Balancing Security and Privacy in Genomic Range Queries

2.1 Genomics

The human genome is composed of around 3.2 billion³ base pairs packed into 23 chromosomes of different size [61]. Each base can be represented by four letters of the genetic code: [A]denine, [C]ytosine, [G]uanine, and [T]hymine, where [A] always bonds with [T] and [G] always bonds with [C]. According to the Human Genome Project (HGP), only around 0.1% of base pairs differ between individuals [9]. Although it is not yet possible to determine or predict exactly where these differences occur, many types of genetic variations can be used to identify an individual and determine one’s susceptibility to diseases and/or sensitivity to drugs. SNPs are the most common type of genetic variation (a.k.a. mutations) among people, which represents a difference in a single base, e.g., an [A] changes to a [C] or a [G]. A variation is classified as an SNP if over 1% of a population does not carry the same nucleotide at a specific position in the DNA sequence [8].

Normally, an SNP data sequenced by, e.g., 23andMe [1], contains two base letters, one per each chromosome. For example, let the genotype of an SNP among Alice’s DNA sequenced result be “AG” at position 169. This means that “A” is on one strand of one chromosome and “G” is on one strand of the other chromosome—naturally the opposite strands have paired “T” and “C,” respectively, at position 169—and another person can have a different genotype at position 169, e.g., “CC.” To represent the genotypes efficiently, we use an 8-bit⁴ integer \(\in ~[0,15]\), instead of representing all two-character combinations of {A,C,G,T}. Thus, we denote a base as \((pos, l)\), where \(pos\) is a non-negative integer \(\lt 3.2 * 10^9\) representing the position of the base and \(l\) is a non-negative integer \(\in ~[0,15]\) representing two base letters from each chromosome at that position.

Due to the relatively small volume of SNPs, a reference genome model that contains only the list of mutations can be used to reduce storage and computation costs. Using a compact reference form, such as the 1,000 Genomes Project variant call format,⁵ the human genome can be represented using only about 120 megabytes, while the entire (raw) representation takes up to 200 gigabytes. In this article, we focus on these two representations: the whole genome and the compact SNP based. We defer other genomic representation formats, e.g., Short Tandem Repeat (STR) and Restriction Fragment Length Polymorphism (RFLP), to future work.

2.2 Cryptographic Commitments

A commitment scheme is a cryptographic primitive that involves a prover and a verifier. The prover first commits to a chosen (secret) value and reveals it later to the verifier. A commitment scheme thus has two phases. In the first, commit, phase, the prover sends a message (commitment) to the verifier committing to a secret value. The commitment must reveal no information about the committed value; this is called the hiding property. In the second, reveal, phase, the prover sends to the verifier a message (decommitment) that reveals the previously committed value. The verifier validates the revealed value against the committed one. The former must uniquely match the latter; this is called the binding property. We denote a commitment using \(Com(z;r)\), where \(Com\) is a commitment scheme, \(z\) is the committed value, and \(r\) is a random bit-string, used as a salt.

In this article, we use two types of commitments: one based on the discrete logarithm problem (DLP) and the other based on a strong cryptographic hash function. For DLP-based commitments, we use the well-known Pedersen [71] and Fujisaki-Okamoto [44] commitment schemes.

A Pedersen commitment is defined in a subgroup of \(\mathbb {Z}_p^*\), where \(p\) is a large prime, albeit any group where the DLP is hard can be used. Let \(\mathbb {G}\) be the group of order \(p\), generated by element \(g\), i.e., \(\mathbb {G} = \langle g \rangle\) with \(o(G) = p\). Two non-identity elements, \(g\) and \(h\), in \(\mathbb {G}\) are used as public key, where \(log_g{h}\) is not known to either the prover or the verifier. To commit to a message \(z \in \mathbb {Z}_p\), a Pedersen commitment is computed as \(Com = Com(z;r) = g^z h^{r}\), where \(r\) is a random number in \(\mathbb {Z}_p\). To decommit, later a prover reveals \(z\) and \(r\) and a verifier checks if indeed \(g^z h^r = Com\).

A Fujisaki-Okamoto commitment is an extension of the Pedersen commitment to the RSA setting. Instead of \(Z^*_P\), it uses \(Z^*_N\), where \(N = PQ\) and \(P, Q\) are distinct primes, such that \(P = 2p+1\) and \(Q = 2q+1\), where \(p\) and \(q\) are also primes. Now, two generators \(g_p\) and \(g_q\) generate each group, \(\mathbb {G}_p\) and \(\mathbb {G}_q\), of prime orders \(p\) and \(q\), respectively; i.e., \(\mathbb {G}_p\) and \(\mathbb {G}_q\) are subgroups of \(\mathbb {Z}_P^*\) and \(\mathbb {Z}_Q^*\), respectively. Generator \(g\) of the group \(\mathbb {G}_{pq}\) is computed using the Chinese Remainder Theorem, such that \(g = g_p \ (\mathrm{mod}\ P)\) and \(g = g_q \ (\mathrm{mod}\ Q)\). Then, \(h\) is computed by \(h = g^{\alpha } \ (\mathrm{mod}\ N)\), where \(\alpha\) is uniformly chosen from \(\mathbb {Z}_{pq}^*\), and \((g,h)\) is set as the public key. To commit a message \(z \in \mathbb {Z}_N\), the Fujisaki-Okamoto commitment is computed by \(Com(z;r) = g^z h^{r} \ (\mathrm{mod}\ N)\), where \(r\) is a random number in \(\mathbb {Z}_{\lambda N}^*\) with a security parameter \(\lambda\). Both Pederson and Fujisaki-Pkamoto commitment schemes are statistically hiding and computationally binding.

Finally, the commitments based on secure cryptographic hash functions rely on the fact that modern hash functions practically reveal no information about the value they hide if they are used with a sufficiently long random salt. In addition, since secure cryptographic hash functions offer weak and/or strong collision resistance properties, the commitments based on such functions are binding. A commitment is of the form \(H(z || r)\), where \(H\) is a cryptographically secure hash function (e.g., SHA2 [12]), \(z\) is the committed value, and \(r\) is a sufficiently long random bit-string.

