Scalable and Privacy-Preserving Federated Principal Component Analysis

HE for Linear Algebra.

Multiple works have shown how to optimize matrix-vector multiplications [24], [56] and multiplications between small matrices (i.e., fitting in a single ciphertext) [57], [58], [59], [60]. Multiplication of large encrypted matrices, whose rows do not fit into single ciphertexts, has been less studied. PCA requires multiple types of multiplications involving large matrices of varying dimensions, and efficiently performing these operations under encryption is key to achieving practical performance. SF-PCA jointly leverages a range of matrix multiplication methods whose complexities scale differently with the input dimensions, making an adaptive choice for each computational step in RPCA (§.6.1).

Distributed HE.

When multiple parties use HE to combine their private data, they can either share all of their data encrypted under the same key held by a trusted entity (e.g., in a centralized scheme [61], [62]), or adopt a distributed scheme where no single entity holds the decryption key. In threshold encryption schemes [63], [64], the encryption key is known to all parties whereas the decryption key is secret-shared among the parties such that a predefined number of them must collaborate to decrypt a ciphertext. In multi-key [65] schemes (including a hybrid with threshold schemes [66]), the parties have their own key pair and can jointly compute on data encrypted under different keys, but the complexity scales with the number of parties. In SF-PCA, we rely on a multiparty HE scheme (MHE) proposed by Mouchet et al. [48], which corresponds to an s-out-of-s threshold scheme. This scheme enables local computation with complexity independent of the number of parties and provides a lightweight, interactive protocol to refresh (bootstrap) a ciphertext—a key factor for SF-PCA’s efficiency in contrast to alternative approaches (see §.5).

Secure Centralized PCA.

Few solutions have been proposed for the secure centralized computation of PCA due to its computational complexity. Pereiral and Aranhal [67] proposed a method for performing PCA on an encrypted dataset using homomorphic encryption (HE). HE-based solutions typically incur a high computational overhead compared to their cleartext counterparts. In addition, they require a costly centralization of the data and have a single point-of-failure, i.e., the holder of the decryption key. In SF-PCA, since the exchanged data are encrypted with a collective key, no single entity can decrypt them, and compute-intensive HE operations (e.g., bootstrapping) are replaced by lightweight interactive protocols. In §.7.6, we compare SF-PCA with an HE-based centralized solution.

Non-Secure Federated PCA.

Solutions that enable PCA on distributed data without privacy protection fall in two main categories: iterative [68], [69], [70], [71] and non-iterative [33], [34], [35], [36], [37], [38], [39], [40], [41], [42], [43]. In the former, the DPs communicate and collaborate in order to perform each step of the algorithm. In the latter, the DPs perform the decomposition locally and then merge their results; we also refer to this approach as meta-analysis. Meta-analysis requires less communication but introduces inaccuracies by approximating PCA with two levels of decomposition, i.e., an independent local decomposition by each DP and a global one for the merged results. These solutions typically require that the local data distribution be consistent across DPs to obtain accurate results. In addition, they are not end-to-end secure as they require the DPs’ intermediate results to be revealed to an aggregator server (or to other DPs), representing a single point of failure. Intermediate results have been shown to reveal information about the original data in federated settings, e.g., in PCA [70] and ML [72], [73]. In contrast, SF-PCA implicitly performs RPCA on the joint data without altering the original approach, thus obtaining accurate results independently of the data distribution among the DPs (§.7). It also keeps all the exchanged information secret and does not rely on an aggregator server.

SMC-based PCA.

Several solutions [43], [44], [45], [46] leverage secure multiparty computation (SMC) to perform PCA on data that are secret-shared among a limited number of parties (e.g., three). These solutions require the data to be outsourced to computing parties, incurring a high communication overhead for large datasets. Unlike SMC solutions, SF-PCA can be efficiently used by a large number of parties, and their data are kept locally with a minimal amount of encrypted information exchanged for the PCA computation. In §.8, we discuss an extension of SF-PCA where SMC techniques are integrated into our system to aid in carrying out non-polynomial function evaluations on small-dimensional inputs.

HE-based PCA.

To our knowledge, Liu et al. [74] proposed the only existing homomorphic encryption (HE)-based solution for federated PCA. However, they rely on an aggregator server that decrypts the aggregated values at each step of the process. Since the intermediate results can reveal information about the parties’ local data, these methods are not end-to-end secure. SF-PCA demonstrates that a fully decentralized and end-to-end secure solution for PCA is practically feasible.

Differential Privacy-based PCA.

