Multi-User Encrypted Machine Learning Based on Partially Homomorphic Encryption

Abstract

Machine-learning applications are becoming increasingly widespread. However, machine learning is highly dependent on high-quality, large-scale training data. Due to the limitations of data privacy and security, in order to accept more user data, users are required to participate in the computation themselves through the secure use of secret keys. In this paper, we propose a multi-user encrypted machine-learning system based on partially homomorphic encryption, which can be realized for the purpose of supporting encrypted machine learning under multiple users. In this system, offline homomorphic computation is provided, so that users can support homomorphic computation without interacting with the cloud after locally executing encryption, and all computational parameters are computed in the initial and encryption phases. In this system, the isolation forest algorithm is modified appropriately so that its computation can be within the supported homomorphic computation methods. The comparison with other schemes in the comparison experiments reflects this scheme’s computational and communication advantages. In the application experiments, where anomaly detection is taken as the goal, the encrypted machine-learning system can provide more than 90% recall, illustrating this scheme’s usability.

1. Introduction

With the rapid development of big data, cloud computing, and artificial intelligence, machine learning is increasingly used in a variety of fields. For example, artificial-intelligence algorithms such as logistic regression, decision tree, deep learning, and reinforcement learning are applied in the fields of finance, assisted medical care, speech recognition, and reading comprehension [1,2,3,4,5]. Under the Internet of Energy (IoE) healthcare fields, machine-learning algorithms need a large amount of effective training data in order for them to obtain high-quality machine-learning models, and the quantity and quality of training data both need to be sufficiently high during the training of the machine-learning models, otherwise even the best algorithms cannot perform well [6,7,8]. Therefore, how to obtain a large amount of normal data is a problem that needs to be considered for machine learning.

The amount of data collected and involved in training only, specified by the demands of the users themselves, is not enough. Adequate training data are needed to ensure that the model’s performance meets expectations. We therefore aim to securely collect private data and eliminate as much malicious data as possible. To collect private data, we first need to ensure the privacy and security of user data and then train the model from this secure data. The training data may carry private information [9], such as medical information, fingerprint features, personal information, and other private information [10,11,12]; it is impossible to provide the original information directly from the individual in possession of such information, and it needs to undergo some privacy-preserving processing. There are many types of technique to ensure privacy and security [13,14]; encryption has been applied in various different fields and has demonstrated its effectiveness [15,16], so we will also use encryption to address the privacy and security problem.

Privacy and security can be achieved through encryption [17,18], but the computation that encrypted data can support is limited. There is a conflict between privacy protection and computation; satisfying computational needs requires giving up a certain amount of security, and ensuring security performance requires giving up part of the functionality or efficiency. Therefore, it is of research interest to complete the computation and make it as efficient as possible while still ensuring security. Especially in the scenario of sharing data among multiple users, encryption needs to share data among multiple users and support computation while sharing data. Therefore, research is also needed to determine how to complete the sharing and computation under encryption. Since the computation mode supported by each encryption method does not necessarily support all machine-learning models, it is necessary to design different encryption methods, as well as corresponding sharing and computation methods for different machine-learning models, so that they can be computed efficiently. In the current more popular cloud-computing models, the cloud server has a strong computing capacity, and the reasonable allocation of resources can enhance the performance [19,20]. Compared with the weak computing capacity of the user, if most of the computational cost is allocated to the cloud server, this can improve the computational performance; it is therefore necessary to allocate more computation to the cloud server in the design of the computing.

There are many machine-learning models used to differentiate between normal and abnormal data; considering the robustness and the performance effect under data poisoning, the random forest model was chosen [21]. However, since there is no expert model under all fields, users also need to have an unsupervised learning model. The isolation forest model performs well in abnormal data detection [22]; therefore, the isolation forest model is used as the encrypted machine-learning model.

In the multi-user encrypted machine-learning model, multiple users provide additional data, but also bring more communication problems. There are a large number of computations in the model learning, and the online state of the homomorphic computation requires that the user side must calculate and respond in sufficient time. This means the user needs to be continuously online and have the ability to respond at any time, while the communication line also needs to ensure smoothness. These requirements are easy to achieve in a short period of time, but once the training time is longer, any user problems will cause the model training process to stop, which will significantly extend the training time and increase the training cost. Therefore, offline homomorphic computing can avoid the influence of the user side on the training process and improve the efficiency of model training.

Multi-user encryption methods are required due to the insufficient amount of single-user data, which in turn leads to the problem of computation in the encrypted state. Therefore, this paper proposes a system to support multi-user encrypted machine learning, which optimizes the encryption method to achieve privacy-preserving, multi-user sharing and computation. For the data quality problem, by improving the isolation forest model under plaintext through the encrypted isolation forest model, the model can identify abnormal data. In particular, it is optimized for cloud-computing environments so the server can compute this part. At the same time, the authentication part is increased to reduce the possibility of being spoofed. The contributions of this paper are as follows:

• A new partial homomorphism algorithm that simultaneously supports the offline computation of homomorphic addition and homomorphic comparison is proposed, which enables users to upload locally encrypted data without the need to stay online to cooperate with the cloud server computation.
• In order to improve the security and usability of the scheme, a mechanism for dynamic user joining and exiting is added, as well as a user parameter verification mechanism, which is used to ensure the correctness and security of the user’s secret share. This reduces the difficulty of the user’s participation and also avoids errors in the user’s secret share, resulting in a failure to support homomorphic computation.
• A secure isolated forest algorithm is proposed that can support computation on ciphertext data. It is proved by anomaly detection experiments to be able to accomplish the machine-learning objective in unsupervised mode, with a tiny gap with the isolated forest algorithm in plaintext.

The remainder of this paper is structured as follows: Section 2 details the background and related work on partial homomorphic encryption. Section 3 briefly describes the model and entity of the scheme. Section 4 describes in detail the specific implementation of the encryption methods in the scheme. Section 5 describes in detail the specific implementation of the secure isolation forests algorithm. Section 6 details the security analysis of the encryption scheme. Section 7 comprehensively compares the efficiency of this scheme with other schemes and uses anomaly detection experiments to prove its effectiveness. Section 8 summarizes the paper and analyzes the problems in the current scheme and presents future directions.

2. Related Work

There are several different solutions for machine learning due to privacy and security concerns. Hao et al. [23] designed a secure comparison protocol combining homomorphic encryption and secure multiparty computation, where the communication efficiency was proportional to the number of tree nodes. Shin et al. [24] proposed a homomorphic binary decision tree model based on CKKS encryption in a cloud environment, which was able to compute without decryption. The above methods require communication with the user during computation, which increases the communication cost. Wen et al. [25] investigated the problem of federated learning, which is computed locally, and the communication only interacts with the local model. However, dealing with the data quality problem in the absence of a standard data model cannot accurately identify abnormal data, and the detection of abnormal data through the local model is not accurate enough. There is therefore a need for a more appropriate way to address security in machine learning.

