Parallelly Running and Privacy-Preserving k-Nearest Neighbor Classification in Outsourced Cloud Computing Environments

Abstract

Classification is used in various areas where k-nearest neighbor classification is the most popular as it produces efficient results. Cloud computing with powerful resources is one reliable option for handling large-scale data efficiently, but many companies are reluctant to outsource data due to privacy concerns. This paper aims to implement a privacy-preserving k-nearest neighbor classification (PkNC) in an outsourced environment. Existing work proposed a secure protocol (SkLE/SkSE) to compute k data with the largest/smallest value privately, but this work discloses information. Moreover, SkLE/SkSE requires a secure comparison protocol, and the existing protocols also contain information disclosure problems. In this paper, we propose a new secure comparison and SkLE/SkSE protocols to solve the abovementioned information disclosure problems and implement PkNC with these novel protocols. Our proposed protocols disclose no information and we prove the security formally. Then, through extensive experiments, we demonstrate that the PkNC applying the proposed protocols is also efficient. Especially, the PkNC is suitable for big data analysis to handle large amounts of data, since our SkLE/SkSE is executed for each dataset in parallel. Although the proposed protocols do require efficiency sacrifices to improve security, the running time of our PkNC is still significantly more efficient compared with previously proposed PkNCs.

1. Introduction

In the era of big data, data mining and machine learning are important tools used to extract valuable information and predict outcomes, and these tools need to be able to analyze large-scale data [1,2]. For the sake of efficiency, large volumes of data are typically analyzed by cloud computing services at large IT companies, such as Amazon and Google [3], where there is ample and easy access to powerful resources for analyzing the plethora of data from a massive number of data owners. From the standpoint of data owners, it is more efficient to have the cloud handle analysis and return the results than attempt to analyze their own data. These days, as parallelly processing utilities, such as Hadoop, are becoming more widely disseminated, it is becoming easier to utilize cloud computing.

Although cloud computing for big data analysis has significant advantages, many companies and users are still reluctant to use these services due to privacy concerns surrounding outsourced cloud computing environments [3] because cloud computing service providers can access and reveal outsourced data, thus causing privacy problems. Even though data owners encrypt their own data before transmission as a preventative privacy-protecting measure, cloud service providers can obtain information regardless just by analyzing access patterns, which are the access records for original data according to computation results.

As for privacy protection techniques, there are secure multiparty computation and homomorphic encryption currently in use. In order to facilitate privacy-preserving computation for secret values in secure multiparty computation, non-colluding parties perform computation with their shares generated from secret values in which the values or the computation results cannot be obtained by any party as long as the parties do not collude. However, since shared data are typically not encrypted, we focus on homomorphic encryption in this paper. Homomorphic encryption is an encryption scheme in which original data can be computed in an encrypted form by a third party, such as a cloud. Partially homomorphic encryption is a type of the homomorphic encryption and allows only one type of operation with an unlimited number of times [4].

Classification is a major data analysis task that is used in a variety of areas, such as medical diagnoses, spam mail detection, and credit evaluation [5,6,7,8,9]. In this vein, k-nearest neighbor classification is popular since it produces efficient results and yields high performance. Given a classified dataset and an unclassified input query, k-nearest neighbor classification selects k data most similar to the input query, which is classified by the majority class of the k data. The target of this present work is to implement a protocol to compute k-nearest neighbor classification privately, which we call privacy-preserving k-nearest neighbor classification (PkNC). Since k-nearest neighbor classification is used for big data analysis wherein the largest parameter is the number of data, it is critical that the communication round (i.e., running time) of PkNC is independent of the number of data.

As shown Figure 1, the proposed PkNC is executed in dual non-colluding cloud servers: a data host (DH) and a cryptographic service provider (CSP). DH receives an encrypted dataset from data owner and an encrypted input query from a querier, and CSP has a decryption key. At a high level, DH runs PkNC with CSP and then it returns the class of the input query based on the dataset in an encrypted form. Our PkNC does not disclose any information about a dataset, an input query, and the resultant class to an adversary as well as even DH and CSP to run PkNC.

In order to compute k data that are most similar to an input query (i.e., k smallest distances between the data and the input query) both privately and efficiently, one existing work [10] proposed a secure k-largest/smallest element (SkLE/SkSE) protocol and applied it to PkNC. The SkLE/SkSE executes at most l rounds where l is the length of an element, meaning that if k elements (distances) with the largest/smallest value are found before the last l-th round, it terminates for efficiency. The existence of different ending points for each input dataset implies that SkLE/SkSE [10] discloses information about the input dataset. In other words, starting from the ($l-1$)-th bit of all input elements, the ending bit of SkLE/SkSE contains the information about k largest/smallest elements. For example, if SkLE to find k largest elements terminates in the first ($l-1$)-th bit, the values of k largest elements are more than $2^{l-1}$. (This case is realistic since l is the effective size to represent an element rather than the maximum size to support in a protocol.) Contrarily, if SkLE terminates in the last 0-th bit, two values of the smallest one in the k largest elements and the largest one in the other elements are equal or their difference is 1.Therefore, it is necessary to protect the ending bit in existing SkLE/SkSE protocol [10].

Table 1. Security comparison of our protocols and existing protocols.

	Secure Comparison Protocol	SkLE/SkSE Protocol
[11]	×	◯
[10]	×	×
$\left[\mathrm{This}\mathrm{work}\right]$	◯	◯

briefly shows the security of our proposed protocols compared with existing protocols.

Moreover, SkLE/SkSE requires a secure comparison protocol, but existing works [10,11] result in information disclosure problems. Specifically, when two input data are unequal, DH sends CSP a vector that consists of random values including 0 or 1. When two input data are equal, however, DH sends CSP a vector that consists of only random values, therefore meaning that CSP learns information about whether two input data are equal or not.

In addition, recently, researchers have proposed many PkNCs, but they are not formally proven [12,13,14] or expose some information about input data. PkNCs that are formally proven [11,15,16], unfortunately, are more inefficient as the volume of data increases, making these unsuitable for big data analysis that must compute large-scale data.

Contributions

In this paper, we propose new secure comparison and SkLE/SkSE protocols that solve the abovementioned information disclosure problems. We subsequently implement PkNC using the proposed protocols and demonstrate through the experiments that our proposals are practical. Firstly, we propose a secure comparison protocol that improves security by solving the information disclosure problem. In short, regardless of whether two input data are equal or unequal, DH sends CSP the similar vector that consists of either random values including 0 or only random values according to a random coin. Our secure comparison protocol guarantees privacy for the input data and results. We present this proposed secure comparison protocol in Section 4.1 and formally prove its security in Section 4.2.

Secondly, we propose a new SkLE/SkSE that improves security by solving the information disclosure problems in existing SkLE/SkSE [10]. To achieve this, the proposed SkLE/SkSE consistently terminates in the last round regardless of the input dataset, meaning that it does not disclose any information about the content of the input dataset. We denote the existing SkLE/SkSE [10] focused on efficiency by the efficient version of SkLE/SkSE (SkLE${}_E$/SkSE${}_E$). Similarly, we denote the proposed SkLE/SkSE to improve security by the secure version of SkLE/SkSE (SkLE${}_S$/SkSE${}_S$), which we present in Section 4.3. The proposed SkLE${}_S$/SkSE${}_S$ secures the privacy regarding the input dataset including the results and hides data access patterns even from DH and CSP. We formally prove its security in Section 4.4.

SkLE${}_S$/SkSE${}_S$ is advantageous because it is highly efficient for large dataset as it executes for each dataset in parallel. In other words, the communication round, which is proportionate to running time, is independent of the number of data, which indicates that it is suitable for big data analysis. It is additionally suitable for PkNC applications with a large k of nearest neighbors since its communication round is independent of the parameter k. In order for existing protocols [11,17] to privately compute k largest/smallest data in the dataset, they must serially run a maximum/minimum protocol to compare all data k times. This means that the communication rounds in these existing protocols grow linearly with the number of data and parameter k. That is, existing works are unsuitable for both big data analysis and PkNC application with a large k.

In order to demonstrate that our proposed SkLE${}_S$/SkSE${}_S$ and secure comparison protocols are practical, we implement PkNC including them and conduct extensive experiments with a real dataset. Figure 2 shows the ratio of the running time of PkNCs for the same volume of data in which our PkNC is much more efficient than existing PkNCs. Specifically, our PkNC takes 4.38 min for 1728 data and 28.95 min for 8124 data. Note that the features of running time of our PkNC is comparable to those of SkLE${}_S$/SkSE${}_S$, since the running time of SkLE${}_S$/SkSE${}_S$ accounts for most running time of our PkNC. The performance of our PkNC is greatly improved in the cloud computing environment, since SkLE${}_S$/SkSE${}_S$ in our PkNC is executed in parallel and the cloud enables numerous simultaneously running parallel operations. In addition, the running time of our PkNC is also independent of k of nearest neighbors like SkLE${}_S$/SkSE${}_S$. We present our PkNC and its experiment in Section 5, where the experimental results support the above arguments.

However, it cannot be denied that our security-enhanced protocols do sacrifice some efficiency. While the existing SkLE${}_E$/SkSE${}_E$[10] runs at most l rounds according to input dataset, our SkLE${}_S$/SkSE${}_S$ consistently runs l rounds regardless, meaning that the number of communication rounds of SkLE${}_S$/SkSE${}_S$ is equal to or more than that of SkLE${}_E$/SkSE${}_E$. Our secure comparison protocol does require one more communication round than the existing comparison protocols [10,11]. Nevertheless, we emphasize that the improved security benefits of our proposed protocols compared to the existing protocols [10,11] outweigh this sacrifice, and our PkNC is undeniably more efficient than existing PkNCs [11,15,16]. Lastly, we summarize the contributions of this paper as follows.

• We propose a secure comparison (SCI) protocol to solve the information disclosure problem in existing works.
• Using the secure comparison, we propose new secure k-largest/smallest element (SkLE/SkSE) protocols, which solve the information disclosure problem and hide data access patterns.
• Using the proposed SkLE/SkSE, we implement a privacy-preserving k-nearest neighbour classification (PkNC) protocol.
• We prove the securities of the proposed protocols formally and demonstrate that the proposed protocols are practical through PkNC experiments with real datasets. In other words, PkNC is suitable for big data analysis to handle large-scale dataset and have large k of nearest neighbors, since it is executed for each dataset in parallel.

