Privacy-Preserving Multiparty Protocol for Feature Selection Problem

1 Introduction

1.1 Motivation and related works

Feature selection is one of the typical problems in machine learning. For example, the human genome consists of 3.1 billion base pairs, of which at most a few dozen pairs are said to affect a particular disease. Feature selection extracts a set of features from this very sparse data that match a specific purpose, and the results are used by various machine learning algorithms. We will review the definition of the feature selection problem, its computational complexity, and the approximate solutions that have been proposed so far.

Feature selection is defined by a data set $D$ , a feature set $F$ , and a class set $C$ . Here, in particular, we consider feature $F_{i} \in F$ and class $C$ to be binary, but it is easy to extend the problem to multi-label. Thus, a feature $F_{i}$ and a class for a data $x \in D$ are denoted by by $x (F_{i}), x (C) \in {0, 1}$ , and thus, when $| F | = k$ , the data $x$

is associated with a binary vector of length

k + 1

Given a triple $(D, F, C)$ , the goal of an algorithm is to extract a consistent and minimal $F^{'} \subseteq F$ , where $F^{'}$ is consistent if, for any $x, y \in D$ , $x (F_{i}) = y (F_{i})$ for all $F_{i} \in F^{'}$ implies $x (C) = y (C)$ and a feature set $F^{'} \subseteq F$ is minimal if any proper subset of $F^{'}$ is no longer consistent.

$D$	$F_{1}$	$F_{2}$	$F_{3}$	$F_{4}$	$F_{5}$	$C$
$x_{1}$	1	0	1	1	1	0
$x_{2}$	1	1	0	0	0	0
$x_{3}$	0	0	0	1	1	0
$x_{4}$	1	0	1	0	0	0
$x_{5}$	1	1	1	1	0	1
$x_{6}$	0	1	0	1	0	1
$x_{7}$	0	1	0	0	1	1
$x_{8}$	0	0	0	0	1	1
$I (F_{i}, C)$	0.189	0.189	0.049	0.000	0.000

Table 1: An example dataset shown in [15].

To our knowledge, the most common method for finding features that characterize $C$

is to select features that show higher relevance in some statistical measure. The relevance of individual features can be estimated using statistical measures such as mutual information and Bayesian risk. For example, at the bottom row of Table

1, the mutual information score

I (F_{1}, C)

of each feature

F_{i}

to class labels is described. We can see that

F_{1}

is more relevant than

F_{5}

, since

I (F_{1}, C) > I (F_{5}, C)

. Based on the mutual information score,

F_{1}

and

F_{2}

of Table 1 will be selected to explain

C

. However, looking into

D

more closely, we understand that

F_{1}

and

F_{2}

cannot determine

C

uniquely. In fact, we find

x_{2}

and

x_{5}

with

x_{2} (F_{1}) = x_{5} (F_{1})

and

x_{2} (F_{2}) = x_{5} (F_{2})

whose class labels are different. On the other hand, we can also find the fact that

F_{4}

and

F_{5}

uniquely determine

C

by the formula

C = F_{4} \oplus F_{5}

while

I (F_{4}, C) = I (F_{5}, C) = 0

holds. Therefore, the traditional method based on relevance scores of individual features misses the right answer.

This problem is well known as the problem of interacting features, which has been intensively studied in machine learning research. The literature describes a class of feature selection algorithms that can solve this problem, referred to as consistency-based feature selection [14, 16, 17, 11, 2]. CWC (Combination of Weakest Components) [16] is the most simplest one of these consistency-based feature selection algorithms. CWC is the simplest of such consistency-based feature selection algorithms, and even though CWC uses the most rigorous measure, it shows one of the best performances in terms of accuracy as well as computational speed compared to other methods [15].

1.2 Our contribution

Algorithm	Time	Space
a naive CWC on plaintext [16]	$O (k m n + k log k)$	$O (k m n)$
secure CWC (baseline)	$O (k m n log k + k {log}^{2} k)$	$O (k m n)$
improved	$O (k m n + k {log}^{2} k)$	$O (k m n)$

Table 2: Time and space complexities of the baseline and improved algorithms for secure CWC. Here, the cost of encryption and homomorphic operations (addition, multiplication, and comparison) for arbitrary integers is considered constant.

We extend the feature selection problem to multi-users having their own private datasets and propose the first secure multi-party protocol to jointly compute the feature selection over the entire data without revealing their private information.