Existing privacy computing schemes [26,27,28,29] use homomorphic encryption, secure multiparty computation, federated learning, and trusted computing environments. Homomorphic encryption [26] allows direct computation over the ciphertext, and decryption of the ciphertext computation results is the same as the plaintext computation results. Currently, there exist partially homomorphic encryption and fully homomorphic encryption. Full homomorphic encryption supports homomorphic addition and homomorphic multiplication. In contrast, partially homomorphic encryption only supports homomorphic addition or homomorphic multiplication, and partially homomorphic encryption is faster than full homomorphic encryption in terms of computational efficiency [30]. Secure multiparty computation [27] can securely compute the result of a function with multiple parties, guaranteeing secure participation in the computation. However, multiple rounds of interaction are required in the computation process. Federated learning [28] can compute a local model locally and produce a global model by aggregating the local models of multiple parties in the cloud. However, it requires local computational resources and is susceptible to data poisoning attacks. Trusted computing environment [29] can be computed in an independent computing environment to ensure the security of its computation, but it requires the support of trusted hardware [31]. Machine-learning model training requires comprehensive consideration of the machine-learning model, security requirements, data provider computing power, cloud server computing power, computational efficiency, communication efficiency, hardware conditions, etc., to consider the adopted scheme in specific cases. In this paper, we focus on the homomorphic encryption method, which extends the homomorphic properties from partially homomorphic encryption while ensuring its computational efficiency.

Homomorphic encryption includes full homomorphic encryption and partially homomorphic encryption; full homomorphic encryption has BGV, CKKS, and another scheme [32,33,34], which cannot be applied due to efficiency problems. Therefore, starting from partially homomorphic encryption, we look for the encryption methods that can be used to build the foundation. Common additive homomorphic encryption includes the Paillier encryption algorithm [35], and multiplicative homomorphic encryption includes the ElGamal encryption algorithm, the RSA encryption algorithm, and so on. There is also BGN additive homomorphic encryption [36], which supports one-time multiplication.

Park et al. [37] combined additive homomorphism and federated learning and proposed federated learning that can protect the process of local model aggregation in all models. They also used additive homomorphism in the aggregation process so that the local model was not leaked, but still could not overcome the problem of data poisoning in federated learning [25]. Petrean et al. [38] implemented a random forest algorithm by combining a multi-user homomorphism algorithm and a lookup table, which could compute the result of the ciphertext under the provided ciphertext model in possession of the ciphertext model and the ciphertext data. However, this required a ciphertext model and could not work without one. Rezaeibagha et al. [39] combined additive homomorphic encryption and user authentication to achieve verifiable user ciphertext aggregation under the security of chosen plaintext attack (IND-CPA), but additive aggregation has no other homomorphic properties. Savvas et al. [40] proposed a new symmetrically encrypted approach that provided homomorphic addition and multiplication, respectively, and at the same time the encryption was very efficient and secure.

Additive or multiplicative properties on their own cannot build machine-learning models such as decision trees, clustering algorithms, and support vector machines, and other models need to be compared during the training process, so it is also necessary to provide homomorphic comparison properties as a basis. Liu et al. [41] proposed a coding method to realize homomorphic comparison operations; the data were converted into ordinal codes and tails for comparison. The ciphertext comparison can be transformed into exponential and mantissa comparisons, and each comparison only leaks 1 bit of information, which better protects privacy in the case of efficient comparisons. Li et al. [42] proposed order-preserving encryption based on a coded tree. The tree had the characteristics of B-tree, and the tree establishment and maintenance process was re-modified based on encoding and order preservation based on B-tree. Jun et al. [43] proposed a hash-based comparison encryption, which encodes the data into binary data and uses hash blindness and fixation for each digit, and the subsequent comparisons can be made as a whole to compare the results and then derive the size through the comparative part. The homomorphic comparison encryption realized by encoding can only support homomorphic comparison. It cannot be extended to realize other homomorphic properties, so it cannot support the perfect machine-learning model. Zhao et al. [44] proposed a homomorphic computation toolkit, which was obtained by homomorphic computation and secure multi-party computation that could support a variety of computational methods. The homomorphic comparison process only leaks the comparison results without leaking other information, but the comparison process requires interaction, while other computation methods are not realized in a homomorphic way. Huang et al. [45] proposed a comparative homomorphic application, which demonstrated the ability to compute the distance using the homomorphic comparison and could be realized in a better way on private data, but the application only demonstrated the results.

3. System Model

3.1. Preliminary Knowledge

Suppose that there exists a cyclic group G of order $ord\left(g\right)$ with a generator g. Generate the prime numbers p and q of length $\lambda$ and compute $N=pq$.

3.1.1. Partial Discrete Logarithm

Suppose that at ${\mathbb{Z}}_{N^2}^{*}$, given the tuple $\left(g,g^{\alpha }\mathrm{mod}{N}^2,N\right)$, which is a random value of $\alpha$, there exists no polynomial-time algorithm capable of computing $\alpha$.

3.1.2. Decisional Diffie–Hellman

Given the tuple $\left(g,g^{\alpha }\mathrm{mod}{N}^2,g^{\beta }\mathrm{mod}{N}^2,N\right)$, which is a random value of $\alpha ,\beta$, there exists no polynomial-time algorithm capable of computing $g^{\alpha \beta }$.

3.1.3. BCP Encryption

Init phase: Generate safe prime numbers $p,q$ by selecting safe parameters $\lambda$; compute $N=pq$. Generate the generator $g=-a^{2N}(a\in {\mathbb{Z}}_{N^2}^{*})$ with private key $s\in [1,{\displaystyle \frac{N^2}{2}}]$ and public parameters $(N,g,h=g^s)$.

Enc phase: Select $m\in {\mathbb{Z}}_N^{*}$; compute ciphertext $C_1=g^r\mathrm{mod}{N}^2,C_2=h^r(1+mN)$ by random chose $r\in [1,{\displaystyle \frac{N}{4}}]$.

3.1.4. Lemma

$m_1,m_2$ are two positive integers requiring $\left|m_1-m_2\right|<{\displaystyle \frac{1}{2}}{N}^2$., $M=m_1-m_{2}mod{N}^2$ if $M\in \left(0,{\displaystyle \frac{1}{2}}{N}^2\right)$, then $m_1<m_2$; otherwise, $M\in \left({\displaystyle \frac{1}{2}}{N}^2,N^2\right)$, then $m_1>m_2$.