The remainder of this paper is organized as follows. We briefly review existing works in Section 2 and explain preliminary concepts necessary for understanding our work such as system model and adversary model, performance evaluation measures, and functionalities for our proposed protocols in Section 3. In Section 4, we present the proposed secure comparison and SkLE${}_S$/SkSE${}_S$ protocols along with formal proofs. Then, we explain the implementation of PkNC using the proposed protocols and demonstrate their efficiency by analyzing experimental results in Section 5. Lastly, we conclude this work in Section 6.

2. Related Works

Privacy-preserving data analysis was first proposed by Lindell and Pinkas in 2000. In this protocol, there were two parties, each with their own confidential dataset, who wish to extract valuable information in union of their datasets without disclosing information to the other party. Since then, many researchers have become interested in privacy-preserving data analysis, especially PkNC, and have proposed many protocols related to PkNC, which became a hot issue.

The authors of [17] proposed a privacy-preserving k-nearest neighbor (PPkNN) using the Paillier cryptosystem with an additively homomorphic encryption property. The PPkNN guarantees privacy for both a dataset and an input query, including PPkNN results, and hides data access patterns. Once data owners outsource their datasets and a querier sends its query (as with PkNC), cloud servers (i.e., DH and CSP) do not need to communicate with the data owners or the querier. However, the PPkNN returns k data closest to an input query rather than their majority class. The work of [11] improved on the PPkNN in [17] by proposing PPkNN classification (PkNC) to return the majority class of k data closest to an input query as a result, which formally proved its security. However, the comparison protocol in the PkNC discloses information about whether two input data are equal, which we will explain in Section 4.1. We will also demonstrate that our PkNC is more efficient than the PkNC in [11] in Section 5.2.

The work of [18] proposed PkNC in an environment with multiple keys and multiple clouds. Similar to the existing works [11,17], this PkNC guarantees privacy of datasets and an input query along with a result and hides data access pattern. In this use of the PkNC, after data owners upload encrypted data to respective cloud server, they can download and decrypt the encrypted data since they encrypt the data with their own key. In order to run the PkNC, cloud servers first convert the data encrypted with their own key into the data encrypted with the same key by proxy re-encryption, but in doing so, the PkNC exposes class information of k data closest to a query.

The authors of [19] proposed a more efficient PkNC than the scheme in [17] using Paillier and ElGamal cryptosystems. Similar to existing works, the PkNC returns the majority class of k data closest to an input query as a result and provides privacy of a dataset, an input query, a result, and data access patterns. However, the PkNC exposes to a querier classes of the k data closest to an input query rather than only their majority class. The authors in [20] proposed a very efficient PkNC for a large dataset, and this PkNC provides dataset security, key confidentiality, and query privacy as well as hides data access patterns. However, the PkNC does not provide semantic security for an outsourced dataset.

The authors of [21] proposed a very efficient PPkNN for a large dataset using an improved secure protocol for top-k selection and proved its simulation-based security formally. However, in order to improve efficiency, the top-k selection protocol returns an approximate result. In other words, it clusters a dataset using k-means algorithm and then, given a query, it selects several clusters that are closest to the query and computes the closest k data in the clusters. Using the PPkNN to output an approximate result, though, is unsuitable for applications that require an accurate classification result, such as medical diagnoses. The PPkNN also returns k data closest to a query rather than the majority class.

The PkNC in [16] provides not only privacy but also reliability of collected data. By using Blockchain, it assures that a dataset collected by data owners is trustworthy. However, there are efficiency concerns with this protocol as this PkNC requires almost one hour to process only 760 data. In practice, our PkNC is much more efficient, which will be explained in detail later in this paper. There is another PkNC that was presented in [15], which is adaptable for a high-dimensional dataset. While most existing PkNCs deal only with integers, this PkNC allows a dataset and an input query to exist as real numbers. Similar to our PkNC, the running time of the PkNC is independent of k of the nearest neighbors, but in contrast with our proposal, this PkNC requires huge memory to handle large volumes of data. The authors conducted an experiment for only 60 data in a machine with 8 GB RAM. This suggests that it requires large memory hardware, which is unsuitable for data analysis in the era of big data. Finally, the running time is also inefficient compared with our PkNC.

The authors of [22] proposed an efficient and privacy-preserving medical pre-diagnosis scheme based on multi-label k-nearest neighbors. Since a medical user can have multiple diseases at the same time, the scheme is practical. For the sake of efficiency, the scheme selects the dataset related to a medical user using k-means clustering and then performs the diagnosis scheme for the specific dataset. In other words, the scheme exposes data access patterns and cloud parties to run the scheme learn the information about a dataset or an input query. The work of [23] proposed PPkNN for eHealthcare data that combine kd-tree structure with homomorphic encryption. However, the PPkNN returns k data closest to a query as a result rather than their majority class. Moreover, a user must be authorized by data owners before sending an input query and therefore, the scheme is impractical. The authors of [12] proposed PkNC using kd-tree technique and order-preserving encryption, which protects data privacy as well as data access patterns. However, since the scheme also assumes that data owners and users are honest, it is impractical and its application is limited.

PPkNN is used for location-based services. The scheme of [13] that utilizes Moore curve [24] protects the privacy of input data such as location information and ensures the accuracy of a query result. The authors of [25] proposed a verifiable PPkNN that uses network Voronoi diagram [26]. It not only ensures the confidentiality of input data but also verifies the integrity of results. The mechanism in [27] protects the location privacy of the Internet of Connected Vehicles using Intent-based Networking. Using the machine learning ability of the network, it predicts the intent of location accesses and penalizes the malicious access. The authors of [28] proposed a privacy-preserving data sharing scheme on the edge computing service of IoT, which provides data service for IoT devices. The privacy-preserving scheme based on attribute encryption scheme realizes anonymous data sharing and access control. The authors of [29] proposed an online privacy-preserving on-chain certificate status service based on the blockchain architecture, which ensures decentralized trust and provides privacy protection. In other words, the efficient privacy-preserving certificate status check protocol solves the problems of limited block size, high latency, and privacy leakage in comparison to existing works based on the blockchain technology.The work of [30] suggested a feature weighting algorithm to select an informative feature from redundant data. The feature weight is measured with the margin between the sample and its hyperplane, which is more robust to the noise and outliers than existing works.

3. Preliminaries

In this section, we introduce our system model, security definitions, and Paillier cryptosystem as an additively homomorphic encryption scheme. We also explain how to evaluate the performance of a protocol and briefly introduce the functionalities used in our protocols.

3.1. System Model

Our proposed protocols are executed in dual non-colluding cloud servers (Figure 1): data host (DH) and cryptographic service provider (CSP). CSP generates a public key for encryption and a secret key for decryption, then sends the public key to DH. DH, which already has encrypted input data, runs a protocol with CSP. After completing a protocol, DH returns a result in an encrypted form.

In dual non-colluding cloud server model, neither DH nor CSP disclose any information about input data or results. Specifically, since DH runs a protocol for data in an encrypted form, it actually cannot obtain any information about input data or results. Even though CSP decrypts encrypted intermediate results that it receives from DH, it cannot obtain any information about input data or the results since the decrypted data are blinded by a random value. Therefore, as long as DH does not collude with CSP, our protocols ensure that no information about input data or computation results are revealed. The dual non-colluding cloud server model is realistic and reasonable since large IT companies such as Amazon and Google provide cloud computing services that prioritize reputation over gains from collusion.

3.2. Adversary Model and Security Definitions

Semi-Honest Adversary Model: In this paper, we assume that DH and CSP operate within a semi-honest adversary model, in which a compromised party follows a protocol specification but tries to obtain information about an input data and results by analyzing intermediate results. For example, in comparison protocols of existing works [10,11], CSP obtains information about whether two input data are equal by decrypting and analyzing intermediate results received from DH. In SkLE${}_E$/SkSE${}_E$ [10], the information about an input dataset is also exposed by its end point. Creating a protocol in a semi-honest adversary model is a meaningful as the first step toward designing a protocol with stronger security.

Security Definition: In order to formally prove the security of our proposed protocols, we use the security definition of a semi-honest adversary model in terms of two-party computation [31]. Loosely speaking, we demonstrate that a simulator can generate the view of a corrupted party in real protocol execution when given only the input and output [32]. The view of a corrupted party consists of inputs, internal coin tosses, and received messages. If a simulator can generate indistinguishable values from the view of a corrupted party in real execution, then the definition states that the protocol is secure. The definition is as follows [31].

Let $f:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^{*}\times {\{0,1\}}^{*}$ be a functionality, and $f_{DH}(x,y)$ (resp., $f_{CSP}(x,y)$) denote DH’s (resp., CSP’s) element of $f(x,y)$. Let $\pi$ be a two-party protocol for computing f. DH’s (resp., CSP’s) view during an execution of $\pi$ on $(x,y)$, denoted VIEW${}_{DH}^{\pi }(x,y)$ (resp., VIEW${}_{CSP}^{\pi }(x,y)$), is $(x,r,m_1,\dots ,m_t)$ (resp., $(y,r,m_1,\dots ,m_t)$), where r represents the outcome of DH’s (resp., CSP’s) internal coin tosses, and $m_i$ represents the i-th message it has received. DH’s (resp., CSP’s) output after an execution of $\pi$ on $(x,y)$, denoted OUTPUT${}_{DH}^{\pi }(x,y)$ (resp., OUTPUT${}_{CSP}^{\pi }(x,y)$), is implicit in the party’s own view of the execution, and OUTPUT${}^{\pi }(x,y)=($OUTPUT${}_{DH}^{\pi }(x,y),$OUTPUT${}_{CSP}^{\pi }(x,y))$.

Definition 1

(Privacy with respect to semi-honest behavior—general case).We say that π privately computes f if there exist probabilistic polynomial-time algorithms, denoted $S_{DH}$ and $S_{CSP}$ such that

$$\begin{array}{cc}\hfill {\left\{(S_{DH}(x,f_{DH}(x,y)),f(x,y))\right\}}_{x,y}& {\equiv }_c{\left\{(VIE{W}_{DH}^{\pi }(x,y),OUTPU{T}^{\pi }(x,y))\right\}}_{x,y}\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill {\left\{(S_{CSP}(y,f_{CSP}(x,y)),f(x,y))\right\}}_{x,y}& {\equiv }_c{\left\{(VIE{W}_{CSP}^{\pi }(x,y),OUTPU{T}^{\pi }(x,y))\right\}}_{x,y}\hfill \end{array}$$

(2)

${\equiv }_c$ means that two distributions are computationally indistinguishable. Since the functionalities of our proposed protocols are probabilistic, we use the above general case security definition, with which we prove the security of our secure comparison protocol in Section 4.2 and that of SkLE${}_S$ in Section 4.4.