Solutions based on differential privacy [75], [76], [77] fundamentally differ from SF-PCA in that their goal is to limit the privacy leakage of the intermediate or final results. To achieve this goal, these solutions introduce noise into the computation, making the final results less accurate. Furthermore, analogous to meta-analysis, some of these solutions rely on a local decomposition followed by a global aggregation of results, introducing an approximation error in addition to the noise added for differential privacy. In SF-PCA, no intermediate result is revealed, hence differential privacy is not needed to protect the information exchanged during the algorithm. On the other hand, if the DPs wish to reveal the final PCA result with differential privacy, such guarantee can be added to SF-PCA (§.8).

Main MHE Operations.

The DPs each have a public key $p{k}_i$ and the corresponding secret key $s{k}_i$ (with $\left\{s{k}_i\right\}$ the set of all DPs’ secret keys) and can collectively execute the following operations. We denote a collectively encrypted vector by $\mathit{c}$ and a plaintext vector by $\tilde{\mathit{p}}$. Symbols are summarized in Tab. 3 (Appendix B).

• $pk,evks\leftarrow \mathrm{D}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}\left(\left\{s{k}_i\right\}\right)$ generates the collective public key $pk$ and evaluation keys $evks$, which are required for ciphertext transformations such as rotations. The DPs aggregate the local shares of keys (randomly generated based on a public source of randomness) to obtain public collective keys [48].

• $\mathit{c}\leftarrow \mathrm{D}\mathrm{B}\mathrm{o}\mathrm{o}\mathrm{t}\mathrm{s}\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{p}\left({\mathit{c}}^{\prime },\left\{s{k}_i\right\}\right)$ collectively refreshes a ciphertext to obtain a fresh encryption. This operation is required after every $\lambda$ multiplications to ensure a correct decryption.

• ${\mathit{c}}_{p{k}^{\prime }}\leftarrow \mathrm{D}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{S}\mathrm{w}\mathrm{i}\mathrm{t}\mathrm{c}\mathrm{h}\left(\mathit{c},p{k}^{\prime },\left\{s{k}_i\right\}\right)$ changes the encryption of a ciphertext $\mathit{c}$ from the public key $pk$ to another public key $p{k}^{\prime }$, without decrypting the ciphertext. The collective decryption is a special case of this operation (i.e., $\left.\mathrm{D}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{S}\mathrm{w}\mathrm{i}\mathrm{t}\mathrm{c}\mathrm{h}\left(\mathit{c},\mathrm{\varnothing },\left\{s{k}_i\right\}\right)\right)$. To prevent information leakage upon decryption [84], a fresh noise with a variance larger than that of the ciphertext is added before decryption [48], [84], [85], [86].

Each DP can independently encrypt, and perform the following operations listed in order of increasing computational complexity (Tab. 2):

• ${\mathit{c}}_{pk}\in R_{Q_L}^2\leftarrow \mathrm{E}\mathrm{n}\mathrm{c}(pk,\tilde{\mathit{p}})$ with a plaintext vector $\tilde{\mathit{p}}$, such that $\mathrm{D}\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{S}\mathrm{w}\mathrm{i}\mathrm{t}\mathrm{c}\mathrm{h}\left({\mathit{c}}_{pk},\mathrm{\varnothing },\left\{s{k}_i\right\}\right)\approx \tilde{\mathit{p}}$.

• ${\mathit{c}}^{\prime \prime }=\mathit{c}+{\mathit{c}}^{\prime }$, addition of encrypted vectors.

• ${\mathit{c}}^{\prime }=\mathit{c}·\tilde{\mathit{p}}$, element-wise multiplication of an encrypted vector and a cleartext vector. The result needs to be rescaled to maintain ciphertext scale.

• ${\mathit{c}}^{\prime \prime }=\mathit{c}·{\mathit{c}}^{\prime }$, element-wise multiplication of two encrypted vectors. The result needs to be relinearized and rescaled to maintain ciphertext size and scale.

• ${\mathit{c}}^{\prime }={\mathrm{R}\mathrm{o}\mathrm{t}}_y(\mathit{c},evks)$, cyclic rotation of length $y$ to the left (to the right if $y$ is negative) on the encrypted vector $\mathit{c}$.

• ${\mathit{c}}^{\prime \prime }=\mathit{c}·{\mathit{c}}^{\prime }$, dot product of two encrypted vectors. The result is encoded in the first position of a one-hot encoded vector ${\mathit{c}}^{\prime \prime }$.