Our proposed method is a two-party protocol based on the fully homomorphic encryption. Here, we briefly explain the related works of homomorphic cryptosystem. Given a public-key cryptosystem, let $E [m]$ be an integer $m$ encrypted with its public key; if $E [m + n]$ (the cipher text of $m + n$ ) can be computed from $E [m]$ and $E [n]$ only with public information, in particular without decrypting $E [m]$ and $E [n]$ , then $E$ is said to be additive homomorphic, and if $E [m n]$ can also be computed from $E [m]$ and $E [n]$ in addition, then $E$ is said to be fully homomorphic. Besides, when any plaintext $m$ can encrypt into any element of a set consisting of sufficiently many ciphertexts and for each execution of encryption, such a ciphertext is chosen probabilistically, $E$ is said to be probabilistic. For a cryptosystem, being probabilistic is required to satisfy the security of ciphertext indistinguishability: given $x_{1}, x_{2}$ and $E [x_{i}]$ when $i$ is secretly selected one of $1$ and $2$ uniformly at random, it is computationally impossible to guess $i$ .

In the last two decades, various homomorphic encryptions have been proposed that satisfy those homomorphic properties. The first (probabilistic) additive homomorphic encryption was proposed by Paillier [12]. Somewhat homomorphic encryption that allows a sufficient number of additions and a restricted number of multiplications have also been proposed [5, 6, 3], and by using these cryptosystems, we can compute more difficult problems, such as the inner product of two vectors. The first fully homomorphic encryption with unlimited number of additions and multiplications was proposed by Gentry [9], and since then, useful libraries for the fully homomorphic encryption have been developed specially for bitwise operations and floating point operations.

TFHE [7, 8] is known as a fastest fully homomorphic encryption specialized for bitwise operations. In this study, we use TFHE to design our algorithm for the multi-party protocols of feature selection problems. We assume that parties $A$ and $B$ have their own private data $D_{A}$ and $D_{B}$ , and $F = {F_{1}, \dots, F_{m}}$ and $C = {0, 1}$ are known. Under the assumption that the parties can use their respective TFHE, say $E_{A}$ and $E_{B}$ , the goal of the parties is to jointly compute the result of CWC algorithm on the plain data $D = D_{A} \cup D_{B}$ , without revealing any other information about $D_{A}$ and $D_{B}$ .

We summarize the results of this work in Table 2. baseline is a naive algorithm that simulates the original CWC [16] over the ciphertexts using TFHE operations. Given $(D, F, C)$ , the essential task of CWC is to sort $F = {F_{1}, \dots, F_{k}}$ in an increasing order of their relevance to $C$ . Using the sorted $F_{i} \in F$ , CWC decides whether or not $F_{i}$ should be selected for $i = 1, \dots, k$ . The resulting features ${F_{i_{1}}, \dots, F_{i_{ℓ}}} \subseteq F$ are the output of CWC.

It is well-known that sorting, the main task in CWC, is one of most difficult problems in secure computation. So we propose an improvement of the baseline algorithm reducing the cost of sorting. We show the time and space complexities for both algorithms in Table 2. This significantly improved the time complexity while maintaining the space complexity. We also implemented the baseline algorithm and examined its running time for real data. As a result, it was confirmed that most of the time was spent on sorting. The implementation of an improved algorithm is a future work.

2 Preliminaries

2.1 CWC algorithm over plaintext

For the dataset $D$ associated with $F$ and $C$ , we generally assume that $D$ contains no error, i.e., if $x (F_{i}) = y (F_{i})$ for all $i$ , $x (C) = y (C)$ . When $D$ contains such errors, these are removed beforehand, then as a result, $D$ contains at most one $x \in D$ with the same feature values.

We describe the original algorithm for finding a minimal consistent features in Algorithm 1. Given $D$ with $F_{i}$ and $C = {0, 1}$ , a data $x \in D$ of $x (C) = 1$ is called a positive data and $y \in D$ of $y (C) = 0$ is called a negative data. Let $n$ be the number of positive data and $m = | D | - n$ . Let $x_{p}$ be the $p$ -th positive data $(1 \leq p \leq n)$ and $y_{q}$ the $q$ -th negative data $(1 \leq q \leq m)$ . Then, the bit string $B_{i}$ of length $n m$ is defined by: $B_{i} [m (p - 1) + q] = 0$ if $x_{p} (F_{i}) = x_{q} (F_{i})$ and $B_{i} [m (p - 1) + q] = 1$ otherwise. $B_{i} [m (p - 1) + q] = 0$ means that $F_{i}$ is not consistent with the pair $(x_{p}, x_{q})$ because $x_{p} (F_{i}) = x_{q} (F_{i})$ despite $x_{p} (C) \neq x_{q} (C)$ . Recall that $F_{i}$ is said to be consistent only if $x (F_{i}) = y (F_{i})$ implies $x (C) = y (C)$ for any $x, y \in D$ . Thus, $| | B_{i} | |$ is defined to be the number of $1$ s in $B_{i}$ .

