How Much Does GenoGuard Really "Guard"? An Empirical Analysis of Long-Term Security for Genomic Data

08/29/2019 ∙ by Bristena Oprisanu, et al. ∙ UCL 0

Due to its hereditary nature, genomic data is not only linked to its owner but to that of close relatives as well. As a result, its sensitivity does not really degrade over time; in fact, the relevance of a genomic sequence is likely to be longer than the security provided by encryption. This prompts the need for specialized techniques providing long-term security for genomic data, yet the only available tool for this purpose is GenoGuard (Huang et al., 2015). By relying on Honey Encryption, GenoGuard is secure against an adversary that can brute force all possible keys; i.e., whenever an attacker tries to decrypt using an incorrect password, she will obtain an incorrect but plausible looking decoy sequence. In this paper, we set to analyze the real-world security guarantees provided by GenoGuard; specifically, assess how much more information does access to a ciphertext encrypted using GenoGuard yield, compared to one that was not. Overall, we find that, if the adversary has access to side information in the form of partial information from the target sequence, the use of GenoGuard does appreciably increase her power in determining the rest of the sequence. We show that, in the case of a sequence encrypted using an easily guessable (low-entropy) password, the adversary is able to rule out most decoy sequences, and obtain the target sequence with just 2.5% of it available as side information. In the case of a harder-to-guess (high-entropy) password, we show that the adversary still obtains, on average, better accuracy in guessing the rest of the target sequences than using state-of-the-art genomic sequence inference methods, obtaining up to 15



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Over the past two decades, the cost of sequencing the human genome – i.e., determining a person’s complete DNA sequence – has plummeted from millions to thousands of dollars, and continues to drop (genome2017org, ). As a result, sequencing has not only become routine in biology and biomedics research, but is also increasingly used in clinical contexts, with treatments tailored to the patient’s genetic makeup (ashley2016towards, ). At the same time, the “direct-to-consumer” genetic testing market is booming (adoption, ) with companies like 23andMe and AncestryDNA attracting millions of customers, and providing them with easy access to reports on their ancestry or genetic predisposition to health-related conditions. Progress and investments in genomics have also enabled public initiatives to gather genomic data for research purposes. For instance, in 2015, the US launched the “All of Us” program (allofus2017, ), which aims to sequence one million people, while, in the UK, Genomics England is sequencing the genomes of 100,000 patients with rare diseases or cancer (genomicsengland, ).

Alas, as more and more genomic data is generated, collected, and shared, serious privacy, security, and ethical concerns also become increasingly relevant. The genome contains very sensitive information related to, e.g., ethnic heritage, disease predispositions, and other phenotypic traits (ayday2013chills, ). Furthermore, even though most published genomes have been anonymized, previous work has shown that anonymization does not provide an effective safeguard for genomic data (gymrek_identifying_2013, ). While some individuals choose to donate their genome to science, or even publicly share it (pgp, ), others might be concerned about their privacy, or fear discrimination by employers, government agencies, insurance providers, etc. (burns_gop_nodate, ).

Worse yet, consequences of genomic data disclosure are not limited in time or to the data owner: due to its hereditary nature, access to one’s sequenced genome inherently implies access to many features that are relevant to their progeny and their close relatives. A case in point is the story of Henrietta Lacks, a patient who died of cancer in 1951. Some of her cancerous cells revealed to be useful for research because of their ability to keep on dividing. Unbeknownst to her family, the cells became the most commonly used “immortal cell line,” and their genome was eventually sequenced and published (landry2013genomic, ). This prompted serious privacy concerns among her family members, even 60 years later (callaway2013hela, ).

Motivated by these challenges, the research community has produced a large body of work aiming to protect genomic privacy and enable privacy-preserving sharing and testing of human genomes (sok, ). Available solutions mostly rely on cryptographic tools, including encryption as well as Secure Computation, Homomorphic Encryption, Oblivious RAM, etc. (aziz2017privacy, ). However, modern encryption algorithms provide security guarantees only against computationally bounded adversary; essentially, their security is assumed to last for 30 to 50 years (enisa, ). While this timeframe is acceptable for most uses of encryption, it is not for genomic data.

To address the problem of “long-term security,” Huang et al. (huang_genoguard:_2015, ) introduce GenoGuard, a tool based on Honey Encryption (HE) (HE2, ) to provide confidentiality of genomic data even in the presence of an adversary who can brute force all possible encryption keys. GenoGuard uses a distribution transforming encoder (DTE) together with symmetric (password-based) encryption. In essence, whenever an attacker would try to decrypt a GenoGuard ciphertext using a wrong password, the decryption will give a wrong but plausible looking plaintext, which we denote as a honey sequence.

HE schemes based on DTE-then-encrypt constructions (as is the case for GenoGuard) only provide security in the message recovery context. That is, having access to the ciphertext only gives an unbounded adversary a negligible advantage in guessing the correct plaintext. However, as first discussed by Jaeger et al. (jaeger2016honey, ), ciphertexts obtained from DTE-then-encrypt HE might still leak a significant amount of information about the plaintexts.

Technical Roadmap. We evaluate GenoGuard security by analyzing ciphertexts obtained using easily guessable (low-entropy) passwords as well as hard (high-entropy) ones. In other words, in both cases, we decrypt a GenoGuard ciphertext using a corpus of passwords and analyze the resulting decryptions (honey sequences). In the low-entropy setting, we consider an adversary who aims to identify the correct sequence among a pool of honey sequences, whereas, in the high-entropy case, one that uses the GenoGuard ciphertext in order to obtain more information about the target sequence as opposed to inference methods for genomic data.

In our experimental evaluation, we show that, under a low-entropy password setting, an adversary who has access to side information about the target sequence can quickly eliminate the decoy sequences in order to have an increased advantage of guessing the correct sequence. This draws attention to the fact that if the attacker obtains a list of known passwords for a user (as passwords are often compromised and/or re-used), together with some side information about the user’s sequence, she can have a significant advantage in guessing the correct sequence.

In the high-entropy setting, not only we observe that access to the GenoGuard ciphertext improves an adversary’s accuracy in guessing SNVs from a target sequence when 10% or less of the target sequence is available to her as side information, but also draws attention to the fact that with enough side information, the adversary can predict a significant part of the target genome just by using state of the art inference methods for genomic sequences.

Contributions. In summary, our paper makes two main contributions. First, under a low-entropy password setting, we formally show that, if the adversary obtains side information about the target sequence, there is a significant lower bound in her advantage. This highlights that the system offers low security when the adversary has access to side information, as supported by empirical evidence. Second, in the high-entropy password setting, we quantify the privacy loss for a user as a result of using GenoGuard, compared to the best inference methods for genomic data; once again, showing that that it is non-negligible.

Paper Organization. The rest of the paper is organized as follows. The next section reviews notions used throughout the paper, then, in Section 3, we introduce GenoGuard. Section 4 presents our evaluation methodology for low and high-entropy settings, while Section 5 reports our experimental results. Finally, after reviewing related work in Section 6, the paper concludes in Section 7.

