Abstract
Background: Searching for similar compounds in a database is the most important process for in-silico drug screening. Since a query compound is an important starting point for the new drug, a query holder, who is afraid of the query being monitored by the database server, usually downloads all the records in the database and uses them in a closed network. However, a serious dilemma arises when the database holder also wants to output no information except for the search results, and such a dilemma prevents the use of many important data resources.
Results: In order to overcome this dilemma, we developed a novel cryptographic protocol that enables database searching while keeping both the query holder’s privacy and database holder’s privacy. Generally, the application of cryptographic techniques to practical problems is difficult because versatile techniques are computationally expensive while computationally inexpensive techniques can perform only trivial computation tasks. In this study, our protocol is successfully built only from an additive-homomorphic cryptosystem, which allows only addition performed on encrypted values but is computationally efficient compared with versatile techniques such as general purpose multi-party computation. In an experiment searching ChEMBL, which consists of more than 1,200,000 compounds, the proposed method was 36,900 times faster in CPU time and 12,000 times as efficient in communication size compared with general purpose multi-party computation.
Conclusion: We proposed a novel privacy-preserving protocol for searching chemical compound databases. The proposed method, easily scaling for large-scale databases, may help to accelerate drug discovery research by making full use of unused but valuable data that includes sensitive information.
Introduction
In recent years, the increasing cost of drug development and decreasing number of new chemical entities have become growing concerns [1]. One of the most popular approaches for overcoming these problems is searching for similar compounds in databases [2]. In order to improve the efficiency of this task, it is important to utilize as many data resources as possible. However, the following dilemma prevents the use of many existing data resources. Unpublished experimental results have been accumulated at many research sites, and such data has scientific value [3]. Since data holders are usually afraid of sensitive information leaking from the data resources, they do not want to release the full data, but they might allow authorized users to search the data as long as the users obtain only search results from which they cannot infer sensitive information. Likewise, private databases of industrial research might be made available if the sensitive information were sufficiently protected. On the other hand, query compounds are also sensitive information for the users, and thus the users usually avoid sending queries and want to download all of the data in order to conduct search tasks on their local computers. In short, we cannot utilize important data resources because both the data holder and the data user insist on their privacy. Therefore, an emerging issue is to develop novel technology that enables privacy-preserving similarity searches. We show several use cases in the next section.
Let us start by clarifying privacy problems in database searches. In a database search, two types of privacy are of concern: “user privacy” (also known as input privacy) and “database privacy” (also known as output privacy). The first is equal to protecting the user’s query from being leaked to others including the database holder. The second is equal to protecting the database contents from being leaked to others including the database user, except for the search results held by the user. Here we firstly consider the case of using no privacy-preserving techniques; namely, the user sends a plain query to the server and the server sends the search result. In this case, the user’s query is fully obtained by the server. On the database side, the server’s data is not directly leaked to the user. However, there is a potential risk that the user may infer the database contents from the search results. To protect user privacy, a scheme called single-database private information retrieval (PIR) has been proposed [4]. The simplest method for achieving PIR is that the user downloads all the contents of the database and searches on his/her local computer. Since this naive approach needs a huge communication size, several cryptographic techniques have been developed, in which the query is safely encrypted/randomized in the user’s computer and the database conducts the search without seeing the query. Although PIR is useful for searching public databases, it does not suit the purpose of searching private databases because of the lack of database privacy. Likewise, similarity evaluation protocols keep user privacy [5–7] but they do not sufficiently protect database privacy because the server directly outputs similarity scores that become important hints for inferring database contents.
Generally speaking, it is very difficult to keep both user privacy and database privacy, because the database side must prevent various attacks without seeing the user’s query. Among them, the following two attacks are major concerns.
Regression attack
Given one data point, the similarity between a target and the data point becomes a strong hint for detecting the target. The accuracy of the detection increases as the number of given data points becomes larger. In fact, a protocol that is not suitably designed may lead to even a small number of queries enabling the database user to detect the target. For example, when the server returns the exact distance between a query and a database entry, the range of the entry is rapidly narrowed as the number of queries increases, and the entry is finally detected uniquely by only almost the same number of queries as the dimension of the entry. For example, in the case of using the MACCS keys, which are 166 bit structural key descriptors and often used for representing chemical compounds, a database entry is detected by sending only 166 queries. Therefore, it is necessary for the server to return the minimum information that is sufficient for the purpose of the search (see Fig. 1 for a detailed explanation).