For a subset $F^{'} \subseteq F$ , $F^{'}$ is said to be consistent, if for any $p \in [1, n]$ and $q \in [1, m]$ , there exists $i$ such that $F_{i} \in F^{'}$ and $B_{i} [m (p - 1) + q] = 1$ hold. Using this, CWC removes irrelevant features from $F$ to construct a minimal consistent feature set¹¹1 Finding a smallest consistent feature set is clearly NP-hard due to an obvious reduction from the minimum set cover. .

1: Input: A dataset

D

associated with features

F = {F_{1}, \dots, F_{k}}

and class

C = {0, 1}

2: Output: A minimal consistent subset

S \subseteq F

3: Sort

F_{1}, \dots, F_{k}

in the incremental order of

| | B_{i} | |

4: Let

π

be the sorted indices of

{1, \dots, k}

5: for

i = 1, \dots, k

6: if

F ∖ {F_{π [i]}}

is consistent then

7: update

F \leftarrow F ∖ {F_{π [i]}}

8: end if

9: end for

Algorithm 1 The algorithm CWC for plaintext

In Table 3, we show an example of $D$ and the corresponding $B_{i}$ . Let us consider the behavior of CWC on this example. All $B_{i}$ $(1 \leq i \leq 4)$ are computed as preprocessing. Then, the features are sorted by the order $| | B_{2} | | = 5 \leq | | B_{4} | | = 5 \leq | | B_{3} | | = 6 \leq | | B_{1} | | = 8$ and $π = (2, 4, 3, 1)$ . By the consistency order $π$ , CWC checks whether $F_{π [i]}$ can be removed from the current $F$ . By the consistency measure, CWC removes $F_{2}$ and $F_{4}$ and the resulting ${F_{1}, F_{3}}$ is the output. In fact, we can predict the class of $x$ by the logical operation $¯ ¯¯¯¯¯¯¯¯¯¯¯ ¯ x (F_{1}) \land x (F_{3})$ .

$x_{i} \in D$	$F_{1}$	$F_{2}$	$F_{3}$	$F_{4}$	$C$
$x_{1}$	0	1	1	0	$1$
$x_{2}$	1	0	1	0	0
$x_{3}$	1	1	0	0	0
$x_{4}$	0	1	0	1	0
$x_{5}$	0	0	1	1	$1$
$x_{6}$	1	0	1	0	0
$x_{7}$	1	1	0	0	0

Table 3: An example dataset

D

with

F = {F_{1}, F_{2}, F_{3}, F_{4}}

and

C = {0, 1}

. For

n = 2

and

m = 5

, the bit string

B_{i}

is defined by the value of

x_{p} (F_{i}) = x_{q} (F_{i})

. For example,

B_{1} = (1, 1, 0, 1, 1, 1, 1, 0, 1, 1)

because

x_{p} (F_{i}) = x_{q} (F_{i})

only for the two pairs

(p, q) = (1, 4), (4, 5)

. Similarly,

B_{2} = (1, 0, 0, 1, 0, 0, 1, 1, 0, 1)

B_{3} = (0, 1, 1, 0, 1, 0, 1, 1, 0, 1)

B_{4} = (0, 0, 1, 0, 0, 1, 1, 0, 1, 1)

2.2 TFHE: a faster fully homomorphic encryption

For the privacy-preserving CWC, $D$ is entirely encrypted by a fully homomorphic encryption. We review the TFHE [8], one of the fastest libraries allowing the bitwise addition (this means XOR ‘ $\oplus$ ’) and bitwise multiplication (AND ‘ $\cdot$ ’). On TFHE, any integer is encrypted bitwise: For $ℓ$ -bit integer $m = (m_{1}, \dots, m_{ℓ})$ , we denote its bitwise encryption by $E [m] \equiv (E [m_{1}], \dots, E [m_{ℓ}])$ , for short. These operations are denoted by $E [x] \oplus E [y] \equiv E [x \oplus y]$ and $E [x] \cdot E [y] \equiv E [x \cdot y]$ for $x, y \in {0, 1}$ and the ciphertexts $E [x]$ and $E [y]$ . An encrypted array is denoted in the same way. For example, when $x$ and $y$ are integers of length $ℓ$ and $ℓ^{'}$ , respectively, we abbreviate the bitwise encryption of a sequence of integers, e.g., $E (x, y)$ denotes the following ciphertext.

