toward a practical data privacy scheme for a distributed implementation of the smith- waterman...
DESCRIPTION
Examples –Finding Martians –Protein folding GIMPS (Entropia) –Mersenne Prime search United Devices, IBM, DOD: Smallpox study DNA sequencing Graphics Exhaustive Regression Genetic Algorithms Data Mining Monte Carlo simulationTRANSCRIPT
Toward a Practical Data Privacy Scheme for a
Distributed Implementation of the Smith-Waterman
Genome Sequence Comparison Algorithm
Doug SzajdaMike Pohl*
Jason OwenBarry Lawson
1
Large-Scale Distributed Computations
• Easily parallelizable, compute intensive
• Divide into independent tasks to be executed on participant PCs
• Significant results collected by supervisor
2
Examples• seti@home
– Finding Martians• folding@home
– Protein folding• GIMPS (Entropia)
– Mersenne Prime search• United Devices, IBM,
DOD: Smallpox study
• DNA sequencing• Graphics• Exhaustive
Regression• Genetic Algorithms• Data Mining• Monte Carlo
simulation
A Problem• Code is executing in untrusted
environments– Data required for task execution may
be proprietary– Can we find a way to have participants
execute tasks without divulging data?
Related Work (not exhaustive)
• Computing with Encrypted Data– Feigenbaum (1985)– Abadi, Feigenbaum, Killian (1987)
• Secure Circuit Evaluation – Abadi and Feigenbaum (1990)– Sander, Young, and Yung (1999)
Related Work (not exhaustive)
• Privacy Homomorphisms – Rivest, Adleman, Dertouzos (1978)– Ahituv, Lapid, Neumann (1987)– Brickell and Yacobi (1987)
• Multiparty function computation– Yao (1986)– Goldreich, Micali, Wigderson (1987)– Ben-Or, Goldwasser, and Wigderson (1988)– Chaum, Crepeau, and Damgard (1988)
Computing With Encrypted Data
• Alice has x, wants Bob to compute f(x), but does not want to divulge x
• Alice gives Bob E(x) and f’, tells him to return f’(E(x))
• Alice can determine f(x) from f’(E(x)), but Bob cannot determine x from knowledge of E(x), f’(E(x))
In Present Context• Alice has several x values. Asks Bob to
identify those that are significant– Alice doesn’t need f(x), so greater flexibility
in definition of f’ (Sufficient Accuracy)– Post-filtering means that some false
positives are OK.• Lots of Bobs offering computing
services
Adversary (as usual)
• Assumed to be intelligent– Can decompile, analyze, modify code– Understands task algorithms and
measures used to prevent disclosure of data
The Model
• Computation: evaluate f : D -> R• Partition D into subsets Di
• Task T(Di): evaluate f(xi) for all xi in Di
• Each task assigned filter function Gi
– Gi returns indices of interesting xi
Basic Approach• Transform Di, f, Gi into Di’, f’, Gi’• Replace T(Di) with T(Di’) such that
– T(Di’) does not leak additional information about values in Di
– Identifiers returned by T(Di’) contains those that would be returned by T(Di)
– Difference is reasonably small
Reality• Providing required properties is
difficult (impossible for some apps)• Even when possible,
implementation is application specific
• Bottom line: A potential approach, where few (if any) others exist
An Example: Smith-Waterman Genome
Sequence Comparison
Genetic Sequence Alignment
• Comparing sequences over alphabet ∑={A,C,G,T}
• Biologists track evolutionary changes by writing sequences with columns aligned (called an alignment)
• Ex. CTGTTA CAGTTA
Sequence Evolution• Deletion: CTGTTA CTGTA• Insertion: CTGTTA CGTGTTA• Substitution: CTGTTA CAGTTA
indels
Sequence Evolution (cont.)• After several “generations”: CTGTTA CTATGCTCG
• Note: Number of alignments (for pair of realistic length sequences) is huge
Alignment “Types”• Global alignment
– Considers entire sequence• Local alignment
– Considers substrings– Biologists usually consider local
alignments
Measuring Alignments• Scoring function
– +1 if symbols match– -1 if not
• Gap penalty– g(k) = a + b(k-1)– k is gap length (# consecutive dashes in
single sequence)• Alignment score is sum of column
scores minus gap penalties
Smith-Waterman• Dynamic programming algorithm
guaranteed to produce an optimal alignment– Global: O(n2); local: O(n3)
• Widely used by biologists• Implemented on commercial volunteer
distributed computing platforms
Using Smith-Waterman• Significance of Smith-Waterman score
based on probabilistic considerations• Empirical Evidence: Similarity scores of
randomly generated sequences exhibit an extreme value distribution