2.3 Zero-Knowledge Range Proofs

A Zero-knowledge Range Proof (ZKRP) allows a prover to convince a verifier that a committed secret value is within a given range without revealing that value. The three standard zero-knowledge proof (ZKP) properties, completeness, soundness, and zero-knowledge, also hold for ZKRPs. That is, when the secret is in the given range, an honest prover can always convince an honest verifier of the fact, which yields completeness. Meanwhile, no dishonest prover can convince an honest verifier if the secret is not in the range, which yields soundness. Also, the verifier learns nothing from the execution of the protocol about the secret value other than that it lies in the range, which corresponds to zero-knowledge. Non-interactive Zero-knowledge Proofs (NIZKs) are a class of ZKP that requires no interaction between the prover and the verifier. It is well known that NIZK can be constructed from ZKP in a random oracle model using the Fiat-Shamir heuristic [43].

Boudot’s range proof [24] is the first practical construction of ZKRP proposed in 2001. It includes two protocols: one for the extended range and the other for the exact range. In the first, for a requested range \([a,b]\), the prover shows that the secret integer \(v\) resides in \([a - \theta , b + \theta ]\), where \(\theta = 2^{t + l + 1}\sqrt {b - a}\) and \(t\) and \(l\) are security parameters, i.e., with the expansion rate⁶ \(\delta = 2\theta\). In the second protocol, the prover shows that \(v\) resides in the exact requested range, \([a,b]\), i.e., with \(\delta =1\).

Following Boudot, there has been a long line of work on ZKRPs. As mentioned in survey papers [38, 65], ZKRP methods can be classified based on their main characteristics: (1) square decomposition, (2) signature based, (3) multi-based decomposition, and (4) Bulletproofs.

Square decomposition constructions, such as [24, 46, 57], use the fact that any non-negative integer can be represented by the sum of squares. Signature-based constructions [28] are generalized from a zero-knowledge set membership test, by showing that the prover knows a signature on the secret, among the entire set of signatures on integers in the given range. In multi-based decomposition constructions [29, 58], the secret is decomposed by a \(u\)-ary (usually binary) representation and the prover shows that each coefficient is 0 or 1, which proves that the secret value is in a given range. Lastly, Bulletproofs [27] is a technique without a trusted setup phase, unlike other approaches. It uses the binary representation of the secret value and inner product proofs, which lend themselves to smaller proof sizes.

Any ZKRP protocol can be used in our construction. For example, we use Boudot’s range proof [24] as the ZKRP of our main construction (Section 4) and Bulletproofs [27] in the extended version (Section 5). We briefly summarize these protocols below.

Assume that the prover wants to show that a secret value \(v \in [a,b]\) is in \([a-\theta , b+\theta ]\), where \(\theta\) is defined as above. To do so, the prover shows (1) \(v - a \ge -\theta\) and (2) \(b - v \ge -\theta\). To demonstrate (1), the prover writes \((v-a)\) as the sum of the greatest square less than \(v\) and a non-negative number, i.e., \(v - a = v_1^2 + p\), where \(v_1 := \lfloor \sqrt {v - a} \rfloor\) and \(p = (v-a) - v_1^2\). Next, the prover shows, in zero-knowledge, that the commitment to \(v_1^2\) hides a square and the commitment to \(p\) hides a number with the absolute value less than \(\theta\), using the method in [30]. The same procedure is done for (2), but with \(r_1^{\prime }, r_2^{\prime }\) such that \(r_1^{\prime }+r_2^{\prime }=-r\). As a result, the prover shows that \(v \in [a - \theta , b + \theta ],\) where \(\theta = 2^{t + l + 1}\sqrt {b - a}\).

Showing that the secret value \(v\) is exactly in \([a,b]\) is similar. However, it is now shown that the expanded secret value lies in the expanded range of \([a,b]\), which implies that \(v \in [a,b]\). More specifically, the prover first expands \(v\) by computing \(v^{\prime } = v \cdot 2^T\), where \(T = 2(t + l + 1) + |b - a|\). Then it shows that \(v^{\prime } \in [2^T a - \theta ^{\prime }, 2^T b + \theta ^{\prime }]\), where \(\theta ^{\prime } = 2^{t+l+T/2} \sqrt {b-a}\) using the previous protocol with expanded commitment \(Com(z;r)^{2^T}\). Since \(\theta ^{\prime } \lt 2^T\), the verifier is convinced that \(v^{\prime } \in ]2^T\) \(a - 2^T, 2^T b +2^T[ ~\iff ~ v \in ]a-1, b+1[\) so that \(v \in [a,b]\) as \(v \in \mathbb {Z}\).

With Bulletproofs [27], the prover performs ZKRP twice: once for \(v \in [a, a+2^n]\) and then for \(v \in [b-2^n, b]\), in order to show that \(v \in [a,b]\). To show that \(v \in [0, 2^n -1]\), the prover first vectorizes \(v\) to \(n\)-bit value, \(v_L:=(v_1, \ldots , v_n) \in \lbrace 0,1\rbrace ^n\). Then, for \(v_R:=v_L-1^n\), the Hadamard product of \(v_L\) and \(v_R\) is zero, i.e., \(v_L \circ v_R = 0\). To show these properties, the prover needs to show that: \(\begin{align*} \text{(1) the inner product }\langle v_L, 2^n \rangle = v,\text{ (2) }\langle v_L, v_R \circ y \rangle = 0,\text{ and (3) } \langle v_L - 1^n-v_R, y^n \rangle = 0, \text{ for } \forall y \in \mathbb {Z}_p. \end{align*}\) These equalities can be combined into one, by the verifier choosing a random \(z \in \mathbb {Z}_p\) and prover showing that (1) \(\begin{equation} \langle v_L - z \cdot 1^n, y^n \circ (v_R + z \cdot 1^n) + z^2 \cdot 2^n \rangle = z^2 \cdot v + \delta (y,z), \end{equation}\) where \(\delta (y,z) = (z-z^2) \cdot \langle 1^n, y^n \rangle - z^3 \langle 1^n, 2^n\rangle \in \mathbb {Z}_p\). Also, to hide the information about \(v_L\) and \(v_R\), additional blinding terms \(s_L, s_R \in \mathbb {Z}_p^n\) are used, so that the prover sends \({l, r},\) and \(t\) instead, where: \(\begin{align*} {\bf l}:=l(X) & = v_L - z \cdot 1^n + s_L \cdot X, {\bf r}:=r(X) = y^n \circ (v_R + z \cdot 1^n + s_R \cdot X) + z^2 \cdot 2^n \in \mathbb {Z}_p^n[X],\\ & \text{ and } t(X) := \langle l(X), r(X) \rangle \in \mathbb {Z}_p[X]. \end{align*}\) To convince the verifier that the constant term \(t_0\) of \(t(X) = t_0 + t_1 \cdot X + t_2 \cdot X^2\) becomes the right-hand side of Equation (1), i.e., \(t_0 = v \cdot z^2 + \delta (y,z)\), the prover commits to the remaining coefficients, \(t_1, t_2 \in \mathbb {Z}_p\); receives a random point \(x \in \mathbb {Z}_p^*\) from the verifier; and replies the \(t(x)\) value to the verifier. By checking all the commitments and values, the verifier is convinced that \(v \in [0, 2^n-1]\).