Illegal query attack
Searching with an illegal query often causes unexpected server behaviour. In such a case, the server might return unexpected results that include important server information. To prevent this, the server should ensure the correctness of the user’s query.
The red point represents the server’s data and × represents the attacker’s query. Prior to the query, the search spaces (white areas) in (a-1) and (b-1) are equal. After the first query has been sent, the search space in (a-2) is limited to the circle whose radius is the distance between the attacker’s query and the server’s data. On the other hand in (b-2), only the small area of the dashed circle whose radius is the given threshold (gray area) is excluded from the search space. By sending the second query, the attacker knows that one of the two intersections of the two circles in (a-3) is equal to the server’s data, while the search space is large in (b-3). Finally, the server’s data is detected by sending the third query in (a-4), however in (b-4), the search space is still large, even though the third query is within the given threshold.
A schematic view of the privacy-preserving database search problems discussed here is shown in Fig. 2.
For user privacy, the user’s query and the search result which includes the query information must be invisible to the database side during the search task. For database privacy, the server minimizes output information for preventing regression attacks (b-1), and also detects and rejects illegal queries that might cause unexpected information leakage (b-2). These server’s tasks must be carried out with the encrypted queries in order to keep user privacy.
In the field of cryptography, there have been studies of versatile techniques such as general purpose multi-party computation (GP-MPC) [8] and fully homomorphic encryption (FHE) [9], which enable the design of systems that maintain both user privacy and database privacy. However, these techniques require huge computational costs as well as intensive communications between the parties, so they are scarcely used in practical applications. In order to avoid using such techniques, a similarity search protocol using a trusted third party [10] and a privacy preserving SQL database using a trusted proxy server [11] have been proposed, but those methods assure privacy only when the third party does not collude with the user or the server, which is not convenient for many real problems. As far as we know, no practical method has been proposed despite the great importance of privacy-preserving similarity searching. To overcome this lack, we propose a novel privacy-preserving similarity search method that can strongly protect database privacy as well as user privacy while keeping a significantly low computational cost and small communication size.
The rest of this paper is organized as follows. In the next section, we summarize our achievements in this study. This is followed by the Cryptographic background section and the Method section, where we define the problem and introduce details of the proposed protocol. In the Security analyses section, both the user privacy and database privacy of the proposed protocol are discussed in detail. In the Performance evaluation section, the central processing unit (CPU) time and communication size of the proposed protocol are evaluated for two datasets extracted from ChEMBL. Finally, we present our conclusions for this study in the Conclusion section.
Our Achievements
Here we focus on similarity search with the Tversky index of fingerprints, which is the most popular approach for chemical compound searches [12] and is used for various search problems in bioinformatics. To provide a concrete application, we address the problem of counting the number of similar compounds in a database, which solves various problems appearing in chemical compound searches. The following model describes the proposed method.
Model 1 The user is a private chemical compound holder, and the server is a pri-vate database holder. The user learns nothing but the number of similar compounds in the server’s database, and the server learns nothing about the user’s query compound.
Here we introduce only a small fraction of the many scientific or industrial problems solved by Model 1.
Secure pre-purchase inspection service for chemical compound.
When a client considers the purchase of a commercial database such as a focused library [13], he/she wants to check whether the database includes a sufficient number of similar compounds, without sending his/her private query, but the server does not allow downloading of the database.
Secure patent compound filtering.
When a client finds a new compound, he/she usually wants to know whether it infringes on competitors’ patents by searching the database of patent-protected compounds maintained by third parties. The same problem occurs when the client wants to check whether or not the compound is undesirable.
Secure negative results check.
It is a common perception that current scientific publication is strongly biased against negative results [3], although a recent study showed statistically that negative results brought meaningful benefit [14]. Since researchers are reluctant to provide negative results, which often include sensitive information, a privacy-preserving system for sharing those results would greatly contribute to reducing redundant efforts for similar research topics. For example, it would be useful to have a system that allows a user to check whether the query is similar to failed compounds that have previously been examined in other laboratories.
In this study, we propose a novel protocol called the secure similar compounds counter (SSCC) which achieves Model 1. The first main achievement of this study is that SSCC is remarkably tolerant against regression attacks compared with existing protocols which directly output the similarity score. Moreover, we propose an efficient method for protecting the database from illegal query attacks. These points are discussed in the Security analyses section.