E (x, y) \equiv (E [x], E [y]) \equiv ((E [x_{1}], \dots, E [x_{ℓ}]), (E [y_{1}], \dots, E [y_{ℓ^{'}}]))

By the elementary operations $E [x] \oplus E [y]$ and $E [x] \cdot E [y]$ , TFHE allows all arithmetic and logical operations. Here, we describe how to construct the adder and comparison operations. Let $x, y$ be $ℓ$ -bit integers and $x_{i}, y_{i}$ be the $i$ -th bit of $x, y$ respectively. Let $c_{i}$ be the $i$ -th carry-in bit and $s_{i}$ is the $i$ -th bit of the sum $x + y$ . Then, we can get $E [x + y]$ by the bitwise operations of ciphertexts using $s_{i} = x_{i} \oplus y_{i} \oplus c_{i}$ and $c_{i + 1} = (x_{i} \oplus c_{i}) \cdot (y_{i} \oplus c_{i}) \oplus c_{i}$ . Based on the adder, we can construct other operations like subtraction, multiplication, and division. For example, $E [x - y]$ is obtained by $E [x + (- y)]$ , where $(- y)$ is the bit complement of $y$ obtained by $y_{i} \oplus 1$ for all $i$ -th bit. On the other hand, we also review the comparison. We want to get $E [x < ? y]$ without decrypting $x$ and $y$ where $x < ? y = 1$ if $x < y$ and $x < ? y = 0$ otherwise. Here, we can get the bit $x < ? y$ as the most significant bit of $x + (- y)$ over ciphertexts. Similarly, we can compute the encrypted bit $E [x = ? y]$ for the equality test.

Adopting those operations of TFHE, we design a secure multi-party CWC. In this paper, we omit the details of TFHE (see e.g., [7, 8]).

3 Algorithms

3.1 Baseline algorithm

We propose our baseline algorithm, which is a privacy-preserving version of CWC. In this subsection, we consider a two-party protocol, where a party $A$ has his private data and outsources the computation of CWC to another party $B$ , but our baseline algorithm is easily extended to a multi-party protocol where more than two parties cooperate one another to select features with the joint data. During the computation, party $B$ should not gain other information than the number $n$ of positive data, the number $m$ of negative data and the number $k$ of features. Note that party $A$ can conceal the actual number of data by inserting dummy data and telling the inflated numbers $n$ and $m$ to $B$ . The algorithm can distinguish dummy data by adding an extra bit indicating the data is a dummy iff the bit is $1$ . For each class the values of features and dummy bit of data in the class are encrypted by public key of $A$ and sent to $B$ .

The algorithm consists of three steps: Computing encrypted bit string $E (B_{i})$ , sorting $E (B_{i})$ ’s and executing feature selection on $E (B_{i})$ ’s.

Since all data in this subsection is encrypted by public key of $A$ , we omit the description of the encryption function $E$ to simplify presentation.

3.1.1 Computing $B_{i}$

We can compute $B_{i} [m (p - 1) + q]$ by $(x_{p} (F_{i}) \oplus x_{q} (F_{i})) \lor x_{p} (d) \lor x_{q} (d)$ , where $x (d)$ represents the dummy bit for data $x$ . $(x_{p} (F_{i}) \oplus x_{q} (F_{i}))$ becomes $0$ iff $F_{i}$ is inconsistent for the pair of $x_{p}$ and $x_{q}$ . The part “ $\lor x_{p} (d) \lor x_{q} (d)$ ” is added to make the whole value $1$ when one of the data is a dummy. It takes $O (k m n)$ time and space in total.

3.1.2 Sorting $B$ ’s

We can compute $| | B_{i} | |$ in encrypted form by summing up values in $B_{i}$ in $O (m n log (m n))$ time (noting that each operation on integers of $log (m n)$ bits takes $O (log (m n))$ time). Instead we can set an upper bound $b_{m a x}$ of the bits used to store consistency measure to reduce the time complexity to $O (m n b_{m a x})$ .

Then sorting $B$ ’s in the incremental order of consistency measures can be done using any sorting network in which comparison and swap are conducted in encrypted form without leaking the information about ordering of features. Note that, in this approach, the algorithm has to spend $Θ (m n + log k)$ time to swap (or pretend to swap) two bit strings and original feature indices of $log k$ bits regardless that two features are actually swapped or not. Since this is the heaviest part in our baseline algorithm, we will show how to improve it. Using AKS sorting network [1] of size $O (k log k)$ , the total time for sorting $B_{i}$ ’s is $O (m n b_{m a x} + (m n + b_{m a x} + log k) k log k)$ .

In our experiments we use a more practical sorting network of Batcher’s odd-even mergesort

[4] of size

O (k {log}^{2} k)

. Recently, a simple oblivious radix sort [10] in

O (k log k)

algorithm under the assumption that the bit length of each integer is constant.

3.1.3 Selecting features

Let $(F_{π (1)}, \dots, F_{π (k)})$ be the sorted list of features. We first compute a sequence of bit strings $(Z_{2}, \dots, Z_{k})$ of length $m n$ each such that $Z_{i} [h] = ⋁_{j = i}^{k} B_{π (j)} [h]$ for any $2 \leq i \leq k$ and $1 \leq h \leq m n$ , namely $Z_{i}$ is the bit array storing cumulative or of each position $h$ for $B_{π (i)}, B_{π (i + 1)}, \dots, B_{π (k)}$ . The computation takes $O (k m n)$ time and space.

