Privacy-preserving k-NN interpolation over two encrypted databases

Our contribution

In this article, we introduce an efficient secure two-party k-NN (STPkNN) interpolation protocol that enables two different data owners to outsource their databases together with the query processing service to the cloud, and allows a query owner to extract the interpolation of the k-nearest neighbors of a query point from the encrypted databases. Our protocol preserves the confidentiality of data, assures the privacy of user’s query point, and hides data access patterns.

The STPkNN protocol can be considered as an extension of the protocol SkNN_m proposed in Elmehdwi, Samanthula & Jiang (2014), that enables a query owner to retrieve the k-nearest neighbors of a query point from a single encrypted database, to two-cloud settings. Briefly, the SkNN_m protocol calculates the k-nearest neighbors in an iterative way by performing the following steps k times: (i) it finds the minimum of the Euclidean distances between the data records and the query point, (ii) it calculates the one of the nearest neighbors that corresponds to the index of the minimum distance, and excludes the corresponding distance from the Euclidean distances. On the other hand, in two-cloud settings, the clouds have to share their local minimums of the Euclidean distances to decide on the global minimum that corresponds the index of the nearest neighbor of two databases at the moment, and remove that record from further iterations. However, it is not trivial to achieve this without revealing which data record corresponds to global minimum to any cloud.

To this aim, we first propose two new security primitives, the Secure Transformation (ST) protocol and the Secure Bit-AND-OR (SBAOR) protocol that enable the clouds to decide on the global minimum and exclude it from the further calculations without revealing data access pattern to any cloud. We show that both protocols protect the confidentiality of the input values which will be in encrypted form, i.e. no information about the input values is leaked to any party during the protocols, and the output is only revealed to one of the parties in the protocols. Briefly, the ST protocol allows the servers to securely transform the encryption of a record under a public key to an encryption of same record under another public key. On the other hand, for given the encryptions of two bit vectors x and y, the SBAOR protocol enables the servers to securely compute the negation of the logical disjunction of all bitwise multiplications x_i · y_i in encrypted form without revealing the bit vectors to any party.

By employing the ST and SBAOR protocols together with the other existing security protocols, we build our main protocol STPkNN that enables a query owner (QO) to extract the interpolation of the k-nearest neighbors of a query point chosen by QO from two different databases outsourced to two different cloud service providers. In the protocol, data owners encrypt their data before outsourcing them to the cloud service providers, and they do not participate in the STPkNN protocol. Thus, no information about the data is leaked to the cloud service providers during the protocol. Besides, our protocol guarantees that any record from both databases or any intermediate result generated in the protocol is not leaked to the cloud service providers. Also, it hides the data access pattern from both data owners and cloud service providers, i.e. the protocol does not reveal the information of which data records were used to produce the interpolation of k-nearest neighbors to any cloud service provider. On the other hand, the STPkNN protocol outputs the interpolation of k-nearest neighbors only to the query owner, and the query owner gets no information other than the interpolation.

We also conduct various experiments on two real-world datasets from the UCI machine learning repository, the cervical cancer (risk factors) dataset and the default of credit card clients dataset, to show the practicability of our protocol in real world scenarios. The experimental evaluation presents that our protocol scales well for the large datasets.

Related works

Due to its usefulness in many application scenarios such as classification, similarity search, and collaborative filtering, the problem of computing the k-nearest neighbors of a query point has been gained a lot of attention in recent years. The early studies mostly focused on how to implement a secure k-NN method between data owner and clients without using cloud systems. Shaneck, Kim & Kumar (2009) proposed a privacy-preserving protocol that employs secure multiparty computation to compute k-NN in horizontally partitioned databases. Besides, they also showed how their protocol can be efficiently used in different application such as outlier detection, classification, and clustering problems. Moreover, Qi & Atallah (2008) proposed a provable secure protocol for the single-step k-NN search problem that enjoys linear computation and communication complexity. Vaidya & Clifton (2005) introduced a privacy-preserving algorithm that performs top-k queries in vertically partitioned data. Additionally, Kantarcoğlu & Clifton (2004) proposed a method that privately calculates the k-NN classification over horizontally partitioned data in the distributed database model. Note that all of the above methods require the data owners to perform the necessary calculations to generate the result, and to return it directly to the query users. However, in our model, the data is outsourced to the cloud in encrypted form instead of being kept by the data owners. All of the computation required to process k-NN queries are performed by the cloud.