The second main achievement is that SSCC is significantly efficient both in computational cost and communication size. We carefully designed the protocol such that it uses only an additive-homomorphic cryptosystem, which is computationally efficient, and does not rely on any time-consuming cryptographic methods such as GP-MPC or FHE. Hence the performance of the protocol is sufficiently high for a large-scale database such as ChEMBL [15], as is shown in the Performance evaluation section.
Cryptographic background
Additively homomorphic encryption scheme
In this paper, we use an additive-homomorphic cryptosystem to design our protocol. The key feature of the additive-homomorphic cryptosystem is that it enables to perform additive operations on encrypted values. Therefore, intuitively, any standard computation algorithm can be converted into the privacy-preserving computation algorithm, if operations used in the standard algorithm can be replaced by additions.
More formally, we use a public-key encryption scheme (KeyGen; Enc; Dec), which is semantically secure; that is, an encryption result (ciphertext) leaks no information about the original message (plaintext) [16]. Here, KeyGen is a key generation algorithm for selecting a pair (pk, sk) of a public key pk and a secret key sk; Enc(m) denotes a ciphertext obtained by encrypting message m under the given pk; and Dec(c) denotes the decryption result of ciphertext c under the given sk. We also require the following additive-homomorphic properties:
Given two ciphertexts Enc(m1) and Enc(m2) of messages m1 and m2, Enc(m1 + m2) can be computed without knowing m1, m2 and the secret key (denoted by Enc(m1) ⊕ Enc(m2)).
Given a ciphertext Enc(m) of a message m and an integer e, Enc(e · m) can be computed without knowing m and the secret key (denoted by e ⊗ Enc(m)).
For example, we can use either the Paillier cryptosystem [17] or the “lifted” version of the ElGamal cryptosystem [18] as such an encryption scheme; now the second operation ⊗ can be achieved by repeating the first operation ⊕. We notice that the range of plaintexts for those cryptosystems can be naturally set as an integer interval [–N1,N2] for some sufficiently large N1, N2 > 0; therefore, the plaintexts are divided into positive ones, negative ones, and zero.
Non-interactive zero-knowledge proof
Below, we discuss the following situation: A user (a prover) wants to make a server (a verifier) convinced that a ciphertext c generated by the user corresponds to a message m in {0,1}, but does not want to reveal any information about which of 0 and 1 is m. This can be achieved by using a cryptographic tool called non-interactive zero-knowledge (NIZK) proof. In the present case, it enables the user to generate a “proof” associated with c, so that:
If m is indeed in {0,1}, then the server can verify this fact by testing the proof (without knowing m itself).
If m ∉ {0,1}, then the user cannot generate a proof that passes the server’s test.
The server cannot obtain any information about m from the proof, except for the fact that m ∊ {0,1}.
(See [19] for a general formulation.) Besides the existing general-purpose NIZK proofs, Sakai et al. [20] proposed an efficient scheme specific to the “lifted” ElGamal cryptosystem, which we use below.
Method
The goal of this study is to design a protocol between a user and a server that enables the user to obtain the number of compounds in the server’s database that are similar to the user’s target compound. Here, a fingerprint of compound is modeled as 
(i.e., a bit string of length ℓ). An equivalent way to refer to 
is the set of all indices i where pi = 1. We denote such a set by p. The similarity of two compounds p, q is then measured by Tversky index which is parameterized by α, β > 0 and is defined as:
Tversky index is useful since it includes several important similarity measurements such as Jaccard Index (JI, which is exactly TI1,1 and also known as Tanimoto Index) and Dice index (which is exactly TI1/2,1/2) [21]. First, we introduce the basic idea and two efficient techniques for improving database privacy. Then, we describe our full proposed protocol.
Basic idea
We firstly consider the simplest case that the user has (the fingerprint of) a target compound q as a query and the server’s database consists of only a single fingerprint p. The case of a larger database is discussed later. The goal here is to detect whether or not the Tversky index of p and q is larger than a given threshold 1 ≥ θ > 0. The main idea of our approach is to calculate the score
from encrypted fingerprints p and q by an additive-homomorphic cryptosystem. The score is non-negative if and only if the Tversky index of p and q is at least θ. Now since |p \ q| = |p| – |p ∩ q| and a similar relation holds for |q \ p|, the score (1) is positively proportional to
where λ1 = c(θ−1 – 1 + α + β), λ2 = cα, λ3 = cβ and any positive value c. We assume that the parameters and the threshold for the Tversky index are rational numbers denoted by α = μa/γ, β = μb/γ and θ = θn/θd, where μa, μb, γ, θn and θd are non-negative integers. By using c = γθng−1 under this assumption, λ1, λ2 and λ3 become non-negative integers where g is the greatest common divisor of γ(θd – θn) + θn(μa + μb), θnμa and θnμb.