3.2. System Model

The entities in the system model shown in the Figure 1 are cloud server and user. Encryption parameters and computation parameters are obtained after communication between users. Users encrypt and upload their respective data to the cloud through encryption parameters, and then the cloud server performs homomorphic computation on the ciphertext using the public parameters. The homomorphic computation contains homomorphic addition and homomorphic comparison; the property of offline homomorphism can be supported in the system model, and the optimized isolation forest algorithm achieves the unsupervised machine-learning approach.

4. Homomorphic Encryption Scheme

4.1. Initial Phase

As shown in Figure 2, initial parameters are generated from the security parameters, and the data for each user identification and system identification are computed; the secret-sharing aggregation parameter ${\Delta }_i$, corresponding to the user identification and system identification, is published, and the identification is sent to the user, together with the secret-sharing aggregation parameter ${\Delta }_i$. Disclosure of public parameters, $params$.

As shown in Figure 3, user $U_i$ randomly generates a secret-sharing polynomial $f_i\left(x\right)$ locally. User $U_i$ computes a secret-sharing value ${\Delta }_{i,k}=f_i\left(u_k\right){\Delta }_k$ of the secret-sharing polynomial $f_i\left(x\right)$, with respect to other users, $U_k$, and a secret-sharing value $R_{i,k}=g^{f_i\left({\nu }_k\right){{\Delta }_k}^{\prime }}$, with respect to the system, $V_k$. User $U_i$ generates n-1 commitment ${\left\{co{m}_{i,k}=g^{h_{i,k}}\right\}}_{k=1,2,\dots ,n-1}$ and uploads this verification commitment to the cloud server. User $U_i$ randomly generates a user private key, $us{k}_i$, and a user public key, $up{k}_i$, for the private part and the public part, respectively, and sends the secret-sharing value ${\Delta }_{i,k}$ in user private key $us{k}_i$ to the corresponding user, $U_k$, and makes user public key $up{k}_i$ public. When user $U_i$ receives the shared secret ${\Delta }_{j,i}$, they can simultaneously obtain the verification commitment from the cloud and compute the verification commitment locally and verify it through the equation $CO{M}_{j,i}\stackrel{?}{\to }{g}^{f_j\left(u_i\right){\Delta }_i}$. After the user receives the secret-sharing ${\Delta }_{j,i}$ from other users, all the secret-sharing parameters sent by other users are aggregated to form the secret-sharing value $F\left(\begin{array}{c}{u}_i\end{array}\right){\Delta }_i$ for the total secret.

As shown in Figure 4, the cloud server collects the public parameters of all users and stores them in the cloud, and it then computes the secret-sharing parameter $R_{k,i}$ corresponding to the system identifier on the cloud, aggregates the secret-sharing parameters corresponding to all system identifiers, and obtains the total publicly releasable secret-sharing parameter R.

4.2. Encryption Phase

In Figure 5, if a homomorphic comparison between two users, $U_{com1},U_{com2}$, is required, in addition to the ciphertext, the comparison parameters must be provided for the computation of the homomorphic comparison. User $U_{com1},U_{com2}$ first obtains the public parameter $params$ from the server and encrypts the plaintext $m_{com1},m_{com2}\in \left(0,N^{{\displaystyle \frac{1}{4}}}\right)$ into the ciphertext $C_{com1},C_{com2}$ using the public key $g^s$. Second, user $U_{com1},U_{com2}$ computes the homomorphic comparison parameters locally from the secret-sharing values $F\left(u_{com1}\right){\Delta }_{com1},F\left(u_{com2}\right){\Delta }_{com2}$ of the total secret and the respective random values $k_{com1},k_{com2}\in \left(0,{\displaystyle \frac{N}{\sqrt{2\left(N^{\frac{5}{4}}+1\right)}}}\right),r_{com1},r_{com2}$, and the user uploads the ciphertext and the comparison parameters $ar{g}_{com1},ar{g}_{com2}$ to the cloud server.

4.3. Homomorphic Property

Homomorphic properties of the ciphertext computation and arithmetic procedure. The ciphertexts for both sides of the computation are shown below:

$$C_1=\left\{\begin{array}{c}{C}_{1,1}={\left(g^s\right)}^{r_1}\left(1+m_{1}N\right)\mathrm{mod}{N}^2\\ C_{1,2}=g^{r_1}\mathrm{mod}{N}^2\end{array}\right\}{C}_2=\left\{\begin{array}{c}{C}_{2,1}={\left(g^s\right)}^{r_2}\left(1+m_{2}N\right)\mathrm{mod}{N}^2\\ C_{2,2}=g^{r_2}\mathrm{mod}{N}^2\end{array}\right\}$$

(1)

4.3.1. Homomorphic Addition

The homomorphic addition of the ciphertext is computed as follows:

$$C_{add}=\left\{\begin{array}{c}{C}_{add,1}=C_{1,1}{C}_{2,1}={\left(g^s\right)}^{r_1+r_2}\left(1+\left(m_1+m_2\right)N\right)\mathrm{mod}{N}^2\\ C_{add,2}=C_{1,2}{C}_{2,2}=g^{r_1+r_2}\mathrm{mod}{N}^2\end{array}\right\}$$

(2)

4.3.2. Homomorphic Subtraction

The homomorphic subtraction of the ciphertext is computed as follows:

$$C_{sub}=\left\{\begin{array}{c}{C}_{sub,1}=C_{1,1}/C_{2,1}={\left(g^s\right)}^{r_1-r_2}\left(1+\left(m_1-m_2\right)N\right)\mathrm{mod}{N}^2\\ C_{sub,2}=C_{1,2}/C_{2,2}=g^{r_1-r_2}\mathrm{mod}{N}^2\end{array}\right\}$$

(3)

4.3.3. Homomorphic Comparison

The homomorphic comparison of the ciphertext is computed as follows:

$$\overline{C}=C_{2,1}/C_{1,1}={\displaystyle \frac{{\left(g^s\right)}^{r_2}\left(1+m_{2}N\right)}{{\left(g^s\right)}^{r_1}\left(1+m_{1}N\right)}}={\left(g^s\right)}^{r_2-r_1}\left(1+\left(m_2-m_1\right)N\right)$$

(4)

$$\begin{array}{cc}& M=\overline{C}ar{g}_{1}ar{g}_2={\left(g^s\right)}^{r_2-r_1}\left(1+(m_2-m_1)N\right)k_1{k}_2{\left(g^s\right)}^{r_1-r_2}\hfill \\ & =k_1{k}_2\left(1+(m_2-m_1)N\right)\hfill \end{array}$$

(5)

It can be seen that Lemma 1 holds by $\left|M\right|=\left|k_1{k}_2\left(1+(m_2-m_1)N\right)\right|\in \left(0,{\displaystyle \frac{1}{2}}{N}^2\right)$, and therefore the theorem holds when $k_{com1},k_{com2}\in \left(0,{\displaystyle \frac{N}{\sqrt{2\left(N^{\frac{5}{4}}+1\right)}}}\right),m_1,m_2\in \left(0,N^{{\displaystyle \frac{1}{4}}}\right)$ is set and is able to perform homomorphic comparison computations.