2. Preliminaries

This section provides some relevant background information used throughout the paper.

2.1. Genomics Primer

Genome. In the nucleus of an organism’s cell, double stranded deoxyribonucleic acid (DNA) molecules are packaged into thread-like structures called chromosomes. DNA molecules consist of two long and complementary polymer chains of four units called nucleotides, described with the letters A, C, G, and T. All chromosomes together make up the genome, which represents the entirety of the organism’s hereditary information; in humans, the genome includes 3.2 billion nucleotides. A gene is a particular region of the genome that contain the information to produce functional molecules, in particular proteins. For instance, the BRCA2 (yoshida_role_2004, ) is a human tumor suppressor gene (it encodes a protein responsible for repairing the DNA), and a mutation in that gene increases significantly the risk for breast cancer (friedenson2007brca1, ). Alleles are the different versions of genes, as organisms inherit two alleles for each gene, one from each parent. The set of genes is also called the genotype. Finally, the haplotype is a group of alleles in an organisms that are inherited together from a single parent (clarke_disentangling_2005, ).

SNPs and SNVs. Humans share about 99.5% of the genome, while the rest differs due to genetic variations. The most common type of variants are Single Nucleotide Polymorphisms (SNPs) (reference_what_nodate, ), which occur at a single position and in at least 1% of the population. More generally, variants at specific positions of a genome are referred to as Single-Nucleotide Variants (SNVs); they may be due to SNPs, to rare variants in the population, or to new mutations. Typically, SNPs and SNVs are encoded with a value in , with denoting the most common variant (allele) in the population, and and denoting alternative alleles.

Allele Frequency (AF). The frequency of an allele at a certain position in a given population is known as Allele Frequency (AF). More specifically, it is the ratio of the number of times the allele appears in the population over the total number of copies of the gene. In a nutshell, it shows the genetic diversity of a species’ population.

Linkage Disequilibrium (LD). LD refers to the non-random association of alleles at two or more positions in the general population, defined as the difference between the frequency of a particular combination of alleles at different positions and the one expected by random association.

Recombination Rate (RR).

The process of determining the frequency with which characteristics are inherited together is known as recombination. This is due to two chromosomes of similar composition coming together and performing a molecular crossover, thus, exchanging the genetic content. Because recombination can occur with small probability at any location along the chromosome, the frequency of recombination between two locations depends on the distance separating them. Therefore, for genes sufficiently distant on the same chromosome, the amount of crossover is high enough to destroy the correlation between alleles 

(li_modeling_2003, ). The recombination rate (RR), as defined in (philips__nodate, ), is the probability that a transmitted haplotype constitutes a new combination of alleles different from that of either parental haplotype. An example of how a haplotype is created by copying parts from the other haplotypes is illustrated in Figure 1.

Figure 1. An example of a haplotype, , built as an imperfect mosaic from . is created by (imperfectly) “copying” parts from , and . Each column of circles represents a SNP locus, with the black and white circles denoting the two alleles – major and minor. (Adapted from (li_modeling_2003, )).

2.2. Markov Chains

A Markov chain is a probabilistic model encoding a sequence of possible events: the probability of each one of them depends only on the state attained in the previous event 

(MarCha, ).

In the context of genomes, a Markov chain can represent a series of SNVs ordered by their positions. In particular, a -th order Markov chain, on genome sequences, can be used to encode a set of SNVs, where the value of each SNV depends on the values of the preceding ones:


2.3. SNV Correlation Modeling

In order to model correlations between SNVs, and perform sequence inference (i.e. predicting the values of SNVs from a sequence), one can use a few different approaches (for more details on various SNV correlations, please refer to (samani_quantifying_2015, )). We choose three models; see next.

Most likely genotype. First, we use a model based on the 1st order Markov chain model from AF and LD. Given allele frequencies (AF) and linkage disequilibrium (LD), we predict each SNV using the highest conditional probability of the SNV occurring. For each SNV, the joint probability matrix is computed taking into consideration the LD with previous one and the AF. If a SNV is not in LD with the previous one, the probability is computed using only the allele frequency. When this model is used for inference, the highest value from the joint probability matrix or the highest probability given by the AF is chosen to predict the specific SNV.

Sampled genotype. The second model is built from the 1st order Markov chain model from AF and LD. For this model, the conditional probabilities are computed in a similar way as in the most likely genotype model. The main difference is in the choice of the value of the SNV, given the three computed probabilities for major homozygous , heterozygous , and minor homozygous allele . A seed is chosen uniformly at random from the interval . If , then choose the SNV to be major homozygous; if , then the SNV is heterozygous; and minor homozygous otherwise.

RR Model. This is a high-order correlation model that relates LD patterns to the underlying recombination rate (Li2213, ). Given a set of sampled haplotypes, , the model relates their distribution to the underlying recombination rate. Given the recombination parameter, , we have:


We use this model to determine the value of a SNP at a given position. At each SNP, is a possibly imperfect copy of one of . Let denote which haplotype is copied at a position . For instance, in the example presented in Figure 1, for , we have . For a generic , each can be modeled as a Markov chain on . Assuming that one part of comes from , the next adjacent part can be copied from any of the haplotypes, and the probability depends on the recombination rates between these two parts. Overall, the probability of a particular haploid genotype can be computed as the sum over all possible event sequences of recombination and mutation that could lead to . Let denote the allele found at position in haplotype , and denote the values of the first positions of haplotype (i.e. the prefix sequence of ). Then, we can compute the conditional probability of an allele , given all preceding alleles as:


2.4. Honey Encryption

Honey Encryption (HE) (HE2, ) is a cryptographic primitive used to provide confidentiality guarantees in the presence of possible brute-force attacks. It is a variant of Password-based Encryption (PBE), in that it also uses an arbitrary string (password) to perform randomized encryption of a plaintext. Its main property is that all decryptions of a ciphertext will yield a plausible-looking plaintext, which is thus indistinguishable from the correct one.

The main building block of HE is the Distribution-Transforming Encoder (DTE). A DTE is a randomized encoding scheme (encode,
tailored on the target distribution. The encode algorithm takes as input a message from the message space , and outputs a value in a set , i.e., the seed space. Whereas, decode takes a seed and outputs a message . A DTE scheme is correct if, for any , decodeencode. The DTE-then-encrypt scheme presented in (HE2, ) applies encode to a message, and then performs encryption using a secure symmetric encryption scheme (e.g., AES). Similarly, to decrypt a ciphertext, one first decrypts using the underlying cipher (e.g., AES), and then applies the decode algorithm.

Terminology. In the rest of the paper, to denote sequences decrypted from GenoGuard, we use the term honey sequences.

Figure 2. Toy example describing the encoding process for a sequence . The green dashed line represents the correct encoding of the sequence. When the final leaf (interval ) is reached, a seed is picked at random from this range.