• ${\mathit{c}}^{\prime }={\mathrm{D}\mathrm{u}\mathrm{p}}_y\left(\mathit{c}\right)$, duplication of the first element of $c$ to the first $y$ positions of ${\mathit{c}}^{\prime }$ with $⌈{\mathrm{l}\mathrm{o}\mathrm{g}}_2\left(y\right)⌉$ rotations and additions.

Obtaining Accurate Results by Emulating Centralized PCA.

Existing federated approaches to PCA that combine the results independently obtained by the DPs (e.g., meta-analysis), are prone to errors introduced by differences in data distribution among the DPs. In SF-PCA, we avoid this pitfall by securely combining the intermediate results at each step of the protocol (via collective aggregation $\mathrm{\Xi }$ in Alg.1) to emulate a centralized analysis, thus obtaining the same PCs regardless of how the data are split (§.7.7).

Efficient Edge-Computing on Local Cleartext Data.

Working with an encrypted form of the entire input matrix ($\tilde{\mathit{A}}$ in Fig. 1) would require the DPs to transfer large amounts of data (e.g., for centralized HE or secret sharing) or to perform costly ciphertext operations on large matrices, both of which become impractical for large-scale datasets. In SF-PCA (Alg.1), the DPs jointly perform the PCA without encrypting or exchanging the input data. They collaborate instead by computing on their local cleartext data (i.e., the sub-matrix ${\tilde{\mathit{A}}}_i$) and exchanging only low-dimensional and aggregate-level encrypted information. This enables the DPs to minimize communication and maximize the use of low-cost MHE operations involving the cleartext data (e.g., with our default parameters, cleartext-ciphertext multiplication is eight times faster than a ciphertext-ciphertext multiplication; Tab. 2). We also modify the RPCA computation to use only the cleartext input throughout the workflow. For example, instead of directly constructing a mean-centered input matrix (Step 2 in Fig. 1), which needs to be encrypted due to the means being private, SF-PCA keeps each local matrix ${\tilde{\mathit{A}}}_i$ in cleartext and associates with it an encrypted mean vector $\mathit{o}$ to correct for mean shifts in subsequent steps (see Step 2 in Alg.1). This enables a key optimization for the matrix multiplications in Steps 3–5, 7 and 8 (Alg.1), where the cleartext matrix ${\tilde{\mathit{A}}}_i$ is pre-transformed to minimize costly ciphertext operations such as rotations in later steps. In §.6.1.3, we show how to efficiently multiply an encrypted matrix with another containing only duplicated rows (or columns), which is used for lazy mean correction in Steps 4, 5, 7 and 8.

Adaptive Selection of Computational Routines based on Data Dimensions.

In practice, PCA is applied to datasets whose dimensions vary greatly depending on the application, e.g., from tens of features in small predictive modeling tasks to tens of thousands of features in genomic studies (§.7). To achieve practical performance in a wide range of settings, we propose an adaptive approach for optimizing the computational routines based on the input dimensions. In Alg.1, we introduce two different workflows for performing RPCA: Precomp and Seq. In Precomp, the encrypted covariance matrix $\mathit{G}$ is precomputed in the beginning of Step 4 and reused, such that most of the following operations scale primarily with the number of features $m$. In Seq, $\tilde{\mathit{A}}$ is kept in cleartext and used for matrix multiplications, which is more efficient than using $\mathit{G}$, but now the computation scales with both $m$ and the number of samples $n$. In addition, in §.6.1, we describe several matrix multiplication methods, each of which scales differently with the input dimensions; SF-PCA selects the best approach for each step in its workflow. Similarly, in §.6.2, we introduce two approaches for performing the QR factorization on an encrypted matrix (QR in Step 4), with different complexities depending on the input dimensions.

Optimized Data Encoding for Linear Algebra on Encrypted Matrices.

The secure execution of RPCA requires that the DPs iteratively perform various matrix operations on encrypted data, including multiplication and factorization. For example, the QR factorization, which is repeatedly executed in-between matrix multiplications (in Steps 4, 6, and 7 of RPCA; Fig. 1), is performed over the rows of an encrypted matrix in SF-PCA. Selecting a row in a matrix of $m$ columns, where the columns are individually packed in ciphertexts, would require $m$ homomorphic multiplications, additions, and rotations; in contrast, row selection incurs no cost when the matrix is row-wise encoded. In fact, the overwhelming cost of transforming encrypted matrices from one encoding to another would make our system impractical. We therefore adopt a consistent vectorized encoding scheme throughout the algorithm to represent encrypted matrices and tailor the operations to efficiently work with this format without costly conversions. This also allows SF-PCA to fully utilize the packing and SIMD properties of MHE thus minimizing its overall computation and communication costs.

