheme based on ideal lattices and in the BGV scheme [2] (the performance and the encrypted data size in these schemes are estimated to be almost the same as in this work). On the other hand, our packing method cannot be applied in the BGN scheme [1], since that scheme is based on pairings over elliptic curves. More specifically, our method needs certain polynomial transformations in \(\mathbb {Z}[x]/(x^{n} + 1)\), which the BGN scheme cannot support. In the BGN scheme one can therefore only use bit-wise encryption for a secure inner product, as in Section 1.3. Furthermore, as discussed in [16], the homomorphic multiplication of the BGN scheme is slower than that of the SHE scheme of [4] at almost the same security level (such as 128-bit), and hence the SHE scheme with our packing method is estimated to be much faster than the BGN scheme with bit-wise encryption for a secure inner product.
Basic notation The symbols \(\mathbb {Z}\), \(\mathbb {Q}\), and \(\mathbb {R}\) denote the ring of integers, the field of rational numbers, and the field of real numbers, respectively. For a prime number p, the finite field with p elements is denoted by \(\mathbb {F}_{p}\). For two integers z and d, let [z]_{d} denote the reduction of z modulo d lying in the interval [−d/2, d/2) (the reduction of z modulo d lying in the interval [0, d) is denoted by z mod d as usual). For a vector \(\vec {A} = (a_{1}, a_{2}, \ldots, a_{n}) \in \mathbb {R}^{n}\), let \(\|\vec {A}\|_{\infty }\) denote the ∞-norm defined by \(\max_{i} |a_{i}|\). Let \(\langle \vec {A}, \vec {B} \rangle \) denote the inner product of two vectors \(\vec {A}\) and \(\vec {B}\). Finally, we let lg(q) denote the logarithm of an integer q to base 2.
2 Somewhat homomorphic encryption
In this section, we briefly review the construction and the correctness of the SHE scheme proposed by Brakerski and Vaikuntanathan [4]. The security of the scheme relies on the polynomial LWE assumption defined below, which can be regarded as a simplified version of the ring-LWE assumption of Lyubashevsky, Peikert and Regev [14] (see [4], Section 2 for details of the assumption).
Definition 1 (Polynomial LWE assumption).
1. One samples (a,b) uniformly from (R_{q})^{2}.
2. One draws s←χ uniformly, and samples (a,b) by drawing a←R_{q} uniformly and e←χ and setting b=as+e.
2.1 Construction of the SHE scheme

n: a power of 2, which defines the base ring \(R = \mathbb {Z}[x]/(\,f(x))\) with the cyclotomic polynomial f(x)=x^{n}+1 of degree n as in Definition 1. This degree n is often called the lattice dimension.

q: a prime number with q≡1 mod 2n, which defines the base ring \(R_{q} = \mathbb {F}_{q}[x]/(\,f(x))\) of the ciphertext space. The condition q≡1 mod 2n is not necessary for the scheme construction, but it is required for the provable security ([4], Theorem 1).

t: an integer with t<q that determines the plaintext space \(R_{t} = (\mathbb {Z}/t\mathbb {Z})[x]/(\,f(x))\) (t is not necessarily prime).

σ: the parameter defining the discrete Gaussian error distribution \(\chi = D_{\mathbb {Z}^{n}, \sigma }\) with standard deviation σ; namely, we select each entry of an n-dimensional vector by sampling from the Gaussian distribution N(0,σ) and rounding it to the nearest integer. In practice, we choose a relatively small value such as σ=4∼8.
Key generation We first choose an element R∋s←χ, and sample a uniformly random element a_{1}∈R_{ q } and an error R∋e←χ. Then set pk=(a_{0},a_{1}) with a_{0}=−(a_{1}s+te) as the public key and sk=s as the secret key.
where m∈R_{ t } is considered as an element of R_{ q } in the natural way due to the condition t<q.
Lemma 1 (security).
Given (n,q,t,σ), the scheme is provably secure in the sense of IND-CPA under the polynomial LWE assumption PLWE_{n,q,χ} with \(\chi = D_{\mathbb {Z}^{n}, \sigma }\) (see Definition 1 for the definition of PLWE_{n,q,χ}).
2.2 Correctness of the SHE scheme

(Addition) \(\mathsf {Dec}(\mathsf {ct} \dotplus \mathsf {ct}', \mathsf {sk}) = m + m' \in R_{t}\), and

(Multiplication) \(\mathsf {Dec}(\mathsf {ct} * \mathsf {ct}', \mathsf {sk}) = m \times m' \in R_{t}\)
for ciphertexts ct, ct^{′} corresponding to plaintexts m, m^{′}, respectively. However, the scheme gives only an SHE scheme (not FHE), and its correctness holds under the following condition (see the proof of [16], Lemma 3.3):
Lemma 2 (Condition for successful decryption).
is satisfied, where for \(a = \sum a_{i}x^{i} \in R_{q}\) we let \(\|a\|_{\infty } = \max_{i} |a_{i}|\) denote the ∞-norm of its coefficient representation.
3 Practical packing method
3.1 Our packing method
We present a new packing method that builds on, and can be regarded as an extension of, the packing method of [16]. Specifically, we give “two types of packed ciphertexts” in order to make use of the ring structure of the plaintext space R_{t} for a secure inner product over packed ciphertexts. Our packing method is defined as follows.
Definition 2.
1. As in equation (4), set
$$ \mathsf{pm}_{1}(\vec{A}) := \sum_{i = 0}^{n-1} A_{i} x^{i}. $$
For sufficiently large t, we regard the above polynomial as an element of R_{t}. As in (5), we then define
$$ \mathsf{ct}_{\text{pack}}^{(1)}(\vec{A}) := \mathsf{Enc}\left(\mathsf{pm}_{1}(\vec{A}), \mathsf{pk}\right) $$
as the packed ciphertext of the first type. This type is the same as that given in [16].
2. Unlike the first type, set
$$ \mathsf{pm}_{2}(\vec{A}) := -\sum_{i = 0}^{n-1} A_{i} x^{n-i}. $$
As the second type, we define
$$ \mathsf{ct}_{\text{pack}}^{(2)}(\vec{A}) := \mathsf{Enc}\left(\mathsf{pm}_{2}(\vec{A}), \mathsf{pk}\right). $$
This type is always needed for efficient computation of a secure inner product (see Theorem 1 below).
Our packing method packs a vector of length n into a single ciphertext, whichever type is used. Hence, compared to coefficient-wise encryption, it reduces the encrypted data size considerably.
3.2 Secure inner product computation
Due to two types of our packing method, we have the following result on secure inner product computation:
Theorem 1 (Secure inner product computation).
Proof.
in R_{ t } since x^{ n }=−1. This completes the proof.
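The following toy implementation, added here as an illustration and not the authors' code, carries the scheme of Section 2.1 and the two packing types of Definition 2 through the secure inner product of this section, with the bit-wise method of Section 1.3 beside it for contrast. The encryption formula (ct = (a_0·u + t·g + m, a_1·u + t·f) for u, f, g ← χ) and the rule for multiplying two fresh ciphertexts into a three-element one are assumed from the Brakerski–Vaikuntanathan paper [4], since the page reproduces only key generation; the parameters n = 16, t = 17, σ = 1 and the prime q = 998244353 = 119·2^23 + 1 (so q ≡ 1 mod 2n) are toy values with no security, chosen so the arithmetic stays readable, and all function names are ours.

```python
"""Toy polynomial-LWE SHE with the two-type packing method (added example, not the
authors' code).  Parameters are tiny and give NO security; they only keep the arithmetic readable."""
import random

N = 16            # lattice dimension n (power of two): ring Z[x]/(x^n + 1)
T = 17            # plaintext modulus t; t > n so <A,B> for binary vectors of length n is exact
Q = 998244353     # prime q = 119 * 2^23 + 1, so q = 1 (mod 2n) as required in Section 2.1
SIGMA = 1.0       # toy error std-dev (the paper uses 4..8 together with a 61..73-bit q)

def poly_mul(a, b, mod, n=N):
    """Product in Z_mod[x]/(x^n + 1): a term x^k with k >= n wraps to -x^(k-n)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return [c % mod for c in res]

def poly_add(a, b, mod):
    return [(x + y) % mod for x, y in zip(a, b)]

def centered(a, mod):
    """[z]_q of the 'Basic notation': representative in [-q/2, q/2)."""
    return [(c + mod // 2) % mod - mod // 2 for c in a]

def sample_error(sigma=SIGMA):
    """chi = D_{Z^n, sigma}: draw N(0, sigma) per coefficient and round (Section 2.1)."""
    return [round(random.gauss(0, sigma)) for _ in range(N)]

def keygen():
    """pk = (a0, a1) with a0 = -(a1*s + t*e), sk = s (Section 2.1, Key generation)."""
    s, e = sample_error(), sample_error()
    a1 = [random.randrange(Q) for _ in range(N)]
    a0 = [(-(x + T * y)) % Q for x, y in zip(poly_mul(a1, s, Q), e)]
    return (a0, a1), s

def encrypt(m, pk):
    """BV11 encryption, assumed from [4] (the page omits the formula):
    ct = (a0*u + t*g + m, a1*u + t*f), u, f, g <- chi, so c0 + c1*s = m + t*(g + f*s - e*u)."""
    a0, a1 = pk
    u, f, g = sample_error(), sample_error(), sample_error()
    c0 = [(x + T * y + z) % Q for x, y, z in zip(poly_mul(a0, u, Q), g, m)]
    c1 = [(x + T * y) % Q for x, y in zip(poly_mul(a1, u, Q), f)]
    return [c0, c1]

def decrypt(ct, s):
    """Dec(ct, sk) = [c0 + c1*s + c2*s^2 + ...]_q mod t; works for 2- and 3-element ciphertexts."""
    acc, s_pow = [0] * N, [1] + [0] * (N - 1)
    for c in ct:
        acc = poly_add(acc, poly_mul(c, s_pow, Q), Q)
        s_pow = poly_mul(s_pow, s, Q)
    return [c % T for c in centered(acc, Q)]

def hom_add(ct1, ct2):
    """ct + ct': elementwise; both ciphertexts must have the same number of ring elements."""
    return [poly_add(a, b, Q) for a, b in zip(ct1, ct2)]

def hom_mul(ct1, ct2):
    """ct * ct' on two fresh ciphertexts: (c0,c1)*(d0,d1) = (c0d0, c0d1 + c1d0, c1d1), 3 elements."""
    (c0, c1), (d0, d1) = ct1, ct2
    return [poly_mul(c0, d0, Q),
            poly_add(poly_mul(c0, d1, Q), poly_mul(c1, d0, Q), Q),
            poly_mul(c1, d1, Q)]

def pm1(vec):
    """First packing type: pm_1(A) = sum_i A_i x^i (Definition 2, type 1)."""
    return [v % T for v in vec] + [0] * (N - len(vec))

def pm2(vec):
    """Second type: pm_2(B) = -sum_i B_i x^(n-i); with x^n = -1 the i = 0 term becomes +B_0."""
    poly = [0] * N
    for i, v in enumerate(vec):
        poly[(N - i) % N] = (v if i == 0 else -v) % T
    return poly

def secure_inner_product(vec_a, vec_b, pk, sk):
    """Each company packs its vector into ONE ciphertext, the cloud does ONE homomorphic
    multiplication (eq. (6)), and the assayer reads <A,B> mod t off the constant term (Theorem 1)."""
    ct = hom_mul(encrypt(pm1(vec_a), pk), encrypt(pm2(vec_b), pk))
    return decrypt(ct, sk)[0]

def bitwise_inner_product(xs, ys, pk, sk):
    """The Section 1.3 approach for contrast: one ciphertext per entry, m products summed (eq. (1))."""
    acc = None
    for x, y in zip(xs, ys):
        prod = hom_mul(encrypt(pm1([x]), pk), encrypt(pm1([y]), pk))
        acc = prod if acc is None else hom_add(acc, prod)
    return decrypt(acc, sk)[0]

if __name__ == "__main__":
    pk, sk = keygen()
    A = [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed purchase vectors
    B = [1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1]
    print("packed:", secure_inner_product(A, B, pk, sk), "bit-wise:", bitwise_inner_product(A, B, pk, sk))
```

The packed path sends two fresh ciphertexts and performs a single homomorphic multiplication, whereas the bit-wise path of Section 1.3 needs 2m ciphertexts and m multiplications; both decrypt to the same inner product because only the i = j terms of pm_1(A)·pm_2(B) land on x^0 once x^n is replaced by −1. The `% T` inside `pm2` stores −B_i as t − B_i; the homomorphic product is lifted to the integers at decryption and reduced modulo t, so the sign is recovered exactly as in the proof of Theorem 1.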
Remark 2 (Privacy enhancing technique).
Remark 3 (Other applications).

private statistics (e.g., sum and standard deviation),

statistical analysis (e.g., covariance), and

distances (e.g., the Hamming distance).
In particular, secure Hamming distance can be applied in privacy-preserving biometrics to measure the similarity of two biometric feature vectors on encrypted data. See our previous works [19,21] for secure Hamming distance in SHE schemes (note that [19] uses the SHE scheme of [11] based on ideal lattices). Furthermore, our method can be applied to efficient computation of multiple Hamming distance values for secure pattern matching (see [20]).
4 Parameter setting of the scheme
Here we discuss how to choose parameters (n,q,t,σ) of the SHE scheme that are suitable (though perhaps not optimal) for the secure inner product (6) over packed ciphertexts, and we give several parameter sets of more than 80-bit security level. For simplicity, we only consider a secure inner product between two binary vectors \(\vec {A}, \vec {B}\) of length n. In this case, we can pack each of \(\vec {A}\) and \(\vec {B}\) into a single ciphertext with our packing method (see the diagram below). In the application scenario of Section 1.1, we assume that the number m of customer IDs is smaller than the lattice dimension n (see our previous work [22] for the case m>n), and the two binary vectors \(\vec {A}\) and \(\vec {B}\) represent the purchase history data of items X and Y, respectively (note that this differs from the representation of purchase history data in Figure 1).
4.1 Correctness and security
which condition gives a lower bound of q for the correctness.
where c is the constant determined by the attack advantage ε (\(c \approx \sqrt {\lg (1/\varepsilon)/(\lg 2\cdot \pi)}\) by [13]), and here we take c=3.758, corresponding to ε=2^{−64} (only the two values 2^{−32} and 2^{−64} are considered for ε in [16], and we take just one of them in this paper).
4.2 Chosen parameters and security levels
Table 1 Chosen parameters (i)–(iv) and their estimated security levels

  Parameter   n       q        t   σ   δ         t_{Adv}
  (i)         2048    61-bit   n   8   1.00499   140-bit
  (ii)        4096    65-bit   n   8   1.00266   400-bit
  (iii)       8192    69-bit   n   8   1.00141   775-bit
  (iv)        16384   73-bit   n   8   1.00075   1554-bit
For the chosen parameters (i)–(iv) in Table 1, we also give the expected running time t_{Adv} computed by relation (9). However, their security analysis seems no longer state-of-the-art because of the old NTL implementation. We therefore remark that the t_{Adv} data in Table 1 are only a reference, but they indicate a rough standard of the security level of each parameter. For example, the parameter (iv) in Table 1 is estimated to have much more than 1000-bit security against the distinguishing attack with advantage ε=2^{−64}.
5 Implementation results
For the four parameters (i)–(iv), we implemented the SHE scheme with our packing method for the secure inner product computation (6). Our experiments ran on an Intel Xeon X3480 at 3.07 GHz with 16 GB memory, and we used our own software library, written with x86_64 inline assembly in C, for all computations in the base ring \(R_{q} = \mathbb {F}_{q}[x]/(x^{n} + 1)\) of the ciphertext space. Our C code was compiled with gcc 4.6.0 on Linux. To obtain efficient multiplication in R_{q}, we implemented the Montgomery reduction algorithm for all parameters, the Karatsuba multiplication algorithm only for parameter (i), and multiplication based on the FFT (Fast Fourier Transform) for (ii)–(iv). Our experiments show that the Karatsuba method is about twice as fast as the FFT method for parameter (i), whereas the FFT method is faster than the Karatsuba method for parameters (ii)–(iv) (e.g., about 5 times faster for the largest parameter (iv)).

Sizes For parameter (i), the size of \(\mathsf {pk} = (a_{0}, a_{1}) \in {R_{q}^{2}}\) is 2n·lg(q)≈31.2 KB, and the size of sk=s∈R_{q} is n·lg(q)≈15.6 KB. A fresh ciphertext consists of two elements of the ring R_{q}, so its size is also 2n·lg(q)≈31.2 KB. Therefore the packed ciphertexts \(\mathsf {ct}_{\text {pack}}^{(1)}(\vec {A})\) and \(\mathsf {ct}_{\text {pack}}^{(2)}(\vec {B})\) are each about 31.2 KB. In contrast, the non-fresh ciphertext ct given by (6) has three ring elements, and its size is about 46.8 KB. Note that the size of a non-fresh ciphertext depends on its number of ring elements, which grows with each homomorphic multiplication; in this paper, however, we only need up to three elements for the computation (6), which requires only one homomorphic multiplication.

Performances The key generation (excluding the prime generation) ran in about 1.89 milliseconds (ms), the packed encryption of a binary vector of length less than n=2048 took about 3.65 ms, the secure inner product computation (6) took about 5.31 ms, and finally the decryption took about 3.47 ms.
Table 2 Running times (and ciphertext sizes) for parameters (i)–(iv)

  Parameter   Packed encryption      Secure inner product     Decryption
  (i)         3.65 ms (31.2 KB)      5.31 ms (46.8 KB)        3.47 ms
  (ii)        23.03 ms (66.6 KB)     34.34 ms (99.8 KB)       22.17 ms
  (iii)       48.07 ms (141.3 KB)    71.25 ms (212.0 KB)      46.35 ms
  (iv)        107.25 ms (299.0 KB)   159.45 ms (448.5 KB)     103.94 ms
6 Conclusions
We proposed a new packing method for the SHE scheme based on the polynomial LWE assumption that efficiently computes the inner product over packed ciphertexts, which can be used for set intersection computation in marketing analysis. According to our implementation, our method enables us to compute a secure inner product between two binary vectors of length n=2048 (resp. 4096, 8192, and 16384) in 5.31 ms (resp. 34.34, 71.25, and 159.45 ms). Furthermore, by dividing vectors into blocks of length n, we can pack vectors of length m into ⌈m/n⌉ ciphertexts and compute the inner product over the packed ciphertexts. For n=2048 and m=10,000, we need ⌈m/n⌉=5 packed ciphertexts, and a secure inner product between two binary vectors of length m=10,000 takes about 5×5.31=26.55 ms. These performances are practical in real life, and hence we hope that the SHE scheme with our packing method will be used in various applications, mainly including marketing analysis. However, our packing method can only be used between two parties, so our future work is to develop a new method applicable to set intersection computation among more than three parties.
Endnote
^{a} This is a full version paper of the work [22] presented at the Forum on Information Technology (FIT2013).
Acknowledgements
The authors would like to thank the anonymous reviewers for their useful and helpful comments to improve the paper.
References
[1] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Theory of Cryptography–TCC 2005. Lecture Notes in Computer Science, pp. 325–341. Springer (2005)
[2] Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Innovations in Theoretical Computer Science–ITCS 2012, pp. 309–325. ACM (2012)
[3] Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Foundations of Computer Science–FOCS 2011, pp. 97–106. IEEE (2011)
[4] Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Advances in Cryptology–CRYPTO 2011. Lecture Notes in Computer Science, pp. 505–524. Springer (2011)
[5] Chen, Y., Nguyen, P.: BKZ 2.0: better lattice security estimates. In: Advances in Cryptology–ASIACRYPT 2011. Lecture Notes in Computer Science, pp. 1–20. Springer (2011)
[6] Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Advances in Cryptology–CRYPTO 2011. Lecture Notes in Computer Science, pp. 487–504. Springer (2011)
[7] Cramer, R., Shoup, V., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Advances in Cryptology–EUROCRYPT 1997. Lecture Notes in Computer Science, pp. 103–118. Springer (1997)
[8] Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Advances in Cryptology–CRYPTO 2012. Lecture Notes in Computer Science, pp. 643–662. Springer (2012)
[9] Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009)
[10] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Symposium on Theory of Computing–STOC 2009, pp. 169–178. ACM (2009)
[11] Gentry, C., Halevi, S.: Implementing Gentry’s fully-homomorphic encryption scheme. In: Advances in Cryptology–EUROCRYPT 2011. Lecture Notes in Computer Science, pp. 129–148. Springer (2011)
[12] Gentry, C., Halevi, S., Smart, N.: Homomorphic evaluation of the AES circuit, pp. 850–867. Springer (2012)
[13] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Topics in Cryptology–CT-RSA 2011. Lecture Notes in Computer Science, pp. 319–339. Springer (2011)
[14] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Advances in Cryptology–EUROCRYPT 2010. Lecture Notes in Computer Science, pp. 1–23. Springer (2010)
[15] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
[16] Naehrig, M., Lauter, K., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security–CCSW 2011, pp. 113–124. ACM (2011)
[17] Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Advances in Cryptology–EUROCRYPT 1999. Lecture Notes in Computer Science, pp. 223–238. Springer (1999)
[18] van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Advances in Cryptology–EUROCRYPT 2010. Lecture Notes in Computer Science, pp. 24–43. Springer (2010)
[19] Yasuda, M., Shimoyama, T., Kogure, J., Yokoyama, K., Koshiba, T.: Packed homomorphic encryption based on ideal lattices and its application to biometrics. In: Modern Cryptography and Security Engineering–MoCrySEn 2013. Lecture Notes in Computer Science, pp. 55–74. Springer (2013)
[20] Yasuda, M., Shimoyama, T., Kogure, J., Yokoyama, K., Koshiba, T.: Secure pattern matching using somewhat homomorphic encryption. In: Proceedings of the 5th ACM Workshop on Cloud Computing Security–CCSW 2013, pp. 65–76. ACM (2013)
[21] Yasuda, M., Shimoyama, T., Kogure, J., Yokoyama, K., Koshiba, T.: Practical packing method in somewhat homomorphic encryption. In: Data Privacy Management and Autonomous Spontaneous Security. Lecture Notes in Computer Science, pp. 34–50. Springer (2014)
[22] Yasuda, M., Shimoyama, T., Yokoyama, K., Kogure, J.: A customer information analysis between enterprises using homomorphic encryption (in Japanese). In: Forum on Information Technology–FIT 2013, pp. 15–22. IPSJ (2013)
[23] Yasuda, M., Yajima, J., Shimoyama, T., Kogure, J.: Secret totalization of purchase histories of companies in cloud (in Japanese). In: 29th Symposium on Cryptography and Information Security–SCIS 2012, number 3D2. IEICE (2012)
Copyright
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.