3. GenoGuard

In this section, we review GenoGuard (huang_genoguard:_2015, ), along with a security analysis of the framework.

3.1. Construction

GenoGuard is a framework providing long-term confidentiality for genomic data based on Honey Encryption (HE2, ). More specifically, it allows to encode genomic data, encrypt it using a secret password, and store in a database, in such a way that its confidentiality is preserved even against an attacker that can brute-force all possible passwords. In GenoGuard, genomes are represented as a sequence of single-nucleotide variants (SNVs), i.e., values in .

Encoding. The construction uses a DTE scheme optimized for genome sequences. It assigns subspaces of seed space to the prefixes of a sequence , i.e., all the subsequences in the set , where is the length of the sequence. For example, the prefixes of the sequence are . The seed space is the interval , with each seed being a real number in this interval.


be the set of all possible sequences (the plaintext space). To calculate the cumulative distribution function (CDF) of each sequence, a total order

is assigned to all sequences in . For any two different sequences and , we assume that they start to differ at SNV and SNV. If the value of SNV is smaller than that of SNV’, then, , and otherwise. The CDF of a sequence is then calculated as:

where is the probability of the sequence .

The encoding of a sequence can be performed using a perfect ternary tree, as depicted in Figure 2. (Note that the plot was generated using code obtained from GenoGuard’s Github page.222 Each node in the tree represents a prefix of a sequence, and each leaf a complete sequence. Nodes have an interval , where is the depth of the node in the tree and its order at a given depth . The first node has the interval . Depending on the value of the SNV at position , the encoding proceeds from the node that represents with order at depth to depth as follows:

  • If SNV, go to the left branch and attach an interval

  • If SNV, go to the middle branch and attach an interval

  • If SNV, go to the right branch and attach an interval .

In order to compute the conditional probabilities, Huang et al. (huang_genoguard:_2015, ) consider several models and compare their goodness of fit for real-world genome datasets. Specifically, they experiment with Linkage Disequilibrium (LD), Allele Frequencies (AF), building -th order Markov chains on the dataset and recombination rates (RR), and find the latter to perform best.

Finally, when a leaf is reached, a seed is picked uniformly from this range as the encoding of the corresponding sequence, and then fed into a Password-based Encryption (PBE) scheme to perform encryption, using a password chosen by the user.

Decoding. To decode an encoded-then-encrypted sequence, the ciphertext is first decrypted (as per the PBE scheme) using the user-chosen password; this recovers the seed. Then, the decoding process proceeds similar to the encoding one. That is, given the seed , at each step, the algorithm computes three intervals for the three branches, chooses the interval in which the seed falls, and moves down the tree. Once a leaf node is reached, the path from the root to the leaf is outputted as the decoded sequence.

Finite Precision. Note that the Honey Encryption encoding model, as described in Section 3.1, requires the seed space to be a real number domain with infinite precision. In the case of DNA sequences, this would yield a very long floating-point representation, and thus a high storage overhead. Therefore, GenoGuard uses a modification of the DTE scheme for finite precision. Specifically, for a sequence of length , where each SNV takes three possible values, at least bits are needed for storing the sequence. Hence, a storage overhead parameter is selected, and each sequence is encoded over bits. The algorithm works as before, by selecting intervals according to the values of the respective SNVs based on conditional probabilities. The root interval is . At each branch at depth , the algorithm will allocate a seed space of size , and each following step will segment an input interval into three parts of equal size. Hence, any subinterval of the -th node at depth will contain integers.

3.2. Security

Huang et al. (huang_genoguard:_2015, ) evaluate the security of GenoGuard vis-à-vis the probability of an unbounded adversary recovering the encrypted sequence. That is, given the encryption of a message, what is the probability of the adversary recovering the correct message, even if she can brute-force all possible encryption keys for the underlying PBE scheme?

Upper Bound. More formally, they prove an upper bound to the probability an adversary recovers the correct message to be:


where is the original sequence distribution with maximum sequence probability , is a key (password) distribution with maximum weight (i.e., the most probable password has probability ), is the length of the sequence, the overhead parameter, and a parameter depending on and .

Let denote the fraction in Equation 4. Note that is a security loss term, since the upper bound on plaintext recovery probability should be , as an adversary who trivially decrypts the ciphertext with the most probable key and outputs the result can recover the original message with probability . is essentially the security lost due to DTE imperfectness when moving to finite precision, i.e., given by the difference between the original message distribution and the DTE distribution. As shown in (huang_genoguard:_2015, ), for , , , and , is approximately .

Empirical Evaluation. Huang et al. (huang_genoguard:_2015, ) also present an empirical

security analysis based on two experiments. In both, the chromosome 22 of a victim is encrypted using a password pool consisting of numbers from 1 to 1000, with “539” assumed to be the correct one. Then, in order to rule out wrong passwords, the interval size of each of the decrypted sequences is computed. In the first experiment, a genome is encoded by assuming a uniform distribution (i.e., each branch has weight

at all depths), and a PBE scheme is used to encrypt the seed. In the second experiment, GenoGuard is used to encrypt the victim’s sequence. Hence, the size of the interval of a leaf in the ternary tree is proportional to the probability of the corresponding sequence. The results of their experiments, reported in Figure 10 in (huang_genoguard:_2015, )

, show that a simple classifier can distinguish the correct sequence in the first experiment, while, in the second one, it is “buried” among all the decrypted sequences.

4. Evaluation Methods

We now describe our evaluation methods, for both low and high-entropy password settings. Before doing so, we introduce the notation used in the rest of the paper in Table 1.

4.1. Low-Entropy vs High-Entropy Password

We use different approaches for evaluating GenoGuard under two different password types, namely low-entropy and high-entropy passwords. In other words, we encrypt a sequence with GenoGuard using either an easy to guess, low-entropy password (7 bits), or using a harder password with a higher entropy (72 bits).

The difference in the evaluation of the two approaches is given by the adversary’s goal. Specifically, in the low-entropy password case, the adversary attempts to use the side information in order to distinguish the original encrypted sequence among a pool of honey sequences. By contrast, in the high-entropy setting, the adversary uses both the honey sequences and the side information in order to predict the value of each SNV at each position in the target sequence.

Symbol Meaning
MR Message recovery
SI Side information
HEnc Honey Encryption
HDec Honey Decryption
Key space
Message space
Key distribution
Message distribution
Adversary with access to side information
Table 1. Notation.

4.2. Threat Model

We use the same system and threat model presented in the GenoGuard paper (huang_genoguard:_2015, ), i.e., we assume a genomic sequence of a user is to be stored, encrypted, at a third-party database, e.g., a biobank. We consider an adversary that has access to the encrypted data (for instance, she breaks into the biobank and gets access to the encrypted database, or the biobank itself is adversarial) and has access to public knowledge as well as to some side information (as discussed below).

Low-Entropy Password. The main adversarial goal in this case is to identify the target sequence among a pool of honey sequences, using the side information available, i.e. “message recovery” with side information (MR-SI).