Sequential Modular Composition Theorem: The sequential modular composition theorem [33] is a tool used to analyze the security of a protocol in a modular way [32]. We assume that ${\pi }_f$ is a protocol that computes a functionality f, which calls a subprotocol ${\pi }_g$ to compute a functionality g. The theorem states that, in order to analyze the security of ${\pi }_f$, it suffices to consider executing ${\pi }_f$ in a hybrid model where there is a third party to compute functionality g ideally instead of a party that executes a real subprotocol ${\pi }_g$ [32]. Therefore, in order to analyze the security of a protocol in a modular way, one first proves the security of ${\pi }_g$ and then proves the security of ${\pi }_f$ in a model that allows a party to compute functionality g ideally [32]. One denotes a model to analyze ${\pi }_f$ to call an ideal functionality g instead of ${\pi }_g$ by g-hybrid model. We prove the security of our secure comparison protocol in the $F_{SZP}$-hybrid model in Section 4.2 and that of SkLE${}_S$ in the $(F_{SM},F_{SBD},F_{SCI})$-hybrid model in Section 4.4.

3.3. Paillier Cryptosystem

As a partially homomorphic encryption scheme, we use the Paillier cryptosystem [34] in this paper. The Paillier cryptosystem is a probabilistic asymmetric encryption scheme with semantical security, which means that an adversary cannot learn any information about original data when given its encrypted data. Let $E_{pk}(·)=E(·)$ be the encryption function with a public key $pk$, and let $D_{sk}(·)=D(·)$ be the decryption function with a secret key $sk$, for which we drop the $pk$ and $sk$ for succinctness in this paper. The Paillier cryptosystem also holds additively homomorphic property which allows the addition of original data to be locally computed in an encryption form. In other words, given any two data $a,b\in {\mathbb{Z}}_N$, the following equations [10] are satisfied.

$$\begin{array}{cc}\hfill D(E\left(a\right)*E\left(b\right)mod{N}^2)& =a+bmodN\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill D\left(E{\left(a\right)}^{b}mod{N}^2\right)& =a·bmodN\hfill \end{array}$$

(4)

For succinctness, we drop the $mod{N}^2$ and the $modN$ terms in the remainder of this paper. We stress that alternative additively homomorphic schemes can also be applied to our proposed protocols in lieu of the Paillier cryptosystem.

3.4. Performance Evaluation

We analyze the performance of a protocol in terms of computational costs (i.e., the number of encryptions/decryptions and exponentiations where we assume that encryption and decryption take the same amount of time) and communication costs (i.e., the amount of communication and the number of communication rounds) [10]. Since other operations other than encryption/decryption and exponentiation, such as homomorphic addition, have little influence on efficiency, we do not consider these in computational costs. The amount of communication means the total amount of transmitted data to complete a protocol, which we denote as a multiple of C that is the size of a ciphertext. The number of communication rounds means the communication count executed in parallel [10].

3.5. Notation

For data x with $0\le x<2^l$, we let ${\langle x\rangle }_B=\langle x_{l-1},\dots ,x_1,x_0\rangle$ by the binary representation of the data x, where $x_0$ (resp., $x_{l-1}$) is the least significant bit, denoted by LSB (resp., the most significant bit, denoted by MSB) and $x={\sum }_{j=0}^{l-1}{x}_j·2^j$ for $x_j\in \{0,1\}$ [10]. Similarly, for a ciphertext $E\left(x\right)$ with $0\le x<2^l$, we let ${\langle E\left(x\right)\rangle }_B=\langle E\left(x_{l-1}\right),\dots ,E\left(x_1\right),E\left(x_0\right)\rangle$ by ciphertexts for individual bits of corresponding data x, where $x={\sum }_{j=0}^{l-1}{x}_j·2^j$ for $x_j\in \{0,1\}$ [10]. Let $\overline{x}$ by 1’s complement of data x, which is computed by toggling all bits of data. For example, 1’s complement of binary number 1010 is 0101. Similarly, for a bit $x_i$, we let the complement of $x_i$ by $\overline{x_i}$, which is computed by $\overline{x_i}=1-x_i$ for $x_i\in \{0,1\}$ [10].

$\left[n\right]$ for $n1$ means a set $\{1,2,\dots ,n\}$. For a set $I=\{i_1,i_2,\dots ,i_n\}$, ${\left\{d_i\right\}}_{i\in I}$ means $\{d_{i_1},d_{i_2},\dots ,d_{i_n}\}$. ${\left\{d_i\right\}}_{i\in \left[l\right]}$ can be called a vector d. For a set S, $r{\in }_{R}S$ means that a value r is chosen in the set S uniformly at random. $DH\to CSP:E\left(x\right)$ means that $DH$ sends $CSP$ a ciphertext $E\left(x\right)$. $a·b$ means a multiplication operation in an integer and $E\left(a\right)\ast E\left(b\right)$ means a homomorphic addition mentioned in Section 3.3. Throughout this paper, we let the number of data by n, the size of the Paillier ciphertext by C, and the upper-bound number of bits required to represent data by l, which is less than or equal to the modulus size $\left|N\right|$ of the Paillier cryptosystem (i.e., $l\le \left|N\right|$) [10].

3.6. Referenced Functionalities

In our protocols, calling a subprotocol to compute a functionality is presented as DH and CSP run an interactive protocol with a third party that computes the functionality ideally. Our proposed protocols call multiplication and bit decomposition protocols, for which we introduce secure multiplication functionality $F_{SM}$ and secure bit decomposition functionality $F_{SBD}$ in this subsection. The existing works [17,35] proposed the real protocols that privately compute $F_{SM}$ and $F_{SBD}$ in the dual non-colluding cloud server model mentioned in Section 3.1 and formally proved their security under semi-honest adversary model.

Secure Multiplication functionality $F_{SM}$: $F_{SM}$ receives $\left\{E\right(a),E(b\left)\right\}$ from DH and a secret key $SK$ from CSP, and then it sends $E\left(c\right)$ to DH where $c=a·b$. We define $F_{SM}$ as follows.

$$F_{SM}(\{E\left(a\right),E\left(b\right)\},SK)\to (E\left(c\right),\perp )$$

(5)

The real protocol that privately computes functionality $F_{SM}$ was proposed in [17]. It requires 6 encryptions/decryptions and 2 exponentiations, and $3·C$ bits are transmitted in 1 round.

Secure Bit Decomposition functionality $F_{SBD}$: $F_{SBD}$ receives $E\left(s\right)$ from DH and a secret key $SK$ from CSP, and then it sends $S^{\prime }$ to DH where $S^{\prime }=\{{\langle E\left(s\right)\rangle }_B,{\langle E\left(\overline{s}\right)\rangle }_B\}$. Recall that ${\langle E\left(s\right)\rangle }_B=\langle E\left(s_{l-1}\right),\dots ,E\left(s_1\right),E\left(s_0\right)\rangle$ and $\overline{s}$ is 1’s complement of the data s. We define $F_{SBD}$ as follows.

$$F_{SBD}(E\left(s\right),SK)\to (S^{\prime },\perp )$$

(6)

The real protocol that privately computes functionality $F_{SBD}$ is implemented by adding $E\left(\overline{s_i}\right)=E\left(1\right)\ast {E\left(s_i\right)}^{N-1}$ to the secure bit decomposition protocol proposed in [35]. We omit discussion about the detailed algorithm in this paper as it is trivial. This protocol requires $(3l+1)$ encryptions/decryptions and $(4l+2)$ exponentiations, and $(2l+2)·C$ bits are transmitted in $(l+1)$ rounds.

4. Proposed Secure Comparison and SkLE/SkSE Protocols

As mentioned earlier, if the existing SkLE${}_E$[10] finds k largest elements before the last l-th round, then it terminates. In other words, the existing SkLE${}_E$ [10] exposes information about input dataset because the end points vary according to input data. In this section, we solve this information disclosure problem with our proposed SkLE${}_S$/SkSE${}_S$, whose end point is consistently the same regardless of input dataset, such that SkLE${}_S$/SkSE${}_S$ does not expose any information about the input dataset. In order to construct SkLE${}_S$/SkSE${}_S$, we first propose a secure comparison and inequality (SCI) protocol that does not disclose any information.

4.1. Secure Comparison and Inequality (SCI) Protocol

In this section, we propose an SCI protocol to compare two input data privately. The proposed SCI protocol solves the information disclosure problem that occurred in existing comparison protocols (SMIN of [11] and SCP of [10]), in which at a high level, when two input data are unequal (i.e., one input dataset is larger or smaller than the other), DH sends CSP a vector that consists of random values including 0 or 1. However, when two input data are equal, DH sends CSP a vector that consists of only random values; thus, CSP can learn information about whether the two input data are equal or not. Our proposed SCI protocol does not disclose any information about two input data since DH sends CSP a vector that consists of either random values including 0 or only random values according to a random coin when the two input data are equal as well as when the two input data are unequal.

The secure comparison and inequality functionality $F_{SCI}$ receives $\{S^{\prime },k^{\prime }\}$ from DH and a secret key $SK$ from CSP where $S^{\prime }=\{{\langle E\left(s\right)\rangle }_B,{\langle E\left(\overline{s}\right)\rangle }_B\}$ and $k^{\prime }=\{{\langle k\rangle }_B,{\langle \overline{k}\rangle }_B\}$. Recall that ${\langle E\left(s\right)\rangle }_B=\langle E\left(s_{l-1}\right),\dots ,E\left(s_1\right),E\left(s_0\right)\rangle$ and $\overline{s}$ is 1’s complement of the data s as mentioned in Section 3.5. Then, $F_{SCI}$ sends $\left\{E\right(M),E(D\left)\right\}$ to DH where $E\left(M\right)=E\left(1\right)$ if $s<k$; otherwise, $E\left(M\right)=E\left(0\right)$ and $E\left(D\right)=E\left(1\right)$ if $s\ne k$ or else $E\left(D\right)=E\left(0\right)$. We define $F_{SCI}$ as follows.

$$F_{SCI}(\{S^{\prime },k^{\prime }\},SK)\to (\{E\left(M\right),E\left(D\right)\},\perp )$$

(7)

We present a real protocol to privately compute functionality $F_{SCI}$ in Algorithm 1 and provide an example in

Table 2. Example of Algorithm 1 for SCI protocol ($l=5$).