4.4. Dynamic User Join and Quit Mechanism

When user $U_j$ proposes to join or quit, it is necessary to extract the value of the secret shared by that user’s secret, and just add or subtract it from the total secret value and change the fusion subsecret of each user; then the dynamic quit can be realized.

$$\left\{\begin{array}{c}{g}^s=g^s*g^{s_j}=g^{s_1+s_2+s_3+\dots \dots +s_l+s_j},JOIN\hfill \\ g^s=g^s/g^{s_j}=g^{s_1+s_2+s_3+\dots \dots +s_l-s_j},QUIT\hfill \end{array}\right.$$

(6)

4.4.1. User Join

Firstly, the quitter, $U_j$, provides its secret share $g^{s_j}$ to the cloud server, which executes the exit procedure. For the cloud server, $g^s=g^s/g^{s_j}=g^{s_1+s_2+s_3+\dots \dots +s_l-s_j}$ needs to be employed to remove the participation share of the exit user’s secret in all user secrets. User $U_j$ locally computes ${\left(C_{i,2}\right)}^{s_j}={\left(g^{s_j}\right)}^{r_i}$ and uploads it to the cloud server, which employs $C_{i,1}=C_{i,1}/{\left(C_{i,2}\right)}^{s_j}={(g^s/g^{s_j})}^{r_i}\left(1+m_{i}N\right)$ to update all user ciphertext.

4.4.2. User Quit

Firstly, the joiner, $U_j$, provides its secret share $g^{s_j}$ to the cloud server, which executes the joining procedure. For the cloud server, it is necessary to employ $g^s=g^s·g^{s_j}=g^{s_1+s_2+s_3+\dots \dots +s_l+s_j}$ to add the participation share of the joining user’s secret among all the user secrets. User $U_j$ locally computes C and uploads it to the cloud server, which then employs $C_{i,1}=C_{i,1}{\left(C_{i,2}\right)}^{s_j}={(g^s·g^{s_j})}^{r_i}\left(1+m_{i}N\right)$ to update all user ciphertext.

5. Secure Isolation Forest Algorithm

The Secure Isolation Tree Training Algorithm 1 requires the user to provide a training ciphertext, ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n}$. The cloud server randomly selects a feature, f, and obtains the feature ciphertext maximum, $C_{max}^f$, and minimum, $C_{min}^f$, by the maximum or minimum algorithm supported by homomorphic comparison. Set the random range $module$ and obtain the random value $RandomInt$; compute the current randomly selected comparison point, $point$, by $C_{1,1}\left(1+RandomInt*N\right)$, and then use the comparison algorithm to detect whether or not the current comparison point, $point=\left\{\begin{array}{c}{C}_{min,1}^f={\left(g^s\right)}^{r_{min}}\left(1+\left(m_{min}+RandomInt\right)N\right)\mathrm{mod}{N}^2\\ C_{min,2}^f=g^{r_{min}}\mathrm{mod}{N}^2\end{array}\right\}$, is smaller than the maximum $C_{max}^f$. After determining the comparison point, $point$, the comparison point is used to differentiate between the left and right subtrees of $C_1^f,C_2^f,\dots \dots ,C_u^f$. The algorithm recursively constructs the complete tree from the left and right subtrees and then returns the tree model $Tree$ under the ciphertext.

Algorithm 1 Secure Isolation Tree Training Algorithm

Input:  ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n}$ Output:  $Tree$ 1: $f\leftarrow random\left(n\right)$ 2: $C_{max}^f\leftarrow Max\left(C_1^f,C_2^f,\dots \dots ,C_u^f\right)$ 3: $C_{min}^f\leftarrow Min\left(C_1^f,C_2^f,\dots \dots ,C_u^f\right)$ 4: $module\leftarrow 2^l$ 5: $RandomInt\leftarrow ⌊random(0,1)*module⌋$ 6: $point\leftarrow Add\left(C_{min}^f,RandomInt\right)$ 7: while$Compare\left(point,C_{max}^f\right)\ne C_{max}^f$do 8:    $module\to module/2$ 9:    $RandomInt\leftarrow ⌊random(0,1)*module⌋$ 10:   $point\leftarrow Add\left(C_{min}^f,RandomInt\right)$ 11: end while 12: for each $i\in [1,t]$ do 13:    if $Compare\left(C_i^f,point\right)\ne C_i^f$ then 14:      $LeftTreeNodeSet$ append $point$ 15:    else 16:      $RightTreeNodeSet$ append $point$ 17:    end if 18: end for 19: $LeftTree\leftarrow Train\left(LeftTreeNodeSet\right)$ 20: $RightTree\leftarrow Train\left(RightTreeNodeSet\right)$ 21: $Tree\leftarrow \left[\begin{array}{ccccc}1,& LeftTree,& RightTree,& f,& point\end{array}\right]$ 22: return$Tree$

The Secure Isolation Forest Training Algorithm 2 requires the user to provide training ciphertext ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n}$. The cloud server randomly selects the user’s ciphertext as the training set without putting it back. It uses the training set as the input for Algorithm 1. Each call to Algorithm 1 can obtain a training tree, $Tree$, and add it to the forest, which is then looped 100 times to obtain 100 training trees as a secure isolation forest model, $TreeSet$, for anomaly detection.

Algorithm 2 Secure Isolation Forest Training Algorithm

Input:  ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n}$ Output:  $TreeSet$ 1: for each $i\in [1,100]$ do 2:    $\left\{C_{r1}^{feature},C_{r2}^{feature},\dots \dots ,C_{r256}^{feature}\right\}\leftarrow sample\left(\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}\right)$ 3:    $Tree\leftarrow TrainTree\left({\left\{C_{r1}^{feature},C_{r2}^{feature},\dots \dots ,C_{r256}^{feature}\right\}}_{feature=1,2,3,\dots ,n}\right)$ 4:    $TreeSet$ append $Tree$ 5: end for 6: return$TreeSet$

Secure Isolation Tree PathLength Algorithm 3 needs to provide the user’s detection ciphertext, ${\left\{C_{detect}^{fecture}\right\}}_{feature=1,2,3,\dots ,n}$, and anomaly detection tree model, $Tree$, and the length of the detected, $Length$. The cloud server inputs the corresponding ciphertext on the $Tree$ to detect the two cases; if not a leaf node, then continue to compare, by greater than the node to go to the right sub-tree, $Tree\left[2\right]$, and less than the node to go to the left sub-tree, $Tree\left[1\right]$, and recursive computation of the length of the path, $TreePathLength$. If it has been carried out to the leaf nodes, then determine the number of current leaf nodes stored; different numbers of different computations return different results. The return result is the path length of the ciphertext in a tree model, $TreePathLength$.