Motivated by this observation, we define the following modified score, called the threshold Tversky index:
Given parameters α and β and a threshold θ for the Tversky index which are rational numbers denoted by α = μa/γ,β = μb/γ and θ = θn/θd where μa, μb, γ, θn and θd are non-negative integers, then the threshold Tversky index 
for fingerprints p and q is defined by
and non-negative integer parameters λ1, λ2 and λ3 are defined by
where g is the greatest common divisor of γ(θd–θn)+θn(μa+μb), θnμa and θnμb.
By the above argument, we have TIα,β(p, q) ≥ θ if and only if 
. Therefore, the user can know whether or not his/her target compound q is similar (i.e., TIα,β(p, q) ≥ 0) to the fingerprint p in the database, by obtaining only the value 
In the protocol, the bits of the user’s target fingerprint q and the value |p| held by the server are both encrypted using the user’s public key. Since 
can be computed by the addition of these values and multiplication by integers, the protocol can calculate (without the secret key) a ciphertext of 
, which is then decrypted by the user. For simplicity, we will abuse the notation and write 
without subscripts α, β, θ when the context is clear.
We emphasize that our protocol does not use time-consuming cryptographic methods such as GP-MPC and FHE, and data transfer occurs only twice during an execution of the protocol. Hence, our protocol is efficient enough to scale to large databases.
Database security enhancement techniques against regression attack
The ideal situation for the server is that the user learns only the similarity/nonsimilarity property of fingerprints p and q, without knowing any other information about the secret fingerprint p. This means that only the sign of 
should be known by the user. However, in our basic protocol, the value of 
is fully obtained by the user; Database privacy is not protected from regression attacks. (See the Security analyses section for details.) In order to send only the sign of 
, we firstly considered using a bit-wise decomposition protocol [22] for extracting and sending only the sign bit of 
. Although this approach is ideal in terms of security, the protocol requires more than 30 rounds of communications, which is much more efficient than using GP-MPC or FHE, but rather time-consuming for large-scale databases. Therefore, here we propose the novel technique of using dummy replies, which requires only one round of communication while sufficiently minimizing information leakage of p. In the proposed technique, besides its original reply 
, the server also chooses random integers ϕ1,...,ϕn from a suitable interval and encrypts those values under the user’s public key pk. Then the server sends the user a collection of ciphertexts t, Enc(ϕ1),..., Enc(ϕn) that are shuffled to conceal the true ciphertext t, as well as the number sd of dummy values ϕk with ϕk ≥ 0. The user decrypts the received n + 1 ciphertexts, counts the number sc of non-negative values among the decryption results, and compares sc to sd. Now we have 
≥ 0 if and only if sc – sd = 1; therefore, the user can still learn the sign of 
, while the actual value of 
is concealed by the dummies. We have confirmed that the information leakage of p approaches zero as the number of dummies becomes large; see the Security analyses for pudding dummies section for more detailed discussion. (We have also developed another security enhancement technique using sign-preserving randomization of 
; see the Further security enhancement technique by using sign-preserving randomization section in Supporting Information for details.)
Database security enhancement technique against illegal query attack
Illegal query attacks can be prevented if the server can detect whether or not the user’s query is valid. To keep user privacy, the server must conduct this task without obtaining more information than the validity/invalidity of the query. In fact, this functionality can be implemented by using the NIZK proof by Sakai et al. [20] mentioned in the Non-interactive zero-knowledge proof section. The improved protocol requires the user to send the server a proof associated with the encrypted fingerprint bits qi, from which the server can check whether q is indeed a valid fingerprint (without obtaining any other information about q); the server aborts the protocol if q is invalid. Here we use the “lifted” ElGamal cryptosystem as our basic encryption scheme to apply Sakai’s scheme. (We note that if we require the user to send Enc(–|q|) used by server’s computation, then another NIZK proof is necessary to guarantee the validity of the additional ciphertext, which decreases the communication efficiency of our protocol. Hence our protocol requires the server to calculate Enc(– |q|) by itself.)
Secure similar compounds counter
For the general case that the database consists of more than one fingerprint p, we propose the protocol shown in Algorithm 1 to count the number of fingerprints p similar to the target fingerprint q. In the protocol, the server simply calculates the encryption of the threshold Tversky indices for all database entries and, as discussed above, replies with a shuffled collection of these true ciphertexts and dummy ciphertexts, as well as the number sd of non-negative dummy values. Then the value sc – sd finally obtained by the user is equal to the number of similar fingerprints p in the database.