Input	Functionality	j	$\mathit{E}\left({\mathit{s}}_{\mathit{j}}\right)$	${\mathit{k}}_{\mathit{j}}$	$\mathit{E}\left({\mathit{w}}_{\mathit{j}}\right)$	$\mathit{E}\left({\mathit{x}}_{\mathit{j}}\right)$	$\mathit{E}\left({\mathit{y}}_{\mathit{j}}\right)$	$\mathit{E}\left(\mathit{\gamma }\right)$	$\mathit{E}\left({\mathit{y}}_0\right)$	$\mathit{E}\left({\mathit{z}}_{\mathit{j}}\right)$	$\mathit{E}\left({\mathit{u}}_{\mathit{j}}\right)$	$\mathit{E}\left(\mathit{\beta }\right)$	$\mathit{E}\left(\mathit{M}\right)$	$\mathit{E}\left(\mathit{D}\right)$
(Case 1) $s<k$ $s=26$ $k=29$	$F:s<k$ $(\alpha =0)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(0\right)$	1	$E\left(r\right)$	$E\left(1\right)$	$E\left(1\right)$			$E\left(0\right)$	$E\left(r\right)$	$E\left(1\right)$	$E\left(1\right)$	$E\left(1\right)$
		1	$E\left(1\right)$	0	$E\left(0\right)$	$E\left(1\right)$	$E\left(r\right)$			$E\left(r\right)$	$E\left(r\right)$
		0	$E\left(0\right)$	1	$E\left(r\right)$	$E\left(1\right)$	$E\left(r\right)$	$E\left(0\right)$	$E\left(r\right)$	$E\left(r\right)$	$E\left(r\right)$
	$F:s\ge k$ $(\alpha =1)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(0\right)$	1	$E\left(0\right)$	$E\left(1\right)$	$E\left(1\right)$			$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(1\right)$	$E\left(1\right)$
		1	$E\left(1\right)$	0	$E\left(r\right)$	$E\left(1\right)$	$E\left(r\right)$			$E\left(r\right)$	$E\left(r\right)$
		0	$E\left(0\right)$	1	$E\left(0\right)$	$E\left(1\right)$	$E\left(r\right)$	$E\left(0\right)$		$E\left(r\right)$	$E\left(r\right)$
(Case 2) $s>k$ $s=29$ $k=26$	$F:s<k$ $(\alpha =0)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(1\right)$	0	$E\left(0\right)$	$E\left(1\right)$	$E\left(1\right)$			$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(1\right)$
		1	$E\left(0\right)$	1	$E\left(r\right)$	$E\left(1\right)$	$E\left(r\right)$			$E\left(r\right)$	$E\left(r\right)$
		0	$E\left(1\right)$	0	$E\left(0\right)$	$E\left(1\right)$	$E\left(r\right)$	$E\left(0\right)$	$E\left(r\right)$	$E\left(r\right)$	$E\left(r\right)$
	$F:s\ge k$ $(\alpha =1)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(1\right)$	0	$E\left(r\right)$	$E\left(1\right)$	$E\left(1\right)$			$E\left(0\right)$	$E\left(r\right)$	$E\left(1\right)$	$E\left(0\right)$	$E\left(1\right)$
		1	$E\left(0\right)$	1	$E\left(0\right)$	$E\left(1\right)$	$E\left(r\right)$			$E\left(r\right)$	$E\left(r\right)$
		0	$E\left(1\right)$	0	$E\left(r\right)$	$E\left(1\right)$	$E\left(r\right)$	$E\left(0\right)$		$E\left(r\right)$	$E\left(r\right)$
(Case 3) $s=k$ $s=26$ $k=26$	$F:s<k$ $(\alpha =0)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(0\right)$	0	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$
		1	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		0	$E\left(0\right)$	0	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(1\right)$	$E\left(1\right)$	$E\left(0\right)$	$E\left(0\right)$
	$F:s\ge k$ $(\alpha =1)$	4	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		3	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		2	$E\left(0\right)$	0	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$	$E\left(1\right)$	$E\left(0\right)$	$E\left(0\right)$
		1	$E\left(1\right)$	1	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$			$E(-1)$	$E\left(r\right)$
		0	$E\left(0\right)$	0	$E\left(0\right)$	$E\left(0\right)$	$E\left(0\right)$	$E\left(1\right)$		$E(-1)$	$E\left(r\right)$

for easy understanding. Our SCI returns not only a comparison result ($E\left(M\right)$) but also an inequality result ($E\left(D\right)$), and one of two input datasets is in plaintext form ($k^{\prime }$). However, by modifying the SCI protocol slightly, it is possible to construct a common secure comparison protocol that returns only the comparison result without the inequality result, as well as ensuring that the two input data are all in an encrypted form. We omit discussion about the detailed algorithm because it is out of scope of this paper.

Algorithm 1: Secure Comparison and Inequality (SCI)

Intuitively, DH selects functionality $F(F:s<k$ or $F:s\ge k)$ by a random coin $\alpha$ and computes the functionality on two input data. CSP converts the computation result and returns the converted value ($\beta$) back to DH. Then, DH outputs result based on the converted value according to the random coin $\alpha$ (functionality F) selected by DH. As an idea for the SCI protocol, we modified the existing comparison protocol [10,11] so that an intermediate result of DH would be a vector that consists of either random values including 0 or only random values according to a random coin. We mentioned earlier that the intermediate result of DH in the existing comparison protocols [10,11] is either a vector that consists of random values including 0 or 1 if two input data are unequal or a vector that consists of only random values if two input data are equal. Therefore, when two input data are unequal, we modify 1 in a vector to be a random value. When two input data are equal, we modify one of the random values in a vector to 0 according to a random coin.

In order to avoid the scenario in which the intermediate result of DH becomes a vector that consists of only random values regardless of a random coin $\alpha$ when two input data are equal, we use functionality $F_{SZP}$, which privately computes whether all input data are 0 or not. Functionality $F_{SZP}$ receives ${\left\{E\left(x_i\right)\right\}}_{i\in \left[l\right]}$ from DH and a secret key SK from CSP, and then it sends $E\left(\gamma \right)$ to DH where $E\left(\gamma \right)=E\left(1\right)$ if all $x_i=0$; otherwise, $E\left(\gamma \right)=E\left(0\right)$. We define $F_{SZP}$ as follows.

$$F_{SZP}({\left\{E\left(x_i\right)\right\}}_{i\in \left[l\right]},SK)\to (E\left(\gamma \right),\perp )$$

(8)

We present a real protocol to privately compute functionality $F_{SZP}$ in Algorithm A1 of Appendix A. The protocol requires l encryptions/decryptions and $(l+1)$ exponentiations, and $(l+1)·C$ bits are transmitted in 1 round.

For easier understanding of Algorithm 1, we intuitively explain data without encryption. DH selects functionality F by tossing a random coin $\alpha$ (line 2), where $F:s<k$ if $\alpha =0$; otherwise, $F:s\ge k$. When DH selects functionality $F:s<k$ (resp., $F:s\ge k$), $w_j$ is random if $(s_j,k_j)=(0,1)$ (resp., $(s_j,k_j)=(1,0)$); otherwise, $w_j=0$ (lines 4–9). $x_j=1$ if $s_j\ne k_j$; otherwise, $x_j=0$ (line 10). $y_j=1$ is in the first bit with $s_j\ne k_j$ from the $(l-1)$-th bit and the other $y_j$ are either 0 or a random value (line 11). Let the first bit with $s_j\ne k_j$ from the $(l-1)$-th bit be the t-th bit. Then $y_t=1$, $y_j=0$ for $j=t+1,\dots l-1$, and $y_j$ is the random value for $j=0\dots t-1$.

If s is equal to k, then $\gamma =1$; otherwise $\gamma =0$ (line 14), since $x_j=0$ if $s_j=k_j$; otherwise, $x_j=1$ in line 10. If DH selects $F:s<k$ ($\alpha =0$), it adds $\gamma$ to $y_0$ so that it can send CSP a vector that consists of random values including 0 when $s=k$ and CSP returns $\beta =0$ back to DH (lines 14–18). Note that, even though $\gamma$ is added to the fixed 0-th position of y, CSP cannot know the position since the information about the position is removed by a permutation $\sigma$ (line 23). If DH selects $F:S\ge k$ ($\alpha =1$), it does not add $\gamma$ so that it can send CSP a vector that consists of only random values and CSP returns $\beta =1$ back to DH.

Let the position with $y_j=1$ be the t-th bit. When the selected functionality F is different from the relation of the two input data$,$i.e., either when DH selects $F:s<k$, the relation of two input datasets is $s>k$ or when DH selects $F:s\ge k$, the relation of two input datasets is $s<k$−−−$u_t=0$ and the other $u_j$ are random (lines 19–22). Conversely, when the selected functionality F is same as the relation of two input data$,$i.e., either when DH selects $F:s<k$, the relation of two input datasets is $s<k$ or when DH selects $F:s\ge k$, the relation of two input datasets is $s>k$−−−all $u_j$ are random by adding $w_j$ in line 21. In addition, when two input data are equal ($s=k$) and the selected functionality is $F:s<k$$,$i.e., if the selected functionality F is different from the relation of two input data−−−u is a vector that consists of random values including $u_0=0$ since DH adds $\gamma =1$ to $y_0$ in lines 16–18. If the selected functionality is $F:s\ge k$$,$i.e., when the selected functionality F is same as the relation of two input data−−−u is a vector that consists of only random values. After permutation $\sigma$ of ${\left\{u_j\right\}}_{j\in \{0,\dots ,l-1\}}$, DH sends CSP the permutated vector v (lines 23–24).

CSP returns $\beta =0$ (resp., $\beta =1$) back to DH if it receives a vector that consists of random values including 0 (resp., a vector that consists of only random values). Specifically, CSP decrypts $v_j^{\prime }$ and obtains $v_j$ (line 26). If there is an element with 0 in the vector v, CSP sends $\beta =0$ to DH. If the vector v consists of only random values, CSP sends $\beta =1$ to DH (lines 27-32). Even though the position of an element with 0 in a vector u (line 21) includes information about the first position with $s_j\ne k_j$ or the 0-th bit when $s=k$, CSP cannot learn any information since it is removed by a permutation in line 23. DH privately computes the result M based on the $\beta$ and according to the $\alpha$ selected by DH. Specifically, DH sets the result M to $\beta$ ($M\leftarrow \beta$) if $\alpha =0$ and the complement of $\beta$ ($M\leftarrow 1-\beta$) if $\alpha =1$ (lines 34–38). In conclusion, the result M satisfies the condition $M=(s<k)=(\alpha \oplus \beta$) for input data s and k. DH privately computes inequality result D for input data s and k (line 39).