2.4 Homomorphic Encryption

Homomorphic encryption (HE) is a special type of encryption that allows users to perform certain arithmetic operations on encrypted data such that results are reflected in the plaintext. If it supports both unlimited addition and multiplication of ciphertexts, the HE scheme is called Fully Homomorphic Encryption (FHE). A scheme that supports a limited number of operations of either type is called Somewhat Homomorphic Encryption (SWHE). Finally, a scheme that supports only one operation type (e.g., addition or multiplication) is called Partially Homomorphic Encryption (PHE). We use PHE in this work. (Typically, in terms of computation costs, \(FHE\gt SWHE\gt PHE\).)

There are many PHE schemes, e.g., [32, 33, 34, 41, 45, 53, 66, 68, 69, 73]. For example, the well-known ElGamal encryption scheme [41] is a PHE that supports multiplication, as for any \(m_1, m_2 \in \langle g \rangle\) and random \(r_1,r_2\), \(\begin{align*} Enc(m_1) * Enc(m_2) = (g^{r_1}, m_1*h^{r_1}) * (g^{r_2}, m_2*h^{r_2}) = (g^{r_1+r_2}, m_1*m_2*h^{r_1+r_2}) = Enc(m_1 m_2). \end{align*}\) Another variant of ElGamal [33] is additively homomorphic. In it, \(g^m\) instead of \(m\) is used as the ciphertext. i.e., \(\begin{align*} Enc(m_1) * Enc(m_2) = (g^{r_1}, g^{m_1}*h^{r_1}) * (g^{r_2}, g^{m_2}*h^{r_2}) = (g^{r_1+r_2}, g^{m_1+m_2}*h^{r_1+r_2}) = Enc(m_1 + m_2). \end{align*}\) Another popular PHE is Paillier [69], which also supports addition. In it, \(\begin{align*} Enc(m_1) * Enc(m_2) & = (g^{m_1} r_1^{n} \ (\mathrm{mod}\ n^2)) * (g^{m_2} r_2^{n} \ (\mathrm{mod}\ n^2)) = g^{m_1+m_2} (r_1+r_2)^{n} \ (\mathrm{mod}\ n^2)\\ & =\ Enc(m_1 + m_2), \end{align*}\) where \(r_1, r_2\) are randomly chosen elements in \(\mathbb {Z}_n^*\), for any \(m_1, m_2 \in \mathbb {Z}_n\). Although Paillier is widely used, we show in Section 7 that the additively homomorphic ElGamal (AH-ElGamal) scheme is more efficient in our context. (This is mainly because we only need to check if the ciphertext is the encryption of zero.)

3.1 System Model

The system model includes three types of entities: (1) individuals, (2) sequencing labs, and (3) testers, where each entity’s role is as follows:

We assume a global pre-existing Public Key Infrastructure (PKI) for establishing trust among entities based on certified public keys. Although there would be a multitude of each entity type, we assume (for the sake of clarity) only one individual (Alice), one sequencing lab (\(SL\)), and one tester (\(T\)).

3.2 Security Model

We assume that \(SL\) and \(T\) are certified by a trusted authority and \(SL\) is fully trusted by both Alice and \(T\). Sequencing and preparing digitized genomic data by \(SL\) are performed offline. We assume \(T\) is Honest but Curious (HbC): although it faithfully follows the protocol, it aims to learn more information about Alice’s genome than is required for the test. The ranges queried by \(T\) are considered to be pre-approved by a trusted authority. For instance, the trusted authority provides \(T\) a signed white-list of legitimate ranges or genome positions for all authorized genomic tests. For this reason, Alice is willing to reveal the required genomic data to \(T\) for the given test.

We assume that \(T\) does not trust Alice, since she might supply altered genomic data (whether by modification or omission) in order to influence the outcome of a test. For correct test results, \(T\) needs to ensure that all information Alice supplies is both authentic and complete. To this end, our goal is a secure and private range query protocol, \(\pi\), between Alice and \(T\). \(\pi\) takes \(T\)’s range query \(Q\) and Alice’s set of SNPs \(\mathcal {M}\) as inputs and outputs the response \(\mathcal {M}_Q\) to \(T\), i.e., the set of all SNPs in \(\mathcal {M}\) located in \(Q\). Concrete security goals are:

Caveat: Nucleotides (individual bases) at different positions can be correlated. Some such correlations are well known. Therefore, based on the specific mutations in a given range that Alice reveals to \(T\) as part of a legitimate test, \(T\) could infer genomic information from other regions of Alice’s genome. We believe that such side-channel inference is unavoidable and consider it out of the scope of this work.

4.1 Intuitive Approaches

One trivial approach is to use Alice’s whole genome, \(G_{Alice}\), and let \(SL\) sign all \(g_i\)’s at sequencing time. When \(T\) asks for all mutations in \(Q\), Alice provides all pairs within that range along with their signatures. \(T\) can easily detect if anything is missing since it receives all \(g_i\)’s. Inclusion of fake bases is impossible, as Alice cannot forge \(SL\)’s signatures. This approach provides authenticity and integrity, and leaks no information about bases outside the queried range. However, it has high computation and storage costs because every single base in \(Q\) needs to be signed, sent, and verified. To reduce costs, certain cryptographic methods, such as condensed and aggregated signatures, can be employed, albeit the final cost would be still far from optimal. We refer to [25] for a detailed discussion and comparison of such methods.