Parameter settings of the protocol
Decrypting an encrytion of too large value needs huge computation cost if the lifted-ElGamal cryptosystem is used. Therefore, in order to keep the consistency and efficiency of the protocol, the range of 
should not be too large. i.e., the integer parameters λ1, λ2 and λ3 in the threshold Tversky index should not be too large. In fact, this will not cause a problem in practice; For example, the parameters become λ1 = 9, λ2 = λ3 = 4 for computing 
which is a typical setting of a chemical compound search. In this case, a minimum value and a maximum value of 
is -664 and 166 for 166 MACCS keys, which is a sufficiently small range. (See Ranges of 
for typical parameter settings section in Supporting Information for details.)
Security analyses
In the area of cryptology, the following two standard security models for two-party computation have been considered:
Semi-honest model: Both parties follow the protocol, but an adversarial one attempts to infer additional information about the other party’s secret input from the legally obtained information.
Malicious model: An adversarial party cheats even in the protocol (e.g., by inputting maliciously chosen invalid values) in order to illegally obtaining additional information about the secret.
In this section, we evaluate security of SSCC in both the semi-honest and malicious models.
The secure similar compounds counter (SSCC)
Public input: Length of fingerprints ℓ and parameters for the Tversky index θ = θn/θd,α = μa/γ,β = μb/γ
Private input of a user: Target fingerprint q
Private input of a server: Set of fingerprints P = {p(1),...,p(M)}
(Key setup of cryptosystem) The user generates a key pair (pk, sk) by the key generation algorithm KeyGen for the additive-homomorphic cryptosystem and sends public key pk to the server (the user and the server share public key pk and only the user knows secret key sk).
(Initialization) The user encrypts his/her fingerprint q as a vector of ciphertexts:
(Enc(q1),..,Enc(qℓ)). He/she also generates ν as a vector of proofs. Each proof νi is associated with Enc(qi).(Query of entry) The user sends the vector of ciphertexts
and the vector of proofs v to the server as a query.(Query validity verification) The server verifies the validity of
by testing the vector of proof ν. If ν does not pass the server’s test, the user cannot move on to the next step.(Calculation of threshold Tversky index)
The server calculates the greatest common divisor of γ(θd – θn) + θn(μa + μb), θnμa and θnμb as g, and calculates λ1 = γθng-1 (θ-1 – 1 + α + β), λ2 = γθng−1α, and λ3 = λθng-1β.
The server calculates
from .for j =1 to M do
The server calculates
and encrypts it to obtain a ciphertext Enc(–|p(j)|).The server calculates a ciphertext tj of threshold Tversky index
. c ← Enc(0)for k =1 to ℓ do
if pk(j) = 1
end if
end for
end for
(Padding of dummies)
The server generates a set of dummy values {ϕ1,...,ϕn} and counts the number sd of non-negative dummies ϕi > 0.
The server encrypts ϕi to obtain a ciphertext Enc(ϕi) for i = 1,...,n.
The server shuffles the contents of the set T = {t1,...,tM, Enc(ϕ1),...,Enc(ϕn)}.
(Return of matching results) The server sends T and sd to the user.
(Decryption and counting) The user decrypts the contents of T and counts the number sc of non-negative values.
(Evaluation) The user obtains sc – sd as the number of similar fingerprints in the database.
User privacy
The semantic security of the encryption scheme used in the protocol (see the Additively homomorphic encryption scheme section) implies immediately that the server cannot infer any information about the user’s target fingerprint q during the protocol. This holds in both the semi-honest and malicious models.
Thresholding largely improves database privacy
By the analysis described below, we show the large difference between the “ideal” case, in which the user learns only the sign of 
during the protocol, and the “plain” case, in which the user fully learns the value TI(p,q). Note that SSCC aims for the “ideal” case while the methods proposed in previous studies aim for the “plain” case. Here we consider the general case in which the user is allowed to send more than one query and those queries are searched by Jaccard Index. We also suppose that the database consists of a single fingerprint p in order to clarify the effect of thresholding.