For feature selection, we simulate Algorithm 1 on encrypted $B$ ’s and $Z$ ’s. In addtion we use two $0$ -initialized bit arrays, $R$ of length $k$ and $S$ of length $m n$ . $R [i]$ is meant to store $1$ iff the $i$ -th feature (in sorted order) is selected. $S$ is used to keep track of the cumulative or for the bit strings of the currently selected features. Namely, $S [h]$ is set to $⋁_{α = 1}^{ℓ} B_{π (j_{α})} [h]$ if $ℓ$ features ${F_{π (j_{1})}, \dots, F_{π (j_{ℓ})}}$

have been selected at the moment.

Suppose that we are in the $i$ -th iteration of the for loop of Algorithm 1. Note that $F ∖ {F_{π (i)}}$ is consistent iff $⋀_{h = 1}^{m n} (Z_{i + 1} [h] \lor S [h])$ is $1$ . Since we keep the $i$ -th feature iff $F ∖ {F_{π (i)}}$ is inconsistent, the algorithm sets $R [i] = \neg ⋀_{h = 1}^{m n} (Z_{i + 1} [h] \lor S [h])$ . After computing $R [i]$ , we can correctly update $S$ by $S [h] \leftarrow S [h] \lor (R [i] \land B_{π (i)} [h])$ for every $1 \leq h \leq m n$ in $O (m n)$ time.

Since each feature is processed in $O (m n)$ time, the total computational time is $O (k m n)$ .

3.1.4 Summing up analysis

The bottleneck of computational time is $O (m n b_{m a x} + (m n + b_{m a x} + log k) k log k)$ of the sorting step. Since CWC works with any consistent measure, we do not have to use $| | B_{i} | |$ in full accuracy, and thus, we assume that $b_{m a x}$ is set to be a constant. Under the assumption, we obtain the following theorem.

Theorem 1

We can securely simulate CWC in $O (k m n log k + k {log}^{2} k)$ time and $O (k m n)$ space without revealing the private data of the parties under the assumption that TFHE is secure.

According to the discussion above, computing $B_{i}$ for all features takes $O (k m n)$ time and space, sorting features takes $O (m n b_{m a x} + (m n + b_{m a x} + log k) k log k) = O (k m n log k + k {log}^{2} k)$ time, and selecting features takes $O (k m n)$ time. Finally, party $B$ computes in $O (k log k)$ time an integer array $P$ with $P [h] = R [h] \cdot π (h)$ , which stores the original indices of selected features. Party $B$ randomly shuffles $P$ and sends to party $A$ as the result of CWC. Therefore, we can securely simulate CWC in $O (k m n log k + k {log}^{2} k)$ time and $O (k m n)$ space. $□$

3.2 Improvement of secure CWC

1: Assumption:

E_{A}

and

E_{B}

are

A

’s and

B

’s public key encryption functions that are homomorphic for addition and probabilistic, respectively.

A

generates random

r_{x}, r_{y}

and sends

(E_{B} [x + r_{x}], E_{B} [y + r_{y}])

and

(E_{A} [r_{x}], E_{A} [r_{y}])

B

B

generates random

r_{x}^{'}, r_{y}^{'}

and sends

π (E_{B} [x + r_{x} + r_{x}^{'}], E_{B} [y + r_{y} + r_{y}^{'}])

and

π (E_{A} [r_{x} + r_{x}^{'}], E_{A} [r_{y} + r_{y}^{'}])

A

A

obtains

π (E_{B} [x], E_{B} [y])

Algorithm 2 Mix network between

A

and

B

for integer array, e.g.,

(x, y)

1: Preprocess: Parties

A

and

B

jointly compute

F = (F_{1}, \dots, F_{k})

where

F_{i} = (F_{i}, | | B_{i} | |, B_{i})

for

i

-th feature

F_{i}

2: Assumption: Party

A

possesses the encrypted

F

B

’s public key

E_{B}

3: By the mix network,

A

obtains a shuffled

F

with a secret permutation

π

B

A

sorts all pairs

(F_{i}, | | B_{i} | |)

F

by the increasing order of

| | B_{i} | |

A

sends the sorted

F_{i_{j}}

with random noise

r_{i_{j}}

E_{B} (F_{i_{1}} + r_{i_{1}}, \dots, F_{i_{k}} + r_{i_{k}})

B

sends

π (F_{i_{1}} + r_{i_{1}}, \dots, F_{i_{k}} + r_{i_{k}})

A

A

moves each

B_{i}

to its correct position by

π (F_{i_{1}}, \dots, F_{i_{k}}) = (F_{j_{1}}, \dots, F_{j_{k}})

A

executes CWC for the sorted

F

and obtains the cipher bit

E_{B} [b_{i}]

where

b_{i} = 1

iff

F_{i}

is selected.