Another intuitive approach is to use Alice’s SNP-represented genome, \(\mathcal {M}\), and let \(SL\) sign all \(m_i\)’s at sequencing time. This would substantially reduce storage and computation costs due to the relatively small volume of SNPs. However, it introduces the completeness problem, since nothing prevents Alice from omitting some (or all) SNPs when she sends \(T\) the mutations and signatures on \(Q\). To prevent any omissions and ensure correct ordering of mutations, \(SL\) can sign tuples consisting of two adjacent mutations sorted in ascending order, as suggested by [39]. However, this entails revealing two tuples that contain mutations in positions immediately beyond both lower- and upper-range boundaries, respectively. Due to the general sparsity of genomic mutations, this could leak a substantial amount of sensitive information to \(T\).

4.2 Proposed Approach

Assume that Alice gives her physical DNA sample (\(Bio_{Alice}\)) to \(SL\) to obtain a digital representation of her genome in the form of SNPs. \(SL\) forms the SNP representation \(\mathcal {M}=\lbrace m_1, m_2, \ldots , m_n\rbrace\) by comparing Alice’s genome to a reference genome, as discussed in Section 2.1. Now, \(SL\) adds two special mutations, \(m_0\) and \(m_{n+1}\), to represent the lower and upper genome boundaries. At the end of the sequencing process, Alice receives the list: \(\begin{align*} \hat{\mathcal {M}}=\lbrace m_0,m_1, m_2, \ldots , m_n,m_{n+1}\rbrace = \mathcal {M} \cup \lbrace m_0, m_{n+1}\rbrace . \end{align*}\) For the special sentinel mutations \(m_0\) and \(m_{n+1}\), positions \(pos_0\) and \(pos_{n+1}\) are integers out of the normal human genomic position range, i.e., \(pos_0 = -\infty \lt 0\), \(pos_{n+1} = +\infty \gt N\), and the base letters \(l_0\) and \(l_{n+1}\) are dummy letters of the same sizes.

Alice also receives the lists of signatures, \(\Gamma = \lbrace \gamma _{0}, \gamma _{1}, \ldots , \gamma _{n}\rbrace\), and salts, \(Salt\), used to generate these signatures. To show the ordering of mutations without revealing additional information on boundary ones, \(SL\) signs the tuple of commitments for each adjacent mutation, instead of signing each mutation, i.e., \(\gamma _i = Sign(sk_{SL},Tup_i)\), for \(\forall i\). Each tuple consists of four commitments for the adjacent mutations and their positions: \(\begin{align*} Tup_i = (Com(pos_i; s_{i,1}), Com(m_i; s_{i,2}), Com(pos_{i+1}; s_{i+1,1}), Com(m_{i+1}; s_{i+1,2})) \end{align*}\) for some commitment scheme \(Com\) and salts \(s_{i,j}\) for the \(i\)th SNP and \(j=1,2\). The latter two commitments for \(pos_{i+1}\) and \(m_{i+1}\) are reused in the next tuple, \(Tup_{i + 1}\). This can be done in the offline phase between \(SL\) and Alice.

In the online phase, Alice returns the mutations within the queried range \(Q\), along with the corresponding signatures and salts. She also generates two range proofs for the positions of the first mutations outside the queried range: one for the mutation with the highest position below the lower bound of \(Q\) and the other for the mutation with the lowest position above the upper bound of \(Q\). Alice sends these proofs and corresponding commitments of those positions. Denoting all SNPs in \(Q\) as \(\mathcal {M}_Q = \lbrace m_{k+1}, \ldots , m_{k+j}\rbrace\), Alice sends \((\mathcal {M}_Q, Salt_Q, \Gamma _Q, C_{k}, C_{k+j+1}, l, h)\) to \(T\), where \(\begin{align*} Salt_Q &= \lbrace s_{k+1}, \ldots , s_{k+j}\rbrace = \lbrace (s_{k+1,1},s_{k+1,2}), \ldots , (s_{k+j,1}, s_{k+j,2})\rbrace , \\ \Gamma _Q &= \lbrace \gamma _{k}, \gamma _{k+1}, \ldots , \gamma _{k+j}\rbrace , \\ C_{k} &= (Com(pos_{k}, s_{k,1}), Com(m_k, s_{k,2})), \\ C_{k+j+1} &= (Com(pos_{k+j+1}, s_{k+j+1,1}), Com(m_{k+j+1}, s_{k+j+1,2})),\\ l \leftarrow \texttt {NIZKRP_}&\texttt {Prove}\lbrace (pos_{k},s_{k,1}) \mid C_{k,1} = Com(pos_{k}, s_{k,1}) \wedge pos_{k} \lt a \rbrace \\ h \leftarrow \texttt {NIZKRP_}&\texttt {Prove}\lbrace (pos_{k+j+1},s_{k+j+1,1}) \mid C_{k+j+1,1} = Com(pos_{k+j+1}, s_{k+j+1,1}) \wedge pos_{k+j+1} \gt b \rbrace , \end{align*}\) where \(l\) and \(h\) are the proofs for the non-interactive zero-knowledge proof of range proof (NIZKRP). \(T\) reconstructs intermediate tuples using received mutations and salts, and boundary tuples using received \(C_k\) and \(C_{k+j+1}\), as follows: \(\begin{equation*} \begin{aligned} Tup_i &:= (Com(pos_i;s_{i,1}), Com(m_i; s_{i,2}),Com(pos_{i+1}; s_{i+1,1}), Com(m_{i+1}; s_{i+1,2}))\\ & \text{ for } i=k+1, \ldots , k+j-1,\\ Tup_{k} &= (C_k, Com(pos_{k+1};s_{k+1,1}), Com(m_{k+1}; s_{k+1,2})),\\ Tup_{k+j} & = (Com(pos_{k+j};s_{k+j,1}), Com(m_{k+j}; s_{k+j,2}), C_{k+j+1}). \end{aligned} \end{equation*}\) Then, \(T\) verifies the signatures using \(SL\)’s public key and NIZKRP proofs \(l,h\) with the boundaries of \(Q\), \(a,\) and \(b\); i.e., \(T\) sees if (1) \(Verify(pk_{SL}, Tup_i, \gamma _i)=1\) for all \(i = k, \ldots , k+j\); (2) \(\texttt {NIZKRP_Verify}(C_{k,1}, l) = 1\); and (3) \(\texttt {NIZKRP_Verify}(C_{k+j+1,1}, h) = 1\), and it aborts if any of those fails. Otherwise, it proceeds with the test using received \(\mathcal {M}_Q\). Figures 1 and 2 show offline and online phases, respectively. Communication and computation costs are reflected in Table 2.