High-Entropy Password. The main adversarial goal is to obtain as much information as possible about the sequence that was encrypted. Note that this adversarial goal is different from “message recovery,” according to which Huang et al. (huang_genoguard:_2015, ) evaluate GenoGuard’s security (cf. Section 3.2). The main intuition is that, as also hypothesized by (jaeger2016honey, ), using Honey Encryption might actually leak non-negligible information about the sequences encrypted using GenoGuard, even if the adversary cannot correctly recover the full plaintext with non-negligible probability.

4.3. Adversary’s Side Information

As mentioned above, the adversary has access to the victim’s encrypted sequence as well as to public information such as, Linkage Disequilibrium, Allele Frequencies, Recombination Rate (see Section 2.1). In addition, we assume that the adversary may have some side information about the victim.

When referring to side information, note that we do not consider knowledge of common traits from phenotype-genotype associations, e.g., gender, ancestry, or other information about the victim that could be obtained, e.g., from social media. In fact, this is covered by GenoGuard’s guidelines, which state that the user should include as much side information about their genome as possible when performing the encoding. Whereas, even though assuming the user can knowingly enumerate all possible side information is quite a strong assumption, we actually consider the case where the victim undertakes some specific tests, and the adversary learns additional information about the victim from the outcome of those tests. Additionally, the victim might choose to re-encrypt their genome after obtaining the test results in order to incorporate them in the encoding, and the adversary could use the new ciphertext to extract information about the old ciphertext.

In the high-entropy password setting, we also evaluate the case where an adversary has no side information about the target sequence, in order to quantify the information leakage that might occur from using GenoGuard against baseline inference methods for genomic sequences. Overall, we consider different types of side information available to the adversary:

  1. No Side Information: The adversary has access only to the encrypted sequence. (NB: this is only evaluated for the high-entropy password setting)

  2. Sparse SNVs: The adversary has access to SNV values sparsely distributed in the target sequence.

  3. Consecutive SNVs: The adversary has access to values from a cluster of consecutive SNVs in the target sequence.

4.4. Low-Entropy Password

We now formally provide a lower bound for the adversary’s advantage in the case where she obtains side information about the target sequence and encryption is done using a low-entropy password.

We present a lower bound on the adversary’s advantage when she has access to side information about the encrypted sequence and can exhaustively search the message space. We prove the bound formally, building on (jaeger2016honey, ), which shows the impossibility of known-message attack (KMA) security with low-entropy passwords. However, instead of the adversary having access to message-ciphertext pairs, we assume that the adversary has access to (position, value) pairs from the encrypted sequence. The game defining message recovery security with side information is denoted as MR-SI and illustrated in Figure 3.

Given a ciphertext , an adversary , with access to side information, is allowed to guess the message by brute force. The adversary wins the game if her output message is the same as the original message.

MR-SI: If : Return 1   Else: Return 0

Figure 3. Definition of Message Recovery Security with Side Information (MR-SI).

Adversary (C): Let be the Let be the For :    If:       Return

Figure 4. Adversary strategy for MR-SI, having access to pairs of (position, value) from the original message.

Our intuition is that the advantage of the adversary (Figure 4), for a number (, where ) of positions and values, from the original sequence, is equal to the probability that a randomly chosen key that decrypts correctly all values at the given positions, will also decrypt the rest of the sequence, i.e., MR-SIHE,p_m,p_k = . We denote by the number of keys consistent with the positions and values used as side information.

Hence, we use Lemma 4.2 from (jaeger2016honey, ), as follows:

Lemma 4.1 ().


are positive integer-valued random variables such that

and , for , then .


See (jaeger2016honey, ). ∎

Using Lemma 4.1, we can compute the adversary’s advantage as follows:

Theorem 4.2 ().

Let HE be an encryption scheme and . Then, for any , the adversary who obtains at most positions and values from the original sequence will have advantage:


Game 1: Let be the Let be the For :    If:       If : Return 1   Else: Return 0

Figure 5. Game 1, used in the proof of Theorem 4.2.

The advantage , is equal to where Game 1 is defined in Figure 5. This is due to the fact that Game 1 is MR-SI together with Adversary (C). By applying a few transformations to Game 1 and changing the final check, i.e. instead of checking if before returning 0 or 1, it checks if the key is in the subset that decrypts to we obtain an equivalent game, Game 2 (Figure 6). Thus, .

Since , for fixed , the probability that Game 2 will return 1 is . So we have .

We then define Experiment 1 (Figure 7), which shows that the distribution of and for is the same as the distribution in Game 1. Let denote and , where the expectation is taken in Experiment 1. Since all contain at least the key , they all are positive. Thus, by applying Lemma 4.1 we have . Then:

MR-SIHE,p_m,p_k[(^SI)] =

This shows that the security of the systems is weak even with a small number of pairs (position, value) from the target sequence available to the attacker, as opposed to having multiple known ciphertext-plaintext pairs.

Game 2: Let be the Let be the For :    For :      If:        For :     If       If : Return 1   Else: Return 0

Figure 6. Game 2, a transformed version of Game 1.

Experiment 1: Let be the Let be the For :    For :      If:       

Figure 7. Experiment 1, used in the proof of Theorem 4.2.

4.5. High-Entropy Password

We now give an overview of our inference strategy using the GenoGuard ciphertext and discuss the baseline inference methods we evaluate our strategy against.

4.5.1. Baseline Inferences

We compare the performance of our inference strategy to baselines for genomic sequence inference. For these baselines, we assume that the adversary has access only to side information, as discussed in Section 4.3, but not the ciphertext resulting from GenoGuard’s encode-then-encrypt method.

As done by Samani et al. (samani_quantifying_2015, ), we set to infer the value of an unknown SNV, given a probabilistic modeling of genome sequences. More specifically, we use the following models for SNV correlation:

  • B1: 1st order Markov chain model from AF and LD: most likely genotype.

  • B2: 1st order Markov chain model from AF and LD: sampled genotype.

  • B3: RR Model.

4.5.2. GenoGuard Inference Methods

Our method is based on exploiting the similarities between the honey sequences in order to obtain information about the target sequence. More specifically, we use two strategies:

  1. G1. Side information-weighted SNVs: We assign a weight to each of the honey sequences according to the amount of side information contained. We then consider only the sequences with the highest weight and output the most common SNVs among them as our candidate SNVs for the target sequence. In the case of no side information, we consider the most common SNVs across all honey sequences.

  2. G2. Interval and Side information-weighted SNVs: Similar to the previous method, however, we also adjust the weight of each sequence when considering the most common SNVs by the size of the interval that the seed of the respective sequence will fall into. In the case of no side information, we take the most common SNVs from all honey sequences, weighted by the previously mentioned interval size.

(a) #Candidate sequences vs % revealed sparse SNVs from target sequence
(b) Adv’s advantage vs % revealed sparse SNVs from target sequence
Figure 8. Results of our evaluation in the low-entropy setting vis-à-vis an adversary with access to side information in the form of sparse SNVs from the target sequence.