The goal of an attacker is to reveal p by analysing the results returned from the server. It is generally effective for the attacker to exploit the difference between the two outputs obtained by sending two different queries. In fact, when the server returns 
becomes positive if and only if pi = 1, where q = (0,..., q = 1,..., 0) and 0 = (0,..., 0). This means that the attacker can reveal any bit in p by sending the single query after sending the first query 0. Therefore, p can be fully revealed by sending only ℓ + 1 queries. On the other hand, there is no deterministic attack for revealing p from only the sign of 
, because two different inputs do not always lead to different outputs. Since we know of a linear algorithm that fully reveals p in response to at most 2ℓ queries after making a “hit” query q such that 
> 0, here we evaluate database privacy by the probability of making at least one hit query when the user is allowed to send x queries. (See the The attack algorithm by using a hit query section in Supporting Information for details.) This probability is denoted as
where fp, defined as follows, is the probability that the user makes one hit query with a single trial when p is given.
For ease of calculation, we computed the upper bound of equation (2) for x = 1, 10, 102,..., 106 and θ = 0.7, 0.8, 0.9, 1.0. (See the Derivation and calculation of upper bound of the probability for making at least one hit query section in Sup-porting Information for details.) Since publicly available 166 MACCS keys are the most popular fingerprint for chemical compound searches, we set ℓ to 166. From the results shown in Fig. 3, we can see that the probability of making a hit query is sufficiently small even though the user is allowed to send a large number of queries. Considering that the user learns p by using no more than ℓ + 1 queries when he/she learns 
, we can conclude that database privacy is largely improved by thresholding. In other words, the proposed protocol, which aims to output only the sign of the similarity score, has stronger security than other previous methods, which directly output similarity scores.
Note that the hit query becomes the critical hint for revealing database information. Each line shows the results with one of the four different thresholds.
Security analyses for padding dummies
We showed that the output privacy in the “ideal” case is significantly improved from the “plain” case. Here we experimentally evaluate how the actual situation of our proposed protocol is close to the “ideal” case.
Before going into detail analyses, let us discuss how to generate dummies. It is ideal for the server privacy to generate a dummy according to the same distribution where 
is generated from. However, this is not realistic because 
is determined by both p and q which is user’s private information. Therefore, in our analyses, we assume that a dummy is generated from uniform distribution over possible values of 
. For example, if possible values of 
is {1, 2, 3,4, 5}, dummies are randomly selected from any one of them. The purpose of pudding dummies is to mitigate the risk of leaking 
. In order to clarify the effect of the use of dummy values, we concentrate on the basic case; the database contains a single p, and there exist k possible values of 
. i-th value of the k possible values arises as the true 
according to the probability wi. Namely, true 
is generated from the multinomial distribution with k different probabilities w = w1,...,wk, while dummies are generated from the multinomial distribution with equal probability 1/k. To conduct stringent analyses, we assume that the user knows w, and he/she also knows that dummies are uniformly distributed over k possible 
.
In this experiment, we evaluate the security of our protocol by comparing the probabilities that the user correctly guesses the value 
in two cases: The case in which the user makes a guess based only on a prior knowledge w, and the other case in which the user makes a guess based on the observation of the search result under the condition that he/she knows w.
For the first case, the user’s best strategy for guessing 
is to choose the i0-th possible value, where
In this case, the success probability of the guess is wi0.
Let us consider the best strategy for the second case. As described above, we consider an practical case that n dummy values ϕ1,...,ϕn chosen from the k possible values uniformly at random, and the user makes a guess from the received n + 1 shuffled values ϕ1,..., ϕn, 
. Now suppose that the user received the i-th possible value ai times for each 1 ≤ i ≤ k (hence 
). Since the choices of ϕ1,...,ϕn are independent of 
, the probability that the user received i-th possible value ai times for each 1 ≤ i ≤ k and that 
is io-th possible value is
Therefore, the conditional probability that 
is the i0-th possible value, conditioned on the set of the user’s received values, is
This implies that the user’s best strategy is to guess that 
is the i0-th possible value, where
We estimated success probabilities of user’s guess for the both cases by simulation experiments. Here we assumed typical case when TI1,1,0.8 and 166 MACCS keys are used. In this case, k = 831 and we performed the experiments for n = 831 × 100, 831 × 101,...,831 × 104 on three different distributions of 
which were obtained by the following schemes:
We randomly selected one fingerprint q from ChEMBL and calculated
for all the entries in ChEMBL and used the observed distribution as w. In our experiment, 177159-th fingerprint was selected as q (referred as wChEMBL–177159)The same scheme as 1) was used when q was 265935-th fingerprint (referred as wChEMBL–265935)
We randomly selected a value from 1,...,k for m times and count frequency of i as hi and set wi = hi/m, (referred as wrandom). We used k × 5 as m.