Algorithm 3 Secure Isolation Tree PathLength Algorithm

Input:  ${\left\{C_{detect}^{fecture}\right\}}_{feature=1,2,3,\dots ,n},Tree,Length$ Output:  $TreePathLength$ 1: if$Tree\left[0\right]\ne 0$then 2:    if $Compare\left(C_{detect}^{Tree\left[3\right]},Tree\left[4\right]\right)\ne C_{detect}^{Tree\left[3\right]}$ then 3:      $PathLength\left({\left\{C_{detect}^{feature}\right\}}_{feature=1,2,3,\dots ,n},Tree\left[2\right],Length+1\right)$ 4:    else 5:      $PathLength\left({\left\{C_{detect}^{feature}\right\}}_{feature=1,2,3,\dots ,n},Tree\left[2\right],Length+1\right)$ 6:    end if 7: else 8:    if $Tree\left[1\right]\ne 1$ then 9:      $c\leftarrow 2^{*}\left({log}_2\left(Tree\left[1\right]-1\right)+0.5772156649\right)-\left(2^{*}\left(Tree\left[1\right]-1\right)/Tree\left[1\right]\right)$ 10:    else 11:      $c\leftarrow 0$ 12:    end if 13: end if 14: return$Length+c$

The Secure Isolation Forest Detection Algorithm 4 needs to provide the user’s detection ciphertext, ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n}$, and training ciphertext, ${\left\{C_{detect}^{fecture}\right\}}_{feature=1,2,3,\dots ,n}$. The cloud server obtains the anomaly detection isolation forest model, $TreeSet$, using Algorithm 2 $TrainTreeSet$. The model is used to detect the ciphertext, ${\left\{C_{detect}^{fecture}\right\}}_{feature=1,2,3,\dots ,n}$, and the path length of the ciphertext in each tree is computed using Algorithm 3 $PathLength$ and is summed to obtain the total path length, $AllLength$. The path length can be used to compute the anomaly score; if this score is higher than the threshold value, then it is anomalous data.

Algorithm 4 Secure Isolation Forest Detection Algorithm

Input:  ${\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_u^{feature}\right\}}_{feature=1,2,3,\dots ,n},{\left\{C_{detect}^{fecture}\right\}}_{feature=1,2,3,\dots ,n}$ Output:  $\left\{Nomal\right|Abnormal\}$ 1: $Treeset\leftarrow TrainTreeSet\left({\left\{C_1^{feature},C_2^{feature},\dots \dots ,C_t^{feature}\right\}}_{feature=1,2,3,\dots ,n}\right)$ 2: $AllLength\leftarrow 0$ 3: for each $i\in [1,100]$ do 4:    $Tree\leftarrow Treeset\left[i\right]$ 5:    $CurrentTreeLength\leftarrow PathLength\left({\left\{C_{detect}^{feature}\right\}}_{feature=1,2,3,\dots ,n},Tree,0\right)$ 6:    $AllLength\leftarrow AllLength+CurrentTreeLength$ 7: end for 8: $AvgLength\leftarrow AllLength/100$ 9: $c\leftarrow 2*\left({log}_2\left(256-1\right)+0.5772156649\right)-\left(2*\left(256-1\right)/256\right)$ 10: $score\leftarrow 2^{AvgLength/c}$ 11: if$score<threshold$then 12:    $Result\leftarrow Normal$ 13: else 14:    $Result\leftarrow Abnormal$ 15: end if 16: return$Result$

6. Security Analysis

6.1. Correctness

Proof of commitment equation $CO{M}_{j,i}\stackrel{?}{\to }{g}^{f_j\left(u_i\right){\Delta }_i}$:

$$\left.CO{M}_{i,j}={\left(g^{s_i}\prod _{k=1}^{n-1}{\left(co{m}_{i,k}\right)}^{{\left(u_j\right)}^k}\right)}^{{\Delta }_j}={\left(g^{s_i}\prod _{k=1}^{n-1}{g}^{h_{i,k}{\left(u_j\right)}^k}\right)}^{{\Delta }_j}={\left(g^{s_i+{\sum }_{k=1}^{n-1}{h}_{i,k}{\left(u_j\right)}^k}\right)}^{{\Delta }_j}=g^{f_i\left(u_j\right){\Delta }_j}\right)$$

(7)

6.2. Security Model

Firstly, we introduce the idea that there are two types of attacker to be considered in the proposed scheme.

• Internal Attackers: This type of attacker consists of malicious users who obtain private key information from the data that other users interact with. In some cases, the malicious user also wants to include malicious data or provide wrong parameters to degrade the quality of the training data or organize the model training process.
• External Attacker: This type of attacker consists of a malicious third party that interacts with users and stores encrypted data on the cloud server to participate in model training, and the malicious third party wants to obtain the model training results or obtain private key information or plaintext information through public parameters.

6.3. Security Analysis

Security is considered for all parts, and if all stages are secured then the overall security is guaranteed.

6.3.1. Homomorphic Encryption System Security

Theorem 1.

If the plaintext m and the private key $r,s$ are not leaked, and only the ciphertext and the computation parameter $\{N,g,{\left\{{\nu }_i\right\}}_{i\in \{1,\dots ,n-2\}},{\left\{u_i\right\}}_{i\in \{1,\dots ,t\}},{\left\{{\Delta }_i\right\}}_{i\in \{1,\dots ,t\}},{\left\{{{\Delta }_i}^{\prime }\right\}}_{i\in \{1,\dots ,n-2\}},$${\left\{{\mathrm{g}}^{s_i},{\mathrm{g}}^{r_i}\right\}}_{i\in \{1,\dots ,t\}},{\mathrm{g}}^s,R,{\left\{M_i,C_{i,1},C_{i,2}\right\}}_{i\in \{1,\dots ,t\}}\}$ are leaked, the possibility that adversary A can compute the plaintext message through the labeled data is negligible.

Proof of Theorem 1.

