Encrypted user-based algorithm - PRIVACY PROTECTION IN COLLABORATIVE FILTERING BY ENCRYPTED COM

PRIVACY PROTECTION IN COLLABORATIVE FILTERING BY ENCRYPTED COMPUTATION

11.4 Encrypted user-based algorithm

Having all ingredients in place, we now explain how memory-based col-laborative ﬁltering can be performed on encrypted data, in order to compute a prediction ˆr_uifor a certain useruand itemi. Note that although the computa-tions are done on encrypted data, the outcome is of course identical to that of the original collaborative ﬁltering algorithm.

We consider a setup as depicted in Figure 11.1, where userucommunicates with other usersvthrough a server. Furthermore, each user has generated his own key, and has published the public part of it. As we want to compute a prediction for useru, the steps below will use the keys ofu.

user

u server users

Figure 11.1. The setup for the user-based algorithm.

11.4.1 Computing similarities on encrypted data

First we take the similarity computation step, for which we start with the Pearson correlation given in (11.1). Although we already explained in Sec-tion 11.3 how to compute an inner product on encrypted data, we have to re-solve the problem that the iteratoriin the sums in (11.1) only runs overI_u∩I_v, and this intersection is not known to either user. Therefore, we ﬁrst introduce

q_ui=

r_ui−r_u ifb_ui=1, i.e., userurated itemi, 0 otherwise,

and rewrite (11.1) into

s(u,v) = ∑i∈Iquiqvi

∑i∈Iq²_uibvi∑i∈Iq²_vibui

. (11.16)

The idea that we used is that anyi∈Iu∩Iv does not contribute to any of the three sums because at least one of the factors in the corresponding term will be zero. Hence, we have rewritten the similarity into a form consisting of three inner products, each between a vector ofuand one ofv.

The protocol now runs as follows. First, user u calculates encrypted en-tries ε(q_ui), ε(q²_ui), and ε(b_ui) for all i∈I, using (11.14), and sends them to the server. The server forwards these encrypted entries to each other Wim F.J. Verhaegh et al.

179 user v₁,...,v_m. Next, each user v_j, j=1,...,m, computes ε(∑i∈Iq_uiq_v_j_i), ε(∑i∈Iq²_uibvji), andε(∑i∈Iq²_v_j_ibui), using (11.15), and sends these three results back to the server, which forwards them to useru. Userucan decrypt the total of 3mresults and compute the similaritiess(u,vj), for all j=1,...,m. Note that userunow knows similarity values with the othermusers, but he need not know who each user j=1,...,mis. The server, on the other hand, knows who each user j=1,...,mis, but it does not know the similarity values.

For the other similarity measures, we can also derive computation schemes using encrypted data only. For the mean-square distance, we can rewrite (11.2) into

∑i∈Iu∩Iv(r²_ui−2ruirvi+r²_vi)

|Iu∩Iv| =∑i∈Ir²_uibvi+2∑i∈Irui(−rvi) +∑i∈Ir_vi²bui

∑i∈Ibuibvi , (11.17) where we additionally deﬁne rui=0 if bui =0 in order to have well-deﬁned values. So, this distance measure can also be computed by means of four inner products.

The computation of normalized Manhattan distances is somewhat more complicated. Given the setX of possible ratings, we ﬁrst deﬁne for eachx∈X,

b^x_ui= Now, (11.3) can be rewritten into

∑i∈I∑x∈Xb^x_uia^x_vi

∑i∈Ib_uib_vi =∑x∈X∑i∈Ib^x_uia^x_vi

∑i∈Ib_uib_vi . (11.18) So, the normalized Manhattan distance can be computed from |X|+1 inner products. Furthermore, for the numerator a user v can compute

∏x∈Xε(∑i∈Ib^x_uia^x_vi) ≡ε(∑x∈X∑i∈Ib^x_uia^x_vi), and send this result, together with the encrypted denominator, back to useru.