Selective Bootstrapping to Minimize Communication.

After a certain number of multiplications, a ciphertext needs to be bootstrapped (DBootstrap, §.3) to restore its capacity for computation. In SF-PCA, this is a collective operation, which is computationally lightweight in contrast to its centralized equivalent, but requires the ciphertext to be exchanged among all DPs. To further minimize this communication overhead, we restrict the invocation of DBootstrap to places where an intermediate result is already globally synced and of a small dimension (e.g., during QR factorization in Steps 4 and 7 in Alg. 1; see §.6.2), while flexibly allowing a ciphertext to be bootstrapped even if some multiplication capacity remains.

Step 1: Setup.

Each ${\mathrm{D}\mathrm{P}}_i$ holds ${\tilde{\mathit{A}}}^{\left(n_i\times m\right)}$, a submatrix of the global input matrix ${\tilde{\mathit{A}}}^{(n\times m)}$. The DPs generate the required public keys (DKeyGen, §.3) and agree on the PCA parameters, including: the number of power iterations $p$, the number of QR iterations $w$ for eigendecomposition, the desired number of PCs $\psi$, the oversampling parameter $\alpha$ (resulting in the number of components $\rho =\psi +\alpha$ for RPCA), and a public random sketch matrix ${\tilde{\mathbf{\Pi }}}^{(\rho \times n)}$ (e.g., generated from a shared seed). In addition, the DPs together decide the specifics of certain computational steps in SF-PCA, such as the approximation intervals for non-linear operations (§.6.3) and the method of choice for costly linear algebraic operations (matrix multiplication and transformations; see §.6), taking the input dimensions into account to maximize performance. All the parameters introduced in this step are considered public. Note that the procedure to agree upon the parameters is orthogonal to SF-PCA; e.g., the DP initiating the collaboration could propose the parameters.

Step 2: Mean Calculation.

The DPs compute the encrypted vector ${\mathit{o}}^{(1\times m)}$ of column averages of the input matrix ${\tilde{\mathit{A}}}^{(n\times m)}$ by securely aggregating their local column sums divided by $n$, encrypted under the collective public key.

Open in a new tab

Step 3: Random Projection.

${\mathrm{D}\mathrm{P}}_i$ projects ${\tilde{\mathit{A}}}_i$ to a subspace of $\rho$ dimensions using the public sketch matrix ${\tilde{\mathbf{\Pi }}}^{(\rho \times n)}.{\mathrm{D}\mathrm{P}}_i$ locally computes the product of ${\tilde{\mathit{A}}}_i$ and the corresponding submatrix ${\tilde{\mathbf{\Pi }}}_i^{\left(\rho \times n_i\right)}$ of ${\tilde{\mathbf{\Pi }}}^{(\rho \times n)}$ to obtain its local sketch in cleartext. The result is then encrypted and aggregated among all DPs to obtain the encrypted sketch $\mathit{P}$ of the global matrix $\tilde{\mathit{A}}$.

Step 4: Power Iterations.

The sketch of the input matrix obtained in the previous step is repeatedly multiplied with the input matrix to increase the spectral gap between the top eigenvectors of interest and the rest [47]. We execute this step differently depending on the input dimensions for optimized performance; the two approaches considered by SF-PCA are described below. Notably, in both approaches, we leverage the fact that the cost of cleartext operations is almost negligible compared to that of HE to optimize the computation.

Step 5: Reduction.

In the Precomp approach, the matrix $\mathit{P}$ resulting from Step 4 is transformed to a small symmetric matrix $\mathit{Z}$ by multiplying the covariance matrix ${\mathit{G}}_i$ from both sides. In the Seq approach, this is performed by using the cleartext matrix ${\tilde{\mathit{A}}}_i^T$ and then by multiplying the result by its transpose. As in Step 4, SF-PCA employs lazy mean-centering for this step.

Step 6: Eigendecomposition.

The eigendecomposition (introduced in §.3) is executed on the encrypted matrix $\mathit{Z}$. We detail our MHE-based algorithm for this step in Alg. 4. It requires the iterative execution of ${\mathrm{Q}\mathrm{R}}^T$ and matrix multiplications.

Step 7: Reconstruction.

The PCs (rows of $\mathit{W}$) are computed by multiplying the eigenvectors from Step 6 with the approximated subspace from Step 3, followed by a final round of power iteration and orthogonalization $\left({\mathrm{Q}\mathrm{R}}^T\right)$ for numerical stability.