Computation and communication costs: SCI protocol requires $2l$ encryptions/ decryptions and $(4l+3)$ exponential computations, and $2(l+1)·C$ bits are transmitted in two rounds. Specifically, SZP requires l encryptions/decryptions in line 14, and CSP decrypts $v_j^{\prime }$ for $j=0,\dots ,l-1$ in line 26. Exponential computations are executed $3l$ times in lines 9, 11, and 21, and two times in lines 37 and 39. Exponential computations in lines 5 and 7 are excluded since $k_j$ is a public value in $\{0,1\}$. Therefore, the total exponential computations of SCI are $(4l+3)$ including $(l+1)$ times in line 14. The amount of communication is $2(l+1)·C$ bits including $(l+1)·C$ bits in line 14. There are two communication rounds including once in line 14.

4.2. Proof of SCI Protocol

In this section, we denote SCI protocol (Algorithm 1) by ${\pi }_{SCI}$ and prove that ${\pi }_{SCI}$ privately computes $F_{SCI}$ in the $F_{SZP}$-hybrid model. In other words, we demonstrate that ${\pi }_{SCI}$ privately computes $F_{SCI}$ given access to functionality $F_{SZP}$. Intuitively, ${\pi }_{SCI}$ does not disclose any information about the comparison result including the input data to DH and CSP. In other words, the output M of ${\pi }_{SCI}$ satisfies the condition $M=(s<k)=(\alpha \oplus \beta )$ where DH knows a random coin $\alpha$ and not $\beta$ since it receives the $\beta$ from CSP in an encrypted form. Therefore, DH cannot learn any information about the computation result. On the contrary, CSP knows $\beta$ and not $\alpha$ since CSP cannot learn any information about functionality F selected by $\alpha$. This functionality is chosen uniformly at random by DH, and thus, CSP cannot learn any information about the computation result. In terms of proof, the DH simulator can generate the view of DH since DH only sees a random coin and data encrypted with semantically secure encryption scheme. The CSP simulator can also generate the view of CSP, which sees a vector that consists of either random values including 0 or only random values according to a random coin $\alpha$ which is selected uniformly at random.

Theorem 1.

${\pi }_{SCI}$ privately computes $F_{SCI}$ in the $F_{SZP}$-hybrid model in the presence of a semi-honest adversary.

Proof of Theorem 1.

We demonstrate that joint distribution of the view and the output of the real protocol ${\pi }_{SCI}$ is computationally indistinguishable from that of the outputs of simulators and functionality $F_{SCI}$. Specifically, we demonstrate that (1) the view of DH is computationally indistinguishable from the output of the DH simulator, (2) the view of CSP is computationally indistinguishable from the output of the CSP simulator, and (3) the output of the real execution ${\pi }_{SCI}$ is computationally indistinguishable from that of functionality $F_{SCI}$.

(1)

The view of DH in the real protocol ${\pi }_{SCI}$ is as follows.

$$VIE{W}_{DH}^{SCI}(\{S^{\prime },k^{\prime }\},SK)=\{\{S^{\prime },k^{\prime }\},\alpha ,E\left(\gamma \right),E\left(\beta \right)\}$$

(9)

In ${\pi }_{SCI}$, $\alpha$ is a random coin that DH tosses (line 2), $E\left(\gamma \right)$ is a ciphertext returned from $F_{SZP}$ (line 14), and $E\left(\beta \right)$ is a ciphertext received from CSP (line 32). Intuitively, since $E\left(\gamma \right)$ and $E\left(\beta \right)$ are in an encrypted form, the DH simulator can generate the view as random values.

DH simulator $S_{DH}$

Input: The simulator $S_{DH}$ receives input $\{S^{\prime },k^{\prime }\}$ and output $\left\{E\right(M),E(D\left)\right\}$ of DH.

• Simulation

-

The simulator chooses values $r^1$, $r^2$ and $r^3$ uniformly at random, where $r^1{\in }_R\{0,1\}$ and $r^2,r^3{\in }_R{\mathbb{Z}}_{N^2}$.

-

The simulator defines $\{\{S^{\prime },k^{\prime }\},r^1,r^2,r^3\}$ as the view of DH.

-

The simulator outputs the view of DH and halts.

Random coin $\alpha {\in }_R\{0,1\}$ is indistinguishable from random $r^1$${\in }_R\{0,1\}$. Since the Paillier cryptosystem is semantically secure and the ciphertext is less than $N^2$, $E\left(\gamma \right)$ and $E\left(\beta \right)$ are computationally indistinguishable from $r^2$ and $r^3$. Therefore, the view of DH and the output of $S_{DH}$ are computationally indistinguishable.

(2)

The view of CSP in the real protocol ${\pi }_{SCI}$ is as follows.

$$VIE{W}_{CSP}^{SCI}(\{S^{\prime },k^{\prime }\},SK)=\{SK,{\left\{v_j^{\prime }\right\}}_{j\in \{0,\dots ,l-1\}},{\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}\}$$

(10)

In ${\pi }_{SCI}$, ${\left\{v_j^{\prime }\right\}}_{j\in \{0,\dots ,l-1\}}$ is a vector that consists of ciphertexts received from DH (line 24) and ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$ is obtained by decrypting the ${\left\{v_j^{\prime }\right\}}_{j\in \{0,\dots ,l-1\}}$ (line 26). Intuitively, the CSP simulator can generate ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$, which is a vector that consists of either random values including 0 or only random values according to a random coin, and it can generate ${\left\{v_j^{\prime }\right\}}_{j\in \{0,\dots ,l-1\}}$ by encrypting the ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$.

CSP simulator $S_{CSP}$

Input: The simulator $S_{CSP}$ receives a secret key $SK$ as CSP input.

• Simulation

-

The simulator tosses a random coin $c\in \{0,1\}$.

-

If a random coin c is 0, the simulator sets $r_0^4$ to 0 and chooses ${\left\{r_j^4\right\}}_{j\in \{1,\dots ,l-1\}}$ uniformly at random where $r_j^4{\in }_R{\mathbb{Z}}_N$.

-

If a random coin c is 1, the simulator chooses ${\left\{r_j^4\right\}}_{j\in \{0,\dots ,l-1\}}$ uniformly at random where $r_j^4{\in }_R{\mathbb{Z}}_N$.

-

The simulator permutes ${\left\{r_j^4\right\}}_{j\in \{0,\dots ,l-1\}}$ uniformly at random and sets them to ${\left\{r_j^5\right\}}_{j\in \{0,\dots ,l-1\}}$.

-

The simulator computes ${\left\{E\left(r_j^5\right)\right\}}_{j\in \{0,\dots ,l-1\}}$.

-

The simulator defines $\{SK,{\left\{E\left(r_j^5\right)\right\}}_{j\in \{0,\dots ,l-1\}},{\left\{r_j^5\right\}}_{j\in \{0,\dots ,l-1\}}\}$ as the view of CSP.

-

The simulator outputs the view of CSP and halts.

As presented in Algorithm 1 (${\pi }_{SCI}$), ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$ is a vector that consists of either random values including 0 or only random values according to a random coin $\alpha$. Therefore, ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$ is indistinguishable from ${\left\{r_j^5\right\}}_{j\in \{0,\dots ,l-1\}}$. ${\left\{v_j^{\prime }\right\}}_{j\in \{0,\dots ,l-1\}}$ to encrypt ${\left\{v_j\right\}}_{j\in \{0,\dots ,l-1\}}$ is indistinguishable from ${\left\{E\left(r_j^5\right)\right\}}_{j\in \{0,\dots ,l-1\}}$.

(3)

As explained earlier, the result of ${\pi }_{SCI}$ satisfies the condition $M=(\alpha \oplus \beta )=(s<k)$. As shown in Table 2, when $s<k$ ($M=1$) and DH chooses a random coin $\alpha =0$ (resp., $\alpha =1$), then CSP returns $\beta =1$ (resp., $\beta =0$). On the contrary, when $sk$ ($M=0$) and DH chooses a random coin $\alpha =0$ (resp., $\alpha =1$), CSP returns $\beta =0$ (resp., $\beta =1$). Therefore, the result $E\left(M\right)$ of ${\pi }_{SCI}$ is the same as that of $F_{SCI}$. As for $E\left(D\right)$, $x_j=0$ if $s_j=k_j$; otherwise, $x_j=1$ (line 10). If s is equal to k (i.e., all $x_j$ is 0), $F_{SZP}$ returns $\gamma =1$ (line 14) and $D=0$ (line 39); otherwise if s is unequal to k (i.e., there is an element with 1 in a vector x), $F_{SZP}$ returns $\gamma =0$ (line 14) and $D=1$ (line 39). In other words, the result $E\left(D\right)$ of ${\pi }_{SCI}$ is the same as that of $F_{SCI}$. Therefore, the output of ${\pi }_{SCI}$ is computationally indistinguishable from that of $F_{SCI}$. □

4.3. Secure Version of S$\mathit{k}$LE/S$\mathit{k}$SE (S$\mathit{k}$LE${}_{\mathbf{S}}$/S$\mathit{k}$SE${}_{\mathbf{S}}$)

Secure version of SkLE (SkLE${}_S$): In this subsection, we propose SkLE${}_S$ to privately compute k largest elements in an array (i.e., k largest data in a dataset) in which no information is disclosed. The merit of SkLE${}_S$ is that it is very efficient since it is executed for each element in parallel. In order to compute k largest elements privately, the communication rounds of existing protocols [11,17] are proportional to the number of elements and parameter k of nearest neighbors since they serially repeat maximum protocol k times where the maximum protocol serially compares all elements. However, since our SkLE${}_S$ is executed for each element in parallel and computes k largest elements in only one execution, the communication rounds are independent of the number of elements and the parameter k. Therefore, it is suitable for both big data analysis that handles a large volume of data (elements) and PkNC applications with large k of nearest neighbors. Since, for best performance, SkLE${}_S$ needs to simultaneously execute as many operations as the number of elements, performance is greatly improved in the cloud computing environment, which enables numerous parallel operations. In addition, our SkLE${}_S$ solves the information disclosure problem occurring in SkLE${}_E$ [10]. The SkLE${}_E$[10] varies the end points running at most l rounds according to input array where l is the length of an element. This ultimately means that it discloses information about the input array. However, SkLE${}_S$ consistently runs l rounds regardless of input array, and therefore, it does not disclose any information about input array.