All the distributions used here are shown in the Distribution of w used in the experiments section in Supporting Information.
We performed 100,000 trials for each experiment. Each trial consisted of choosing ϕ1,...,ϕn uniformly at random; choosing 
according to w; deciding the user’s guess i0 by formula (3) and formula (4) respectively (we adopted a uniformly random choice if there were more than one such i0); and checking whether or not 
was the i0-th possible value for both rules (i.e., the user’s guess succeeded). The results of the experiment are given in Table 1; they show that the user’s attack success probability became significantly close to the ideal case when a sufficiently large number of dummies were used; therefore, our technique of using dummies indeed improves the output privacy.
The experimental success ratios of the user’s guess based on the server’s return and the prior distribution of true value, and success probability based only on a guess from the prior distribution. 
(k = 831) is assumed and results are calculated for five different numbers of dummies (n = 831, 831 × 101, 831 × 102, 831 × 103, 831 × 104) are used for three different distributions: wChEMBL–177159 and wChEMBL–265935 are actual distributions of 
on ChEMBL obtained by querying two randomly selected fingerprints from ChEMBL, wrand is obtained by randomly selecting a value from 1,...,k for m = 5 × 831 times and dividing each observed frequency by m.
One might suspect that the attacker can detect the true 
by sending the same query twice and finding the value which is appeared in both results. However, this attack does not easily succeed if n is sufficiently larger than k (i.e., ideally, all possible values of 
are covered by sufficient number of dummies), and we consider that k is not too large in practice as we discussed in Parameters settings of the protocol section. In order to evaluate the security of the case when the user is allowed to submit L queries, we performed following analyses. For the efficiency of the attack, we assumed that the attacker keeps sending the same query L times. For this case, the probability that 
is the i0-th possible value after sending L queries on condition that frequency of i-th possible value of j-th query 
for j = 1,...,L is
This implies that the user’s best strategy is to choose i-th possible value which maximizes equation (5). In our experiment, we compared the success ratio of the attack based on the above strategy and the ideal success ratio when the user makes the guess only from the given distribution w. We also assumed more realistic case that user did not know the exact distribution of dummy but knew the distribution that was similar to the actual distribution the server used. For the evaluation of this case, we generated dummies from the distribution u, which was slightly different from uniform distribution, while the user assumed that dummies were generated from uniform distribution. u was generated as follows:
We performed the experiment for L = 1,10,102,..., 105, n = 831 × 10, 831 × 50, 831 × 102 and δ = 0,0.05,0.1, 0.15, 0.2 based on the same approach used in the evaluation of single query security. i.e., for each trial, n dummies were randomly chosen according to u (note that u was equal to uniform distribution when δ = 0), true value 
was selected according to w and the attacker’s guess was made based on the equation (5). We performed 10,000 trials for each triplet of L, n and δ. Those experiments were conducted for the same three distributions: wChEMBL–177159, wChEMBL–265935 and wChEMBL–random. We compared the success ratio of the attack and the ideal success ratio when the user made the guess without seeing search results. The results are shown in Fig. 4. The success ratio of user’s attack decreased as the number of dummies increased and became closer to the ideal value when the sufficient number of dummies are given, even for the case that a large number of queries were sent. Although an efficient method for dummy generation remains as a future task, the results also show that database privacy is largely improved by hiding the distribution of dummy and the user has to know it with high accuracy in order to attack the server successfully.
(k = 831) is assumed and results are calculated for three different numbers of dummies (n = 831 × 10, 831 × 50, 831 × 102) when the user sends L = 1,10,..., 105 queries and three different distributions: wChEMBL–177159 and wChEMBL–265935 are actual distributions of 
on ChEMBL obtained by querying two randomly selected fingerprints from ChEMBL, wrand is obtained by randomly selecting a value from 1,..., k for m = 5 × 831 times and dividing each observed frequency by m.
Database privacy in malicious model
For our protocol, the difference between the malicious and semi-honest models is that in the malicious model the user may use an invalid input q whose components qi are not necessarily in {0,1}. If the user chooses q in such a way that some component qi is extremely large and the remaining ℓ – 1 components are all zero, then 
will also be an extreme value (distinguishable from the dummy values) and depend dominantly on the bit pi; therefore, the user can almost surely guess the secret bit pi. Since our protocol detects whether or not qi is a bit value without invading user privacy, it can safely reject illegal queries and prevent any illegal query attacks, including above case.