Step 8: Projection.

Each ${\mathrm{D}\mathrm{P}}_i$ projects its local cleartext data ${\tilde{\mathit{A}}}_i^T$ onto the collectively encrypted PCs in $\mathit{W}$ to obtain their projected data ${\mathit{A}}_i^{\prime }$, which is also encrypted under the collective public key. If required by the application, by using DKeySwitch, the PCs and/or the DPs’ projected data can be collectively decrypted or re-encrypted under the public keys of specific entities to grant controlled access to the decrypted results.

6.1.1. Adaptive Strategy.

We identify two main types of matrix multiplications in Alg. 1: (i) unbalanced multiplications between a large encrypted matrix and a large cleartext (or pre-transformed encrypted) matrix in Steps 4, 7 and 8, with the key property that operations are cheap on one matrix (cleartext) and expensive on the other (ciphertext); and (ii) duplicated-vector multiplications, referring to multiplications between a large encrypted matrix and another encrypted matrix whose rows (or columns) are identical (e.g., corresponding to the encrypted mean vector $\mathit{o}$).

In §.6.1.2, we detail three different approaches (M1, M2, and M3) for unbalanced multiplications, each with a complexity that scales differently with the input dimensions. We denote by ${\zeta }_{\mathrm{M}}^{*}(a,b,c)$, the function that takes the three input dimensions for multiplying ${\mathit{M}}^{(a\times b)}$ and ${\tilde{\mathit{N}}}^{(b\times c)}$ matrices and outputs the cost associated with the most efficient multiplication routine. The cost we compare is a weighted sum of the multiplication and rotation invocation counts, where the weights are determined by the estimated runtime per operation in the given computational environment. The cost of a cleartext-ciphertext multiplication is set to be around 8 times lower than that of a ciphertext-ciphertext multiplication according to our estimates (Tab. 2).

We identify the matrix multiplication costs of Precomp and Seq for a single iteration as ${\zeta }_{\mathrm{M}}^{*}(\rho ,m,m)$ and ${\zeta }_{\mathrm{M}}^{*}\left(\rho ,m,n_{\mathrm{m}\mathrm{a}\mathrm{x}}\right)+{\zeta }_{\mathrm{M}}^{*}\left(\rho ,n_{\mathrm{m}\mathrm{a}\mathrm{x}},m\right)$, respectively, where $\rho$ is the number of reduced dimensions in RPCA, $m$ is the number of input features, and $n_{\mathrm{m}\mathrm{a}\mathrm{x}}={\mathrm{m}\mathrm{a}\mathrm{x}}_i \left(n_i\right)$ represents the largest number of samples locally held by the DPs. We consider the worst-case complexity as the overall runtime being as fast as the slowest DP. In addition, for both approaches, we incorporate the cost of lazy mean-centering when comparing the overall cost; Precomp requires $3b$ Mults and $b$ Rots, whereas Seq requires two duplicated-vector multiplications, which we detail in §.6.1.3. We further compare these approaches in §.7.

6.1.2. Unbalanced Multiplications.

We describe the HE implementations of three matrix multiplication strategies: Dot-Product Method (M1), Element-Duplication Method (M2), and Diagonal Method (M3; adapted from Jiang et al. [59]). We jointly consider these three methods because their costs scale differently with the input dimensions, enabling SF-PCA to optimize its performance in a wide range of scenarios. For each method, we show its cost in terms of the invocations of ciphertext rotations (Rots) and multiplications (Mults) for multiplying a pair of $a\times b$ and $b\times c$ matrices. The cost of cleartext operations is negligible. To simplify the computational complexity analysis, we assume that $b$ and $c$ are powers of two without loss of generality. We denote by $t$ the ciphertext capacity, i.e., the number of values that can be packed in a ciphertext. Due to SF-PCA’s vectorized encoding, the inner dimension $b$ reduces to a small constant $⌈\frac{b}{t}⌉$ in terms of the number of ciphertext operations.

6.1.3. Duplicated-Vector Multiplications.

This method addresses a special setting where we multiply an encrypted matrix $\mathit{M}$ with another encrypted matrix $\mathbf{\Gamma }$ whose rows (Case 1) or columns (Case 2) are identical vectors $\mathit{\mu }$. This setting frequently arises in SF-PCA for the lazy mean-centering operations (i.e., all operations involving $\mathit{o}$ in §.5.2). Our method accounts for this redundancy in the matrix to minimize the number of rotations on both encrypted matrices.