The recent studies have mostly focused on solutions in cloud computing settings. Wong et al. (2009) proposed an asymmetric scalar-product-preserving encryption (ASPE) scheme that can be employed to construct a secure k-NN protocol. The protocol proposed in Wong et al. (2009) uses a distance comparison function instead of an exact distance calculation. However, the secret key in the protocol should be disclosed to the query users. Zhu, Huang & Takagi (2016) introduced a secure protocol that achieves k-NN query processing on encrypted data without totally revealing the data owner’s secret key to the query user. However, their scheme requires data owners to be involved in the encryption of query points. Hu et al. (2011) proposed a secure traversal framework that can used, together with privacy homomorphism, to achieve secure k-NN query processing protocol. Cheng et al. (2015) proposed a privacy-preserving protocol that employs an encrypted hierarchical index tree to perform k-NN queries over spatial data outsourced to cloud in encrypted form. All three protocols (Hu et al., 2011; Zhu, Huang & Takagi, 2016; Cheng et al., 2015) leak data access pattern to the cloud. On the other hand, Kesarwani et al. (2018) proposed a secure k-NN query processing protocol over encrypted data by utilizing a leveled fully homomorphic encryption scheme. Wu et al. (2019) introduced a privacy preserving k-NN classification scheme over the encrypted cloud database that is secure against known-plaintext attack. Besides, Lei et al. (2020) shed light on the connection between a secure k-NN query processing scheme and a secure range query scheme. Based on this connection, they utilize a secure range query scheme together with a data structure named as random Bloom filter to build a secure k-NN query processing scheme. All three protocols (Kesarwani et al., 2018; Wu et al., 2019; Lei et al., 2020) hide data access pattern as well as preserving the data privacy and query privacy. However, they require the decryption keys to be given the query users. However, in our model, the decryption keys are not shared with the query users.

On the other hand, Elmehdwi, Samanthula & Jiang (2014) tackled with the same problem using homomorphic encryption method. In addition to ensuring the confidentiality of data owners and clients, the protocol proposed in Elmehdwi, Samanthula & Jiang (2014) also achieves to hide data access patterns from the clouds. Moreover, Xu et al. (2017) proposed an efficient secure k-NN protocol which achieves sublinear computational complexity. Similar to Elmehdwi, Samanthula & Jiang (2014), their protocol also achieves hiding of data access patterns using garbled circuits to simulate Oblivious RAM. Furthermore, Guo & Sun (2020) adopted the data structure R-tree to build an efficient k-NN scheme that requires only two rounds of interactions between the client and cloud servers to generate the result. They also utilized the Merkle hash tree techniques to obtain a better k-NN scheme that is secure against even a malicious cloud servers. There are also some studies that engage in location-based query processing over encrypted geospatial data (Lei et al., 2019; Lian et al., 2020). Lian et al. (2020) proposed an efficient k-NN scheme by employing the Moore curves together with the AES encryption scheme, that ensures the spatial data and location privacy.

The aforementioned studies use k-NN methods for either classification or query search applications. Unlike previous solutions, Kalideen, Osmanoglu & Tugrul (2019) proposed an efficient solution for the problem of computing the interpolation of k-NN to a given point in cloud computing settings. However, their solution reveals the knowledge of which data records were used to produce the interpolation to the cloud servers, and leaking such information might not be desired in some application required the data security. Unlike the protocol presented in Kalideen, Osmanoglu & Tugrul (2019), our protocol assures the desired security features, i.e. it hides data access pattern.

Secure two-party k-NN interpolation problem

In our system there are two data owners DO₁ and DO₂ holding two different spatial databases D₁ and D₂, respectively. Each database D_u consists of n records $d_1^{(u)},\dots ,d_n^{(u)}$ such that each record $d_i^{(u)}$ is an m-dimensional spatial vector, i.e. $d_i^{(u)}=⟨d_{i,1}^{(u)},\dots ,d_{i,m}^{(u)}⟩$ where u = 1,2. There are also two cloud pairs (CSP₁^(u), CSP₂^(u)) so that each one is associated with a public key-secret key pair (pk_u, sk_u) of a public key encryption scheme that is semantically secure (Goldwasser & Micali, 1982). As the most of the studies in this field, we also consider each pair of cloud service providers (CSP₁^(u), CSP₂^(u)) as two non-colluding cloud servers, i.e. CSP₁^(u) stores the database and performs most of the homomorphic operations; on the other hand, CSP₂^(u) keeps the secret key and helps CSP₁^(u) to perform the complex operations over the ciphertexts.

In our problem, we assume that each data owner DO_u initially encrypts his database D_u as $E_{p{k}_u}(D_u)$ where $E_{p{k}_u}(D_u)$ consists of the attribute-wise encryptions $E_{p{k}_u}\left(d_{i,j}^{(u)}\right)$ for 1 ≤ i ≤ n and 1 ≤ j ≤ m. Each DO_u then outsources $E_{p{k}_u}(D_u)$ together with the query processing service to CSP₁^(u). Note that the underlying public key encryption scheme should enable cloud servers to perform homomorphic operations over ciphertexts.

There is also an authorized query owner QO who wants to retrieve the interpolation of k-nearest neighbors of a query point Q from both databases D₁ and D₂ stored in CSP₁⁽¹⁾ and CSP₁⁽²⁾, respectively. After QO requests the interpolation, the cloud service providers generate the result by performing required operations over the encrypted databases. This process should output the interpolation of k-nearest neighbors only to the query owner. The query owner should not learn any information other than the interpolation during this process. We denote such process as secure two-party k-nearest neighbors (STPkNN) protocol. We remark that STPkNN protocol should preserve the confidentiality of the records in the databases D₁ and D₂, and protect the privacy of the query point. Moreover, the protocol should hide data access patterns, i.e. it should not reveal the information of which data records were used to produce the interpolation of k-nearest neighbors to any data owner or any cloud service provider.