5. Experimental Evaluation

In this section, we present the datasets used for the experimental evaluation and the results obtained for both evaluation methods, i.e., low-entropy and high-entropy passwords.

5.1. Dataset

We use the Phase III data from the HapMap dataset, i.e., the third release from the HapMap project.333 HapMap was an international project (international2003international, ), run between 2002 and 2009, aimed at developing a haplotype map of the human genome, and describe the common patterns of human genetic variation. The HapMap data has been made publicly available and used for various research purposes, e.g., to research genetic variants affecting health, disease and responses to drugs and environmental factors, etc.

The Phase III release increased the number of DNA samples to 1,301 and included 11 different populations. In our experiments, we select data from three populations:

  1. ASW (African ancestry in Southwest USA),

  2. CEU (Utah residents with Northern and Western European ancestry from the CEPH collection),

  3. CHB (Han Chinese in Beijing, China).

We sample 50 sequences at random from each of them, for a total of 150 sequences.

For all three populations presented above, we test the same SNVs positions.

5.2. Low-Entropy Password

5.2.1. Experiment Overview

We use the following strategy for our evaluation:

  1. Encrypt a sequence using GenoGuard’s DTE-then-encrypt method: for each of the 150 sequences, we select and encrypt 1,000 positions from chromosome 13, with a storage overhead (the same as in the experimental evaluation of GenoGuard), using a low-entropy password.

  2. Decrypt the ciphertext, using the top 10,000 most common passwords released by Daniel Miessler444 (with the encryption password in the set), to obtain plausible looking honey sequences;

  3. Exclude the sequences which do not contain the side information.

  4. Output the number of remaining sequences, given how many of the possible passwords match the side information.

5.2.2. Adversary’s Advantage.

The performance of the adversary is calculated as the probability of the adversary guessing the target sequence within the remaining pool of honey sequences.

5.2.3. Sparse SNVs from the Target Sequence

Figure 7(a) illustrates how the log number of candidate sequences decreases with more side information available. With 1% side information (10 SNVs), the number of sequences that match the side information reduces to approximately 44 on average across the three populations. Figure 7(b) shows the increase of the adversary’s advantage, averaged over 1000 rounds, vis-à-vis the number of SNVs available to her. 2.5% side information (25 SNVs) gives the adversary an advantage of approximately 80% on average for the ASW and CEU populations and close to 90% for the CHB population. With more side information, the adversary’s advantage increases to over 90% for all populations.

(a) #Candidate sequences vs % revealed consecutive SNVs from target sequence
(b) Adv’s advantage vs % revealed consecutive SNVs from target sequence
Figure 9. Results of our evaluation in the low-entropy setting vis-à-vis an adversary with access to side information in the form of a cluster of consecutive SNVs from the target sequence.
(a) ASW
(b) CEU
(c) CHB
Figure 10. Inference accuracy results in the high-entropy password setting for all three populations for side information available to the attacker in the form of sparse SNVs from the target sequence.

5.2.4. Consecutive SNVs form the Target Sequence

When the adversary has access to side information as a cluster of consecutive SNVs, she needs more side information to achieve comparable results to the Sparse SNVs case. Figure 8(a) shows the decrease of the log number of candidate sequences with increasing side information available. We observe the fastest decrease in the number of sequences with increasing side information available is for the ASW population when less than 10% of the sequence available. Figure 8(b) shows the increase of the adversary’s advantage, averaged over 1000 rounds, vis-à-vis the number of SNVs available to her. The increase in the adversary’s advantage is slower as well, with an average of 70% across the three populations for 20% of the sequence available to the attacker.

5.3. High-Entropy Password

5.3.1. Experiment Overview

The brute-force experiment presented in GenoGuard indicates that, when decrypting the same ciphertext with multiple passwords, the correct sequence would be “buried” among the incorrect ones. Hence, there is some similarity between the original sequence and the honey sequences.

As a result, we set to quantify the corresponding privacy loss, i.e. how much more information does an adversary obtain via access to ciphertext encrypted using GenoGuard obtains, compared to one that was not.

Overall, we use the following evaluation strategy:

  1. Encrypt a sequence using GenoGuard’s DTE-then-encrypt method: for each of the 150 sequences, we select and encrypt 1,000 positions from chromosome 13, with a storage overhead , using a random, high-entropy password (approx. 72 bits).

  2. Decrypt the ciphertext, using the top 10,000 most common passwords released by Daniel Miessler, to obtain plausible looking honey sequences;

  3. Infer the victim’s sequence using the honey sequences.

5.3.2. Accuracy

To measure the performance and assess the potential leakage that access to the GenoGuard ciphertext might yield, we measure the accuracy as the number of correctly guessed SNVs over the total number or SNVs guessed.

Figure 11. Difference in accuracy between the best performing GenoGuard and baseline inference methods, vis-à-vis an adversary with side information of sparse SNVs from the target sequence, in the high-entropy password setting.
Figure 13. Difference in accuracy between the best performing GenoGuard and baseline inference methods, vis-à-vis an adversary with side information in the form of consecutive SNVs from the target sequence, in the high-entropy password setting.
(a) ASW
(b) CEU
(c) CHB
Figure 12. Inference accuracy results in the high-entropy password setting for all three populations for side information available to the attacker in the form of a cluster of consecutive SNVs from the target sequence.

5.3.3. Sparse SNVs from the Target Sequence

Figure 10 shows the inference results in this case for the three population groups, averaged over 1,000 rounds. In the case where no side information is available to the attacker, for all populations, the attacker can infer approximately 2% more of the target sequence from the GenoGuard ciphertext than just by using baseline inferences based on the population. For the ASW population (Figure 9(a)), over 80% of the target SNVs are guessed correctly with 2.5% (25 SNVs) or more of the target sequence available to the attacker. For the CEU population (Figure 9(b)), approximately 79% of the target SNVs are guessed correctly with 2.5% of the original sequence available to the attacker and over 83% of the target SNVs are guessed correctly with 5% (50 SNVs) or more are available. In the case of the CHB population (Figure 9(c)), the accuracy is of the GenoGuard inference is the lowest among the three populations, with over 73% accuracy in the cases where 2.5% SNVs are available to the attacker. The accuracy surpasses 80% for the CHB population when 10% or more of the target SNVs are available to the attacker.

In Figure 13, we illustrate the difference between the best performing inference method using the GenoGuard ciphertext and the best performing baseline inference method. On average, having access to the GenoGuard ciphertext improves the inference accuracy. The peak of the improvement in accuracy (approximately 15%) over the baseline models can be observed when the attacker has access to 5% sparse SNVs from the target sequence. After this, we can see a decline in this difference with increasing SNVs available for the attacker, as the baseline inference becomes more accurate with more information available. In fact, for the CHB population, the best performing baseline (B3) for the case when 20% of the target sequence is available to the attacker provides an accuracy comparable to the GenoGuard inferences (83.8).