6.1.4. Further Optimizations.

We note that all multiplication methods are parallelizable at the row level. Each multiplication of a ciphertext is followed by a rescale and a relinearization operation (the result of a multiplication with a plaintext only needs to be rescaled, see §.3). When the results of several multiplications need to be aggregated, we defer the rescale and relinearization operations until after the aggregation step so they can be executed once overall, rather than for every multiplication. Because these operations account for between 52% and 75% of the multiplication time (Tab. 2) and SF-PCA heavily relies on matrix multiplications, this optimization considerably improves SF-PCA’s overall performance. For example, it reduces the runtime of multiplying an encrypted ${\mathit{M}}^{(8\times 2^8)}$ with a cleartext ${\tilde{\mathit{N}}}^{(2^8\times 2^8)}$ with M3 from 24.6 to 3.8 seconds; the improvement is expected to be greater for larger matrices.

Householder Transformation of Encrypted Vectors.

Alg. 2 performs a key step in the Householder transformation, which reflects a vector about a given hyperplane, on an encrypted vector. For use in PCA, we need to choose a specific reflection hyperplane that transforms the input vector $\mathit{v}$ into a vector (of the same norm) with zeros in all coordinates except for the first. The output ${\mathit{v}}^{\prime }$ of Alg. 2 represents this hyperplane; the Householder matrix obtained as $\mathit{H}={\tilde{\mathit{I}}}^{(h\times h)}-2{\mathit{v}}^{\prime }\times {\mathit{v}}^{\prime T}$, where $\tilde{\mathit{I}}$ is the identity matrix, satisfies that $\mathit{H}\times \mathit{v}$ has a nonzero element only in the first coordinate. This method is used in ${\mathrm{Q}\mathrm{R}}^T$ to iteratively apply orthogonal transformations to the input matrix to convert it into a lower triangular matrix. Following the standard technique, the norm of the input vector (computed in Lines 1–3) is added to or subtracted from its first coordinate (Line 7), depending on the sign of the first coordinate (Line 4) for numerical stability. Afterwards, the vector is normalized (Lines 9–11) to obtain the desired reflection vector.

Alg. 2 requires the evaluation of non-polynomial functions, including the sign function (alternatively, $g(x)=x/\sqrt{x^2}$, Line 4), the square root, and the inverse square root. To this end, SF-PCA applies Chebyshev polynomial approximation [89] to each function on a pre-determined input range (agreed upon in Step 1; §.5.2). In addition, we use the baby-step giant-step technique [90] to further reduce the complexity of evaluating degree-$d$ polynomials, resulting in a multiplicative depth of $\lceil \mathrm{l}\mathrm{o}\mathrm{g}\left(d\right)+1\rceil$ and $2·\sqrt{2d}+\frac{1}{2}{\mathrm{l}\mathrm{o}\mathrm{g}}_2\left(d\right)+𝒪\left(1\right)$ ciphertext multiplications. We denote this quantity as $l\left(d\right)$ in our algorithms. We discuss the choice of approximation intervals in §.6.3. For the communication cost, we calculate the number of DBootstrap executions as the multiplicative depth of this method divided by the number of available ciphertext levels $\lambda$ (§.3).

QR Factorization of Encrypted Matrices.