B

decrypts

b_{i}

and obtains the selected features

F_{j} = π^{- 1} [F_{i}]

to be shared with

A

Algorithm 3 Improved secure CWC over ciphertext

Figure 1: Improved secure CWC. (1): Parties $A$ and $B$ jointly compute $B_{i}$ and $| | B_{i} | |$ for each feature $F_{i}$ . (2) and (3): $A$ obtain a shuffled data by the mix network between $A$ and $B$ . (4): $A$ sorts $F_{i}$ by $| | B_{i} | |$ . (5): $B$ receives the rank of $F_{i}$ with a random noise $r_{i}$ and returns their permutation to $A$ . (6): $A$ moves the bit string $B_{i}$ according to the information from $B$ . (7): $A$ and $B$ jointly compute the selected features by $π^{- 1}$ and selected features over the renamed space.

The task of sorting is a major bottleneck for CWC in secret computation presented above. The reason is that pointers cannot be moved over ciphertexts. For example, consider the case of secure integer sort. Let the variables $x$ and $y$ contain integers $a$ and $b$ , respectively. Here, by performing the secure operation $a < ? b$ , the result is obtained as $a < ? b = c \in {0, 1}$ . Using this logical bit $c$ , we can swap the values of $x$ and $y$ in $O (1)$ time satisfying $x < y$ by the secure operation $x \leftarrow c \cdot a + ¯ c \cdot b$ and $y \leftarrow ¯ c \cdot a + c \cdot b$ .

However, in the case of CWC, each integer $i$ of feature $F_{i}$ is associated with the bit string $B_{i}$ . Since any $x$ cannot be decrypted, we cannot swap the pointers appropriately. Therefore, the baseline algorithm swaps $B_{i}$ itself. As a result,the computation time for sorting increases to $O (m n k {log}^{2} k)$ . We improve the time complexity to $O (m n k + k {log}^{2} k)$ .

Since the improved algorithm uses the mix network mechanism [13] as a subroutine, we first give a brief overview of the mix network.

The purpose of a mix network is, given an encrypted sequence $(E [x], E [y])$ , to obtain a random permutation $π (E [x], E [y])$ , where $E [x]$ and $E [y]$ are re-encrypted and shuffled. Recall that $E$ is a probabilistic encryption. Thus, we cannot know how they were shuffled by comparing $π (E [x], E [y])$ and the original $(E [x], E [y])$ . Among two parties $A$ and $B$ , the mix network can be realized using the public key encryption of $A$ and $B$ . We show such a mix network in Algorithm 2. We can assume that $A$ cannot know any information about the permutation without decryption.

Using the mix network, we propose the improved secure CWC (Algorithm 3) reducing the time complexity to $O (m n k + k log k)$ . An example run of Algorithm 3 is illustrated in Fig. 1. As shown in this example, the party $A$ can securely sort $k$ randomized features in $O (k log k)$ time and then swap each associated bit string of length $n m$ in $O (k m n)$ time. After this preprocessing, the parties obtain a minimal consistent features decrypting the output of CWC. Finally, we obtain the following result.

Theorem 2

Algorithm 3 can securely simulate CWC in $O (k m n + k {log}^{2} k)$ time and $O (k m n)$ space without revealing the private data of the parties under the assumption that TFHE is secure.

The party $B$ shuffles $F$ by a permutation $π (F_{1}, \dots, F_{k}) = (F_{i_{1}}, \dots, F_{i_{k}})$ . The parties communicate only in the step 5 and 6. $B$ can decrypt any $E_{B} [F_{i} + r_{i}]$ , but due to the added noise, he cannot know anything about $F_{i}$ . On the other hand, $A$ obtains the plaintext $π [F_{i}]$ , but he cannot compute $π^{- 1}$ . Thus, the parties cannot get the rank of the original feature $F_{i}$ from each party’s information alone. Therefore, the protocol of Algorithm 3 is as secure as TFHE. On the other hand, the time and space complexities are clear because the algorithm moves $B_{i}$ of length $m n$ at most $O (k)$ times. It follows that the time complexity is reduced to $O (k m n + k {log}^{2} k)$ . $□$

4 Experiments

We implemented our baseline algorithm in C++ using TFHE library for bitwise operations on fully homomorphic encryption. The experiments were conducted on the machine with Intel Core i7-6567U (3.30GHz) and 16GB RAM. In the following, $m$ (resp. $n$ ) is the number of positive (resp. negative) data and $k$ is the number of features.