$F_{SkL{E}_S}$ receives a set of encrypted elements ${\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]}$ from DH and a secret key $SK$ from CSP, and then it sends ${\left\{E\left(K_i\right)\right\}}_{i\in \left[n\right]}$ to DH where $K_i=1$ if an element $e_i$ is included in the set of k largest elements; otherwise, $K_i=0$. We define $F_{SkL{E}_S}$ as follows.

$$F_{SkL{E}_S}({\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]},SK)\to ({\left\{E\left(K_i\right)\right\}}_{i\in \left[n\right]},\perp )$$

(11)

An element $e_i$ in an input dataset has auxiliary data that consists of $\{K_i,P_i,C_i\}\in {\{0,1\}}^3$, and SkLE${}_S$ privately computes the set of k largest elements by computing the auxiliary data for each round. $K_i$ is the output of SkLE${}_S$, which indicates whether or not the corresponding element $e_i$ is included in the set of k largest elements. $P_i$ means whether or not the corresponding element $e_i$ is a predicted k-largest element in corresponding round. SkLE${}_S$ finds k largest elements and a predicted k-largest element in the set of candidate elements, where $C_i$ indicates whether or not the corresponding element $e_i$ is included in the set of candidate elements. Once an element $e_i$ is included in the set of k largest elements, it is irreversible. (i.e., $K_i=0\to 1$ but $1\nrightarrow 0$). Similarly, once an element $e_i$ is excluded from the set of candidate elements, it is irreversible. (i.e., $C_i=1\to 0$ but $0\nrightarrow 1$).

In each round, SkLE${}_S$ privately computes auxiliary data for 1 bit of all elements from the $(l-1)$-th bit (MSB) to the 0-th bit (LSB) where l is the length of an element. Resultant k largest elements in an array are the elements $e_i$ with $K_i=1$, which means the elements included in the set of k largest elements. We present a real protocol to privately compute functionality $F_{SkL{E}_S}$ in Algorithm 2 and show an example in

Table 3. Example of Algorithm 2 for SkLE${}_S$ protocol.

j	${\left\{{\langle \mathit{E}\left({\mathit{e}}_{\mathit{i}}\right)\rangle }_{\mathit{B}}\right\}}_{\mathit{i}\in \left[5\right]}$1	${\left\{\mathit{E}\left({\mathit{P}}_{\mathit{i}}\right)\right\}}_{\mathit{i}\in \left[5\right]}$	$\mathit{E}\left(\mathit{M}\right)$
	${\left\{\mathit{E}\left({\mathit{K}}_{\mathit{i}}\right)\right\}}_{\mathit{i}\in \left[5\right]}$	${\left\{\mathit{E}\left({\mathit{C}}_{\mathit{i}}\right)\right\}}_{\mathit{i}\in \left[5\right]}$	$\mathit{E}\left(\mathit{D}\right)$
·	·	·	·
	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	·
7	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right)$
	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(1\right)$
6	$E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right)$
	$E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(1\right)$
5	$E\left(0\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(0\right)$
	$E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(1\right)$
4	$E\left(0\right),E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(1\right)$
	$E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(0\right),E\left(1\right),E\left(1\right),E\left(1\right)$	$E\left(1\right)$
3	$E\left(1\right),E\left(0\right),E\left(1\right),E\left(1\right),E\left(0\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right)$	$E\left(0\right)$
	$E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(0\right),E\left(1\right),E\left(1\right),E\left(0\right)$	$E\left(1\right)$
2	$E\left(0\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(1\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$
	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$
1	$E\left(0\right),E\left(1\right),E\left(0\right),E\left(0\right),E\left(1\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$
	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$
0	$E\left(1\right),E\left(0\right),E\left(1\right),E\left(1\right),E\left(0\right)$	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$
	$E\left(1\right),E\left(1\right),E\left(1\right),E\left(0\right),E\left(0\right)$2	$E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right),E\left(0\right)$	$E\left(0\right)$

Parameters: $k=3, l=8;$ ¹ input: ${\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[5\right]} = \{{\langle E\left(73\right)\rangle }_B,{\langle E\left(54\right)\rangle }_B,{\langle E\left(45\right)\rangle }_B,{\langle E\left(41\right)\rangle }_B,{\langle E\left(38\right)\rangle }_B,\}$; ² output ${\left\{\langle E\left(K_i\right)\rangle \right\}}_{i\in \left[5\right]}$ means {73, 54, 45} are the three largest elements in array {73, 54, 45, 41, 38}.

for easy understanding. Note that DH locally performs all computations in Algorithm 2 except for the interactive protocols for functionalities $F_{SM}$, $F_{SBD}$, and $F_{SCI}$. Recall that n is the number of all elements and l is the upper-bound number of bits required to represent an element $e_i$.

The idea of SkLE${}_S$ is to remove all elements from the set of candidate elements after it finds k largest elements so that it keeps the results equal. Since the existing SkLE${}_E$[10] terminates after it finds k largest elements, it does not need to consider computation of auxiliary data for k largest elements. Since our SkLE${}_S$ does not terminate after finding k largest elements so that it is consistently executed l rounds, it needs a method to keep the results of the k largest elements equal even though it perform the same computation as before finding them. For this, when SkLE${}_S$ finds k largest elements, it removes all elements from the set of candidate elements ($C_i\leftarrow 0$) since k largest elements are found in the set of candidate elements.

For easy understanding of Algorithm 2, we intuitively explain the data without encryption. First, DH initializes auxiliary data $K_i$ and $C_i$ for all elements $e_i$ so that there are no elements in the set of k largest elements (i.e., $K_i\leftarrow 0$), and all elements are included in the set of candidate elements (i.e., $C_i\leftarrow 1$) (lines 2–5). For 1 bit of an element $e_i$, DH and CSP privately compute auxiliary data $P_i$, $K_i$, and $C_i$$\in {\{0,1\}}^3$ in each round (lines 6–24), which consists of the following four steps. We assume DH and CSP compute auxiliary data for the j-th bit of all elements in the $(l-j)$-th round ($j=l-1,\dots ,0$).

Algorithm 2: Secure version of SkLE (SkLE${}_S$)

     (Step 1: lines 7–10) privately computing predicted k-largest element ($P_i$): A predicted k-largest element for the j-th bit is an element $e_i$ where bit 1 exists at least once from the $(l-1)$-th bit to the j-th bit. In other words, a predicted k-largest element for the j-th bit is either a candidate element ($C_i=1$) whose j-th bit is 1 ($e_{i,j}=1$) or a k-largest element ($K_i=1$) in the previous round, which means that $e_{i,j}=1$ exists at least once for $j=l-1,\dots ,j+1$. Therefore, $E\left(P_i\right)$ is computed as follows.

$$E\left(P_i\right)\leftarrow E(e_{i,j}·C_i+K_i)$$

(12)

(Step 2: line 11) privately computing the number of all predicted k-largest elements (s): Since the value of the auxiliary data for a predicted k-largest element is either 0 or 1 (i.e., $P_i\in \{0,1\}$), the number s of all predicted k-largest elements is computed by adding up all of the values as follow.

$$E\left(s\right)\leftarrow E\left({\sum }_{i=1}^n{P}_i\right)={\prod }_{i=1}^{n}E\left(P_i\right)$$

(13)

(Step 3: lines 12–13) privately comparing the number s of all predicated k-largest elements to parameter k of nearest neighbors: For the comparison of s and k, DH and CSP run an interactive protocol with a party to ideally compute functionality $F_{SCI}$ mentioned in Section 4.1. In order to compute $S^{\prime }$ for input of $F_{SCI}$, DH and CSP also run an interactive protocol with a party to ideally compute secure bit decomposition functionality $F_{SBD}$, as mentioned in Section 3.6. We do not present how to compute $k^{\prime }=\{{\langle k\rangle }_B,{\langle \overline{k}\rangle }_B\}$ in this paper because k is a public parameter and $k^{\prime }$ can be computed easily.

(Step 4: lines 14–23) privately computing k largest elements ($K_i$) and candidate elements ($C_i$): As mentioned earlier, a predicted k-largest element is a candidate element whose bit is 1 in the corresponding round. Similarly, let unpredicted k-largest element be a candidate element whose bit is 0 in the corresponding round. DH and CSP privately compute whether or not an element ($e_i$) is included in the set of k largest elements ($K_i$) and the set of candidate elements ($C_i$) according to comparison results (M and D) of the number s of predicted k-largest elements and parameter k. The idea to compute $K_i$ and $C_i$ is to include the predicted k-largest elements to the set of k largest elements if $s<k$ and to exclude the unpredicted k-largest elements from the set of candidate elements if $s>k$. If $s=k$, all predicted k-largest elements are included in the set of k largest elements, and the other candidate elements (i.e., unpredicted k-largest elements) are excluded from the set of candidate elements in order to keep the set of k largest elements as a result since k largest elements are found in the set of candidate elements.

Table 4. Values of $K_i$ and $C_i$ according to the cases in SkLE${}_S$.