QR factorization decomposes an input matrix $\mathit{V}$ into an orthogonal matrix $\mathit{Q}$ and a lower-triangular matrix $\mathit{R}$ such that $\mathit{V}=\mathit{R}\times \mathit{Q}$. This is repeatedly used in Steps 4, 6 and 7 of SF-PCA’s workflow. In Alg. 3, we describe both the transposed-QR factorization ${\mathrm{Q}\mathrm{R}}^T$ that is executed by one DP on an encrypted matrix and its distributed equivalent ${\mathrm{D}\mathrm{Q}\mathrm{R}}^T.{\mathrm{D}\mathrm{Q}\mathrm{R}}^T$ performs a QR factorization in a federated manner on an encrypted matrix that is distributed among the DPs, requiring the DPs to aggregate (denoted by $\mathrm{\Xi }$) their partial results in Lines 3, 5, and 18. In Step 4 of SF-PCA, ${\mathrm{Q}\mathrm{R}}^T$ is executed on a matrix with $h=m$ columns (i.e., same as the number of features), whereas ${\mathrm{D}\mathrm{Q}\mathrm{R}}^T$ is executed on a matrix with $h=n$ columns distributed among the DPs, where each ${\mathrm{D}\mathrm{P}}_i$ has $n_i$ columns. $\mathrm{H}\mathrm{H}$ and the vector-matrix multiplications in Lines 5 and 18 are the only operations with a cost that depends on $h.{\mathrm{D}\mathrm{Q}\mathrm{R}}^T$ requires more communication among the parties, and the complexity of QR factorization depends mainly on the number of rows $\delta$, which is the same in both ${\mathrm{Q}\mathrm{R}}^T$ and ${\mathrm{D}\mathrm{Q}\mathrm{R}}^T$, and not on $h$. Hence, we use ${\mathrm{D}\mathrm{Q}\mathrm{R}}^T$ only when the difference between $n_i$ and $m$ is large enough to compensate for the communication overhead, i.e., when $\xi ·{\mathrm{l}\mathrm{o}\mathrm{g}}_2\left(n_{\mathrm{m}\mathrm{a}\mathrm{x}}\right)<{\mathrm{l}\mathrm{o}\mathrm{g}}_2\left(m\right)$, with a factor $\xi$ determined by the properties of the network setup (e.g., latency). Note that $n_{\mathrm{m}\mathrm{a}\mathrm{x}}={\mathrm{m}\mathrm{a}\mathrm{x}}_i \left(n_i\right)$.

From Lines 1 to 14, the input matrix $\mathit{V}$ is multiplied by the Householder matrix $\mathit{H}=\tilde{\mathit{I}}-2\mathit{v}\times {\mathit{v}}^T$, where $\mathit{v}=\mathrm{H}\mathrm{H}(\mathit{V}[0,:{]}^T)$ is the Householder vector obtained by Alg. 2 with the first row of $\mathit{V}$ as input. This transformation is recursively performed on the $(i,i)$ minors of $\mathit{V}$ by discarding the first row and the first column to incrementally obtain the lower-triangular matrix $\mathit{R}$. Due to SF-PCA’s vectorized encoding scheme, the sub-matrix is efficiently obtained by applying a single ciphertext rotation per row (Line 9). In SF-PCA, $\mathit{R}$ is only used during the eigendecompostion in Step 6. $\mathit{Q}$ is computed in the second part (Lines 15 to 22) and corresponds to the product of all Householder matrices $\mathit{H}$.

Recall that we minimize bootstrapping by refreshing only small-dimensional data that are globally shared among the DPs (§.5). The intermediate values in ${\mathrm{Q}\mathrm{R}}^T$ satisfy this condition as they are derived from the input matrix that is already aggregated. Hence, the optimized number of invocations of $\mathrm{D}\mathrm{B}\mathrm{o}\mathrm{o}\mathrm{t}\mathrm{s}\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{p}(·)$ for ${\mathrm{Q}\mathrm{R}}^T$ corresponds to its multiplicative depth divided by $\lambda$. For ${\mathrm{D}\mathrm{Q}\mathrm{R}}^T$, the input matrix is split among the DPs. In this case, the results of the collective aggregation $\left(\mathrm{\Xi }\right)$ in Lines 5 and 18, which constitute globally shared vectors among the DPs, are bootstrapped before being broadcast (shown as the additional cost).

Eigendecomposition of Encrypted Matrices.

Alg. 4 decomposes an encrypted matrix $\mathit{M}$ into $\mathit{Q}\times \mathit{L}\times {\mathit{Q}}^T$, where $\mathit{Q}$ is a matrix of eigenvectors and $\mathit{L}$ is a diagonal matrix with the diagonal defined by the encrypted vector of eigenvalues $\mathit{l}$. The eigenvalues are ordered from the largest to the smallest. We adapt the standard QR iteration algorithm [79], [91] to the setting with an encrypted input matrix. The encrypted matrix is first tridiagonalized, i.e., transformed to a matrix where the only nonzero elements are in the diagonal, the subdiagonal, or the superdiagonal, which is known to improve the convergence rate of eigendecomposition [79]. The tridiagonalization is achieved by applying Householder transformations (using Alg. 2) to different subparts of the matrix to introduce zeros (Lines 2 to 11 in Alg. 4). The resulting encrypted matrix $\mathit{T}$ is then iteratively factorized using ${\mathrm{Q}\mathrm{R}}^T$ (Line 17) into $\mathit{R}\times {\mathit{Q}}^{\prime }$ (note the row-wise application of QR) and reconstructed as ${\mathit{Q}}^{\prime }\times \mathit{R}$ to gradually transform the matrix into a diagonal matrix. During this process, the last diagonal element converges to the smallest eigenvalue of the input. This is then executed for each eigenvalue in an ascending order, and the corresponding eigenvectors are obtained from the product of all ${\mathit{Q}}^{\prime }$ matrices. We perform all small-matrix multiplications (Lines 6, 7, 8, 18) by encoding each matrix in a single ciphertext and employing the technique of Jiang et al. [59]. We refer to this method as M5 to distinguish from the large-scale, unbalanced setting in M3 with ciphertext-cleartext multiplications. Multiplying two $s\times s$ encrypted matrices requires $5s$ Mults and $3s+5\sqrt{s}$ Rots. We convert the matrices to our row-wise encoding scheme (in Lines 6, 9, 10, 12, 15, 17, 20, 22, 23) using one multiplication and one rotation per row, only to efficiently perform row and column selections. Similarly as Alg. 3, this method operates on globally shared inputs, and its optimized communication cost scales with the multiplicative depth divided by $\lambda$, in addition to the costs of the $\mathrm{H}\mathrm{H}$ and ${\mathrm{Q}\mathrm{R}}^T$ subroutines.