Performance evaluation
In this section, we evaluate the performance of the proposed method on two datasets created from ChEMBL. We implemented the proposed protocol based on lifted ElGamal encryption. For the implementation, we use elliptic curve parameters called secp192k1, as recommended by SECG (The Standards for Efficient Cryptography Group). These parameters are considered to be more secure than 1024-bit RSA encryption, which is the most commonly used public-key cryptosystem. Owing to the limitation of the range of plaintext, the implementation here does not include sign-preserving randomization. For the purpose of comparison, we also implemented a GP-MPC protocol by using Fairplay [23] whose input and output are a fingerprint and the signs of the Tversky indices, respectively. The Jaccard index along with the threshold θ = 0.8 were used for both protocols. For SSCC, we used 10,000 dummies. These two implementations were tested on two datasets: one, referred to as ChEMBL_1000, was the first 1000 fingerprints stored in ChEMBL, and the other, referred to as ChEMBL_Full, was 1,292,344 fingerprints in the latest version of ChEMBL. All the programs were run on a single core of an Intel Xeon 2.9 GHz on the same machine. The results are shown in Table 2. To avoid environmental effects, we repeated the same experiment five times and calculated average values. Since both CPU time and communication size are exactly linear to the size of database for the GP-MPC protocol, results of ChEMBL_Full for GP-MPC were estimated from the results of ChEMBL_1000 because of the limitation of computational resources.
CPU time and communication size of secure similar compounds counter (SSCC) and those of general-purpose multi-party computation (GP-MPC).
Despite the proposed method including elaborate calculation like the NIZK proof, we can see from the results that both the CPU time and communication size of the proposed method are significantly smaller than those of the GP-MPC protocol. Furthermore, it is clear that SSCC provides industrial-strength performance, considering that it works, even on a huge database like ChEMBL_Full, taking no more than 167 s and 173 s for the server and client respectively. By using simple data parallelization, the computational speed will be improved linearly with the number of CPUs. Since all the programs were run on the same machine there was almost no latency for the communication between the two parties in these experiments. Therefore, GP-MPC, whose communication size is huge, is expected to require far more time when it runs on an actual network that is not always in a good condition. The other important point is that SSCC requires only two data transfers, which en-ables data transfer after off-line calculation. On the other hand, GP-MPC must keep online during the search because of the high communication frequency. We also note that it took less than 100 MB to compile SSCC, while GP-MPC required more than 16 GB. Considering these observations, SSCC is efficient for practical use. It is known that several techniques improve the performance of GP-MPC and the previous work by Pinkas et al. [24] reported that Free XOR [25] and Garbled Row Reduction [24], which are commonly used in state-of-the-art GP-MPC methods [26] [27] [28] [29], reduced running time and communication size by factors of 1.8 and 6. 3 respectively when a circuit computing an encryption of AES was evaluated. Though these techniques are not implemented in Fairplay, we consider that GP-MPC is yet far less practical for the large-scale chemical compound search problem compared to our method which improved running time and communication size by factors of 36, 900 and 12,000.
Conclusion
In this study, we proposed a novel privacy-preserving protocol for searching chemical compound databases. To our knowledge, this is the first practical study for privacy-preserving (for both user and database sides) similarity searching in the fields of bioinformatics and chemoinformatics. Moreover, the proposed method could be applied to a wide range of life science problems such as searching for similar singlenucleotide polymorphism (SNP) patterns in a personal genome database. While the protocol proposed here focuses on searching for a number of similar compounds, we are examining further improvements of the protocol such as the client being able to download similar compounds; we expect this on-going study to further contribute to the drug screening process. In recent years, open innovation has been attracting attention as a promising approach for speeding up the process of new drug discovery [30]. For example, research on neglected tropical diseases including malaria has been promoted by the recent attempt to share chemical compound libraries in the research community. In spite of high expectations, such an approach is still limited to economically less important problems on account of privacy problems [31]. Therefore, privacy-preserving data mining technology is expected to be the breakthrough promoting open innovation and we believe that our study will play an important role.
Competing interests
The authors declare that they have no competing interests.
Author’s contributions
KS, HA, KN and KA designed the protocol inspired by the discussion with TH. KS, KN, NA and GH conducted security analyses. KS and SM implemented the protocol. KS evaluated performance of the protocol. All authors wrote the manuscript. All authors read, commented and approved the final manuscript.
Acknowledgement
KS thanks Yusuke Sakai and Takahiro Matsuda for fruitful discussions.