Fig. 1.

View Figure

Fig. 2.

View Figure

Table 2.

View Table

Table 2. Communication and Computation Costs, Where \(n\) = (Number of Alice’s SNPs) and \(j\) = (Number of Mutations in \(Q\) )

4.3 Security Analysis

Assume a non-empty \(\mathcal {M}_Q = \lbrace m_{k+1}, \ldots , m_{k+j}\rbrace\) for some non-negative integers \(k\) and \(j\). \(T\) checks the authenticity of \(m_i \in \mathcal {M}_Q\) by verifying the received signatures \(\Gamma _Q=\lbrace \gamma _i\rbrace _{i=k}^{k+j}\) using the reconstructed tuples \(\lbrace Tup_i\rbrace _{i=k}^{k+j}\). The links between two adjacent tuples prevent Alice from excluding any mutations. Also, \(T\) ensures completeness by verifying the two NIZKRP proofs, which shows that the commitments for the boundary positions hide the integers beyond the queried range. This allows Alice to maintain the privacy of all mutations outside \(Q\).

Now, suppose that \(\mathcal {M}_Q\) is empty; i.e., Alice has no SNPs within \(Q\). Then, Alice sends one tuple \(Tup_l\) for some \(l\), of the form \((Com(pos_l), Com(m_l), Com(pos_{l+1}), Com(m_{l+1}))\) such that \(pos_l \lt a\) and \(pos_{l+1} \gt b\) and its signature \(\gamma _l\) to \(T\). \(T\) verifies \(\gamma _l\), which satisfies authenticity, and checks the ZKPs that committed values are outside \(Q\), ensuring completeness and Alice’s privacy.

One special case occurs when there are no mutations before position \(a\) and/or after position \(b\). The required range is large enough and it reveals all SNPs to conduct the test with \(m_{k} = m_0\) and/or \(m_{k+j+1} = m_{n+1}\). Since sentinel commitments are indistinguishable from other commitments, our security goals are also achieved in this case. In summary:

• Goal 3.2. Authenticity is based on the security of the underlying digital signature scheme used by \(SL\) to sign tuples.

• Goal 3.2. Completeness is achieved by sequential linking of elements, allowing \(T\) to detect any omissions.

• Goal 3.2. Alice’s Privacy holds due to the use of ZKP and the \(hiding\) property of commitments, which reveals no information about either mutations’ positions or mutations outside \(Q\).

5.1 Size- and Position-hiding Private Substring Matching Protocol (SPH-PSM) [37]

First, Alice generates a public-private key-pair for an AHE scheme and encrypts each base of her genome using the public key. \(T\) computes the additive inverse of each base in its specific test pattern and encrypts each inverse using Alice’s public key.

In the online phase, Alice sends the entire encrypted genome to \(T\). For each position where the pattern locates, \(T\) homomorphically adds its encrypted pattern to Alice’s encrypted base. Then, \(T\) adds the resulting values and returns the final (encrypted) sum to Alice. Alice decrypts received ciphertext using her private key and learns the test result. The decrypted result is 0 if Alice’s genome matches the test pattern; it is a random value otherwise. During the whole process, \(T\) does not learn any information on Alice’s genome or the test result.

5.2 Secure SPH-PSM (S-SPH-PSM)

In SPH-PSM, Alice can modify her digitized genome and influence the test result, since SPH-PSM does not guarantee authenticity or integrity of Alice’s genome. To prevent this, we design secure SPH-PSM (S-SPH-PSM) and let \(SL\) act as a certification authority for the genomic data.

When \(SL\) sequences Alice’s DNA sample (\(Bio_{Alice}\)), it encrypts the hash of each base using an AHE scheme, under Alice’s public key.⁷ Then, it signs the hash of each ciphertext—along with its position—using its private key and sends the list of ciphertexts and corresponding signatures to Alice.

The online phase is similar to SPH-PSM, except that \(T\) verifies the signatures and checks authenticity and integrity of ciphertexts on the positions required for the test. Figures 3 and 4 show the offline and online phases of S-SPH-PSM, respectively.

Fig. 3.

View Figure

Fig. 4.

View Figure

S-SPH-PSM also ensures authenticity and completeness via signing of both ciphertext and its position. \(T\) can detect omissions or rearrangements, as it verifies signatures for all consecutive positions in the range. Also, to prevent accidental matches, we hash both the position and the base letter when encrypting the bases, as in the AH-ElGamal-based protocol [37].

5.3 Efficient and Secure SPH-PSM (ES-SPH-PSM)

We design efficient and secure SPH-PSM protocol (ES-SPH-PSM) to improve efficiency. We use SNPs instead of the whole genome representation and our techniques proposed in Section 4. Offline and online phases of this protocol are given in Figures 5 and 6, respectively. In the former, we add special sentinel SNPs and sign the tuples of adjacent bases, as in Section 4, whereas the tuple consists of commitments of position and the ciphertext of each SNP instead. \(SL\) sends to Alice the encrypted genomic data and signatures along with the salts used for the commitments. In the online phase, \(T\) verifies “all” received tuples and computes multiple results for all possible starting positions. The computational complexity of this approach is \(\mathcal {O}(nm)\), where \(n\) is the size of Alice’s genome and \(m\) is the number of bases in the pattern that \(T\) holds. This is because SNP positions are hidden, unlike in the whole genome representation. (See unoptimized commented out pseudo-code in Figure 6.)

Fig. 5.

View Figure

Fig. 6.

View Figure

However, this computational cost can be significantly improved and reduced to \(\mathcal {O}(n)\) with some optimizations. First, \(T\) performs an initial calculation as before by matching the first \(m\) (encrypted) SNPs with its \(m\) (encrypted) inverses of the pattern. \(T\) then keeps the sum of this operation in a temporary result. Since most encrypted inverses and SNPs are reused in the next computation and they are aggregated, using the temporary result helps reduce the computational cost. That is, the next result is computed by subtracting the first encrypted SNP and adding the next encrypted SNP to the previous result. For each computation, the temporary result is stored in the result list with randomization. Whenever the pattern and Alice’s SNPs match, the aggregated result will be an encrypted zero. When Alice receives randomly permuted results, she sees if any of the decrypted results are zero (see Figure 6).