Table 5 shows the time for computing $B_{i}$ in three different sizes of $m n$ . As the theoretical time bound $O (m n)$ suggests, the time linearly increases to the size of $m n$ . We note that $B_{i}$ can be computed independently from other $B_{j}$ with $i \neq j$ , and thus, thery can be computed in parallel.

Table 5 shows the time for computing $| | B_{i} | |$ while changing the size of $m n$ and upper bound $b_{m a x}$ of bits to store consistency measures. Since there are $O (m n)$ additions to a $b_{m a x}$ -bits integer, the time complexity is $O (m n b_{m a x})$ . We can observe that the time per addition linearly increases to $b_{m a x}$ . Note that the computation of $| | B_{i} | |$ for all features can be conducted in parallel.

$m n$	time [sec]
100	6.04
500	30.06
1000	60.14

Table 5: Time for computing

| | B_{i} | |

$m n$	$b_{m a x}$	time [sec]	time per addition [sec]
100	7	27.624	0.28
500	9	175.826	0.35
1000	10	394.967	0.40

Table 4: Time for computing

B_{i}

’s

Table 7 shows the time for swapping a pair of data in the sorting procedure. Since the theoretical time complexity is $O (m n + b_{m a x} + ⌈ log k ⌉)$ , the time is mostly dominated by $m n$ .

Since the whole procedure of sorting takes a long time, we estimate it from the time for a single swap in Table 7. Table 7 shows the estimated total time for sorting $B_{i}$ ’s with OEM sort. Here we assume that all the swaps are conducted in serial (without utilizing parallelism of sorting network).

$k$	$m n$	$b_{m a x}$	$⌈ log k ⌉$	time [sec]
10	100	7	4	8.88
10	500	9	4	39.59
10	1000	10	4	78.05
50	100	7	6	9.05
50	500	9	6	39.73
50	1000	10	6	78.04
100	100	7	7	9.10
100	500	9	7	39.93
100	1000	10	7	77.94

Table 7: Estimated total time for sorting

B

’s with OEM sort.

$k$	$m n$	# swaps	time [sec]
10	100	63	559.57
10	500	63	2494.23
10	1000	63	4917.40
50	100	543	4911.44
50	500	543	21573.39
50	1000	543	42376.26
100	100	1471	13386.10
100	500	1471	58732.62
100	1000	1471	114646.80

Table 6: Time for swapping a pair of data

Table 8 shows the time for feature selection from sorted list of $B_{i}$ ’s. The results follow the theoretical time complexity $O (k m n)$ .

$k$	$m n$	time [sec]
10	100	111.96
10	500	558.17
10	1000	1114.24
50	100	589.35
50	500	2941.07
50	1000	5919.71
100	100	1179.06
100	500	5952.54
100	1000	11867.00

Table 8: Time for feature selection from sorted list of

B_{i}

’s

Table 9 summarizes the time for each step of our baseline algorithm under the assumption that the parallelism is not used. The table shows that the sorting part is the bottleneck.

$k$	$m n$	Step 1 [sec]	Step 2 [sec]	Step 3 [sec]
10	100	60.37	835.81	111.96
10	500	300.59	4252.49	558.17
10	1000	601.41	8867.07	1114.24
50	100	301.85	6292.64	589.35
50	500	1502.95	30364.69	2941.07
50	1000	3007.05	62124.61	5919.71
100	100	603.70	16148.50	1179.06
100	500	3005.90	76315.22	5952.54
100	1000	6014.10	154143.50	11867.00

Table 9: Time for each step. Step 1: Computing

B_{i}

’s. Step 2: Sorting

B_{i}

’s. Step 3: feature selection.

As we can see from the experimental results (e.g. Table 9), most of the computational time of the baseline algorithm is spent on sorting. Thus, the implementation of the improved secure CWC is an important future work. Although we have implemented a two-party protocol, our algorithm including the improved secure CWC can be easily extended to general multiparty protocols.