The security of the scheme is demonstrated by constructing several games, as shown below:

• Game 0: This scheme is identical to its security in the real world.

  $$Pr\left[REA{L}_A^{OUR}\left[\begin{array}{c}\lambda \end{array}\right]=1\right]=Pr\left[G_0=1\right]$$

  (8)
• Game 1: This game is based on PDL assumptions and is almost identical to Game 0, except for some parameters.

  $${\left\{CO{M}_{i,j}={\left(g^{s_i}\prod _{s=1}^{n-1}{\left(co{m}_{i,s}\right)}^{{\left(u_j\right)}^s}\right)}^{{\Delta }_j}\right\}}_{i,j=1,2,3,\dots \dots ,n-1\left|\right|i\ne j}$$
  The game requires storage tables to hold the accessed information entries $\left(\begin{array}{c}{u}_i,u_j,CO{M}_{i,j}\end{array}\right)$. When an adversary initiates a query, it checks whether or not the entry is already stored in the table. If the entry is already stored in the table, then the stored entry is returned to the corresponding querier; if the entry does not exist in the table, then an element needs to be randomly selected as the result of the entry and the entry is stored in the table for querying. Since the difficulty of solving the PDL puzzle is known, we define that there exists a polynomial time algorithm, $B1$, that solves the problem, and then the difference between Game 1 and Game 0 is:

  $$Pr[G_1=1]=Pr[G_0=1]+P{r}_{B1}^{PDL}\left[\lambda \right]$$

  (9)
• Game 2: The game is based on the IND-CPA assumption of the BCP encryption scheme and is almost identical to Game 1, except for the encryption.

  $$C_1=\left\{\begin{array}{c}{C}_{1,1}={\left(g^s\right)}^{r_1}\left(1+m_{1}N\right)\mathrm{mod}{N}^2\\ C_{1,2}=g^{r_1}\mathrm{mod}{N}^2\end{array}\right\}$$
  We define that there exists a polynomial time algorithm, $B2$, that solves the IND-CPA puzzle of the BCP encryption scheme [46], then Game 2 is different from Game 1:

  $$Pr[G_2=1]=Pr[G_1=1]+P{r}_{B2}^{IND-CPA}\left[\lambda \right]$$

  (10)
• Game 3: This game is based on an ideal realization of the process and is almost identical to Game 2, except for some of the parameters.

  $$ar{g}_{com2}=R^{r_{com2}}{k}_{com2}{\left(g^{r_{com1}-r_{com2}}\right)}^{F\left(u_{com2}\right){\Delta }_{com2}{\displaystyle \frac{-u_{com2}}{u_{com1}-u_{com2}}}}$$
  The game requires a storage table to record $\left(ar{g}_{com1},ar{g}_{com2},M=\overline{C}ar{g}_{com1}ar{g}_{com2}\right)$, and since this parameter exists for both parties to supply, when asked, check if the entry is already stored in the table. If the entry is already stored in the table, then the stored entry is returned to the corresponding querying party; if the entry does not exist in the table, then an element needs to be randomly selected as the result of the entry and the entry is stored in the table for querying. Since random numbers are added in the computation, we define that there exists a polynomial time algorithm, $B3$, capable of solving the random number discrimination problem; then, Game 3 is different from Game 2:

  $$Pr[G_3=1]=Pr[G_2=1]+P{r}_{B3}^{Random}\left[\begin{array}{c}\lambda \end{array}\right]$$

  (11)
• Simulator S: Simulator S simulates an ideal situation, which differs from the real world. Therefore, the games constructed above are used to analyze the difference between the ideal situation and the real world, which can be obtained throughout the interaction:

  $$\begin{array}{c}Pr\left[IDEA{L}_{A,S}^{OUR}\left[\lambda \right]=1\right]=Pr\left[G_3=1\right]\hfill \\ =P{r}_{B3}^{Random}\left[\lambda \right]+P{r}_{B2}^{IND-CPA}\left[\lambda \right]+P{r}_{B1}^{PDL}\left[\lambda \right]+Pr\left[REA{L}_A^{OUR}\left[\lambda \right]=1\right]\hfill \\ =Pr\left[REA{L}_A^{OUR}\left[\lambda \right]=1\right]+\epsilon \hfill \end{array}$$

  (12)

Therefore, it can be argued that only negligible advantages exist in the interaction process for it to be able to distinguish the ideal situation from the real world. □

6.3.2. Homomorphic Computing Security

The encryption scheme is a BCP encryption scheme. However, the homomorphic computational properties are extended to include partially parametric computation, so the encryption scheme after extending the homomorphic properties is analyzed to see if it is still IND-CPA secure.

Theorem 2.

If the plaintext message m and the private key $r,s$ are not leaked, and only the ciphertext and the result of the homomorphic computation $\left\{\begin{array}{c}{M}_i,C_{i,1},C_{i,2},g^s,C_{sub},C_{add},M_{com}\end{array}\right\}$ are leaked, the possibility that adversary A computes the plaintext message through the ciphertext as well as the result of the homomorphic computation is negligible.

Proof of Theorem 2.

Assuming that there exists a polynomial time algorithm, B, that can attack the encryption scheme with the advantage of $\epsilon$, then an adversary, A, can be constructed to attack the BCP scheme with the same advantage. Since $C_{add},C_{sub}$ has only homomorphic ciphertext results during homomorphic computation, the ciphertext properties of the results of homomorphic addition and homomorphic subtraction are the same as those of the original encryption. Only the information leakage from the ciphertext comparison result is discussed here.

• Init: Adversary A randomly chooses a generator, g, and sends the parameter $\left\{\mathbb{G},g^s,g,N^2\right\}$ to B.
• Challenge: B randomly picks two challenge plaintexts, $m_0,m_1$, and sends them to adversary A. Adversary A randomly picks an r and computes the disclosure value $g^r$. Adversary A first randomly picks $b=\{0,1\}$, computes the challenge ciphertext $\left\{g^r,{\left(g^s\right)}^r\left(1+m_{b}N\right)\right\}$, and sends the ciphertext to B.
• Query: B initiates homomorphic comparison computation by choosing any non-challenge plaintext, $m_0,m_1$, encryption, but its comparison object cannot challenge ciphertext $\left\{g^r,{\left(g^s\right)}^r\left(1+m_{b}N\right)\right\}$. Adversary A accepts the comparison request and returns the homomorphic comparison result of the comparison.
• Guess: B guesses that $b^{\prime }=\{0,1\}$. When $b^{\prime }=b$, then B outputs ’1’, indicating that it can distinguish $m_b$. Otherwise, B outputs ’0’, indicating that it cannot distinguish $m_b$.