Example

In 2016, European Union adopted a new regulation on the protection of personal data, Regulation (EU) 2016/679 of the European Parliament and Of The Council (European-Parliament, 2016). The regulation states that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right’. All of the personal health records that reveal information relating to the past, current or future physical or mental health status of the data subject are considered as personal sensitive data in the regulation. Therefore, the personal health records should be protected against unauthorized parties, i.e. only the one approved by the owner should be able to access to the data.

On the other hand, the processing of health data may be significant to advance research or healthcare practices. Consider a doctor who tries to determine whether a person has a particular hearth disease or not by analyzing the medical records of the person. In addition, the doctor may desire to compare the patient’s medical records with other patients’ presenting similar properties in order to improve diagnostic accuracy. In fact, this comparison enables the doctor to evaluate the validity of some tests, especially when the scores do not match the expected values. Consequently, the doctor can make an accurate diagnosis, if he is allowed to reach the data of other patients in the same region or across the country. Moreover, if the personal health records are stored in the cloud as encrypted in order not to violate the fundamental right of the owner of the records, it will be possible to perform reliable analysis on large datasets.

Let us clarify it with an example. Consider the subset of heart disease data set from UCI Machine Learning Repository depicted in Table 1. There are 10 different instances shown in the table, and each instance is associated with five attributes: ID (patient’s identity), trestbps (resting blood pressure in mm Hg), chol (serum cholesterol in mg/dl), thalach (maximum heart rate achieved), and oldpeak (ST depression induced by exercise relative to rest). Assume the data owner, which can be viewed as hospital in this context, encrypts these attributes, and outsources the encrypted database E_pk(D) together with the future query processing to the cloud. Also, assume there is a doctor who wants to determine whether a specific patient carries risk for a particular hearth disease. Let the medical record of the patient be $Q=⟨150,250,145,3⟩$. The doctor, that will be the query owner in our context, asks the interpolation of k-nearest neighbors of Q from the cloud by providing the encryption E_pk(Q) to the cloud. Then, the cloud determines the interpolation of k-nearest neighbors by searching the encrypted database E_pk(D). For simplicity, let k be 3 for this example. As we observe here, the instances having IDs 1, 7, and 9 will be the 3 nearest neighbors to Q. So, the cloud returns the interpolation $T=⟨141.6,251.6,152.3,2.4⟩$ to the doctor that will benefit from T to make an accurate diagnosis. Consequently, necessary analysis can be carried out without revealing any sensitive information about both his patient and the other patients.

Effect of collaboration on interpolation accuracy

Aguilar et al. (2005) stated that if interpolation models are developed with an insufficient amount of data, they will be less accurate and reliable. Namely, the collaboration between participants affects the accuracy of interpolation models. We here conduct a series of experiments to assess the impact of collaboration between participants on the accuracy of prediction in the interpolation methods. In our experiments, we employ two publicly available datasets from U.S. National Geochemical Survey Database that present sodium (Na) content of the soil in two states: Colorado and Wisconsin. Summary statistics of both data sets are presented in Table 2.

There are various performance evaluation metrics for interpolation methods. We here employed Mean Absolute Error (MAE) and Root Mean Squared Error (RMSE), which are often chosen as evaluation metrics for numerical prediction. The small values of both MAE and RMSE indicate that models will produce results that are more accurate. MAE and RMSE values are calculated as follows;

(1) $$MAE=\left[{\displaystyle \frac{1}{n}\sum _{i=1}^n|p(x_i,y_i)-a(x_i,y_i)|}\right]$$

(2) $$RMSE={\left[{\displaystyle \frac{1}{n}\sum _{i=1}^n{\left(p(x_i,y_i)-a(x_i,y_i)\right)}^2}\right]}^{1/2}$$

where n is the total number of data points in the dataset, p({x_i, y_i}) and z({x_i, y_i}) are predicted and actual values at location ({x_i, y_i}), respectively. The effects of varying k values on MAE and RMSE values are shown in Fig. 1.

We assume that two data holders share all data points in the data set. Both data sets are randomly divided into two parts using sampling without replacement strategy, assuming each party has one of the pieces. In some situations, data holders may not have data in equal proportions. So, we have determined different sharing ratios considering the cases where there is no equal distribution. We specify the β value as the distribution ratio, which means that if one party holds β portion of the data, the other party will hold the remaining portion (1 − β). After several trials, the MAE and RMSE values obtained according to the various number of nearest neighbor counts are shown in the Tables 3 and 4, respectively.

As seen from the results, the smallest MAE and RMSE values are observed when the 10-nearest neighbors are used for all points in each data set. The smallest MAE and RMSE are underlined in the tables. As seen from the Table 3, if only half of the data is available for creating a prediction model, there will be a deterioration in MAE values of 4.31% for the Wisconsin data set and 6.60% for the Colorado data set. It is also possible to observe similar aspects in Table 4 for each split ratio. As observed from the results, the data holder who has less amount of data always produces less accurate predictions. On the contrary, if there is a sufficient amount of data, the predictions generated by the model are more accurate and reliable.