References

[1] M. Ajtai and E. S. J. Komlós (1983) An $O (n log n)$ sorting network. In STOC, pp. 1–9. Cited by: §3.1.2.
[2] H. Almuallim and T.G. Dietteric (1994) Learning boolean concepts in the presence of many irrelevant features. Artif. Intell. 69 (1-2), pp. 279–30. Cited by: §1.1.
[3] N. Attrapadung, G. Hanaoka, S. Mitsunari, Y. Sakai, K. Shimizu, and T. Teruya (2018) Efficient two-level homomorphic encryption in prime-order bilinear groups and a fast implementation in webassembly. In ASIACCS, pp. 685–697. Cited by: §1.2.
[4] K.E. Batcher (1968) Sorting networks and their applications. In AFIPS Spring Joint Computing Conference, pp. 307–314. Cited by: §3.1.2.
[5] D. Boneh, E.J. Goh, and K. Nissim (2005) Evaluating 2-DNF formulas on ciphertexts. In TCC, pp. 325–341. Cited by: §1.2.
[6] Z. Brakerski, C. Gentry, and V. Vaikuntanathan (2012) (Leveled) fully homomorphic encryption without bootstrapping. In ITCS, pp. 309–325. Cited by: §1.2.
[7] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène (2020) TFHE: fast fully homomorphic encryptionover the torus. Journal of Cryptology 33, pp. 34–91. Cited by: §1.2, §2.2.
[8] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène (August 2016) TFHE: fast fully homomorphic encryption library. Note: https://tfhe.github.io/tfhe/ Cited by: §1.2, §2.2, §2.2.
[9] C. Gentry (2009) Fully homomorphic encryption using ideal lattices. In STOC, pp. 169–178. Cited by: §1.2.
[10] K. Hamada, K. C. D. Ikarashi, and K. Takahashi (2014) Oblivious radix sort: an efficient sorting algorithm for practical secure multi-party computation. In IACR Cryptol. ePrint Arch., pp. 121. Cited by: §3.1.2.
[11] H. Liu, H. Motoda, and M. Dash (1998) A monotonic measure for optimal feature selection. In ECML, pp. 101–106. Cited by: §1.1.
[12] P. Paillier (1999) Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT, pp. 223–238. Cited by: §1.2.
[13] K. Sampigethaya and R. Poovendran (2006) A survey on mix networks and their secure applications. Proceedings of the IEEE 94 (12), pp. 2142–2181. Cited by: §3.2.
[14] K. Shin, D. Fernandes, and S. Miyazaki (2011) Consistency measures for feature selection: a formal definition, relative sensitivity comparison, and a fast algorithm. In IJCAI, pp. 1491–1497. Cited by: §1.1.
[15] K. Shin, T. Kuboyama, T. Hashimoto, and D. Shepard (2017) SCWC/slcc: highly scalable feature selection algorithms. Information 8 (4), pp. 159. Cited by: §1.1, Table 1.
[16] K. Shin and X.M. Xu. (2009) Consistency-based feature selection. In KES, pp. 28–30. Cited by: §1.1, §1.2, Table 2.
[17] Z. Zhao and H. Liu (2007) Searching for interacting features. In IJCAI, pp. 1156–1161. Cited by: §1.1.

Privacy-Preserving Multiparty Protocol for Feature Selection Problem

Authors

Privacy-preserving feature selection: A survey and proposing a new set of protocols

Privacy-Preserving Feature Selection with Secure Multiparty Computation

Privacy-Preserving Maximum Matching on General Graphs and its Application to Enable Privacy-Preserving Kidney Exchange

Consistent Nonparametric Different-Feature Selection via the Sparsest k-Subgraph Problem

Privacy Preserving K-Means Clustering: A Secure Multi-Party Computation Approach

Sparsification and feature selection by compressive linear regression

Secure Two-Party Feature Selection

1 Introduction

1.1 Motivation and related works

1.2 Our contribution

2 Preliminaries

2.1 CWC algorithm over plaintext

2.2 TFHE: a faster fully homomorphic encryption

3 Algorithms

3.1 Baseline algorithm

3.1.1 Computing $B_{i}$

3.1.2 Sorting $B$ ’s

3.1.3 Selecting features

3.1.4 Summing up analysis

Theorem 1

3.2 Improvement of secure CWC

Theorem 2

4 Experiments

References

Privacy-Preserving Multiparty Protocol for Feature Selection Problem

Authors

Related Research

Privacy-preserving feature selection: A survey and proposing a new set of protocols

Privacy-Preserving Feature Selection with Secure Multiparty Computation

Privacy-Preserving Maximum Matching on General Graphs and its Application to Enable Privacy-Preserving Kidney Exchange

Consistent Nonparametric Different-Feature Selection via the Sparsest k-Subgraph Problem

Privacy Preserving K-Means Clustering: A Secure Multi-Party Computation Approach

Sparsification and feature selection by compressive linear regression

Secure Two-Party Feature Selection

This week in AI

1 Introduction

1.1 Motivation and related works

1.2 Our contribution

2 Preliminaries

2.1 CWC algorithm over plaintext

2.2 TFHE: a faster fully homomorphic encryption

3 Algorithms

3.1 Baseline algorithm

3.1.1 Computing Bi

3.1.2 Sorting B’s

3.1.3 Selecting features

3.1.4 Summing up analysis

Theorem 1

3.2 Improvement of secure CWC

Theorem 2

4 Experiments

References

3.1.1 Computing $B_{i}$

3.1.2 Sorting $B$ ’s