To maintain the size-hiding property, we add \(m\) additional results, encryption of random values, so that the number of results is always \(n\), independent of the pattern size. The pattern’s position-hiding property still holds by randomly shuffling multiple results before they are sent to Alice. For completeness, Alice can just reveal the boundary positions, \(pos_0\) and \(pos_{n+1}\). In ES-SPH-PSM, we achieve orders of magnitude efficiency improvement with the same security and privacy guarantees.

5.4 Flexible, Efficient, and Secure SPH-PSM (FES-SPH-PSM)

Genomic tests whose nature is known (e.g., immunity) often operate on a small range of the genome and may be public. This allows efficiency gains by querying only the mutations located in that small range. Our proposed techniques in Section 4 can be applied as in ES-SPH-PSM to preserve security goals for Alice’s genome with adjustable privacy for the pattern. To keep the pattern’s privacy (size- and position-hiding properties), a wider range including the required range can be used. The offline phase of the FES-SPH-PSM protocol is the same as the one of ES-SPH-PSM, so presented in Figure 5, and the online phase is in Figure 7. The two main differences are (1) \(T\) now queries a range, and (2) Alice provides encrypted mutations only in that range with NIZKRP proofs for boundary values.

Fig. 7.

View Figure

Tables 4 and 5 show the computation and communication costs of each SPH-PSM variant.

Table 4.

View Table

Table 4. Operation Complexity of Each SPH-PSM Variant

Table 5.

View Table

Table 5. Data Transfer Complexity of Each SPH-PSM Variant

5.5 Discussion

Different Test Result Learner. One may question the need for security in SPH-PSM since Alice learns the test result. From a legal point of view, genomic data, as well as the result, have to be authentic. To support such cases, SPH-PSM can be updated as follows: Alice’s role in the protocol can be divided into two: genome owner (Alice) and test requester (e.g., court). Now, when \(SL\) encrypts the mutations, it uses the public key of the latter. The rest of the protocol remains the same, but \(T\) sends the encrypted result to the court, not to Alice. As a result, the court gets only the (correct) Boolean result for the test, and also Alice keeps her privacy by not revealing the whole genomic data either to \(T\) or to the court.

Genomic Similarity Testing. In genomic tests, sometimes not an exact match but a similarity score needs to be calculated (e.g., some paternity tests). S-SPH-PSM in Section 5.2 can be modified to support such tests by simply not aggregating the result in one ciphertext. Specifically, consider two input genomes for the similarity test and one of the parties (Alice) learns the result. In this case, both parties encrypt their genomes under Alice’s public key and send it to \(T\), which homomorphically adds received ciphertexts for each position, shuffles the order, and sends the shuffled list to Alice. Alice checks for similarity by decrypting each entry and counting the number of decrypted zeros.

6.1 Genomic Range Query Protocol

For \(SL\)’s signatures, we use the Elliptic Curve Digital Signature Algorithm (ECDSA) with elliptic curve secp256r1, as its signatures are relatively short (512-bit), compared to other schemes with the same security level (256 bits). For commitments, we use the Fujisaki-Okamoto (FO) commitment scheme [44] that allows us to create Boudot’s range proofs [24]. Parameters used for these commitments are \(s=552\), and, for range proofs, \(t=128\), \(l=40\). For mutation commitments, we use a secure cryptographic hash function, SHA2-256 [12], with 128-bit salts. A tuple is computed as (2) \(\begin{equation} [\; FO(pos_i, s_{i,1}), SHA2(m_i, s_{i,2}), FO(pos_{i+1}, s_{i+1,1}), SHA2(m_{i+1}, s_{i+1,2})) \;] \end{equation}\) with randomly generated salts \(s_{i,1}\) in \(Z_{\mathcal {N}}^*\), where \(\mathcal {N}\) is a composite number with two 512-bit prime factors, and 128-bit salts \(s_{i,2}\) for \(SHA2\).

To implement the commitments and range proofs, we used the code from [10]. We also used the Bouncy Castle [5] crypto library for cryptographic primitives, e.g., hash functions and signatures, and Java’s SecureRandom class [7] for generating salts. The code for offline and online phases was written in Java and was evaluated on a PC with an Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz chip and 16GB of RAM.

6.2 SPH-PSM Variants

For the SPH-PSM variants, we use Pedersen commitments [71], the additively homomorphic variant of ElGamal [41] (AH-ElGamal), and Bulletproofs [27] for the NIZKRP in FES-SPH-PSM. The structures of a tuple for ES-SPH-PSM and FES-SPH-PSM are similar to the tuple (2) in Section 6.1 of the secure range query protocol, except \(FO\) is replaced with Pedersen commitments, while \(SHA2\) commitments are replaced with encrypted bases. The same ECDSA setting is used for \(SL\)’s signatures as in the previous section.

Our codebase is in Golang [3], evaluated on a server with 64 Intel(R) Xeon(R) CPUs E5-4610 v2 @ 2.30GHz and 128GB of RAM. We modified the official Golang implementation for ElGamal to implement an AH-ElGamal. As in the previous section, we use the official Golang crypto library for SHA256 and ECDSA with the curve secp256r1 for hashing and digital signatures, respectively; we also use the range proof code from [10].

7.1 Synthetic Genomic Data Generation

For the experiments, we generated synthetic genomic data with \(3\cdot 10^9\) bases for the whole genome and \(3\cdot 10^6\) bases for SNP representations. Each base pair is structured with a 32-bit integer to represent its position and an 8-bit integer for a combination of two base letters. Eight-bit integers are defined with alphabetical order of combinations, i.e., 0 = “AA,” 1 = “AC,”\(\ldots ,\) 15 = “TT.” For the evaluation of Section 7.2, we used a single type of SNP (“AA”) since our measurements do not depend on the specific SNP type. For SPH-PSM variants, we generated necessary genomic files before each experiment and let each experiment read the required files during the evaluation. To generate a synthetic genomic file, we input the total size of the data n; starting and ending positions, s and e, of the pattern; and a Boolean variable isSNP to check if it is for SNP representation or the whole genome representation. Note that which base letters are used does not affect the evaluation result. For simplicity, we generate bases with “AA” for all other positions and bases with “TT” for the positions in [s,e]. For \(T\)’s pattern (marked with n = 0), we generate bases with “TT” for the positions in the range [s,e]. If isSNP is True, we generate bases for every 1,000 positions, whereas we generate bases for all integers if it is False.