	Candidate (${\mathit{K}}_{\mathit{i}}=0,{\mathit{C}}_{\mathit{i}}=1$)		Non-Candidate (${\mathit{C}}_{\mathit{i}}=0$)
	Predicted    (${\mathit{e}}_{\mathit{i},\mathit{j}}=1$)	Unpredicted    (${\mathit{e}}_{\mathit{i},\mathit{j}}=0$)	${\mathit{e}}_{\mathit{i},\mathit{j}}=1$	${\mathit{e}}_{\mathit{i},\mathit{j}}=0$
$s>k$	$K_i\to K_i$ $C_i\to C_i$	(case 2) $K_i\to K_i$ $C_i\to 0$	(case 5) $K_i\to K_i$ $C_i\to C_i$
$s<k$	(case 1) $K_i\to 1$ $C_i\to 0$	$K_i\to K_i$ $C_i\to C_i$
$s=k$	(case 3) $K_i\to 1$ $C_i\to 0$	(case 4) $K_i\to K_i$ $C_i\to 0$

shows values of $C_i$ and $K_i$ for an element $e_i$ according to each case. (case 1) When $s<k$ (i.e., the number of predicted k-largest elements is less than parameter k), a predicted k-largest element (i.e., an element $e_i$ with $e_{i,j}=1$ and in the set of candidate elements) is included in the set of k largest elements ($K_i\leftarrow 1$) and is excluded from the set of candidate elements ($C_i\leftarrow 0$). (case 2) When $s>k$, an unpredicted k-largest element (i.e., an element $e_i$ with $e_{i,j}=0$ that is in the set of candidate elements) is excluded from the set of candidate elements ($C_i\leftarrow 0$). (case 3) When $s=k$, a predicted k-largest element is included in the set of k largest elements ($K_i\leftarrow 1$) and is excluded from the set of candidate elements ($C_i\leftarrow 0$). (case 4) Then, the other elements in the set of candidate elements (i.e., unpredicted k-largest elements) are excluded from the set ($C_i\leftarrow 0$). (case 5) Since there is no element in the set of candidate elements, the values of $K_i$ and $C_i$ for all elements (i.e., the set of k largest elements and the set of candidate elements) are kept equal for the same computation of $K_i$ and $C_i$. According to Table 4, $E\left(K_i\right)$ and $E\left(C_i\right)$ are computed as follows.

$$\begin{array}{cc}\hfill E\left(K_i\right)& \leftarrow E(K_i+e_{i,j}·C_i·(1-D+D·M))\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill E\left(C_i\right)& \leftarrow E(C_i·(M+e_{i,j}·D·(1-2M)))\hfill \end{array}$$

(15)

     When SkLE${}_S$ cannot determine k largest elements due to the presence of multiple elements with the same value, it returns as a result the elements in the set of candidate elements as well as the set of k largest elements (lines 25–27). For example, when SkLE${}_S$ finds the three largest elements (k = 3) in array $\{1,2,3,3,4,5\}$, it returns the four largest elements $\{3,3,4,5\}$ as a result.

Parallelism: In each round, the proposed SkLE${}_S$ performs computation either for each element in parallel or all elements in common. Therefore, the communication rounds regarding running time is independent of the number of elements. The operations in lines 7–10 and lines 17–23 are computed for each element independently and in parallel. The operations in lines 12–16 are computed once in common regardless of the number of elements. Although just as many homomorphic additions are serially computed as the number of elements in line 11, we do not consider them as computation and communication costs since homomorphic addition has little influence on efficiency, as mentioned in Section 3.4.

Computation and communication costs: SkLE${}_S$ requires $(24n+5l^{\prime }+7)·l$ encryptions/ decryptions and $(8n+8l^{\prime }+9)·l$ exponential computations, and $(12n+4l^{\prime }+7)·l·C$ bits are transmitted in $(l^{\prime }+8)·l$ rounds where l represents the size of an element $e_i$, and $l^{\prime }$ represents the size of the number of elements. Recall that SM requires six encryptions/decryptions and two exponential computations, and $3·C$ bits are transmitted in one round, as mentioned in Section 3.6. Specifically, SM in line 8 requires $6nl$ encryptions/decryptions and $2nl$ exponential computations, and $3nl·C$ bits are transmitted since SMs for n elements are repeated l times. However, the number of communication rounds is l since SMs for n elements are executed in parallel. Likewise, SM operations in lines 18–22 are executed $nl$ times and the operations in lines 11–16 are executed l times, respectively.

Secure version of SkSE (SkSE${}_S$): SkSE${}_S$ privately computes k smallest elements without disclosing information about an input array or results. In conclusion, SkSE${}_S$ is constructed by inputting 1’s complement of an input array to SkLE${}_S$ as follows.

$$SkSE\left({\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]}\right)=SkLE\left({\left\{{\langle E\left(\overline{e_i}\right)\rangle }_B\right\}}_{i\in \left[n\right]}\right)$$

(16)

In order to construct SkSE${}_S$, we followed a similar process to SkLE${}_S$ in this section, and then reached the above conclusion. For more details, please refer to [10].

4.4. Proof of S$\mathit{k}$LE Protocol

In this section, we denote SkLE${}_S$ protocol (Algorithm 2) by ${\pi }_{SkL{E}_S}$ and prove that ${\pi }_{SkL{E}_S}$ privately computes $F_{SkL{E}_S}$ in the $(F_{SM},F_{SBD},F_{SCI})$-hybrid model. Since SkSE${}_S$ is constructed by SkLE${}_S$, we do not prove the security of SkSE${}_S$. We demonstrate that ${\pi }_{SkL{E}_S}$ privately computes $F_{SkL{E}_S}$ given access to the functionalities $F_{SM}$, $F_{SBD}$, and $F_{SCI}$. Intuitively, ${\pi }_{SkL{E}_S}$ does not disclose any information about an input array and results to DH and CSP since DH receives randomized ciphertexts from functionalities and CSP does not receive any data.

Theorem 2.

${\pi }_{SkL{E}_S}$ privately computes $F_{SkL{E}_S}$ in the $(F_{SM},F_{SBD},F_{SCI})$-hybrid model in the presence of a semi-honest adversary.

Proof of Theorem 2.

We demonstrate that joint distribution of the view and the output of the real protocol ${\pi }_{SkL{E}_S}$ is computationally indistinguishable from that of the outputs of simulators and functionality $F_{SkL{E}_S}$. Specifically, we demonstrate that (1) the view of DH is computationally indistinguishable from the output of the DH simulator and (2) the output of DH in ${\pi }_{SkL{E}_S}$ is computationally indistinguishable from output of DH in $F_{SkL{E}_S}$. We do not consider the view and output of CSP because it does not receive any messages.

(1)

We define DH’s view of the real protocol ${\pi }_{SkL{E}_S}$ as follows.

$$\begin{array}{cc}\hfill VIE{W}_{DH}^{SkL{E}_S}(\left\{{\langle E\left(e_i\right)\rangle }_B\right\}& {}_{i\in \left[n\right]},SK)=\{{\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]},{\left\{E\left(u_i\right)\right\}}_{i\in \left[n\right]},\{{\langle E\left(s\right)\rangle }_B,{\langle E\left(\overline{s}\right)\rangle }_B\},\hfill \\ \hfill & \{E\left(M\right),E\left(D\right)\},E\left(\alpha \right),{\left\{E\left(v_i\right)\right\}}_{i\in \left[n\right]},{\left\{E\left(w_i\right)\right\}}_{i\in \left[n\right]},{\left\{E\left(C_i\right)\right\}}_{i\in \left[n\right]}\}\hfill \end{array}$$

(17)

All data in DH’s view are received from functionalities except for input ${\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]}$. Specifically, $\{{\langle E\left(s\right)\rangle }_B,{\langle E\left(\overline{s}\right)\rangle }_B\}$ are received from $F_{SBD}$ in line 12, $\left\{E\right(M),E(D\left)\right\}$ are received from $F_{SCI}$ in line 13, and the other data are received from $F_{SM}$. Intuitively, since DH sees the only data encrypted with a semantically secure encryption scheme, we can simulate DH’s view.

DH simulator $S_{DH}$

Input: The simulator $S_{DH}$ receives input ${\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]}$ and output ${\left\{E\left(K_i\right)\right\}}_{i\in \left[n\right]}$ of DH.

• Simulation

-

The simulator $S_{DH}$ chooses values ${\left\{r_i^1\right\}}_{i\in \left[n\right]}$, ${\left\{r_i^2\right\}}_{i\in \{0,\dots ,l-1\}}$, ${\left\{r_i^3\right\}}_{i\in \{0,\dots ,l-1\}}$, $r^4$, $r^5$, $r^6$, ${\left\{r_i^7\right\}}_{i\in \left[n\right]}$, ${\left\{r_i^8\right\}}_{i\in \left[n\right]}$, ${\left\{r_i^9\right\}}_{i\in \left[n\right]}$ uniformly at random where the values are in ${\mathbb{Z}}_{N^2}$.

-

The simulator defines $\{{\left\{{\langle E\left(e_i\right)\rangle }_B\right\}}_{i\in \left[n\right]},{\left\{r_i^1\right\}}_{i\in \left[n\right]},\{{\left\{r_i^2\right\}}_{i\in \{0,\dots ,l-1\}},{\left\{r_i^3\right\}}_{i\in \{0,\dots ,l-1\}}\},\{r^4,r^5\},r^6,{\left\{r_i^7\right\}}_{i\in \left[n\right]},{\left\{r_i^8\right\}}_{i\in \left[n\right]},{\left\{r_i^9\right\}}_{i\in \left[n\right]}\}$ as the view of DH.

-

The simulator outputs DH’s view and halts.

${\left\{E\left(u_i\right)\right\}}_{i\in \left[n\right]}$ are computationally indistinguishable from ${\left\{r_i^1\right\}}_{i\in \left[n\right]}$ since the Paillier cryptosystem is semantically secure and its ciphertext is less than $N^2$. Similarly, the other data in the view of DH are computationally indistinguishable from the simulator’s outputs. Therefore, the distribution of DH’s view is computationally indistinguishable from outputs of the simulator $S_{DH}$.

(2)

Let ${\pi }_{SkL{E}_S}$ compute auxiliary data for the j-th bit of all elements in the ($l-j$)-th round ($j=l-1,\dots ,0$). It is clear that a predicted k-largest element will be larger than other elements for the j-th bit because, from ($l-1$)-th bit to j-th bit, a predicted k-largest element has bit 1 at least once but the other elements are all 0. Predicted k-largest elements include k largest elements in the corresponding round. As shown in case 1 of Table 4, when $s<k$, predicted k-largest elements are included to the set of k largest elements ($K_i\leftarrow 1$). The prior k-largest elements remain the same since the predicted k-largest elements include them. When $s=k$, predicted k-largest elements are included in the set of k largest elements ($K_i\leftarrow 1$) as shown in Case 3. In addition, the other candidate elements (i.e., unpredicted k-largest elements) are excluded from the set of candidate elements ($C_i\leftarrow 0$) as shown in Case 4, so that k largest elements remain the same as in case 5. Since all elements in the set of k largest elements are larger than the other elements, output of ${\pi }_{SkL{E}_S}$ is computationally indistinguishable from that of functionality $F_{SkL{E}_S}$.