5.3.4. Consecutive SNVs form the Target Sequence

In Figure 12, we illustrate the accuracy of the inference methods across the three populations when the adversary obtains, as side information, a cluster of consecutive SNVs, averaged over 1,000 rounds. For the ASW population (Figure 11(a)), the accuracy of inferred SNVs from the correct sequence using the GenoGuard ciphertext is over 73% for 2.5% or more of the target SNVs available as side information, and over 80% when 10% or more of the sequence is available to the attacker. The GenoGuard inference for the CEU population (Figure 11(b)) is over 70% when 2.5% or more of the target sequence is available to the attacker. For the CHB population (Figure 11(c)), the GenoGuard inferences have the lowest accuracy across the three populations, obtaining 70% or more accuracy only when 5% or more of the target sequence is available to the attacker.

Figure 13 shows the difference between the best performing GenoGuard inference method and the best performing baseline inference method. On average, the inference using the GenoGuard ciphertext gives better accuracy than the baseline methods, but overall less than the previous case where sparse SNVs are available as side information. In this case, the peak in the improvement of accuracy compared to the baseline methods is approximately 7%, on average, across the three populations, when 5% of the target SNVs are available to the attacker. For the CHB population, when 20% of the sequence is available as side information to the attacker, we observe, as in the case of sparse SNVs, that the best performing baseline inference method (B3) obtains a comparable accuracy to that of the GenoGuard inferences (73).

5.4. Take-Aways

Overall, our experimental evaluation shows that, when the adversary has access to some side information, access to a ciphertext encrypted using GenoGuard can help her recover a remarkably high percentage of the SNVs from the target sequence or significantly increase her advantage in recovering the correct sequence.

Therefore, users need to include as much side information as possible when encrypting their genomic sequence. However, this prompts a parallel problem, with respect to how much that user is willing to publicly share (as this information is saved together with the ciphertext), considering that even without access to the GenoGuard ciphertext, it can enable attackers to correctly predict most of the target genome.

6. Related Work

In this section, we review relevant prior work on genome privacy and honey encryption.

6.1. Genome Privacy

Re-identification. Genomic data is hard to anonymize, due to the genome’s uniqueness as well as correlations within different regions. For instance, Gymrek et al. (gymrek_identifying_2013, ) demonstrate that surnames of genomic data donors can be inferred using data publicly available from recreational genealogy databases. They also discuss how, through deep genealogical ties, publishing even a few markers can lead to the identification of another person who might have no acquaintance with the one who released their genetic data. In follow-up work, Erlich et al. (Erlich690, ) show that a genetic database which covers only 2% of the target population can be used to find a third-cousin of nearly any individual.

Membership inference. Homer et al. (homer_resolving_2008, ) present a membership inference attack in which they infer the presence of an individual’s genotype within a complex genomic DNA mixture. Wang et al. (wang2009learning, ) improve on the attack using correlation statistics of just a few hundreds SNPs, while Im et al. (im2012sharing, ) rely on regression coefficients. Shringarpure and Bustamante (beacon_SB, ) perform membership inference against the Beacon network.555Beacons are web servers that answer questions e.g. “does your dataset include a genome that has a specific nucleotide at a specific genomic coordinate?” to which the Beacon responds yes or no, without referring to a specific individual; see: They use a likelihood-ratio test to predict whether an individual is present in the Beacon, detecting membership within a Beacon with 1,000 individuals using 5,000 queries. Also, Von Thenen et al. (von_Thenen200147, ) reduce the number of queries to less than 0.5%. Their best performing attack uses a high-order Markov chain to model the SNP correlations, as described in (samani_quantifying_2015, ). Note that, as part of the attacks described in this paper, we use inference methods from (samani_quantifying_2015, ) as our baseline inference methods.

Data sharing. Progress in genomics research is dependent on collaboration and data sharing among different institutions. Given the sensitive nature of the data, as well as regulatory and ethics constraints, this often proves to be a challenging task. Kamm et al. (kamm_new_2013, ) propose the use of secret sharing to distribute data among several entities and, using secure multi-party computations, support privacy-friendly computations across multiple entities. Wang et al. (Wang2015, ) present GENSETS, a genome-wide, privacy-preserving similar patients querying system using genomic edit distance approximation and private set difference protocols. Then, Chen et al. (chen_princess:_2017, ) use Software Guard Extensions (SGX) to build a privacy-preserving international collaboration tool; this enables secure and distributed computations over encrypted data, thus supporting the analysis of rare disease genetic data across different continents. Finally, Oprisanu and De Cristofaro (oprisanu2018anonimme, ) present a framework (“AnoniMME”) geared supporting anonymous queries within the Matchmaker Exchange platform, which allows researchers to perform queries for rare genetic disease discovery over multiple federated databases.

Privacy-friendly testing. Another line of work focuses on protecting privacy in the context of personal genomic testing, i.e., computational tests run on sequenced genomes to assess, e.g., genetic susceptibility to diseases, determining the best course of treatment, etc. Baldi et al. (baldi2011countering, ) assume that each individual keeps a copy of their data and consents to tests done in such a way that only the outcome is disclosed. They present a few cryptographic protocols allowing researchers to privately search mutations in specific genes. Ayday et al. (ayday_protecting_2013, ) rely on a semi-trusted party to store an encrypted copy of the individual’s genomic data: using additively homomorphic encryption and proxy re-encryption, they allow a Medical Center to privately perform disease susceptibility tests on patients’ SNPs. Naveed et al. (naveed14, ) introduce a new cryptographic primitive called Controlled Functional Encryption (CFE), which allows users to learn only certain functions of the (encrypted) data, using keys obtained from an authority; however, the client is required to send a fresh key request to the authority every time they want to evaluate a function on a ciphertext. Overall, for an overview of privacy-enhancing technologies applied to genetic testing, we refer the reader to (sok, ).

Long-term security. As the sensitivity of genomic data does not degrade over time, access to an individual’s genome poses a threat to her descendants, even years after she has deceased. To the best of our knowledge, GenoGuard (huang_genoguard:_2015, ) is the only attempt to provide long-term security. GenoGuard, reviewed in Section 3, relies on Honey Encryption (HE2, ), aiming to provide confidentiality in the presence of brute-force attacks; it only serves as a storage mechanism, i.e., it does not support selective retrieval or testing on encrypted data (as such, it is not “composable” with other techniques supporting privacy-preserving testing or data sharing). In this paper, we provide a security analysis of GenoGuard. In parallel to our work, Cheng et al. (cheng, )

recently propose attacks against probability model transforming encoders, and also evaluate them on GenoGuard. Using machine learning, they train a classifier to distinguish between the real and the decoy sequences, and exclude all decoy data for approximately 48% of the individuals in the tested dataset.