Notation

We here give the notations used in this paper.

• n, the number of records in each database

• m, the number of the attributes in each record

• $\ell$, the domain size (in bits) of the squared Euclidean distance

• DO_u, the u^th data owner

• D_u, the u^th database

• $d_i^{(u)}$, the i^th record of the database D_u

• QO, the query owner

• Q, the query point

• [x], the encryption of the individual bits of x

• $d_{mi{n}_p}$, the p^th closest record to Q

• (pk_u, sk_u), the public key-secret key pair assigned to the u^th cloud pair

• (CSP₁^(u), CSP₂^(u)), the u^th cloud pair, i.e. the former holds the encryption of the database $E_{p{k}_u}(D_u)$ and the latter holds the corresponding secret key sk_u.

Homomorphic encryption

Homomorphic encryption is an encryption scheme that allows users to perform some mathematical operations on ciphertexts, such as addition and multiplication. This property enables to protect the confidentiality of the data, and makes the encryption scheme a very practical and useful tool in cloud computing, especially for the sensitive data. For that reason, homomorphic encryption schemes have been gaining a lot of attention in recent years. Within this direction, many homomorphic encryption schemes have been proposed (Goldwasser & Micali, 1982; Elgamal, 1984; Boneh, Goh & Nissim, 2005). In this study we use a well-known homomorphic encryption system, the Paillier scheme, to construct our protocols.

Let E_pk(·) be the encryption function with the public key pk and D_sk(·) be the decryption function with the secret key sk. For any given two plaintexts a and b, the Paillier scheme satisfies the following properties:

• Addition: D_sk(E_pk(a + b)) = D_sk(E_pk(a) * E_pk(b) mod N²)

• Multiplication: D_sk(E_pk(a * b)) = D_sk(E_pk(a)^bmod N²)

Note that the Paillier encryption scheme is semantically secure (Paillier, 1999).

Basic security primitives

Here, we briefly explain a set of basic security protocols. In these protocols, it’s assumed that there exist two semi-honest parties P₁ and P₂ joining the protocols, and the Paillier’s secret key is known only to one of them. We will also introduce two new security primitives in “Construction” that will be employed together with the basic primitives given here as building blocks in forming our construction.

Secure bit-AND-OR (SBAOR) protocol

The SBAOR protocol allows the servers to securely compute the negation of the logical disjunction of all bitwise multiplications x_i · y_i in encrypted form without revealing the bit vectors to any party. In the main protocol, it will help the servers to separate the index of the current closest record to the query point from all other records of both databases by assigning the encryption of 1 to that particular index and the encryption of 0 to all other indices. In this way, the servers will be able to calculate the current closest record, and remove the corresponding index from further calculations.

The protocol considers two parties P₁ and P₂ such that the former holds ([x], [y]) and the latter holds the secret key sk, where [x] and [y] are the encryption of individual bits of x and y. The protocol enables the parties P₁ and P₂ to securely compute the encryption $E_{pk}(\overline{A})$ where $\overline{A}=1-A$ and $A=(x_1\cdot y_1)\vee (x_2\cdot y_2)\vee \cdots \vee (x_{\ell }\cdot y_{\ell })$. The output $E_{pk}(\overline{A})$ is only known to P₁, and no information about x and y is revealed to any party during the protocol.

In the protocol, P₁ and P₂ first runs the SM protocol on the inputs E_pk(x_i) and E_pk(y_i) to calculate E_pk(x_i * y_i) for $i\in [\ell ]$ where x_i and y_i are the i-th bits of x and y, respectively. Note that each E_pk(x_i * y_i) is only revealed to P₁. The server P₁ then calculates $E_{pk}(x_1\cdot y_1\vee \cdots \vee x_{\ell }\cdot y_{\ell })$ as follows:

• it initially executes the SBOR protocol together with P₂ on E_pk(x₁ * y₁) and E_pk(x₂ * y₂) to get $E_{pk}(R_1)=E_{pk}(x_1\ast y_1\vee x_2\ast y_2)$,

• it then iteratively runs the SBOR protocol together with P₂ on E_pk(R_i−1) and E_pk(x_i+1 * y_i+1) to get $E_{pk}(R_i)=E_{pk}(R_{i-1}\vee x_{i+1}\ast y_{i+1})\mathrm{f}\mathrm{o}\mathrm{r}i=2\cdots \ell -1$.

Note that the final output of the iterative steps will be $E_{pk}(R_{\ell -1})=E_{pk}(x_1\cdot y_1\vee \cdots \vee x_{\ell }\cdot y_{\ell })$. Finally, P₁ applies the equation $E_{pk}(\overline{R_{\ell -1}})=E_{pk}(1)\ast E_{pk}(R_{\ell -1}{)}^{N-1}$ to compute the final output.