• Significance threshold p chosen so that probability random score > p is small (typically <0.003)
A Smith-Waterman Task• Pairwise comparison of two sets of
sequences, A and B– A : proprietary sequences– B : sequences from public database
• Returned: indices of well-matched pairs
• Notation: T(A,B,s,g,p)
Our Transformation• Offset sequences: compare relative
distances b/w specific nucleotide • U: GCACTTACGCCCTTACGACG
– F(U,A) = {3,4,8,3}– F(U,C) = {2,2,4,2,1,1,4,3}– F(U,G) = {1,8,8,3}– F(U,T) = {5,1,7,1}
Modified Tasks• U: GCACTTACGCCCTTACGACG
F(U,C) = {2,2,4,2,1,1,4,3}• V: GCACTCGCCACTTAGCACG
F(V,C) = {2,2,2,2,1,2,5,2}
• Apply S-W to F(U,C) and F(V,C)– Scoring function, gap penalty– “Goodness” threshold
Intuition• Similar sequences should have similar
offsets– Consider effects of indels, substitutions
• False positives can be reduced– Consider multiple nucleotides
• I.e., assign A and C info to distinct participants– Good match if both tasks indicate
significance
Using Multiple Nucleotide Literals
• Maximum method– One task for each of A,C,G,T – Result significant if any of the four says so
• Adding method– One task for each of A,C,G,T, results passed
to fifth participant – Result significant if sum of four scores
indicates significance• Costs reduced in either case
Security?
Recall…1. T(Di’) does not leak additional
information about values in Di2. Identifiers returned by T(Di’)
contains those that would be returned by T(Di)
3. Difference is reasonably small
Data Privacy?• Property 1 fails: adversary will know all
info about a single nucleotide literal• Conditional entropy gives rough estimate
of amount of information leaked– Bits leaked: 2N - (N - C∂ ) log 3
• C∂ is # of occurrences of ∂ in sequence– Ex. N = 600, C∂ = N/4 487 bits (of 1200)
leaked (713 bits of uncertainty remain)
Analysis• Clearly, our scheme does not provide
provable security, but it does suggest two questions:
1. Can an adversary determine additional symbols (and if so, how many)?
2. How much information leakage is too much in this context?
“4 out of 5 [Biologists] Agree”
• Given only the position of a single nucleotide literal:
1. No additional elements can be inferred
2. There is no “biologically useful” information that can be inferred
• Given current understanding of the structure and function of the genome
An Extension• Sequences can be “masked”
– For each task, choose random binary mask
– Remove from sequence all “zeroed” elements
• Our experiments suggest mask with “1” in 90% of positions works well
Does it Work?• In general, yes
– Strong correlation between our scores and S-W
– Not as sensitive as Smith-Waterman• Some weak matches missed
• Statistical inference techniques show:– Very few false positives ( < 10-4)– Very few false negatives (often none)
Simulation Results• Well-matched sequences artificially
generated– Substring mutated over several generations– Placed at random location into random
sequences• Scoring function as given earlier (1, -1)• Gap penalty: g(k) = 2 + 1(k-1)
• 10000 comp, no mask, maximum method for determining significance
• Sequence length 600-800, matching portion length 300, average of 52.5 subs and 52.5 indels
• 10000 comp, no mask, adding method for determining significance
• Sequence length 600-800, matching portion length 300, average of 52.5 subs and 52.5 indels
• 1000 comp, no mask, maximum method for determining significance
• Sequence length 2000, matching portion length 1000, average of 150 subs and 150 indels
• 1000 comp, 90% mask, maximum method for determining significance
• Sequence length 1000-1300, matching portion length 500, average of 86.25 subs and 86.25 indels
Conclusions• Introduced notion of sufficient accuracy• Presented a strategy for enhancing data
privacy in important real-world application
• Present important real-world app that requires privacy and is efficiently parallelizable– These are relatively rare– Potential first entry for benchmark suite of
apps for privacy study
In the Future• Solution is less than ideal
– Lack of formal privacy model / provable security– Need more testing on real genetic data
• But it’s a start– General problem is difficult, this is a potential
avenue of attack– Smith-Waterman requires more careful study in
this context • Application behavior vs. application configurations