The majority-voting measure can also be computed in the above way, by deﬁning Privacy Protection in Collaborative Filtering by Encrypted Computation

180

which can again be computed in a way as described above. Furthermore, d_uv=

∑

i∈I

b_uib_vi−c_uv.

Finally, we consider the weighted kappa measure (11.5). Again, o_uv can be computed by deﬁning Furthermore,euvcan be computed in an encrypted way if useruencrypts pu(x) for allx∈Xand sends them to each other userv, who can then compute

∏

∈X

∏

y∈Y

ε(p_u(x))^p^v^(y)w(x,y)≡ε(e_uv), (11.22) and send this back toufor decryption.

11.4.2 Computing predictions on encrypted data

For the second step of collaborative ﬁltering, userucan calculate a predic-tion for item iin the following way. First, we rewrite the quotient in (11.9) into ∑v∈Us(u,v)q_vi

∑v∈U|s(u,v)|bvi. (11.23) So, ﬁrst user u encrypts s(u,vj) and |s(u,vj)| for each other user vj, j = 1,...,m, and sends them to the server. The server then forwards each pair ε(s(u,vj)),ε(|s(u,vj)|) to the respective user vj, who computes ε(s(u,vj))^q^{v ji}ε(0)≡ε(s(u,vj)qvji) and ε(|s(u,vj)|)^b^{v ji}ε(0)≡ε(|s(u,vj)|bvji), where he uses reblinding to prevent the server from getting knowledge from the data going back and forth to userv_j by trying a few possible values. Each uservjnext sends the results back to the server, which then computes

∏

and sends these two results back to useru. Userucan then decrypt these mes-sages and use them to compute the prediction. The simple prediction formula of (11.10) can be handled in a similar way.

Wim F.J. Verhaegh et al.

181 The maximum total similarity prediction as given by (11.11) can be handled as follows. First, we rewrite

∑

∈U_i^x these|X|results back to the server, which then computes

∏

m these results and determines the ratingxthat has the highest result.

11.4.3 Time complexity revisited

The effect of encryption on the time complexity of computing the similari-ties and predictions, is as follows.

The time complexity to compute (11.16) and (11.17) is determined by the server, which has to forward for each user u, O(|I|) encrypted items to all users vj. This can be done in a total of O(|U|²|I|) steps, which equals the time complexity of the unencrypted case. For (11.18) and (11.20),O(|I||X|) encrypted items have to be forwarded for each useruto all usersv_j, giving a total ofO(|U|²|I||X|) steps, which is a factorO(|X|)more than in the unen-crypted case. Finally, for the weighted kappa statistic we ﬁrst needO(|I||X|) steps per pairu,vto computeouvin (11.21), and secondly we need to compute e_uv. The latter takes for eachu,O(|U||X|)steps for the server to forward the encrypted itemsε(pu(x))to all other usersvj, andO(|X|²)steps for all users vj to compute (11.22). Note that the latter users can do so in parallel, and hence the total time complexity of computing all kappa statistics is given by O(|U|²|I||X|+|U|²|X|+|U||X|²).

For the prediction formulas, encryption does not have an effect on the time complexity. Formulas (11.23) and the encrypted version of (11.10) still require O(|U|)steps per useruand itemifor the work done by the useruhimself and the server, giving a total time complexity ofO(|U|²|I|). The time complexity to compute (11.24) in an encrypted way is determined by the server, which has to calculate O(|X|)products (11.25) over O(|U|) entries for each useru and itemi, giving a total time complexity ofO(|U|²|I||X|).

Although the time complexity is not much affected, we note that the run time of course will increase, because of the more demanding computations on Privacy Protection in Collaborative Filtering by Encrypted Computation

182

encrypted data. This overhead is determined by the length of the encryption key.

Dans le document Intelligent Algorithms in Ambient and Biomedical Computing (Page 189-193)