Security Analysis of SBAOR: At the beginning of the protocol, the servers P₁ and P₂ execute the Secure Multiplication protocol. As emphasized in “Premilinaries”, the output of the protocol is only revealed to the server P₁, and no information about the plaintexts x_i and y_i is revealed to any party during this protocol. Later, the servers run the Secure Bit-OR (SBOR) Protocol on the inputs E_pk(R_i) and E_pk(x_i+1 * y_i+1). The SBOR protocol outputs the new E_pk(R_i+1) only to the server P₁, and no information about the plaintexts is revealed to any party during the protocol. At the final, the server P₁ only applies some homomorphic operations on the encryption $E_{pk}(R_{\ell -1})$ computed at the previous step. Therefore, the SBAOR protocol protects the confidentiality of the data, i.e. no information about the contents of the encryptions is revealed to any party during the protocol.

Secure Transformation (ST) protocol

The ST Protocol enables the servers to transform the encryption of a record under a public key to the encryption of same record under another public key. In the main protocol, the servers employ ST Protocol to collect the encryptions of local minimums, that indicate the indexes of local closest records of both databases, under the same public key so that they can decide the minimum among them.

The protocol considers three parties ${\mathrm{P}}_1^{(u_1)}$ with the input $E_{p{k}_{u_1}}(t)$, ${\mathrm{P}}_2^{(u_1)}$ with the secret key $s{k}_{u_1}$, and ${\mathrm{P}}_1^{(u_2)}$. The protocol simply aims to transform the encryption of a record t under the public key $p{k}_{u_1}$ to the encryption of t under the public key $p{k}_{u_2}$. Note that no information about t is revealed to any party during the protocol and the output $E_{p{k}_{u_2}}(t)$ is only known to the party ${\mathrm{P}}_1^{(u_2)}$.

Briefly, ${\mathrm{P}}_1^{(u_1)}$ first masks $E_{p{k}_{u_1}}(t)$ with the randomly chosen vector $r^{\mathrm{\prime }}\in Z_N^m$ as $\mu =E_{p{k}_{u_1}}(t)\ast E_{p{k}_{u_1}}(r^{\mathrm{\prime }})$, and sends μ to ${\mathrm{P}}_2^{(u_1)}$ and $E_{p{k}_{u_2}}(r^{\mathrm{\prime }})$ to ${\mathrm{P}}_1^{(u_2)}$. After getting μ, ${\mathrm{P}}_2^{(u_1)}$ first decrypts it as ${\mu }^{\mathrm{\prime }}=D_{s{k}_{u_1}}(\mu )$, then encrypts μ′ with the public key $p{k}_{u_2}$ as $E_{p{k}_{u_2}}({\mu }^{\mathrm{\prime }})$, and finally sends the encryption to ${\mathrm{P}}_1^{(u_2)}$. After receiving the encryption, the party ${\mathrm{P}}_1^{(u_2)}$ first removes the randomness r′ from the encryption $E_{p{k}_{u_2}}({\mu }^{\mathrm{\prime }})$ and gets the encryption $E_{p{k}_{u_2}}(t)$ as $E_{p{k}_{u_2}}(t)=E_{p{k}_{u_2}}({\mu }^{\mathrm{\prime }}-r^{\mathrm{\prime }})$. From the homomorphic property of the underlying encryption scheme, $E_{p{k}_{u_2}}({\mu }^{\mathrm{\prime }}-r^{\mathrm{\prime }})$ can easily be calculated as $E_{p{k}_{u_2}}({\mu }^{\mathrm{\prime }})\ast E_{p{k}_{u_2}}(r^{\mathrm{\prime }}{)}^{N-1}$.

Security Analysis of ST: At the beginning of the protocol, the servers ${\mathrm{P}}_1^{(u_1)}$ randomizes the encryption $E_{p{k}_{u_1}}(t)$ with $r^{\mathrm{\prime }}\in Z_N^m$ before sending it to the server ${\mathrm{P}}_2^{(u_1)}$. So, the decryption computed by ${\mathrm{P}}_2^{(u_1)}$ will be uniformly random in $Z_N^m$. Besides, P ${}_1^{(u_2)}$ locally subtracts the encryption of the randomness r′ under the public key $p{k}_{u_2}$ from the encryption sent by ${\mathrm{P}}_2^{(u_1)}$ by performing some homomorphic operations. Thus, the protocol does not reveal any information about the record t to any party.

Main protocol

In this section, we will give the construction of our main protocol that enables a query owner to extract the interpolation of k-nearest neighbors for a query point of his choice as shown in Fig. 2. As we stated in the “Introduction”, our construction can be viewed as an extension of the protocol presented in Elmehdwi, Samanthula & Jiang (2014) that proposes an efficient solution of the k-nearest neighbor query problem over encrypted database outsourced to a single cloud.

We assume that each data owner DO_u has a database D_u that consists of n records $d_1^{(u)},\dots ,d_n^{(u)}$ where each $d_i^{(u)}$ is m-dimensional vector that lies in $[0,2^{\ell }]$. We also assume that there exist two non-colluding semi-honest cloud service providers, ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ and ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ for each database D_u where ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ is given the encryption of the database D_u and ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ is given the corresponding secret key sk_u.