Because the BCP encryption scheme has IND-CPA security without the original plaintext, it is impossible to obtain the plaintext $m_i$ by analyzing the ciphertext and homomorphic computation results. In homomorphic computation, only the homomorphic comparison computation has information leakage. However, only the 1 bit information of the size comparison result is leaked, which is unavoidable due to the necessity of comparison. The comparison result is only known to the cloud server. However, the cloud server cannot obtain the plaintext of the original ciphertext, so if the cloud server wants to crack the plaintext range of one of the two ciphertext, it first needs to obtain the plaintext value of the other ciphertext.

$$\begin{array}{cc}& Pr\left[A_{wins}\right]=Pr\left[\left\{Add,Mul,Sub,Com,C\right\}\to m\right]\hfill \\ & =Pr\left[\left\{Add,Mul,Sub,C\right\}\to m\right]+Pr\left[\left\{Com,C\right\}\to m\right]\hfill \\ & =P{r}_{IND-CPA}^{BCP}+Pr\left[\left\{Com,C_1\right\}\to m_1\mid m_2\right]Pr\left[\left\{C_2\right\}\to m_2\right]\hfill \\ & =P{r}_{IND-CPA}^{BCP}+P{r}_{IND-CPA}^{BCP}=\epsilon \hfill \end{array}$$

(13)

So, the possibility that adversary A computes the plaintext message through the ciphertext and the result of the homomorphic computation is negligible. □

7. Performance Analysis

This section analyzes the performance of this scheme in terms of crucial steps and the overall scheme and verifies the feasibility of this scheme through simulation experiments compared with other schemes. Firstly, we compare the theoretical cost of each scheme in different crucial steps and reflect the advantages of this scheme through comparison, which is better than the previous scheme in terms of functionality and cost. Secondly, comparing simulation experiments can reflect the advantages of this scheme compared with other schemes in the application process. Finally, the machine-learning model is implemented on a public dataset, and the machine-learning model is used for anomaly detection. The experimental results show that this scheme can effectively support machine learning in an encrypted state. The simulation experiments were implemented on a laptop computer with an AMD Ryzen7 4800H CPU (2.9 GHz) and 32G RAM by calling the CHARM library [47] and using Python (version 3.7).

Dataset: The KDD-NSL dataset contains training data and test da; the training data has 125,973 records and the test data has 22,544 records. Each of these records contains 43 features, 41 of which describe the traffic input, and the last two features are the label (normal or attack) and the difficulty level. The last two features of all records are removed before model training to simulate unsupervised data for model training.

The communication cost considers the interaction between the client and the server side, so the communication cost is considered from a single client. The communication overhead is considered from two aspects: the communication message’s size and the communication process’s time cost. From the theoretical cost in

Table 1. Theoretical analysis of client communication cost.

Schema	Init	Encryption	Additon	Subtraction	Compare
Our	$O(3u+5\lambda +1)+4T$	$O\left(1\right)+T$	-	-	-
[44]	$O\left(3u+\lambda +1\right)+T$	$O\left(1\right)+T$	$O\left(5\right)+T$	$O\left(5\right)+T$	$O\left(3\right)+2T$
[45]	$O\left(3u+\lambda +1\right)+T$	$O\left(1\right)+T$	-		$O\left(5\right)+2T$

T: Communication delay from server to client or client to server, u: Number of users, $\lambda$: safety parameter.

, it can be seen that the communication cost of the scheme proposed in this paper has been completed in the initial and encryption phases, and the subsequent homomorphic addition and homomorphic comparison do not require the user to be involved in further interaction. Although the communication cost of the scheme proposed in this paper is higher in the initial and encryption phases, it only interacts before uploading the data. It does not need to stay online after uploading the ciphertext, which allows the user to wait offline after all the computations have been performed within a certain period. Other schemes require user participation in the homomorphic computation process, so the proposed scheme has a more significant advantage in the computation process. Machine-learning model computation takes a significant amount of time and may drop in the middle of the process due to unstable participation in network problems, energy problems, etc., so it is evident that offline users are more suitable for practical application scenarios. Through the experimental comparison Figure 6 and Figure 7, it can also be seen that the scheme proposed in this paper has a higher cost in the initial and encryption phases, but at the same time the communication cost in the subsequent homomorphic computation can have a considerable advantage.

We expect the cloud server to have strong computational performance in order to support the computation, but we still need to make a comparison to detect the existence of unaffordable computational costs. Through the theoretical cost in

Table 2. Theoretical analysis of server computation cost.

Schema	Init	Encryption	Additon	Subtraction	Compare
Our	$O(u\lambda Div+u^{2}Mul+u^2\lambda Exp)$	-	$O\left(2Mul\right)$	$O\left(2Div\right)$	$O(Div+2Mul)$
[44]	$O(u\lambda Div+uMul)$	-	$O(2\lambda Mul+2\lambda Div)$	$O(2\lambda Mul+2\lambda Div)$	$O(2\lambda Mul+2\lambda Div)$
[45]	$O(u\lambda Div+uMul+\lambda Exp)$	-	$O\left(2Mul\right)$	$O\left(2Div\right)$	$O(2\lambda Mul+4\lambda Div+2\lambda Exp)$

u: Number of users, $\lambda$: safety parameter, $Div$: Division operations under modulus, $Mul$: Multiplication operations under modulus, $Exp$: Exponential operations under modulus.

, it can be seen that the proposed scheme in this paper has a larger difference than other schemes in the initial phase; the initial phase carries more cost, and the cost is related to the number of participating users, but the actual difference with other schemes needs to be derived through experiments. Since there will not be too many participants in the training of machine-learning models, only users with a large amount of data or with machine-learning needs will be willing to participate, so user participation is set to 100. Since the computation of the servers in the initial phase of this scheme does not have a sequential requirement, the computational cost can make optimal use of the cloud server’s computational cost by concurrency optimization. As shown in Figure 8, after optimization, although this scheme still had an enormous time cost in the initial phase, its time cost was only 12 s in the case of 100 user participation. This time overhead is still within the range of seconds. At the same time, it is possible that the local network latency of some users even exceeds this time cost, so we believe that the server-side time cost in the initial phase is acceptable. The experimental results show that the non-initial phase of the other phases of this scheme is advantageous, and because there is a large number of machine-learning computing in the subsequent model learning and data prediction process, the advantages of homomorphic computing are realized, even when the number of computations is substantial.

From the theoretical analysis in

Table 3. Theoretical analysis of client computation cost.

Schema	Init	Encryption	Additon	Subtraction	Compare
Our	$O(uMul+uExp)$	$O(2Div+8Mul+6Exp)$	-	-	-
[44]	-	$O(2Mul+Exp)$	$O(Div+Mul+Exp)$	$O(Div+Mul+Exp)$	$O(Div+Mul+Exp)$
[45]	-	$O(2Mul+2Exp)$	-	-	$O(2Div+4Mul+4Exp)$

$Div$: Division operations under modulus, $Mul$: Multiplication operations under modulus, $Exp$: Exponential operations under modulus.

