Faster Private Rating Update via Integer-Based Homomorphic Encryption

Abstract

In encryption-based privacy-preserving recommender systems (PPRS), the user sends encrypted ratings to the server. An encrypted rating vector can have thousands of ciphertexts, causing a communication overhead. In some encryption-based PPRS proposed in the literature, if a user wants to rate a single item, he/she is required to send the entire rating vector to hide which item was rated. A user’s rating value and the item that is being rated both should remain private. This can be seen as a variant of the classical PIR-write problem. The goal is that each time a user wants to modify any data block, the communication should be minimal from the user.

In encryption-based PPRS, the ratings are required to be encrypted using homomorphic schemes so that the server can generate recommendations. Arjan proposed a private rating update protocol for the recommender system applications, whereas Lipmaa and Zhang gave a protocol for a more general database scenario. We propose a hybrid approach that combines the advantages of each protocol, yielding a more efficient protocol. Our approach has constant user-side computation, and it reduces the communication and computation overhead at the server-side compared to previous approaches.

A Secure Bit Decomposition (SBD)

In SBD protocol there are two sub-protocols: Encrypted_LSB() and SVR(). In our proposed work, we have made some changes in these sub-protocols to make it work using the HE1N scheme. First, the Encrypted_LSB() routine takes two inputs: a ciphertext of an encrypted integer and an integer in plaintext, and returns the encrypted least significant bit of the encrypted integer passed to it. The two observations that this sub-protocol follows are:

Observation-I. For any given x, let \(y = x+r \mod N\), where r is a random number in \(\mathbb {Z}_n\). Here the relation between y and r depends on whether \(x+r \mod N\) leads to an overflow or not. y is always greater than r if there is no overflow. Similarly, in the case of overflow y is always less than r.

Observation-II. For any given \(y = x+r \mod N\), where N is odd, the following property regarding the least significant bit of x always hold:

$$ x_0= {\left\{ \begin{array}{ll} \lambda _1 \oplus \lambda _2,&{} \text {if { r} is even}\\ 1 - (\lambda _1 \oplus \lambda _2), &{} \text {otherwise} \end{array}\right. } $$

Here \(\lambda _1\) denotes whether an overflow occurs or not, and \(\lambda _2\) denotes whether y is odd or not. That is \(\lambda _1 = 1\) if \(r > y\), and 0 otherwise. Similarly, \(\lambda _2 = 1\) if y is odd and 0 otherwise, \(\oplus \) denotes the XOR operation. It is noteworthy that N in the Paillier cryptosystem is always odd, this follows in the HE1N system as well.

The second half of the SBD protocol is to verify if the bit decomposition is correct or not from the step 5 to 8 in Algorithm 2. The sub-protocol: secure verification of result (SVR()) is used to perform this verification. Basically what the dataserver does here, it reconstructs the integer from the decomposed bits, masks it with some random noise, and send it to the keyserver for decryption. If the bit decomposition is correct, the keyserver will receive encryption of 0 otherwise some random encrypted number. The result is conveyed to the dataserver; if the decomposition is incorrect, the dataserver starts over from step 2 of Algorithm 2.