7.2 Secure Genomic Range Queries

We used \(3\cdot 10^6\) SNPs for the experiment. The entire offline phase, including commitments and signature generations, took 4.2 hours on the aforementioned platform. We note that this process can be easily parallelized. Times for individual operations are:

• Fujisaki-Okamoto commitment: 3.5 ms

• Boudot’s range proof: 47.7 ms for proof generation and 37 ms for validation

• SHA2 commitment: 0.3 ms (including salt creation) and 0.1 ms for validation

Salts can be alternatively (re-)generated using a seed and a Pseudorandom number generator (PRNG), or HKDF [54], a simple key derivation function based on HMAC [20], to reduce the storage cost. Verification cost incurred by \(T\) scales linearly with the number of SNPs in \(Q\), while verification cost of the range proof is dominated by signature verification, as shown in Figure 8.

Fig. 8.

View Figure

7.3 SPH-PSM Variants

To assess the computational efficiency of AH-ElGamal, we first compared it to Paillier [69], a well-known additive PHE scheme, using its popular implementation [6]. Figure 9 shows the comparison of AH-ElGamal and Paillier for each operation. Since we do not use the full decryption operation and only check if a ciphertext is encryption of zero, results show that AH-ElGamal is significantly more efficient for all operations used in SPH-PSM variants. Thus, we use AH-ElGamal for a homomorphic encryption scheme in the rest of the evaluation.

Fig. 9.

View Figure

For individual operations, computation times averaged over 10 executions were as follows:

• Salt Generation: 2.7 \(\mu\)s

• Hash Computations: 4.8 \(\mu\)s for \(H(pos_i, l_i)\), 3.9 \(\mu\)s for \(h2 := H(pos_i, e_i)\), and 10.4 \(\mu\)s for \(h3 := H(Tup_i)\)

• Digital Signature Generation: 91.1 \(\mu\)s for \(sig1 := Sign(h2)\) and 70.2 \(\mu\)s for \(sig2 := Sign(h3)\)

• Digital Signature Verification: 171.4 \(\mu\)s for \(Verify(sig1)\) and 157.6 \(\mu\)s for \(Verify(sig2)\)

• Commitment Generation: 511.5 \(\mu\)s

• Range Proof (for FES-SPH-PSM): Bulletproofs [27]: 262.2 ms for proof generation and 168.0 ms for validation Signature-based [28]: 1,324.6 ms for proof generation and 1,299.4 ms for validation

We use the most efficient range proof scheme, Bulletproofs, for NIZKRP in the rest of the evaluation.

Next, we measured the effects of the optimization described in Section 5.3 for both ES-PSH-PSM and FES-SPH-PSM. We used \(10^8\) bases for Alice’s genome and \(10^7\) bases for \(T\)’s pattern. Figure 10 shows that it lowers test completion times drastically, which confirms that even complex tests can be performed fast using this optimization. It also shows that FES-SPH-PSM is much more efficient than ES-SPH-PSM, i.e., when the location of the test pattern is public.

Fig. 10.

View Figure

To measure the overhead of adding security to SPH-PSM, we compared computation costs of SPH-PSM and S-SPH-PSM. We implemented the algorithm from [37] in GoLang and compared the cost for offline phases. We compared only the offline phases because the online phases are almost the same and the only difference—signature verifications—depends on the pattern size, which is relatively small to the whole genome size. Since these signing operations are independent, we use multi-threading to parallelize them and reduce delay. Results in Figure 11 show that the overhead of adding security is negligible compared to the cost of homomorphic encryption operations for the whole genome.

Fig. 11.

View Figure

For the online phase, we vary the number of markers and use the whole genome. Figure 12 shows the results: test completion time for S-SPH-PSM grows linearly with the number of markers in Alice’s genome compared to SPH-PSM. This is because \(T\) verifies signatures within the range of its markers. ES-SPH-PSM and FES-SPH-PSM benefit from the optimization and their runtimes are comparable to that of SPH-PSM, even though they add security and reduce data transfer by three orders of magnitude.

Fig. 12.

View Figure

To show that proposed constructs can be parallelized, we implemented multi-threading for offline and online phases of SPH-PSM variants. We believe that this is reasonable as a consumer-facing sequencing lab would be equipped with high-end storage and computing devices capable of handling massive amounts of genomic data. Figure 13 shows a comparison between single-threading and multi-threading with the increasing number of bases for S-SPH-PSM and ES-SPH-PSM. Since each signature generation and verification are independent, parallelization greatly lowers the computation time. Specifically, S-SPH-PSM offline and online phases using multi-threading are 32 and 12 times faster, respectively, compared to using a single thread. Similarly, the offline phase of ES-SPH-PSM is 32 times faster using multi-threading with over \(10^7\) bases. In contrast, multi-threading only slightly improves the online phase of ES-SPH-PSM, since signature verification is the only operation that can be parallelized.

Fig. 13.

View Figure

8.1 Secure and Private Range Queries over Sparse Integers

Let \(\mathcal {D}\) be a domain set of consecutive integers from \(A\) to \(B\), i.e., \(\mathcal {D}=[A,B] \subseteq \mathbb {Z}\), for some \(A,B \in \mathbb {Z}\). Though there are many ways to mathematically define a sparse set [22, 59, 80], informally, we call a subset \(\mathcal {X}\) of a set \(\mathcal {D}\) sparse if \(\frac{|\mathcal {X}|}{|\mathcal {D}|}\) is small. Note that our approach also works for the improper subset \(\mathcal {X}\), i.e., when \(\mathcal {X}=\mathcal {D}\); however, it is more meaningful in terms of privacy if the subset \(\mathcal {X}\) is sparse in \(\mathcal {D}\).

We assume Alice and Bob act as a replier and a querier, respectively. Alice has a sparse subset \(\mathcal {X}\) of \(\mathcal {D}=[A,B]\), with \(n\) integers, and Bob has a range query \(Q=[a,b]\) such that \(A \le a \le b \le B\) to receive all integers in \(\mathcal {X} \cap Q\); i.e., if Alice’s sparse set is \(\mathcal {X} = \lbrace x_1, x_2, \ldots , x_n\rbrace\), then Bob wants to receive all \(x_i\)s such that \(a \le x_i \le b\).