Meta-analysis.

For comparison, we replicate the meta-analysis approach of Liang et al [41], whereby a central computing server performs a truncated SVD on the combined SVD results obtained independently by each DP. In Fig. 5, we show that this solution yields the least accurate results across all datasets. Note that SF-PCA significantly improves upon the accuracy of meta-analysis by emulating a centralized PCA. Moreover, most meta-analysis solutions [33], [34], [35], [36], [37], [38], [39], [40], [41], [42], [43] are not end-to-end secure as the DPs’ intermediate results are revealed to an aggregator server (or to the other DPs). These solutions achieve similar runtimes as non-secure centralized solutions because they also operate on unprotected cleartext data.

Centralized HE (C-HE).

We estimate the runtime of an HE-based centralized solution based on SF-PCA’s runtime as follows. We account for the fact that the computations cannot be distributed among the DPs and that all operations must be performed on the encrypted data. Recall that SF-PCA exploits local cleartext operations to optimize computation (e.g., §.6.1) and that multiplying two ciphertexts is 8 times slower than a plaintext-ciphertext multiplication. We also include the overhead brought by a centralized bootstrapping routine [90], which is two orders of magnitude slower than DBootstrap, e.g., 26 seconds for [90] vs. 0.49 seconds with DBootstrap. Furthermore, since centralized bootstrapping consumes levels and lowers the number of available levels for multiplications, C-HE would require more conservative cryptographic parameters with larger ciphertexts, and thus higher computation and communication costs. In Fig. 5, we show the estimated lower bound of the runtime for a C-HE solution executed by a single DP. We remark that SF-PCA, by distributing its workload and relying on efficient interactive protocols, is consistently 1–2 orders of magnitude faster than a C-HE solution. We note that we consider C-HE solutions based on the same underlying scheme of SF-PCA with comparable parameters, and that more sophisticated centralized solutions could be devised. However, those would still suffer from a high communication overhead and introduce a single point of failure due to the data centralization.

Secret Sharing-based SMC.

In Fig. 5, we compare SF-PCA’s runtime with the linear (additive) secret sharing-based SMC solution proposed by Cho et al. [45]. In this solution, two computing servers perform PCA on secret-shared data, and a third server is responsible for the generation and distribution of correlated random numbers used in SMC protocols (e.g., Beaver triples [101]). This additional party is trusted to correctly generate these values and not to collude with any other party. We ran Cho et al.’s publicly available, two-party solution [102] in our evaluation environment. We further estimated the runtime of this solution with 6 DPs under linear scaling with the number of DPs. We observe that SF-PCA is between 3x and 10x faster than the SMC solution while operating in a stronger threat model without the need for an honest third party. We also note that the SMC solution requires the entire dataset to be secret-shared among the computing parties, which can be costly for large datasets and complicate regulatory compliance. For example, with the Lung dataset [55], this represents a communication overhead of more than 60 GB. Finally, we note that SMC solutions heavily rely on interactive computations, leading to many rounds of communication in total. Since a large portion of SF-PCA is local non-interactive computation by each DP, SF-PCA remains practical even in constrained networks with high communication delays, unlike the SMC solutions. For example, when we double the delay from 20ms to 40ms, we observed that SF-PCA’s runtime remains almost constant, whereas the SMC solution becomes 1.9 times slower in the two-party setting. In §.8, we describe an extension of SF-PCA which uses secret sharing specifically for non-polynomial operations over low-dimensional inputs.