
6.6 Performance Analysis

6.6.3 Summary of Performance Analysis

The main problem with applying Yao’s solution in the association rule mining application is that Yao’s solution was designed for a single execution of a circuit. It was not designed to repeatedly execute the same circuit with different inputs. Of course, this limitation can be overcome by representing the whole association rule mining algorithm as one very large boolean circuit. However, the overhead makes execution impractical, since a large volume of data would need to be computed and stored. This is compounded by the fact that the general association rule mining algorithm is very recursive: the output of the current round depends on the previous round, which leads to redundancies in the garbled circuit. Based on the analysis in this section, we conclude that the fully homomorphic encryption solution is more efficient than Yao’s garbled circuit solution.

6.7 Experimental Evaluation

We implemented a software prototype to test the feasibility of our approach. The prototype was executed on a machine with a 3.40GHz Intel Core i7-2600 with 16GB of memory, running the Linux (3.1.0-1.2) operating system. We used an open source library of the Smart-Vercauteren fully homomorphic encryption scheme [93] to enable the cryptographic operations. Using this library we were able to measure the time required for the integer comparison method, which was required for the association rule mining application.

We separated the comparison method into three logical stages of computation: encryption, evaluation and decryption. The data or count value was represented as a vector of bits, which was encrypted by the fully homomorphic encryption scheme. Two integers, represented as bit vectors, were encrypted. In the case of the second integer, the number was converted to Two’s Complement before encryption. Next, the addition circuit was applied to the ciphertexts, which resulted in a single encrypted bit. Finally, this bit was decrypted to reveal the output of the circuit. We used bit vector lengths of 8, 16 and 32 to obtain an overall view of performance. The timings of encryption, evaluation and decryption are shown in Figures 6.7a, 6.7b, and 6.7c, respectively.
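The comparison described above can be modelled on plaintext bits using only XOR and AND gates, the two operations a bitwise FHE scheme evaluates on ciphertexts. This is an added example, not the prototype's code; the extra sign bit, the choice of the sum's top bit as the single output bit, and all names are assumptions.

```python
class GateCounter:
    """Plaintext stand-ins for the homomorphic gates, with usage counts."""

    def __init__(self):
        self.xor_gates = 0   # homomorphic addition mod 2 (cheap)
        self.and_gates = 0   # homomorphic multiplication mod 2 (costly)

    def xor(self, x, y):
        self.xor_gates += 1
        return x ^ y

    def and_(self, x, y):
        self.and_gates += 1
        return x & y


def to_bits(value, width):
    """Little-endian bit vector of a non-negative integer."""
    return [(value >> i) & 1 for i in range(width)]


def less_than(a, b, width):
    """Return (bit, gates); bit is 1 iff a < b for unsigned a, b < 2**width."""
    if not (0 <= a < (1 << width) and 0 <= b < (1 << width)):
        raise ValueError("inputs must fit in `width` bits")
    w = width + 1                      # assumption: one extra bit keeps the sign
    x = to_bits(a, w)
    y = to_bits((-b) % (1 << w), w)    # Two's Complement of b, taken before encryption
    g = GateCounter()
    carry, s = 0, 0
    for i in range(w):                 # ripple-carry adder over the bit vectors
        p = g.xor(x[i], y[i])
        s = g.xor(p, carry)            # sum bit i
        # The two carry terms are never both 1, so XOR can replace OR.
        carry = g.xor(g.and_(x[i], y[i]), g.and_(p, carry))
    return s, g                        # s is the sign bit of a - b


if __name__ == "__main__":
    for width in (8, 16, 32):          # the bit lengths used in the experiment
        bit, gates = less_than(3, 5, width)
        print(width, bit, gates.and_gates, gates.xor_gates)
```

In this model the number of AND gates grows linearly with the bit length (18, 34 and 66 for 8, 16 and 32 bits).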

(a) Encryption time (b) Evaluation time (c) Decryption time

Figure 6.7: Execution time of fully homomorphic encryption experiment

These timing results greatly promote the significance of our solution. Apart from the key generation method, there is no other component required to make this solution complete. Once we have the encryption and decryption keys and the encrypted data, we can evaluate the data according to our circuit and obtain the result. Contrasting this with Yao’s approach, we find that generating the garbled circuit itself is not a complete solution to the privacy preserving association rule mining problem. We also need to allow for many executions of oblivious transfer, which incurs great communication cost. Plus, the garbled circuit must be refreshed each time. For more discussion about comparing the performance of our approach using FHE with Yao’s garbled circuit approach, see Section 6.6.

With the current state-of-the-art fully homomorphic encryption techniques, it is difficult to say how secure the cryptosystem is, since the underlying hardness assumptions are less understood than classical assumptions like RSA or ElGamal. More research is required to test the foundations of the hardness assumptions to adequately determine what system parameters are required.

6.8 Conclusion and Recommendations

In this chapter, a two party privacy preserving association rule mining algorithm was presented, which used new techniques in homomorphic encryption [38, 93, 98]. The protocol was shown to be secure under the semi-honest model of multi-party computation. The security analysis is based on the hardness assumption of the encryption scheme.

The main contribution of this chapter is the use of fully homomorphic encryption to solve the privacy preserving association rule problem. Previous efforts either used some combination of homomorphic encryption and data perturbation, or a Yao’s Garbled Circuit based approach. The former approach led to trade-offs between accuracy and privacy, while the latter had high communication cost since the generated circuit could not be reused. Our solution does not have the privacy-accuracy trade-off, and once the public key has been transferred it can be reused numerous times.

Future work regarding privacy preserving data mining would include: improving the efficiency by removing unnecessary communication; expanding on the number of parties to a multi-party computation interaction; and applying the fully homomorphic encryption system to other data mining algorithms. More fundamentally, further work is also required to improve both the efficiency and security of the underlying cryptosystem.

Conclusion

Here we summarise the main contributions of this dissertation. After doing so, we will highlight the common theme that is present throughout this thesis, which is to construct privacy preserving protocols for various applications. The purpose of this chapter is to link them all together and ascertain the overall meaning.

7.1 Problem Statement Review

Before we cover the contributions, we recall the general problem statement given in the introduction. This problem statement is as follows: develop and examine privacy preserving protocols for various real-world problems. This can be expressed by the question: can we develop protocols that both give the correct result while maintaining the privacy of the respective parties? This thesis has answered this question by giving numerous applications. We now summarise these contributions and present a big picture view by linking them together.