6.2. Honey Encryption

Juels and Ristenpart (HE2, ) introduce Honey Encryption (HE) as a general approach to encrypt messages using low min-entropy keys such as passwords. HE, reviewed in Section 2.4, is designed to yield plausible-looking ciphertexts, called honey messages, even when decrypted with a wrong password. In a nutshell, it uses a distribution-transforming-encoder (DTE) to encode a-priori knowledge of the message distribution, aiming to provide message recovery security against computationally unbounded adversaries. It was originally designed to encrypt credit card information, RSA secret keys, etc. (tyagi2015honey, ).

Message recovery security can be defined as follows (jaeger2016honey, ): given a message encrypted under a key whose maximum probability of taking on any particular value is at most , an unbounded adversary’s ability to guess the correct message, even given the ciphertext, is at most plus a negligible amount. However, Jaeger et al. (jaeger2016honey, ) discuss deficiencies of message recovery security as per modern security goals. More specifically, not only they prove the impossibility of known-message attack security in the case of low-entropy keys, but also mention that schemes meeting message recovery security might actually leak a significant amount of information about the plaintexts, even if the adversary cannot correctly recover the full message with non-negligible probability. Although this serves as an inspiration to our work, note that the context of our evaluation is different, as in the low-entropy setting, we show that a lower bound also applies to the adversary’s advantage when partial information from the target sequence is available to the attacker, compared to having pairs of ciphertext and plaintext. Another work studying attacks against HE is that by Cheng et al. (cheng, ), which we have reviewed above.

Honeywords. Before Honey Encryption (HE2, ), Juels and Rivest (juels2013honeywords, ) introduced the concept of “honeywords” to improve the security of password databases. They propose adding honeywords (false passwords) to a password database together with the actual password (hashed with salt) of each user. This way, an adversary who hacks into the password database and inverts the hash function cannot know whether she has found the password or a honeyword.

Wang et al. (wang2018security, ) present an evaluation of the honeyword system (juels2013honeywords, ), finding it to be vulnerable to a number of attacks. More specifically, an adversary that wants to distinguish between real and decoy passwords can do so with a success rate of 30% compared to an expected 5%. In the case of a targeted attack, when the adversary is assumed to know some personal information about the user, they show that the adversary’s success rate is further improved to about 60%. Our attacks differ from those in (wang2018security, ), first, as they target the honeywords system (juels2013honeywords, ), while we focus on Honey Encryption (HE2, ), and in particular its application to GenoGuard (huang_genoguard:_2015, ). Moreover, their attack only aims to identify the correct password from a given password pool, while we also examine the case when the correct password is not found within the tried passwords.

7. Conclusion

Motivated by the decreasing cost of genomic sequencing and the related arising privacy challenges, the research community has produced a large body of work on genomic privacy. Most of the techniques focus on cryptographic tools, but fail to address the need for long term confidentiality for genomic data. In fact, GenoGuard (huang_genoguard:_2015, ) is the only tool available for ensuring the long term encryption needed for genomic data (sok, ).

In this paper, we set to determine whether GenoGuard can be safely used as an encryption tool, quantifying the additional privacy leakage arising from using it. We analyzed GenoGuard under two scenarios, based on the encryption password, for an adversary which has access to side information about the target sequence in the form of some values of SNVs from the target sequence. First, we assumed that the user encrypts his genomic sequence using a low-entropy, easily guessable password. In this case, we found that the adversary can easily exclude decoy passwords from the pool of possible passwords, and can guess the correct sequence with high probability by having access to 2.5% sparse SNVs or 20% or more consecutive SNVs from the target sequence.

Second, we assumed that the user encrypts his sequence using a high-entropy password. In this case, since elimination of decoy passwords might not yield any sequence, we use the honey sequences to obtain as much information as possible from the target sequence, exploiting the similarity between the original sequence and the honey sequences (huang_genoguard:_2015, ). We then compared the sequence obtained from the honey sequences to state-of-the-art methods from genome sequence inference in order to observe the privacy leakage. Even with no side information available to the attacker, the sequence obtained from the honey sequences had a 2% improvement on average over all tested baseline methods. With side information in the form of sparse SNVs from the target sequence, the improvement in accuracy compared to the baseline inference models raises to up to 15% on average when 5% of the target sequence is available to the attacker, predicting more than 82% (on average) of the target sequence correctly. When the attacker obtains consecutive SNVs from the target sequence, the accuracy of the attacker decreases slightly from the previous case, yielding 73% accuracy when 5% of the target sequence is known, with an average improvement of 7% over the baseline methods.

In conclusion, we argue that the research community should invest more resources toward the design of long-term encryption tools for genomic data. Overall, GenoGuard could be a viable solution when the user incorporates all side information into the encryption. However, given the fact that all this information needs to be stored together with the ciphertext, it also prompts the question of how much is a user willing to disclose, considering that only the baseline methods can predict, with high accuracy, the correct sequence (e.g. with 20% sparse SNVs available to the attacker, her accuracy is, on average, over 82%). Users who have already used GenoGuard for long-term encryption purposes need to be aware that if further genomic information can be obtained by the attacker, it will severely diminish the security of the system.

As part of future work, we plan to analyze the security of GenoGuard for side information arising from kinship associations.

Acknowledgments. This work was supported by a Google Faculty Award on “Enabling Progress in Genomic Research via Privacy Preserving Data Sharing,” the European Union’s Horizon 2020 Research and Innovation program under the Marie Skłodowska-Curie “Privacy&Us” project (GA No. 675730), and the Swiss National Science Foundation (Grant 150654).