Hiding data access patterns: SkLE${}_S$ hides data access patterns for k largest ones of all elements. Informally, SkLE${}_S$ performs either the same computation for each element or a common computation for all elements. Specifically, auxiliary data $P_i$, $K_i$, and $C_i$ regarding k largest elements are computed by the same equations regardless of result (lines 7–10 and lines 17–23). The other computations in lines 11–16 are executed for all common elements. Since all data are encrypted with semantically secure encryption schemes, and therefore no information is disclosed, SkLE${}_S$ is secure against data access pattern attacks. □

5. Implementation and Experimental Results of Privacy-Preserving $\mathit{k}$-Nearest Neighbor Classification

In order to demonstrate the efficiency, we implemented a privacy-preserving k-nearest neighbor classification (PkNC) using the proposed SkLE${}_S$/SkSE${}_S$ and SCI protocols. Our extensive experiments contained real datasets, and we compared the experimental results with the results from existing PkNC experiments [11].

5.1. Privacy-Preserving $\mathit{k}$-Nearest Neighbor Classification

Given an unclassfied input query and a classified dataset, k-nearest neighbor classification selects k data most similar to the input query and classifies the unclassified input query by the majority class of the k selected data. Typically, PkNC algorithm consists of the following three steps.

• Step 1: computing distances between an input query and data in a dataset.
• Step 2: selecting k smallest distances.
• Step 3: computing the majority class of k data corresponding to the k smallest distances.

Table 5. Running time ratio by steps in our PkNC

	Step 1	Step 2		Step 3	Total
		SBD	SkLE${}_{\mathit{S}}$
Ratio	5%	9%	75%	11%	100%

shows the ratio of running time broken down by steps in our PkNC when applying SkLE${}_S$/SkSE${}_S$. Since the running time of SkLE${}_S$/SkSE${}_S$ accounts for most of the PkNC running time, the features of SkLE${}_S$/SkSE${}_S$ lead to those of PkNC in terms of running time. In order to improve the efficiency of PkNC, it is significant to compute step 2 efficiently. For more details about our PkNC algorithm, refer to Algorithm A2 in Appendix B.

As mentioned earlier, SkLE/SkSE has an efficient version (SkLE${}_E$/SkSE${}_E$) that focuses on efficiency and a secure version (SkLE${}_S$/SkSE${}_S$) that improves security. When comparing the secure version and the efficient version in terms of communication rounds related to running time, the secure version requires $2l$ communication rounds more than the efficient version in the worst case scenario. Despite this, we emphasize again that the security of the secure version is much improved.

5.2. Implementation and Experimental Results

We implemented PkNC to apply SkLE${}_S$/SkSE${}_S$ and SCI using the Paillier cryptosystem [36] as an additively homomorphic encryption scheme in C++. Then, we conducted an experiment on two Linux machines for DH and CSP. The Linux system features an Intel Core i7-4790 CPU 3.60 GHz processor and 15 GB RAM running Ubuntu 18.04 LTS. In particular, the machine has four cores and runs eight parallel operations via hyper-threading technology [37].

In order to show performance of our PkNC applying the proposed SkLE${}_S$/SkSE${}_S$ clearly, we conducted experiments with the Car Evaluation dataset used in existing work [11] and the Mushroom dataset from the UCI machine learning repository [38]. The Car Evaluation dataset [39] consists of 1728 data with six attributes and four classes, and the Mushroom dataset [40] consists of 8124 data with twenty-two attributes and two classes.

We first ran our PkNC for k = 1000 with the Car Evaluation dataset, which took 4 min 23 s when the key size is 1024 bits and the number of threads is 8.

Table 6. Running time comparison of our PkNC and the existing PkNCs.

	Number of Data	Running Time
[16]	760	61.8 min
[15]	60	5.4 min
[11]	1728	12 min
$\left[\mathrm{This}\mathrm{work}\right]$	1728	4.38 min

compares running times of our PkNC and existing PkNCs. These results verify that our PkNC, when utilizing SkLE${}_S$/SkSE${}_S$ and SCI protocols, is very efficient. Starting the above experiment, we varied the parameters such as the k of nearest neighbors, key size, the number of data, and the number of threads for parallel operations. At last, we compared and analyzed the resultant running times to that of existing PkNC [11], which is the most efficient of the previous protocols in Table 6.

Figure 3 shows the running times of our PkNC applying SkLE${}_S$/SkSE${}_S$ and an existing PkNC [11] for the k of nearest neighbors. It shows that the running time of our PkNC is independent of k as SkLE${}_S$/SkSE${}_S$. Since the existing PkNC runs a minimum protocol k times in order to privately compute k data with the smallest value, its running time rapidly increases for parameter k, but since SkLE${}_S$/SkSE${}_S$ in our PkNC privately computes k smallest data via only one execution regardless of k, our PkNC is independent of parameter k. Specifically, the existing PkNC took 12.02 min to 55.5 min as k increases from 5 to 25, and we expect that it would take more than one hour for k values exceeding 25. However, our PkNC took roughly 4.4 min regardless of parameter k. Therefore, our PkNC is much more efficient for k than the existing PkNC thanks to the efficiency of SkLE${}_S$/SkSE${}_S$.

Figure 4 shows the running time of our PkNC applying SkLE${}_S$/SkSE${}_S$ and the existing PkNC [11] for key size. It shows that the running time of our PkNC gradually increases in comparison with the existing PkNC. As the key size increases from 512 bits to 1024 bits, while running time of the existing PkNC rapidly increases 9.98 min to 66.97 min, our PkNC increases 1.2 min to 4.38 min. For 2048 bits of key size, our PkNC took only 27.2 min. Therefore, our PkNC is more efficient than the existing PkNC for key size.

Table 7. Communication amount and network delay of our PkNC and the existing PkNC [11] in 10 Mbps LAN.

	Communication Amount (Megabytes)	Network Delay (s)
[11]	154.78	123.82
$\left[\mathrm{This}\mathrm{work}\right]$	54.72	43.77

illustrates the amount of communication for our PkNC versus an existing PkNC [11] when key size is 1024 bits. It shows that the communication amount of our PkNC is roughly one-third of that of the existing PkNC. Specifically, while the existing PkNC needs to transmit data of 154.78 megabytes, our PkNC transmits only 54.72 megabytes. By assuming a common 10 Mbps LAN environment, while the network delay for the existing PkNC was 123.82 s, the delay for our PkNC is only 44 s.

     We also conducted an experiment for much more data than the Car Evaluation dataset (n = 1728) used in existing PkNC [11]. Even though the number of data in the Mushroom dataset (n = 8124) is more than the Car Evaluation dataset by 4.7 times, the running time of our PkNC is less than 30 min, which is more efficient than the existing PkNC with $k=15$. Therefore, our PkNC is more efficient than the existing PkNC for the number of data.

Figure 5 shows the running time of our PkNC for the number of threads (parallel operations). It implies that the performance of our PkNC is highly improved in the cloud computing environment to enable numerous parallel operations. This is because the proposed SkLE${}_S$/SkSE${}_S$ is executed for each dataset in parallel, as mentioned in Section 4.3. In other words, the figure shows that the running time decreased by half as the number of threads doubled. Specifically, our PkNC took 23.5 min for only one thread without parallel operations. When the number of threads doubled, its running time decreased roughly by half. That is, for our experiment, it took 11.4 min for two threads. Likewise, when the number of threads doubled, it took 5.3 min for four threads. However, when the number of threads reached eight, its running time decreased by slightly less than half since our machines used in the experiment have four cores and allow eight parallel operations via hyper threading technology. For more than eight threads, the running time ceased to decrease since our machines allow for at most eight parallel operations. This implies that performance of our PkNC, including SkLE${}_S$/SkSE${}_S$, can be improved greatly if it is executed in the cloud, where more parallel operations are allowed and supported.

However, our PkNC with SkLE${}_S$/SkSE${}_S$ applied requires a little more running time than the existing PkNC [10] with SkLE${}_E$/SkSE${}_E$, which focuses on efficiency but reveals some information. By our observations, the running time of our PkNC roughly increased by 11% in comparison with the existing PkNC [10]. The first reason for this is that SkLE${}_S$/SkSE${}_S$ requires 2l communication rounds more than SkLE${}_E$/SkSE${}_E$ as mentioned in Section 5.1. The second reason is that our SkLE${}_S$/SkSE${}_S$ consistently terminates in the last round regardless of an input dataset, while the earlier SkLE${}_E$/SkSE${}_E$ can terminate before the last round, or in the worst case scenario, it terminates in the last round according to an input dataset. In other words, the number of rounds for the proposed SkLE${}_S$/SkSE${}_S$ is more than or equal to that of the earlier SkLE${}_E$/SkSE${}_E$. The last reason is that our SCI protocol requires one more communication round than the existing comparison protocols [10,11]. However, we emphasize that the security of our SkLE${}_S$/SkSE${}_S$ is improved in comparison to that of SkLE${}_E$/SkSE${}_E$. Therefore, SkLE${}_S$/SkSE${}_S$ and SkLE${}_E$/SkSE${}_E$ should be selected in regards to the trade-off between security and efficiency. Nevertheless, we emphasize that the running time of our PkNC with SkLE${}_S$/SkSE${}_S$ applied is even more efficient than that of the existing PkNCs [11,15,16].

6. Conclusions

Data mining and machine learning are highly significant tools necessary for the analysis of large-scale data to return meaningful information. In order to handle large volumes of data efficiently, using outsourced cloud computing services has emerged as a viable option but that can lead to privacy problems, which is a pressing concern to resolve. Therefore, we focused on a privacy-preserving k-nearest neighbor classification (PkNC) in outsourced cloud computing environment. To this end, we proposed SkLE${}_S$/SkSE${}_S$ and SCI protocols to solve the information disclosure problems of SkLE${}_E$/SkSE${}_E$ and secure comparison protocols in the existing works [10,11]. We formally proved the securities of our SkLE${}_S$/SkSE${}_S$ and SCI protocols via the simulation paradigm. Then, we implemented PkNC to apply the proposed protocols in C++ and conducted extensive experiments with real datasets. Although the proposed SkLE${}_S$/SkSE${}_S$ and SCI protocols sacrifice some efficiency to improve security, our PkNC with the relevant protocols applied is still more efficient than the existing PkNCs.

The efficient and private algorithms, such as SkLE${}_S$/SkSE${}_S$ that are executed parallelly and disclose no information in outsourced cloud computing environments, will play an important role in improving the efficiency of big data analysis. We will continue, therefore, to study privacy-preserving big data analysis techniques in our future work with specific regard to improving SkLE/SkSE and proposing a privacy-preserving secure maximum/minimum protocol. By applying these protocols to big data analysis techniques like clustering, we will to contribute research on efficient and privacy-preserving big data analysis.