Security goals are the same as in Section 3: authenticity, completeness, and privacy:

8.2 Construction and Its Security

We now describe a concrete construction that meets our stated goals. We assume a trusted offline authority called \(Auth\) (as \(SL\) in Section 4) that facilitates trust among the protocol participants. The offline phase is for \(Auth\) to authorize Alices’s sparse integer set \(\mathcal {X}\) and the online phase where Alice and Bob interact is for Bob to get integers in \(\mathcal {X} \cap Q\). Similar to Section 4, \(Auth\) first chooses two additional integers outside of \(\mathcal {D}\) to indicate the boundaries and random salts for commitments. It then commits each element in \(\mathcal {X}\), makes adjacent commitments in a tuple, and signs those tuples. Since only one commitment is required for each element, the overall size of salts being sent is halved. In the online phase, Alice chooses the elements in \(Q\) and computes two commitments for the sentinel values outside of \(Q\) and the two range proofs for them. Bob’s computation cost is also reduced since the number of commitments is halved. As shown in Figure 14, NIZKRP steps for checking \(x_{k} \lt a\) and \(x_{k+j+1} \gt b\) show that any integers (other than the returned ones) are out of range, as integers are sorted before they are committed. Detailed offline and online phases are described in Figures 15 and 16, respectively. We now give a proof sketch of security and privacy for the proposed construction:

Fig. 14.

View Figure

Fig. 15.

View Figure

Fig. 16.

View Figure

9.1 Genomic Privacy

Several recent survey papers [18, 23, 64, 76] overview recent advances in genomic privacy. In this section, we list the techniques used in this domain and their related work. Secure multi-party computation (MPC) allows two or more parties to jointly compute a function on their private inputs without revealing any information, other than the output of the function. For example, [51] utilizes oblivious transfer (OT) and oblivious circuit evaluation to compute the edit distance and Smith-Waterman similarity score to measure the similarity between two DNA sequences. [19] uses a variant of Private Set Intersection (PSI), PSI Cardinality, which reveals only the size of the intersection over two input sets, for paternity tests by observing the sizes of DNA fragments cut by restricting enzymes. It also shows how to use Authorized PSI for personalized medicine, where an authority authorizes the markers to be checked in the DNA. [36] uses an Android smartphone to store encrypted genomic data and PSI techniques to provide results of personal medicine, paternity, and ancestry tests using the smartphone as the end-user computation device. [81] utilizes secret-sharing-based MPC techniques to compute minor allele frequencies (MAFs) and chi-squared statistics in the context of Genome-Wide Association Study computation and the Hamming distance between two genomic datasets. To improve the efficiency of edit distance computation, [78] approximates the edit distance by compressing genome sequences to sets and privately computing the set difference size (or the threshold of the set difference size) using garbled circuit and OT techniques.

Homomorphic Encryption (HE) is another popular tool for privacy in genomic tests. For example, [14] uses so-called Partial HE (see Section 2.4) and dynamic programming techniques to compute the edit distance of two DNA sequences without revealing their sequences to each other, which is later improved in [15]. Subsequently, [31] suggests a way to compute the edit distance on encrypted genomic data using Somewhat HE (see Section 2.4). [52] constructs a secure genomic data query architecture with third parties, where one party stores and computes encrypted genomic data—e.g., storage and processing unit (SPU)—while the other party manages the keys used to encrypt and decrypt genomic data. It uses the additively homomorphic property of the Paillier [69] cryptosystem to secure count query. Similarly, [16] suggests an architecture for disease susceptibility tests, with a third-party SPU. This technique utilizes Paillier Partial HE and proxy re-encryption [21] so that only the two parties who receive the partial secret keys from the patient can participate in the test; i.e., SPU homomorphically computes the test on the encrypted DNA and partially decrypts the result, such that the medical center can obtain the final result by partial decryption of the message received from SPU. These ideas are further refined in [17] and [35], which showed that [17] can be more efficiently implemented by using additively homomorphic Elliptic Curve-based ElGamal and simpler encoding method of genomic data. [72] presents a method to search encrypted biomedical data stored in the server using Bloom filters and HE, so that the user can perform the search query to the server. [55] uses a ring-based FHE scheme [60] to encrypt genomic data and demonstrates common genomic computations over encrypted data, e.g., Pearson Goodness-of-Fit test, the \(D^{\prime }\) and \(r^2\) measures of linkage disequilibrium, the Estimation Maximization (EM) algorithm for haplotyping, and the Cochran-Armitage Test for Trend. [82] and [77] also assume encrypted genomic data with an FHE [47] on an untrusted public cloud. [82] focuses on the chi-square statistics and proposes two protocols for secure division operation, while [77] suggests a framework for estimating the P-value of exact logistic regression parameters over encrypted data. [48] shows how to construct an index tree of the genomic data and send the index tree to the cloud server after encryption with Paillier; the server then traverses the encrypted tree according to the encrypted query from a query initiator using secure function evaluation via an interactive protocol using Yao’s garbled circuits [79].

9.2 Range Query Security

Range query completeness was explored in the context of outsourced databases where the data owner assigns query handling to a cloud-based data publisher. The latter, if malicious, can reply to a range query with incomplete and/or fake results. To counter such misbehavior, [50] focused on minimizing privacy leakages on data attributes using data partitioning algorithms that are aware of the distribution of query ranges. [70] developed methods based on continual linking of elements and collision-resistant hash functions to prevent malicious actions. [56] used Merkle hash and B\(^+\) trees, as well as aggregated signatures, to provide authenticity and integrity (with less strict privacy requirements than [70]) and improve efficiency in the dynamic database case.

Other cryptographic range query techniques incorporated so-called range proofs. Early examples of range proofs include [26, 30, 62]. [62] uses the bit-length of the committed value to prove that the number is in the range \([0, 2^k-1],\) where \(k\) is the number of bits in that committed value. [26] only proves that the committed value lies in a wider range: \([-a, 2a]\), instead of \([0, a]\). [30] convinces a verifier that the committed value lies in a range with the expansion rate of \(2^{t+l+1}\), where \(t\) and \(l\) are security parameters. [24] proposes two efficient protocols for proving that the committed value that is in \([a, b]\) lies in \([a - \theta , b + \theta ],\) where \(\theta = 2^{t + l + 1}\sqrt {b - a}\) and \(t\) and \(l\) are security parameters. The second protocol (that uses Fujisaki-Okamoto commitments [44]) is the one we used in this article; it has the expansion rate of 1. [28] proposes range proofs based on set membership protocols by extending the \(u\)-ary notation and proving that the secret \(z \in [0, u^l-1]\).