, it can be seen that the most significant difference between this scheme and other schemes in terms of client computation cost lies in the initial phase and homomorphic computation phase. This scheme requires the user to compute the parameters in the initial phase. However, the user does not need to participate in the homomorphic computation process in the homomorphic computation phase. This experiment is compared after setting the number of computations to 10,000; the advantage of this scheme can be seen in Figure 9; the client’s cost is not high when performing a large number of computations. Combining theory and experiments, it can be seen that the advantage of the proposed scheme over other schemes is that there is no need to compute too many parameters locally, and the amount of user computation is only related to the number of participating users and security parameters. Since the client does not need to participate in the homomorphic computation, the computational complexity of the model is not related to the client but only to the server’s power, and the server’s power can be increased to improve the speed of homomorphic computation without considering the limitations of the client’s power. Client-side participation in homomorphic computation must ensure the user’s stable arithmetic and network. Hence, it is impossible to use complex machine-learning models, especially those whose computation is highly correlated with the amount of data. At the same time, the scheme proposed in this paper can be well adapted to these complex models.

Combining the communication time cost and computation time cost, after summarizing all the time costs and analyzing them, from Figure 10 can be seen that the cost of this scheme is significantly smaller than the time cost of other schemes. After all the parameters are computed, this scheme spends more time in the initial and encryption phases. However, in the case of many homomorphic computations, other schemes require both communication and the computation of parameters. Hence, this scheme’s total time overhead is better than other schemes. At the same time, it reduces the requirement of client stability as no subsequent interaction and computation is required.

In terms of user privacy comparison, this scheme has the same security as other schemes, but it has offline computing features, the flexibility of user joining, and the verification of user parameters, which can better provide services for homomorphic computing. Comparing in terms of computational efficiency, this scheme migrates a large number of computational steps to the cloud server for execution, more computational cost is borne by the computationally resource-rich cloud server in the cloud-computing model, and waiting for computation due to communication is avoided. Reasonable configuration of the computation cost of the user and the cloud server, while reducing the waiting time due to communication, can lead to higher computation efficiency. Comparing in terms of communication cost, the offline property of computation in this scheme ensures that the computation required for model training does not need to interact with the user, thus reducing the communication overhead by a significant amount. Even though more communication cost is required in the initial and encryption phases, the disadvantages of the earlier phases can be offset by the advantages of subsequent model training, as can be seen in Figure 7, where the communication advantage of only 10,000 homomorphic computations already outweighs the communication disadvantages associated with the initial and encryption phases.

Different numbers of subtrees mainly affects the stability of anomaly detection. Calculating the average path lengths of normal and abnormal data on different numbers of subtrees, from Figure 11 can be seen that the path length fluctuates greatly when the number of subtrees is less than 60, and the fluctuation is smooth when the number of subtrees is greater than 80. Once the number of subtrees is greater than 100, increasing the number of subtrees only slightly affects the average path length, so it is considered that the average path length has reached convergence after the number of subtrees reaches 100. Therefore, the number of subtrees is set to 100 in the subsequent experiments.

The number of sampling points per subtree mainly affects the height of the subtree, while the isolation forest model detects anomalies mainly relying on the lower layers. Therefore, a subtree with too many sampling points does not significantly improve the accuracy of anomaly detection. From Figure 12, it can also be seen that when the number of sampling points is greater than 128 and the number is then increased, it will only slightly improve the detection accuracy. Therefore, the number of sampling points can be chosen flexibly according to the size of the computing capacity; when the computing capacity is weak, we can choose 32, and when the computing capacity is strong, we can choose 256. Since computations are undertaken by the cloud server, it is recommended to set the number of sampling points to 256.

The anomaly detection task is performed on the NSL-KDD dataset using the proposed scheme in this paper, and the anomaly detection task can be better accomplished under ciphertext by the secure isolation forest algorithm. Since the data are encrypted, the computation under ciphertext and the computation under plaintext cannot be realized in the same way, so the scheme is adapted to the secure isolation forest algorithm, and the secure isolation forest algorithm can still accomplish the anomaly detection task well after the change. The goal of the simulation experiments was to detect anomalies by constantly adjusting the detection threshold of the secure isolation forest; through Figure 13 shown the detection effect of simulation experiments, it was found that setting the detection threshold to 0.422 obtained the best results. In the experimental results, the secure isolation forest algorithm reaches a 90.12% recall rate in anomaly detection, which only leads to about 10% of the anomalous data being undetected, through which it can reduce the anomalous data that is mixed in the normal data by about 90% and reduce the proportion of anomalous data to the total amount of data.

Comparing the isolation forest model under encryption with that under plaintext in the anomaly detection experiments, it can be seen from the Figure 14, only the Recall metric has a large gap, while for the combined Precision, Accuracy, and F1 metrics the encrypted isolation forest algorithm has only a slight gap. This reflects the differences between the encrypted isolation forest and the original model and also shows that the encrypted isolation forest can be used in anomaly detection tasks.

8. Conclusions

Here we propose a multi-user encrypted machine-learning system that supports an unsupervised learning approach, the secure isolation forest algorithm, through a semi-homomorphic encryption scheme. This algorithm can achieve more than 90% recall in anomaly detection experiments, proving that the system can accomplish the machine-learning goal. In this scheme, the base encryption scheme can support homomorphic comparison by front-loading the computational parameters, and by designing the communication and computational processes, the computational parameters required for homomorphic computation are front-loaded to reach the offline computational approach. In comparison with the same type of scheme, it can be seen that there is a higher computational cost in the initial stage due to the need to front-load the computational parameters. However, it is still within the acceptable range. Since the homomorphic computation in the subsequent model learning does not require user participation, it reduces the stability requirements for the clients and lowers the threshold of user participation.

Since the encrypted machine-learning model used in this scheme is the isolation forest algorithm, this method is only effective for the detection of individual anomalies that are far away from the cluster, and it is not effective in detecting small cluster anomalies. Therefore, this scheme mainly focuses on the isolated anomalies that are far away from the normal data, and it is more effective in detecting such anomalies.

In the future, we will study more encrypted machine-learning schemes supported by partially homomorphic encryption to reduce costs. At the same time, we should improve the encryption method to support homomorphic computation while minimizing the communication and computation costs. The pre-computation parameters of the current scheme need to be computed locally, and in the future we will consider adding outsourcing to minimize the arithmetic requirements of local users.