Initially, each DO_u encrypts his database D_u as $E_{p{k}_u}\left(d_{i,j}^{(u)}\right)$ where 1≤ i ≤ n and 1≤ j ≤ m. Each DO_u then outsources the encryptions of the database, together with the future query service to the clouds, i.e. DO_u gives $E_{p{k}_u}\left(d_{i,j}^{(u)}\right)$ to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ and his secret key sk_u to ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$. When the query owner (QO) wants to retrieve the interpolation of the k-nearest neighbors for a query point Q, he produces two encryptions of his query point Q as $E_{p{k}_1}(Q)=⟨E_{p{k}_1}(q_1),\dots ,E_{p{k}_1}(q_m)⟩$ and $E_{p{k}_2}(Q)=⟨E_{p{k}_2}(q_1),\dots ,E_{p{k}_2}(q_m)⟩$ using the public keys of the data owners DO₁ and DO₂, respectively; and gives each encryption $E_{p{k}_u}(Q)$ to the corresponding cloud service provider ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$.

After receiving the encryption $E_{p{k}_u}(Q)$, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ runs the SSED protocol together with the corresponding server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on the input $(E_{p{k}_u}(Q),E_{p{k}_u}\left(d_i^{(u)}\right))$ where $E_{p{k}_u}\left(d_i^{(u)}\right)=⟨E_{p{k}_u}\left(d_{i,1}^{(u)}\right),\dots ,E_{p{k}_u}\left(d_{i,m}^{(u)}\right)⟩$ for 1 ≤ i ≤ n, and obtains the encryption of the squared Euclidean distance between Q and $d_i^{(u)}$ as $E_{p{k}_u}\left(e_i^{(u)}\right)$ where $e_i^{(u)}=|Q-d_i^{(u)}{|}^2$. From the SSED protocol, $E_{p{k}_u}\left(e_i^{(u)}\right)$ is revealed only to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$.

Opposite to the protocol proposed in Kalideen, Osmanoglu & Tugrul (2019), instead of sending the encryptions $E_{p{k}_u}\left(e_i^{(u)}\right)$ to the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ where 1 ≤ i ≤ n, that reveals the information of which indexes being used to compute the interpolation to ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ securely runs the SBD protocol with the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on the inputs $E_{p{k}_u}\left(e_i^{(u)}\right)$ to compute $[e_i(u)]=⟨E_{p{k}_u}\left(e_{i,1}^{(u)}\right),\dots ,E_{p{k}_u}\left(e_{i,\ell }^{(u)}\right)⟩$, the encryptions of the individual bits of $e_i^{(u)}$. Note that $\left[e_i^{(u)}\right]$ is only revealed to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$.

After this stage, the servers produce the interpolation of the k-nearest neighbours of the query point Q in an iterative way. In each iteration:

• Each pair of servers ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ and ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ securely calculate the encryptions of the individual bits of the minimum value $\left[e_{min}^{(u)}\right]$ among $\left[e_1^{(u)}\right],\dots ,\left[e_n^{(u)}\right]$ by running the protocol SMIN_n. Note that $\left[e_{min}^{(u)}\right]$ is only revealed to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$.

• Each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ then locally calculates the encryption of e_min from $\left[e_{min}^{(u)}\right]$ as

$$E_{p{k}_u}\left(e_{min}^{(u)}\right)=\prod _{i=0}^{\ell -1}{E}_{p{k}_u}{\left(e_{min,i}^{(u)}\right)}^{2^{\ell -i-1}}=E_{p{k}_u}(e_{min,1}^{(u)}\times 2^{\ell -1}+\dots +e_{min,\ell }^{(u)}).$$

• At this stage of the protocol, the servers ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ and ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(2)}$ have $E_{p{k}_1}\left(e_{min}^{(1)}\right)$ and $E_{p{k}_2}\left(e_{min}^{(2)}\right)$ as the encryption of the minimum distances. Now, the servers apply the following steps to decide the minimum among $e_{min}^{(1)}$ and $e_{min}^{(2)}$:

• – the servers ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(2)}$ with the input $E_{p{k}_2}\left(e_{min}^{(2)}\right)$, ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(2)}$ with the secret key sk₂, and ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ securely runs the ST protocol to compute the encryption of $e_{min}^{(2)}$ under the public key pk₁. Note that $E_{p{k}_1}\left(e_{min}^{(2)}\right)$ is only known to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$.

• – the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ now executes the SBD protocol with the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(1)}$ on the inputs $E_{p{k}_1}\left(e_{min}^{(1)}\right)$ and $E_{p{k}_1}\left(e_{min}^{(2)}\right)$ to compute $\left[e_{min}^{(1)}\right]$ and $\left[e_{min}^{(2)}\right]$ where $\left[e_{min}^{(u)}\right]=⟨E_{p{k}_1}\left(e_{min,1}^{(u)}\right),\dots ,E_{p{k}_1}\left(e_{min,\ell }^{(u)}\right)⟩$. From the SBD protocol, $[e_{min}^{(1)}]$ and $[e_{min}^{(2)}]$ are only revealed to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$.

• – ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ then runs the SMIN protocol with ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(1)}$ on the inputs $[e_{min}^{(1)}]$ and $[e_{min}^{(2)}]$, and gets $[e_{min}]=\left[min\{e_{min}^{(1)},e_{min}^{(2)}\}\right]$.

• – after getting [e_min], ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ locally calculates the encryption of e_min as

$$E_{p{k}_1}(e_{min})=\prod _{i=0}^{\ell -1}{E}_{p{k}_1}(e_{min,i}{)}^{2^{\ell -i-1}}.$$

• – the servers ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ with the input $E_{p{k}_1}(e_{min})$, ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(1)}$ with the secret key sk₁, and ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(2)}$ securely runs the ST protocol to compute the encryption of e_min under the public key pk₂. Note that $E_{p{k}_2}(e_{min})$ is only known to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(2)}$.

• After identifying the minimum e_min among $e_{min}^{(1)}$ and $e_{min}^{(2)}$, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ locally computes the encryption of difference $(e_{min}-e_i^{(u)})$ for each i as $E_{p{k}_u}\left({\lambda }_i^{(u)}\right)=E_{p{k}_u}(e_{min}-e_i^{(u)})=E_{pk}(e_{min})\ast E_{pk}{\left(e_i^{(u)}\right)}^{N-1}$.

• Each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ then randomizes $E_{p{k}_u}\left({\lambda }_i^{(u)}\right)$ as $E_{p{k}_u}\left({\alpha }_i^{(u)}\right)=E_{p{k}_u}{\left({\lambda }_i^{(u)}\right)}^{r_i^{(u)}}=E_{p{k}_u}({\lambda }_i^{(u)}\ast r_i^{(u)})$ where $r_i^{(u)}$ is a random number in Z_N. It is a fact that only one is the encryption of zero among all 2n encryptions $E_{p{k}_u}({\alpha }_i^{(u)})$ and all others are the encryptions of some random numbers where i = 1 … n and u = 1, 2.

• Each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ securely runs the SBD protocol with the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on the inputs $E_{p{k}_u}\left({\alpha }_i^{(u)}\right)$ to compute $\left[{\alpha }_i^{(u)}\right]=⟨E_{p{k}_u}\left({\alpha }_{i,1}^{(u)}\right),\dots ,E_{p{k}_u}\left({\alpha }_{i,\ell }^{(u)}\right)⟩$, the encryptions of the individual bits of ${\alpha }_i^{(u)}$. Note that $\left[{\alpha }_i^{(u)}\right]$ is only revealed to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$.

• After getting the encryptions $\left[{\alpha }_i^{(u)}\right]$, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ runs the SBAOR protocol with the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on $\left[{\alpha }_i^{(u)}\right]$ and [1] for each i where $[1]=⟨E_{p{k}_u}(1),\dots ,E_{p{k}_u}(1)⟩$, and gets $E_{p{k}_u}\left({\beta }_i^{(u)}\right)=E_{p{k}_u}\left(\overline{{\alpha }_i^{(u)}\cdot 1}\right)$. Note that one of the encryptions among all $E_{p{k}_u}\left({\beta }_i^{(u)}\right)$ is $E_{p{k}_u}(1)$ and the remaining encryptions are $E_{p{k}_u}(0)$ where i ∈ [n] and u = 1,2. Furthermore, if ${\beta }_j^{(v)}=1$, then $d_j^{(v)}$ is the closest record to Q from both databases.

• ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ securely runs the SM protocol with ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on the inputs $E_{p{k}_u}\left({\beta }_i^{(u)}\right)$ and $E_{p{k}_u}\left(d_{i,j}^{(u)}\right)$ to compute ${\beta }_{i,j}^{\mathrm{\prime }(u)}=E_{p{k}_u}({\beta }_i^{(u)}\ast d_{i,j}^{(u)})$, for 1 ≤ i ≤ n and 1 ≤ j ≤ m. Then, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ can now calculate the encryption of its candidate for the first closest record $d_1^{\mathrm{\prime }(u)}$ as $E_{p{k}_u}\left(d_1^{\mathrm{\prime }(u)}\right)=⟨E_{p{k}_u}\left(d_{1,1}^{\mathrm{\prime }(u)}\right),\dots ,E_{p{k}_u}\left(d_{1,m}^{\mathrm{\prime }(u)}\right)⟩$ where $E_{p{k}_u}\left(d_{1,j}^{\mathrm{\prime }(u)}\right)={\prod }_{i=1}^n{\beta }_{i,j}^{\mathrm{\prime }(u)}$. As we stated before, since only one of the encryptions among all $E_{p{k}_u}\left({\beta }_i^{(u)}\right)$ is $E_{p{k}_u}(1)$ and the remaining are $E_{p{k}_u}(0)$, one of the encryptions $E_{p{k}_u}\left(d_1^{\mathrm{\prime }(u)}\right)$ will be the encryption of zero and the other one will be the encryption of nonzero number that will be the first closest record.

• ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(2)}$ with the input $E_{p{k}_2}(d_1^{\mathrm{\prime }(2)})$, ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(2)}$ with the secret key sk₂, and ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ securely runs the ST protocol to compute the encryption of $d_1^{\mathrm{\prime }(2)}$ under the public key pk₁. Note that $E_{p{k}_1}\left(d_1^{\mathrm{\prime }(2)}\right)$ is only known to ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$.

• ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ now can calculate the encryption of the first closest record as $E_{p{k}_1}(d_{mi{n}_1})=E_{p{k}_1}\left(d_1^{\mathrm{\prime }(1)}\right)\ast E_{p{k}_1}\left(d_1^{\mathrm{\prime }(2)}\right)$. From the homomorphic property of the underlying encryption scheme, $E_{p{k}_1}\left(d_1^{\mathrm{\prime }(1)}\right)\ast E_{p{k}_1}\left(d_1^{\mathrm{\prime }(2)}\right)=E_{p{k}_1}(d_1^{\mathrm{\prime }(1)}+d_1^{\mathrm{\prime }(2)})$, and since one of them is zero, $E_{p{k}_1}(d_1^{\mathrm{\prime }(1)}+d_1^{\mathrm{\prime }(2)})$ will be the encryption of the first closest record from both databases.

• As the final step of the first iteration, the first closest records d_min1 should be excluded from the further iterations. To this aim, each ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ securely executes the SBOR protocol with ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(u)}$ on the inputs ${\beta }_i^{(u)}$ and $E_{p{k}_u}\left(e_{i,h}^{(u)}\right)$ where 1 ≤ i ≤ n and $1\le h\le \ell$. As the output of the protocol, ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(u)}$ gets the encryptions of renewed distances as $E_{p{k}_u}\left(e_{i,h}^{(u)}\right)=E_{p{k}_u}({\beta }_i^{(u)}\vee e_{i,h}^{(u)})$. Observe that if ${\beta }_j^{(u)}=E_{p{k}_u}(1)$ for a particular j, the corresponding distance $e_j^{(u)}$ will take the maximum value, i.e. $\left[e_j^{(u)}\right]=⟨E_{p{k}_u}(1),\dots ,E_{p{k}_u}(1)⟩$. On the other hand, if ${\beta }_i^{(u)}=E_{p{k}_u}(0)$, the SBOR protocol will have no effect on $e_i^{(u)}$.

Because our protocol outputs the interpolation of the k-nearest neighbors of the query point Q, the server ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ does not need to keep all the nearest records separately. Instead, it gradually builds the interpolation, i.e. after each iteration, ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ adds the current closest record $E_{p{k}_1}(d_{{min}_p})$ to the previous sum $E_{p{k}_1}(S_{p-1})=E_{p{k}_1}(d_{mi{n}_1}+\dots +d_{mi{n}_{p-1}})$ as $E_{p{k}_1}(S_{p-1})\ast E_{p{k}_1}(d_{mi{n}_p})$, and gets the current sum $E_{p{k}_1}(S_p)=E_{p{k}_1}(d_{mi{n}_1}+\dots +d_{mi{n}_P})$.

After k iterations, ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ will have the sum $E_{p{k}_1}(S_k)=E_{p{k}_1}(d_{mi{n}_1}+\dots +d_{mi{n}_k})$ as the encryption of the sum of the k-nearest neighbors of the query point Q. ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ then computes the randomization of the encryptions as ${\gamma }_j=E_{p{k}_1}(S_{k,j})\ast E_{p{k}_1}(r_j)$ where r_j are random numbers in Z_N and 1 ≤ j ≤ m. ${\mathrm{C}\mathrm{S}\mathrm{P}}_1^{(1)}$ then sends γ_j to ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(1)}$ and r_j to the query owner. Upon receiving γ_j, ${\mathrm{C}\mathrm{S}\mathrm{P}}_2^{(1)}$ decrypts them as ${\gamma }_j^{{}^{\prime }}=D_{s{k}_1}({\gamma }_j)$ and sends the decryptions to the query owner. The query owner QO then computes the sum of k-nearest record as $S_{k,j}^{{}^{\prime }}={\gamma }_j^{{}^{\prime }}-r_j$ where 1 ≤ j ≤ m. As the final step, QO computes the interpolation of k-nearest neighbors of Q as $⟨S_{k,1}^{\mathrm{\prime }}/k,\dots ,S_{k,m}^{\mathrm{\prime }}/k⟩$.

Security analysis

In this section, we will give the security analysis of the protocol shown in Algorithm 3. As we emphasized above, the data owners encrypt their data before outsourcing them to the cloud. Since they use the Paillier encryption scheme which is semantically secure, the data is not leaked to any cloud service provider. On the other hand, at the first step of Algorithm 3, the query point Q is encrypted before given to the corresponding cloud service providers. Similarly, since the underlying encryption scheme (the Paillier cryptosystem) is semantically secure, the query point Q is not revealed to any data owner or any cloud service provider.