
The rest of this thesis is organized as follows. Chapter 2 describes the background on the data mining algorithms and the cryptosystem that form the basis of our proposed protocols. Chapter 3 introduces the proposed protocol for securely performing distributed association rule mining on private data. Chapter 4 presents the other protocol, for privacy-preserving decision tree learning. Chapter 5 gives concluding remarks and outlines directions for future work.

Chapter 2 Background

2.1 Homomorphic Encryption

Homomorphic encryption is an encryption scheme that allows computations to be carried out on ciphertexts: decrypting the result of the computation yields the same outcome as performing the corresponding operations on the plaintexts. The concept of homomorphic encryption, or privacy homomorphism, was first proposed to the scientific community in 1978 by Ronald Rivest, Leonard Adleman and Michael Dertouzos. A semantically secure homomorphic encryption scheme was developed and proposed by Shafi Goldwasser and Silvio Micali in 1982. In 2009, Craig Gentry constructed the first fully homomorphic encryption scheme, showing that such a scheme is possible.

Rivest, Adleman and Dertouzos developed their theory from the observation that existing encryption systems severely limit the ability to manipulate data once it has been encrypted into ciphertext. Without a homomorphic solution, sending and receiving are the only operations that can be performed on encrypted data. The main concern was the level of computation that can be carried out on an encrypted request over encrypted data, since such manipulation may reduce the security level of the encryption scheme.

With the advent and rapid expansion of cloud computing, a feasible homomorphic encryption method is crucial; otherwise the risk of entrusting sensitive data to a cloud computing service provider is too high. If a service provider can access data in decrypted form, the data is directly exposed to malicious users, including a compromised or dishonest provider. Gentry [6] proved that fully homomorphic encryption is viable, though the amount of computation time is a concern.

In [6], the author outlined how to create an encryption scheme that allows data to be stored securely in a cloud environment while the owner uses the computational power of the cloud provider to manipulate the encrypted data. There are three main steps in [6]. First, the notion of a "bootstrappable" encryption scheme is introduced: a somewhat homomorphic encryption scheme that can homomorphically evaluate its own decryption circuit (plus one additional operation) can be turned into a fully homomorphic one by re-encrypting ciphertexts to reduce their noise. Next, an almost-bootstrappable public key encryption scheme is built from ideal lattices. Finally, the decryption circuit is simplified ("squashed") so that the scheme becomes bootstrappable.

Although [6] gave a fully homomorphic encryption scheme, it remains impractical. Homomorphic schemes can be made secure against chosen-plaintext attacks (IND-CPA), but security against adaptive chosen-ciphertext attacks (IND-CCA2) is unattainable for any scheme whose ciphertexts are homomorphic, because the homomorphic property is itself a form of malleability: anyone can transform a ciphertext of x into a ciphertext of a related message without the key. Protocols built on such schemes must therefore supply integrity and authenticity by other means. In addition to this security issue, fully homomorphic schemes are so complex that their running time has precluded their use in many applications. Somewhat homomorphic encryption systems have been developed to address at least the time factor, using only the most efficient portions of a fully homomorphic encryption scheme.

In this thesis, we apply homomorphic encryption in a realistic setting, so efficiency must be taken into consideration. We use partially homomorphic encryption as our main encryption scheme and combine it with protocol design to realize the privacy-preserving data mining process. Several efficient partially homomorphic cryptosystems exist:

2.1.1 Unpadded RSA

If the RSA public key is the modulus $m$ and exponent $e$, then the encryption of a message $x$ is given by $E(x) = x^e \bmod m$. The homomorphic property is then

$$E(x_1)\cdot E(x_2) = x_1^e x_2^e \bmod m = (x_1 x_2)^e \bmod m = E(x_1\cdot x_2).$$

This is the same malleability that makes unpadded ("textbook") RSA unsafe for ordinary encryption: anyone holding $E(x)$ can produce $E(k\cdot x)$ for a chosen $k$ without the private key, so unpadded RSA is only appropriate where the multiplicative property is deliberately wanted.

2.1.2 ElGamal

In a cyclic group $G$ of prime order $q$ with generator $g$, if the public key is $(G, q, g, h)$, where $h = g^x$ and $x$ is the secret key, then the encryption of a message $m$ is $E(m) = (g^r,\; m\cdot h^r)$ for some random $r \in \{0, 1, \dots, q-1\}$. The homomorphic property is then

$$E(m_1)\cdot E(m_2) = (g^{r_1}, m_1\cdot h^{r_1})\cdot(g^{r_2}, m_2\cdot h^{r_2}) = (g^{r_1+r_2}, (m_1\cdot m_2)\, h^{r_1+r_2}) = E(m_1\cdot m_2),$$

where the product of two ciphertexts is taken component-wise.

2.1.3 Goldwasser-Micali

In the Goldwasser-Micali cryptosystem, if the public key is the modulus $m$ and a quadratic non-residue $x$ modulo $m$ with Jacobi symbol $+1$, then the encryption of a bit $b$ is $E(b) = x^b r^2 \bmod m$ for some random $r \in \mathbb{Z}_m^*$. The homomorphic property is then

$$E(b_1)\cdot E(b_2) = x^{b_1} r_1^2 \cdot x^{b_2} r_2^2 = x^{b_1+b_2}(r_1 r_2)^2 = E(b_1 \oplus b_2),$$

since $x^2$ is a quadratic residue, so the case $b_1 = b_2 = 1$ decrypts to $0$.

2.1.4 Benaloh

If the public key is the modulus $m$ and the base $g$ with a block size of $c$, then the encryption of a message $x \in \mathbb{Z}_c$ is $E(x) = g^x r^c \bmod m$ for some random $r \in \mathbb{Z}_m^*$. The homomorphic property is then

$$E(x_1)\cdot E(x_2) = (g^{x_1} r_1^c)(g^{x_2} r_2^c) = g^{x_1+x_2}(r_1 r_2)^c = E(x_1 + x_2 \bmod c).$$
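The following is an added example, not code from the thesis, that checks the multiplicative homomorphism of unpadded RSA (2.1.1) and ElGamal (2.1.2) and the XOR homomorphism of Goldwasser-Micali (2.1.3) end to end, each with its own decryption routine. The primes, group parameters and sample messages are constructed for the demo and are far too small for real use; the function names are this example's own.

```python
"""Added example, not code from the thesis: multiplicative homomorphism of
unpadded RSA and ElGamal, and XOR homomorphism of Goldwasser-Micali, each
verified by decrypting the product of two ciphertexts."""
from math import gcd
import secrets

# Constructed toy parameters (far too small for real use).
RSA_P, RSA_Q = 10007, 10039          # both prime
EG_P, EG_Q, EG_G = 1019, 509, 4      # 1019 = 2*509 + 1; 4 generates the order-509 subgroup
GM_P, GM_Q = 10007, 10039            # both primes are 3 (mod 4)


# ---- Unpadded RSA: E(x) = x^e mod m, E(x1) * E(x2) = E(x1 * x2) ----
def rsa_keygen(p, q, e=65537):
    m, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (m, e), (m, pow(e, -1, phi))   # public (m, e), private (m, d)

def rsa_encrypt(pub, x):
    m, e = pub
    return pow(x, e, m)

def rsa_decrypt(priv, c):
    m, d = priv
    return pow(c, d, m)

def rsa_forge_double(pub, c):
    """Malleability: with only the public key, turn E(x) into E(2x)."""
    m, _ = pub
    return (c * rsa_encrypt(pub, 2)) % m


# ---- ElGamal in the order-q subgroup of Z_p^*: E(m) = (g^r, m * h^r) ----
def elgamal_keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1        # secret key x in [1, q-1]
    return (p, q, g, pow(g, x, p)), x       # public (p, q, g, h = g^x)

def elgamal_encrypt(pub, m):
    p, q, g, h = pub
    r = secrets.randbelow(q)                # fresh randomness per message
    return pow(g, r, p), (m * pow(h, r, p)) % p

def elgamal_mul(pub, c1, c2):
    """Component-wise product: (g^(r1+r2), m1*m2 * h^(r1+r2))."""
    p = pub[0]
    return (c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p

def elgamal_decrypt(pub, x, c):
    p = pub[0]
    a, b = c
    return (b * pow(pow(a, x, p), -1, p)) % p   # m = b / a^x


# ---- Goldwasser-Micali: E(b) = x^b r^2 mod m, E(b1) * E(b2) = E(b1 xor b2) ----
def gm_keygen(p, q):
    # For p, q = 3 (mod 4), -1 is a non-residue modulo each prime, so x = m - 1
    # is a quadratic non-residue mod m with Jacobi symbol +1.
    m = p * q
    return (m, m - 1), p                    # public (m, x); p alone suffices to decrypt

def gm_encrypt(pub, b):
    m, x = pub
    while True:
        r = secrets.randbelow(m - 1) + 1    # r in Z_m^*
        if gcd(r, m) == 1:
            break
    return (pow(x, b, m) * pow(r, 2, m)) % m

def gm_decrypt(p, c):
    """Euler's criterion: c is a residue mod p exactly when the bit is 0."""
    return 0 if pow(c, (p - 1) // 2, p) == 1 else 1


if __name__ == "__main__":
    pub, priv = rsa_keygen(RSA_P, RSA_Q)
    c = rsa_encrypt(pub, 123)
    print("RSA   E(123)*E(45) decrypts to", rsa_decrypt(priv, c * rsa_encrypt(pub, 45) % pub[0]))
    print("RSA   forged E(2*123) decrypts to", rsa_decrypt(priv, rsa_forge_double(pub, c)))
    epub, ex = elgamal_keygen(EG_P, EG_Q, EG_G)
    prod = elgamal_mul(epub, elgamal_encrypt(epub, 17), elgamal_encrypt(epub, 25))
    print("ElGamal E(17)*E(25) decrypts to", elgamal_decrypt(epub, ex, prod))
    gpub, gp = gm_keygen(GM_P, GM_Q)
    print("GM    E(1)*E(1) decrypts to", gm_decrypt(gp, gm_encrypt(gpub, 1) * gm_encrypt(gpub, 1) % gpub[0]))
```

`rsa_forge_double` is the practical reading of the RSA property: a ciphertext-only attacker can rewrite an encrypted amount without the key, which is why textbook RSA is never used without padding outside protocols that deliberately exploit the homomorphism.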

2.1.5 Paillier Cryptosystem

The Paillier cryptosystem [7] is a public key encryption scheme based on modular arithmetic, created by Pascal Paillier. Its homomorphic property is additive: multiplying two ciphertexts yields an encryption of the sum of the plaintexts,

$$E_k(x)\times E_k(y) = E_k(x + y).$$

Encryption

To encrypt a message using the Paillier cryptosystem, a public key must be established first.

To construct the public key, one chooses two large primes $p$ and $q$ of equal length and computes their product $n = p\cdot q$ (equal length ensures $\gcd(n, (p-1)(q-1)) = 1$). Then an integer $g \in \mathbb{Z}_{n^2}^*$ is selected whose multiplicative order in $\mathbb{Z}_{n^2}^*$ is a nonzero multiple of $n$; a common choice is $g = n + 1$. The public key is $(n, g)$; the private key is $\lambda = \operatorname{lcm}(p-1, q-1)$.

The steps of encryption are as follows:

1. Take a message $m$ with $m \in \mathbb{Z}_n$.

2. Choose a random integer $r \in \mathbb{Z}_n^*$, i.e. $0 < r < n$ with $\gcd(r, n) = 1$.

3. Compute $c \equiv g^m \cdot r^n \pmod{n^2}$.

Decryption

1. Define $L(u) = (u - 1)/n$; this is an exact integer division, since every argument below is $\equiv 1 \pmod n$.

2. Calculate $k = L(g^{\lambda} \bmod n^2)$, where $\lambda = \lambda(n) = \operatorname{lcm}(p-1, q-1)$.

3. Compute $\mu \equiv k^{-1} \pmod n$ (the inverse is taken modulo $n$, not modulo $n^2$).

4. Recover $m \equiv L(c^{\lambda} \bmod n^2)\cdot \mu \pmod n$.
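The following is an added example, not code from the thesis, that implements the key generation, encryption and decryption steps above with $g = n + 1$ (a standard choice whose order in $\mathbb{Z}_{n^2}^*$ is $n$), together with the ciphertext operations a secure-summation protocol relies on: multiplying ciphertexts to add plaintexts, and raising a ciphertext to a public constant to scale its plaintext. The two 30-bit primes and the sample values are constructed for the demo; the function names are this example's own.

```python
"""Added example, not code from the thesis: Paillier key generation, encryption,
decryption and the additive homomorphism, with a secure-summation helper."""
from math import gcd
import secrets

DEMO_P, DEMO_Q = 1000000007, 998244353   # constructed demo primes (30-bit)

def paillier_keygen(p, q):
    n = p * q
    n2 = n * n
    assert gcd(n, (p - 1) * (q - 1)) == 1
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n) = lcm(p-1, q-1)
    g = n + 1                                       # order of g in Z_{n^2}^* is n
    k = (pow(g, lam, n2) - 1) // n                  # k = L(g^lambda mod n^2)
    mu = pow(k, -1, n)                              # mu = k^{-1} mod n (not mod n^2)
    return (n, g), (lam, mu)

def paillier_encrypt(pub, m):
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1            # r in Z_n^*
        if gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2  # c = g^m * r^n mod n^2

def paillier_decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * mu % n    # L(c^lambda mod n^2) * mu mod n

def paillier_add(pub, c1, c2):
    """E(x) * E(y) mod n^2 = E(x + y mod n)."""
    n = pub[0]
    return (c1 * c2) % (n * n)

def paillier_scale(pub, c, k):
    """E(x)^k mod n^2 = E(k * x mod n): scale a hidden value by a public constant."""
    n = pub[0]
    return pow(c, k, n * n)

def secure_sum(pub, priv, local_values):
    """Secure summation: each party encrypts its own value under the shared public
    key, an aggregator multiplies the ciphertexts without learning any value, and
    only the private-key holder decrypts the total."""
    acc = 1                                         # 1 is E(0) with r = 1
    for v in local_values:
        acc = paillier_add(pub, acc, paillier_encrypt(pub, v))
    return paillier_decrypt(pub, priv, acc)

if __name__ == "__main__":
    pub, priv = paillier_keygen(DEMO_P, DEMO_Q)
    s = paillier_add(pub, paillier_encrypt(pub, 42), paillier_encrypt(pub, 58))
    print("E(42)*E(58) decrypts to", paillier_decrypt(pub, priv, s))
    print("sum of [12, 30, 7, 51] =", secure_sum(pub, priv, [12, 30, 7, 51]))
```

The aggregator in `secure_sum` never sees a plaintext, but the same malleability that makes the sum possible lets a dishonest party multiply in an encryption of an arbitrary offset; a deployed protocol therefore needs authenticated channels or proofs of correct input on top of the cryptosystem. The same code runs unchanged with 1024-bit or 2048-bit primes.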

Our proposed protocols use an additively homomorphic scheme to securely sum up the encrypted results, so we take the Paillier cryptosystem as our encryption scheme. Table 2.1 shows the key sizes recommended by NIST; we implement our system with a 1024-bit key size. Note that under current NIST guidance (SP 800-57 Part 1) a 1024-bit modulus offers only about 80 bits of security and 2048 bits is the minimum for new deployments, so a production implementation should use at least a 2048-bit $n$.

Table 2.1: NIST Recommended Key Sizes (columns include Symmetric Key Size)

Association rule mining is a process that helps discover rules hidden in a large amount of data. The problem can be defined as follows:

Let $I = \{i_1, i_2, \dots, i_n\}$ be a set of items. Let $T = \{t_1, t_2, \dots, t_m\}$ be a set of transactions, where each $t_i \subseteq I$. Given an itemset $X \subseteq I$, a transaction $t_i$ contains $X$ if and only if $X \subseteq t_i$. An association rule is an implication of the form $X \Rightarrow Y$ where $X \subseteq I$, $Y \subseteq I$, and $X \cap Y = \emptyset$. The rule has support $s$ in the transaction database $D$ if $s\%$ of the transactions in $D$ contain $X \cup Y$. The association rule holds in the transaction database $D$ with confidence $c$ if
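To make the definitions concrete, the following added example (not code from the thesis) computes support and confidence over a small constructed transaction database, enumerates frequent itemsets level by level in the Apriori style, and generates the rules that meet both thresholds. Confidence is taken as the standard ratio $\mathrm{supp}(X \cup Y)/\mathrm{supp}(X)$; the transactions, item names and function names are this example's own.

```python
"""Added example, not code from the thesis: support, confidence, level-wise
frequent-itemset enumeration and rule generation over constructed transactions."""
from itertools import combinations

# Constructed sample transactions; item identifiers are plain strings.
TRANSACTIONS = [
    {"bread", "milk"},
    {"bread", "diaper", "beer", "eggs"},
    {"milk", "diaper", "beer", "cola"},
    {"bread", "milk", "diaper", "beer"},
    {"bread", "milk", "diaper", "cola"},
]

def count(itemset, transactions):
    """Number of transactions t with itemset a subset of t."""
    itemset = frozenset(itemset)
    return sum(1 for t in transactions if itemset <= t)

def support(itemset, transactions):
    """Fraction of transactions containing the itemset (s% / 100 in the text)."""
    return count(itemset, transactions) / len(transactions)

def confidence(x, y, transactions):
    """conf(X => Y) = count(X union Y) / count(X)."""
    return count(frozenset(x) | frozenset(y), transactions) / count(x, transactions)

def frequent_itemsets(transactions, min_support):
    """Level k candidates are unions of two frequent (k-1)-itemsets all of whose
    (k-1)-subsets are frequent (support is anti-monotone), then pruned by support."""
    items = sorted(set().union(*transactions))
    level = [frozenset([i]) for i in items if support({i}, transactions) >= min_support]
    found = list(level)
    k = 2
    while level:
        prev = set(level)
        candidates = set()
        for a, b in combinations(level, 2):
            c = a | b
            if len(c) == k and all(frozenset(s) in prev for s in combinations(c, k - 1)):
                candidates.add(c)
        level = sorted((c for c in candidates if support(c, transactions) >= min_support),
                       key=sorted)
        found.extend(level)
        k += 1
    return found

def association_rules(transactions, min_support, min_confidence):
    """All rules X => Y with X union Y frequent, X and Y disjoint and non-empty,
    and confidence at least min_confidence. Returns (X, Y, support, confidence)."""
    rules = []
    for itemset in frequent_itemsets(transactions, min_support):
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for x in combinations(sorted(itemset), r):
                x, y = frozenset(x), itemset - frozenset(x)
                conf = confidence(x, y, transactions)
                if conf >= min_confidence:
                    rules.append((x, y, support(itemset, transactions), conf))
    return rules

if __name__ == "__main__":
    for x, y, s, c in association_rules(TRANSACTIONS, 0.6, 0.7):
        print(f"{sorted(x)} => {sorted(y)}  support={s:.2f} confidence={c:.2f}")
```

In the distributed setting of Chapter 3, `count` is exactly the quantity each site must contribute without revealing its transactions; the candidate-generation loop is unchanged, only the way the counts are summed differs.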