  • [1] E. A. Ashley. Towards precision medicine. Nature Reviews Genetics, 17(9):507–522, 2016.
  • [2] E. Ayday, E. De Cristofaro, J.-P. Hubaux, and G. Tsudik. The Chills and Thrills of Whole Genome Sequencing. IEEE Computer, 2015.
  • [3] E. Ayday, J. L. Raisaro, J.-P. Hubaux, and J. Rougemont. Protecting and Evaluating Genomic Privacy in Medical Tests and Personalized Medicine. In ACM Workshop on Privacy in the Electronic Society, 2013.
  • [4] M. M. A. Aziz, M. N. Sadat, D. Alhadidi, S. Wang, X. Jiang, C. L. Brown, and N. Mohammed. Privacy-Preserving Techniques of Genomic Data – A Survey. Briefings in Bioinformatics, 2017.
  • [5] P. Baldi, R. Baronio, E. De Cristofaro, P. Gasti, and G. Tsudik. Countering Gattaca: Efficient and Secure Testing of Fully-Sequenced Human Genomes. In ACM Conference on Computer and Communications Security, 2011.
  • [6] J. Burns. GOP Bill Could Force Employees To Undergo DNA Tests Or Pay Huge Fines., 2017.
  • [7] E. Callaway. HeLa publication brews bioethical storm. Nature, 2013.
  • [8] F. Chen, S. Wang, X. Jiang, S. Ding, Y. Lu, J. Kim, S. C. Sahinalp, C. Shimizu, J. C. Burns, V. J. Wright, E. Png, M. L. Hibberd, D. D. Lloyd, H. Yang, A. Telenti, C. S. Bloss, D. Fox, K. Lauter, and L. Ohno-Machado. PRINCESS: Privacy-protecting Rare disease International Network Collaboration via Encryption through Software guard extensionS. Bioinformatics, 33(6), 2017.
  • [9] H. Cheng, Z. Zheng, W. Li, P. Wang, and C.-H. Chu. Probability model transforming encoders against encoding attacks. In USENIX Security, 2019.
  • [10] G. M. Clarke and L. R. Cardon. Disentangling Linkage Disequilibrium and Linkage From Dense Single-Nucleotide Polymorphism Trio Data. Genetics, 171(4), 2005.
  • [11] I. H. Consortium et al. The international HapMap project. Nature, 426(6968):789, 2003.
  • [12] Y. Erlich, T. Shor, I. Pe’er, and S. Carmi. Identity inference of genomic data using long-range familial searches. Science, 362(6415):690–694, 2018.
  • [13] B. Friedenson. The BRCA1/2 pathway prevents hematologic cancers in addition to breast and ovarian cancers. BMC cancer, 7(1), 2007.
  • [14] Genomics England. 100,000 Genome Project., 2019.
  • [15] M. Gymrek, A. L. McGuire, D. Golan, E. Halperin, and Y. Erlich. Identifying personal genomes by surname inference. Science, 339(6117), 2013.
  • [16] N. Homer, S. Szelinger, M. Redman, D. Duggan, W. Tembe, J. Muehling, J. V. Pearson, D. A. Stephan, S. F. Nelson, and D. W. Craig. Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays. PLOS Genetics, 4(8), 2008.
  • [17] Z. Huang, E. Ayday, J. Fellay, J. P. Hubaux, and A. Juels. GenoGuard: Protecting Genomic Data against Brute-Force Attacks. In IEEE Symposium on Security and Privacy, 2015.
  • [18] H. K. Im, E. R. Gamazon, D. L. Nicolae, and N. J. Cox. On Sharing Quantitative Trait GWAS Results in an Era of Multiple-Omics Data and the Limits of Genomic Privacy. The American Journal of Human Genetics, 90(4), 2012.
  • [19] J. Jaeger, T. Ristenpart, and Q. Tang. Honey encryption beyond message recovery security. In EUROCRYPT, 2016.
  • [20] A. Juels, T. Ristenpart, and E. Oswald. Honey Encryption: Security Beyond the Brute-Force Bound. In EUROCRYPT, 2014.
  • [21] A. Juels and R. L. Rivest. Honeywords: Making password-cracking detectable. In ACM Conference on Computer and Communications Security, 2013.
  • [22] L. Kamm, D. Bogdanov, S. Laur, and J. Vilo. A new way to protect privacy in large-scale genome-wide association studies. Bioinformatics, 29(7), 2013.
  • [23] J. J. Landry, P. T. Pyl, T. Rausch, T. Zichner, M. M. Tekkedil, A. M. Stütz, A. Jauch, R. S. Aiyar, G. Pau, N. Delhomme, et al. The genomic and transcriptomic landscape of a HeLa cell line. G3: Genes, Genomes, Genetics, pages g3–113, 2013.
  • [24] N. Li and M. Stephens. Modeling linkage disequilibrium and identifying recombination hotspots using single-nucleotide polymorphism data. Genetics, 165(4), 2003.
  • [25] N. Li and M. Stephens. Modeling Linkage Disequilibrium and Identifying Recombination Hotspots Using Single-Nucleotide Polymorphism Data. Genetics, 165(4), 2003.
  • [26] A. Mittos, B. Malin, and E. De Cristofaro. Systematizing Genome Privacy Research: A Privacy-Enhancing Technologies Perspective. Proceedings on Privacy Enhancing Technologies, 1, 2019.
  • [27] National Human Genome Research Institute. The Cost of Sequencing a Human Genome., 2017.
  • [28] M. Naveed, S. Agrawal, M. Prabhakaran, X. Wang, E. Ayday, J.-P. Hubaux, and C. Gunter. Controlled Functional Encryption. In ACM Conference on Computer and Communications Security, 2014.
  • [29] NIH. The All of Us Research Program., 2019.
  • [30] J. R. Norris. Markov Chains. Cambridge University Press, 1998.
  • [31] B. Oprisanu and E. De Cristofaro. AnoniMME: bringing anonymity to the Matchmaker Exchange platform for rare disease gene discovery. Bioinformatics, 34(13), 2018.
  • [32] Personal Genome Project., 2018.
  • [33] R. M. Philips. What is the rate of recombination?, 2018.
  • [34] G. H. Reference. What are single nucleotide polymorphisms (SNPs)?
  • [35] S. S. Samani, Z. Huang, E. Ayday, M. Elliot, J. Fellay, J. P. Hubaux, and Z. Kutalik. Quantifying Genomic Privacy via Inference Attack with High-Order SNV Correlations. In IEEE Security and Privacy Workshops, 2015.
  • [36] S. S. Shringarpure and C. D. Bustamante. Privacy Risks from Genomic Data-Sharing Beacons. The American Journal of Human Genetics, 97(5), 2015.
  • [37] N. P. Smart, V. Rijmen, B. Gierlichs, K. G. Paterson, M. Stam, B. Warinschi, and G. Watson. Algorithms, Key Size and Parameters Report.˙download/fullReport, 2014.
  • [38] N. Tyagi, J. Wang, K. Wen, and D. Zuo. Honey Encryption Applications. 6.857. Computer and Network Security, Massachusetts Institute of Technology, 2015.
  • [39] N. von Thenen, E. Ayday, and A. E. Cicek. Re-Identification of Individuals in Genomic Data-Sharing Beacons via Allele Inference. bioRxiv, 2017.
  • [40] D. Wang, H. Cheng, P. Wang, J. Yan, and X. Huang. A Security Analysis of Honeywords. In NDSS, 2018.
  • [41] R. Wang, Y. F. Li, X. Wang, H. Tang, and X. Zhou. Learning Your Identity and Disease from Research Papers: Information Leaks in Genome Wide Association Study. In ACM Conference on Computer and Communications Security, 2009.
  • [42] X. S. Wang, Y. Huang, Y. Zhao, H. Tang, X. Wang, and D. Bu. Efficient Genome-Wide, Privacy-Preserving Similar Patient Query Based on Private Edit Distance. In ACM Conference on Computer and Communications Security, pages 492–503, 2015.
  • [43] Yahoo Finance. Global Direct-to-Consumer Genetic Testing Market 2019-2023 — 16CAGR Projection Over the Next Five Years., 2019.
  • [44] K. Yoshida and Y. Miki. Role of BRCA1 and BRCA2 as regulators of DNA repair, transcription, and cell cycle in response to DNA damage. Cancer Science, 95(11), 2004.