Practical Secure Two-Party Computation and Applications Lecture 3: - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Practical Secure Two-Party Computation and Applications

Lecture 3: Tools and Applications

Estonian Winter School in Computer Science 2016

slide-2
SLIDE 2

Overview of this lecture

[Diagram labels: Special Purpose Protocols; Generic Protocols; Arithmetic Circuit; Boolean Circuit; Homomorphic Encryption; GMW; Yao; OT; One-Time Pad; Public Key Crypto; Symmetric Crypto]

Part 1: TASTY
Part 2: ABY
Part 3: GSHADE

slide-3
SLIDE 3

Part 1: TASTY

  • W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, I. Wehrenberg: TASTY - Tool for Automating Secure Two-partY computations. In ACM CCS’10.

Code: http://encrypto.de/code/TASTY

slide-4
SLIDE 4

How to use SFE for your specific task?

Goal: Automize with Tools

[Diagram labels: Task / Problem; Algorithm; SFE Protocol; Implementation; Measure Performance; Homomorphic Encryption (HE); Garbled Circuits (GC)]

slide-5
SLIDE 5

SFE Compilers and Libraries

Abstraction Level                       Primitives                                          Tools (columns GC, HE)
Function Description (What?)            I/O, computation                                    Fairplay(MP), (Py)SMCL
Protocol Description (How?)             I/O, enc/dec, compute under encryption              VIFF, SMC, Sharemind; here: TASTY
Protocol Implementation (How Exactly?)  I/O, protocols, messages, crypto primitives         Qilin, L1

Previous SFE compilers were restricted to either GC or HE.

slide-6
SLIDE 6

SFE with Homomorphic Encryption (HE)

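Application: SFE by Computing on Encrypted Data

[Diagram labels: Server, Client; private data x, private data y; messages pk, $\llbracket x \rrbracket$ and $\llbracket z \rrbracket$; $\llbracket z \rrbracket = f(\llbracket x \rrbracket, \llbracket y \rrbracket)$; output z; restricted to specific homomorphic operation(s)]

$\forall x, y \in P:\ \llbracket x\ y \rrbracket = \llbracket x \rrbracket\ \llbracket y \rrbracket$, $\llbracket x \rrbracket := \mathrm{Enc}_{pk}(x)$

Property    HE Schemes
+           [Paillier99], [DamgårdJ01], [DamgårdGK07], ...
+, 1*       [BonehGN05], [GentryHV10], ...
+, *        [Gentry09], [SmartV10], [vanDijkGHV10], ...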

slide-7
SLIDE 7

Examples for Homomorphic Encryption Schemes

Multiplicatively homomorphic encryption:

  • $E_{pk}(x)\, E_{pk}(y) = E_{pk}(xy)$
  • RSA: $c_1 = x_1^e \bmod n$, $c_2 = x_2^e \bmod n$
    $c_1 c_2 = (x_1^e)(x_2^e) \bmod n = (x_1 x_2)^e \bmod n$
  • ElGamal: $c_1 = (g^{r_1};\ x_1 h^{r_1})$, $c_2 = (g^{r_2};\ x_2 h^{r_2})$
    $c_1 c_2 = (g^{r_1+r_2};\ x_1 x_2 h^{r_1+r_2})$

Additively homomorphic encryption:

  • $E_{pk}(x)\, E_{pk}(y) = E_{pk}(x+y)$
  • $E_{pk}(x)^a = E_{pk}(ax)$
  • Paillier: $c_1 = g^{x_1} r_1^n \bmod n^2$, $c_2 = g^{x_2} r_2^n \bmod n^2$
    $c_1 c_2 = g^{x_1+x_2} (r_1 r_2)^n \bmod n^2$
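The Paillier identities above can be checked with a toy implementation. This is an added example, not code from the lecture or from TASTY; the primes, the choice g = n + 1 and all function names are assumptions made for the illustration, and the key size is far too small for real use.

```python
import math
import secrets

def keygen(p=65537, q=2147483647):
    # Constructed toy primes (a Fermat and a Mersenne prime); insecure key size.
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # assumed generator choice
    # mu = L(g^lam mod n^2)^-1 mod n, with L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pk, x):
    # c = g^x * r^n mod n^2 with fresh randomness r coprime to n
    n, g = pk
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, x, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def add(pk, c1, c2):
    # E(x) * E(y) = E(x + y): multiply ciphertexts to add plaintexts
    n, _ = pk
    return (c1 * c2) % (n * n)

def scalar_mul(pk, c, a):
    # E(x)^a = E(a * x): exponentiate by a public constant
    n, _ = pk
    return pow(c, a, n * n)

def demo():
    pk, sk = keygen()
    n = pk[0]
    c1, c2 = encrypt(pk, 1234), encrypt(pk, 5678)
    total = decrypt(pk, sk, add(pk, c1, c2))
    scaled = decrypt(pk, sk, scalar_mul(pk, c1, 7))
    # Plaintext arithmetic is modulo n, so sums wrap around silently.
    wrapped = decrypt(pk, sk, add(pk, encrypt(pk, n - 1), encrypt(pk, 5)))
    # Encryption is randomised: the same plaintext gives a new ciphertext.
    rerandomised = encrypt(pk, 1234) != c1
    return total, scaled, wrapped, rerandomised
```

The wrap-around case is the one to watch when sizing the plaintext space for blinded values.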

slide-8
SLIDE 8

Performance of Homomorphic Encryption

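  • Fully HE: minimal interaction but not practical yet
    – [SmartV10]: 3.5s to encrypt 1 bit (up to 2*)
    – [HaleviGentry EC’10 Rump]: Re-Crypt 30min (deg=15, dim=2^15)
  • Additively Homomorphic Encryption is practical but needs interaction for multiplication:

    given $\llbracket x \rrbracket$, $\llbracket y \rrbracket$: choose random $r_x$, $r_y$
    $\llbracket \bar{x} \rrbracket = \llbracket x \rrbracket\ \llbracket r_x \rrbracket$, $\llbracket \bar{y} \rrbracket = \llbracket y \rrbracket\ \llbracket r_y \rrbracket$
    send $\llbracket \bar{x} \rrbracket$, $\llbracket \bar{y} \rrbracket$
    $\bar{z} = \bar{x} * \bar{y}$
    return $\llbracket \bar{z} \rrbracket$
    $\llbracket x * y \rrbracket = \llbracket \bar{z} \rrbracket - r_y \llbracket \bar{x} \rrbracket - r_x \llbracket \bar{y} \rrbracket - \llbracket r_x * r_y \rrbracket$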

slide-9
SLIDE 9

Combine Advantages of HE and GC

  • HE good for linear operations (+,*)
  • GC good for + and non-linear operations (<, min, ...)
  • convert HE ⇔ GC [BrickellPSW07], [BarniFKLSS09], [KolesnikovSS13], ...
    1. A: add random mask under encryption
    2. B: decrypt + encrypt with new scheme
    3. A: take off random mask under encryption

slide-10
SLIDE 10

Theoretical Framework: SFE using GC + HE

SFE = convert + compute on encrypted data [KolesnikovSS13]

  • 1. encrypt inputs
  • 2. compute under encryption
  • 3. decrypt outputs

[Diagram labels: Client C, Server S; Inputs/Outputs: Plain Value x; Encrypted Values: Homomorphic Value $\llbracket x \rrbracket$, Garbled Value $\tilde{x}$; SFE of Arithmetic Circuits using Homomorphic Encryption; SFE of Boolean Circuits using Garbled Circuits]

slide-11
SLIDE 11

Contributions of the TASTY Framework

TASTY: SFE tool to arbitrarily combine GC+HE

  • TASTYL: Intuitive Protocol Description Language
  • For many privacy-preserving applications
  • Primitives: shift complexity into setup phase
  • Performance:
    – Faster GC implementation (10x faster online phase)
    – Fast Multiplication Circuits
    – Multiplication GC vs. HE

slide-12
SLIDE 12

TASTY: Tool for Automating Secure Two-partY computations

Design Goals:

  • program SFE protocols as sequence of operations on encrypted data
  • minimize latency of online phase by pre-computing in setup phase
  • test, benchmark + compare performance of SFE protocols

[Diagram labels: Client C and Server S, each with Input and Output; Protocol Description in TASTYL; Runtime Environment: Analyzation Phase, Setup Phase, Online Phase; Costs]

slide-13
SLIDE 13

TASTYL: Types and Operators

[Diagram: TASTYL types and their operators]

  • Value (bitlength; Unsigned, Signed, Modular): +, -, *
  • Plain Value: rand, input, output, /, <, =, ...
  • Homomorphic Value
  • Garbled Value: mux, <, =, ...
  • Vector (Unsigned Vector, Signed Vector, Modular Vector): +, -, *, dot
  • Plain Vector: rand, input, output, /, =, ...
  • Homomorphic Vector
  • Garbled Vector: min, max, ...

slide-14
SLIDE 14

TASTYL: Example

Inputs: C has vector v and S has vector w (N=4 unsigned L=32-bit values each)
Output: C obtains $\min_{i=1,..,N}(v_i \cdot w_i)$

    def protocol(client, server):
        N = 4
        L = 32
        # input of client
        client.v = UnsignedVec(bitlen=L, dim=N)
        client.v.input(desc="enter values for v")
        # input of server
        server.w = UnsignedVec(bitlen=L, dim=N)
        server.w.input(desc="enter values for w")
        # convert unsigned to homomorphic vector
        client.hv = HomomorphicVec(val=client.v)
        server.hv <<= client.hv
        # multiply vectors (component-wise)
        server.hx = server.hv * server.w
        # convert homomorphic to garbled vector
        client.gx <<= GarbledVec(val=server.hx)
        # compute minimum value
        client.gmin = client.gx.min_value()
        # convert garbled to unsigned value and output
        client.min = Unsigned(val=client.gmin)
        client.min.output(desc="minimum value")

slide-15
SLIDE 15

Privacy-Preserving Applications in TASTYL

  • Private Set Intersection [FreedmanNP04]: HE
  • Face-Recognition [SSW09]: HE+GC
    – based on Eigenface algorithm [TurkP91]
    – better online communication than [ErkinFGKLT09]: HE
    – less efficient than hand-optimized code [SSW09]
    – SCiFI [OsadchyPJM10] is more accurate/efficient: co-designed recognition algorithm and protocol
  • Medical Diagnostics (ECG) [BFKLSS09]: HE+GC
  • ...
slide-16
SLIDE 16

Multiplication Circuits for ℓ-bit values

  • Textbook multiplication: $2\ell^2 - \ell$ non-XORs [KSS09]
  • Fast multiplication [KaratsubaO62]: $\approx 9\ell^{1.6} - 13\ell - 34$ non-XORs

Bitlength ℓ    19       20       32       64       128
Textbook       703      780      2,016    8,128    32,640
Karatsuba      703      721      1,729    5,683    17,973
Improvement    0.0 %    7.6 %    14.2 %   30.1 %   44.9 %

Algorithm 1 Karatsuba multiplication

    function KARATSUBA(x, y)                 ▷ x, y are ℓ-bit values
        if ℓ ≤ 19 then
            return TEXTBOOK(x, y)
        end if
        x_h || x_l ← x                       ▷ split x into high and low halves
        y_h || y_l ← y                       ▷ split y into high and low halves
        P_h ← KARATSUBA(x_h, y_h)
        P_l ← KARATSUBA(x_l, y_l)
        x_s ← x_h + x_l
        y_s ← y_h + y_l
        P_s ← KARATSUBA(x_s, y_s)
        P_d ← P_s − P_h − P_l
        return (P_h · 2^(2⌈ℓ/2⌉)) + P_d · 2^(⌈ℓ/2⌉) + P_l
    end function

slide-17
SLIDE 17

Multiplication using GC vs. HE

  • Multiplication = fundamental basic operation
  • Compare efficiency with TASTY (80 bit security level)

[Diagram labels: Client C, Server S; z = x · y; settings HE1, GC1, GC2, HE2; inputs x, y]

slide-18
SLIDE 18

Multiplication GC vs. HE: Communication

[Plot: Data in Bytes (log scale) vs. Bitlength (1 to 128); series: HE1: Online, HE2: Online, GC1: Setup, GC1: Online, GC2: Setup, GC2: Online]

HE: better setup costs
GC: less online costs for small operands

slide-19
SLIDE 19

Multiplication GC vs. HE: Setup Time

[Plot: Setup Time in ms (log scale) vs. Bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC2: C]

HE: less setup time

slide-20
SLIDE 20

Multiplication GC vs. HE: Online Time

[Plot: Online Time in ms (log scale) vs. Bitlength (1 to 128); series: HE1: C, HE1: S, HE2: C, HE2: S, GC1: C, GC1: S, GC2: C, GC2: S]

GC: negligible online work for S
GC: better for small operands

slide-21
SLIDE 21

Part 2: ABY

  • D. Demmler, T. Schneider, M. Zohner: ABY - a framework for efficient mixed-protocol secure two-party computation. In NDSS’15.

Code: http://encrypto.de/code/ABY

slide-22
SLIDE 22

Protocol Development

[Diagram: layers of protocol development]

  • Idea: Function
  • Representation: Boolean Circuits, Arithmetic Circuits
  • Protocol: GMW, Yao (Boolean); DGK, Paillier (Arithmetic)
  • Optimizations: Point-and-permute, Fixed-Key Garbling, Free-XOR, Half-Gates, ...
  • Existing Frameworks, Abstract Languages

slide-23
SLIDE 23

Mixed Protocols

  • Some functionalities have a more efficient circuit representation
  • Multiplication in Boolean circuits: $O(n^2)$
  • Comparison in Arithmetic circuits: O(n) multiplications of q-bit values
  • TASTY [HKSSW10] combines Paillier (Arithmetic) and Yao (Boolean)
  • Multiplication and conversion requires public-key operation
  • For long-term security, Yao-only is often most efficient [KSS14]

slide-24
SLIDE 24

Example: Minimum Euclidean Distance

Minimum Euclidean Distance: $\min\left(\sum_{i=1}^{d}(S_{i,1} - C_i)^2, \ldots, \sum_{i=1}^{d}(S_{i,n} - C_i)^2\right)$

  • Server holds database S, client holds query C
  • Used in biometric matching (face-recognition, fingerprint, …)

[Diagram labels: Function; Boolean Circuits (GMW, Yao); Arithmetic Circuits (Paillier, DGK)]

slide-25
SLIDE 25

Outline

1) More efficient multiplication using OT extension
2) More efficient conversion
3) Mixed-protocol framework called ABY

[Diagram labels: Function; Boolean Circuits (GMW, Yao); Arithmetic Circuits (DGK, Paillier); 1. OT-ext.; 2. Conversion; 3. ABY]

slide-26
SLIDE 26

Multiplication using OT [Gilboa99]

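School Multiplication z = x * y with x = x3x2x1x0 and y = y3y2y1y0:

      x3x2x1x0 * y3y2y1y0
      (x3x2x1x0)       * y0
    + (x3x2x1x0 0)     * y1
    + (x3x2x1x0 0 0)   * y2
    + (x3x2x1x0 0 0 0) * y3
    = z7z6z5z4z3z2z1z0

One OT per bit of y:

  • $r_0 \in_R \mathbb{Z}_{2^8}$; OT with inputs $(r_0,\ r_0 + x)$ and choice bit $y_0$ gives $s_0 = r_0 + x * y_0$
  • $r_1 \in_R \mathbb{Z}_{2^8}$; OT with inputs $(r_1,\ r_1 + 2x)$ and choice bit $y_1$ gives $s_1 = r_1 + 2x * y_1$
  • . . .
  • $r_3 \in_R \mathbb{Z}_{2^8}$; OT with inputs $(r_3,\ r_3 + 8x)$ and choice bit $y_3$ gives $s_3 = r_3 + 8x * y_3$

$[z]_A = \sum_{i=0}^{3} (-r_i)$

$[z]_B = \sum_{i=0}^{3} s_i = \sum_{i=0}^{3} r_i + \sum_{i=0}^{3} 2^i x * y_i$

$z = [z]_A + [z]_B$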
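The OT-based multiplication above, generalised from 4-bit to ℓ-bit inputs, as an added example that is not code from the slides or from ABY. The function names are assumptions, and `ot` is an ideal stand-in where a real protocol would run oblivious transfer (or OT extension).

```python
import secrets

def ot(m0, m1, choice):
    # Ideal 1-out-of-2 OT stand-in: the receiver learns only m_choice and the
    # sender learns nothing about choice. Assumption of this sketch.
    return m1 if choice else m0

def sender_messages(x, bits, mod):
    """Party A (holds x): one random mask r_i and one OT pair per bit of y."""
    masks = [secrets.randbelow(mod) for _ in range(bits)]
    # Pair i is (r_i, r_i + 2^i * x), exactly as on the slide.
    pairs = [(r, (r + (x << i)) % mod) for i, r in enumerate(masks)]
    share_a = (-sum(masks)) % mod            # [z]_A = sum of (-r_i)
    return pairs, share_a

def receiver_share(y, pairs, mod):
    """Party B (holds y): selects with bit y_i in OT i and sums the s_i."""
    return sum(ot(m0, m1, (y >> i) & 1)
               for i, (m0, m1) in enumerate(pairs)) % mod   # [z]_B

def multiply(x, y, bits=4):
    # Shares live in Z_{2^(2*bits)} so the full product fits (Z_{2^8} for 4 bits).
    mod = 1 << (2 * bits)
    pairs, share_a = sender_messages(x, bits, mod)
    share_b = receiver_share(y, pairs, mod)
    return share_a, share_b, (share_a + share_b) % mod

def check_all(bits=4):
    # Exhaustive check of z = [z]_A + [z]_B over every pair of inputs.
    return all(multiply(x, y, bits)[2] == x * y
               for x in range(1 << bits) for y in range(1 << bits))
```

Each share on its own is masked by the fresh r_i values; only their sum is the product, and the cost is one OT per bit of y.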

slide-27
SLIDE 27

Multiplication using OT Extension

Use a multiplication protocol that is based on OT extension

  • Requires symmetric-key cryptography only

Compare one multiplication using Paillier, DGK, and OT extension

[Plots: Communication (Bytes) and Run-time (μs, log scale) vs. Bit-Length of Values (8, 16, 32, 64); series: Paillier (WAN), DGK (WAN), Paillier (LAN), DGK (LAN), OT-Ext (WAN), OT-Ext (LAN)]

Communication and run-time for 1 multiplication in LAN and WAN for long-term security

slide-28
SLIDE 28

The ABY framework

Combine:

  • Arithmetic sharing
  • Boolean sharing (GMW)
  • Yao's garbled circuits

Efficient conversions between schemes

Use best practices in secure computation:

  • batch pre-compute crypto
  • use symmetric crypto where possible
  • use sub-protocols with recent optimizations

slide-29
SLIDE 29

ABY Secure Computation Schemes

Arithmetic sharing:

  • Free addition / cheap multiplication
  • Good for multiplication

Boolean sharing:

  • Free XOR / one message per AND
  • Good for multiplexing

Yao's garbled circuits:

  • Free XOR / no interaction per AND
  • Good for comparison

Multiplication Protocol    Yao    Mixed
LAN [µs]                   1.1    0.1
Comm. [KB]                 100    5

[Diagram: inputs a, b; output c = a*b]

slide-30
SLIDE 30

Example: Minimum Euclidean Distance

Minimum Euclidean Distance: $\min\left(\sum_{i=1}^{d}(S_{i,1} - C_i)^2, \ldots, \sum_{i=1}^{d}(S_{i,n} - C_i)^2\right)$

  • Server holds database S, client holds query C
  • Used in biometric matching (face-recognition, fingerprint, …)

1) Evaluate in Arithmetic circuits using Paillier [EFGJKT09] or DGK [BG11]

  • Comparison is costly

2) Multiplication in Arithmetic; Comparison in Boolean circuits [HKSSW10]

  • Costly conversion/multiplication: expensive public-key crypto

3) Evaluate everything in Boolean circuits using Yao [KSS14]

slide-31
SLIDE 31

Example: Minimum Euclidean Distance

Minimum Euclidean Distance: $\min\left(\sum_{i=1}^{d}(S_{i,1} - C_i)^2, \ldots, \sum_{i=1}^{d}(S_{i,n} - C_i)^2\right)$

dist    min    LAN [s]    WAN [s]    Comm [MB]    #Msg
Y       Y      2.55       24.62      147.7        2
B       B      2.43       39.41      99.9         129
A       Y      0.19       3.42       5.0          8
A       B      0.21       26.41      4.6          101

Euclidean distance for n = 512 values of 32-bit length and d = 4.

slide-32
SLIDE 32

Summary of ABY Framework

  • ABY = mixed-protocol secure computation framework
  • Abstract from underlying secure computation protocol
  • Use only fast symmetric key crypto

slide-33
SLIDE 33

Part 3: Privacy-Preserving Biometric Identification

  • J. Bringer, H. Chabanne, M. Favre, A. Patey, T. Schneider, M. Zohner: GSHADE: Faster privacy-preserving distance computation and biometric identification. In ACM IH&MMSEC’14.

Code: http://encrypto.de/code/GSHADE

slide-34
SLIDE 34

Privacy-Preserving Biometric Identification

Task: Check if query is similar to an entry in the DB.

  • without revealing the query to the server
  • without revealing the DB to the client

[Diagram: query X and database entries Y1, Y2, Y3, ..., Yn]

slide-35
SLIDE 35

Use-Cases

  • Biometric Access Control / Border Control
  • Anonymous Biometric Credentials
  • Secure Biometric Database Intersection

slide-36
SLIDE 36

The SCiFI Algorithm [Osadchy/Pinkas/Jarrous/Moskovich S&P’10]

[Diagram: the query is compared with each database entry: HD( , ) < t1 ?, HD( , ) < t2 ?, HD( , ) < t3 ?, ..., HD( , ) < tn ?]

Compute Hamming distance of ℓ=900 bit strings and compare with threshold.

slide-37
SLIDE 37

Privacy-Preserving Biometric Identification: Classification

Technique (columns, left to right): Public-Key Crypto; Boolean / Hybrid; OT-based

Distance (entries listed left to right):

  • Hamming (HD): [OPJM10], [HEKM11], [SZ13], [BCP13] SHADE, GSHADE
  • Euclidean: [EFG+09], [SSW09], [HKS+10], [BG11], [HMEK11], [SZ13], GSHADE
  • Normalized HD: [BG11], GSHADE

slide-38
SLIDE 38

SHADE

Secure Hamming Dist. computation from OT [BringerChabannePatey’13]

Goal: compute $HD(X,Y) = \sum_{i=1}^{\ell} (x_i \oplus y_i)$

for i = 1..ℓ:
    choose $r_i \in_R \mathbb{Z}_{\ell+1}$
    OT with inputs $(r_i + y_i\ ;\ r_i + (1 - y_i))$ and choice bit $x_i$ gives $t_i = r_i + (x_i \oplus y_i)$

$T = \sum t_i = R + HD(X,Y)$, $R = \sum r_i$

Continue with generic MPC protocol (e.g., Yao or GMW) from T - R = HD(X,Y) …

slide-39
SLIDE 39

GSHADE: Optimizations and Generalization of SHADE

  • For multiple HD computations: HD(X,Y1), HD(X,Y2), …: Same number of OTs, but on longer strings
  • Can use correlated OT (C-OT) to improve communication
  • Generalize to larger class of functions $f(X,Y) = f_X(X) + f_Y(Y) + \sum f_i(x_i, Y)$
  • Hamming Distance: $f_X = f_Y = 0$, $f_i(x_i, Y) = x_i \oplus y_i$
  • Squared Euclidean Distance (for faces & fingerprints): $f_X(X) = \sum x_i^2$, $f_Y(Y) = \sum y_i^2$, $f_i(x_i, Y) = -2 x_i y_i$
  • Normalized Hamming Distance (for irises): $\frac{\sum_{i=1}^{\ell} (m_i m'_i (x_i \oplus y_i))}{\sum_{i=1}^{\ell} (m_i m'_i)}$
  • Squared Mahalanobis Distance (for hand shapes, keystrokes, signatures): $(X - Y)^T M (X - Y)$

slide-40
SLIDE 40

GSHADE Protocol

Goal: compute $f(X,Y) = f_X(X) + f_Y(Y) + \sum f_i(x_i, Y)$

for i = 1..ℓ:
    choose $r_i \in_R \mathbb{Z}_m$
    OT with inputs $(r_i + f_i(0,Y)\ ;\ r_i + f_i(1,Y))$ and choice bit $x_i$ gives $t_i = r_i + f_i(x_i, Y)$

$T = f_X(X) + \sum t_i$

$R = -f_Y(Y) + \sum r_i$

Continue with generic MPC from T - R = f(X,Y) = …
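The GSHADE message flow above, with the SHADE Hamming-distance case and the squared Euclidean case as two instances. This is an added example, not code from the GSHADE release: the function names, the ideal `ot` stand-in, the bit decomposition of multi-bit coordinates and the choice of modulus are assumptions of the sketch.

```python
import secrets

def ot(m0, m1, choice):
    # Ideal 1-out-of-2 OT stand-in: the receiver gets m_choice only and the
    # sender does not learn choice. A deployment runs real (correlated) OT.
    return m1 if choice else m0

def gshade(x_bits, f_x, f_y, f_i, m):
    """Return (T, R) with T - R = f(X, Y) mod m.

    x_bits: client's bits x_i; f_x = f_X(X), computed by the client.
    f_y = f_Y(Y) and f_i(i, b) = f_i(b, Y) are computed by the server.
    """
    T = f_x % m                       # client's running value
    R = -f_y % m                      # server's running value
    for i, x_i in enumerate(x_bits):
        r_i = secrets.randbelow(m)    # server: fresh mask r_i in Z_m
        t_i = ot((r_i + f_i(i, 0)) % m, (r_i + f_i(i, 1)) % m, x_i)
        T = (T + t_i) % m
        R = (R + r_i) % m
    return T, R

def hamming(x_bits, y_bits):
    # SHADE instance: f_X = f_Y = 0, f_i(x_i, Y) = x_i XOR y_i, m = l + 1.
    m = len(x_bits) + 1
    T, R = gshade(x_bits, 0, 0, lambda i, b: b ^ y_bits[i], m)
    return T, R, m

def squared_euclidean(xs, ys, bits=8):
    # Assumption: coordinate k is split into `bits` bits, and bit j of it
    # uses f_i = -2 * 2^j * x_bit * y_k, so the bit terms sum to -2*x_k*y_k.
    m = 1 << (2 * bits + len(xs).bit_length())   # exceeds the largest distance
    x_bits = [(x >> j) & 1 for x in xs for j in range(bits)]
    f_i = lambda i, b: -2 * b * (ys[i // bits] << (i % bits))
    T, R = gshade(x_bits, sum(x * x for x in xs),
                  sum(y * y for y in ys), f_i, m)
    return T, R, m

def opened(T, R, m):
    # For checking this example only: in the protocol T and R stay with their
    # owners and are fed into the generic MPC step (e.g. threshold compare).
    return (T - R) % m
```

The modulus must exceed the largest possible distance, otherwise T - R wraps and the later comparison is made on the wrong value.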

slide-41
SLIDE 41

Performance of GSHADE

Algorithm      Distance              Time in s    Communication in MB
SCiFI          Hamming               1,0          6,2
Eigenfaces     Euclidean             5,0          83,6
FingerCodes    Euclidean             6,7          67,5
IrisCodes      Normalized Hamming    9,1          56,4

Compare biometric sample with DB of 5,000 entries.

slide-42
SLIDE 42

Performance for SCiFI

[Bar chart: Runtime in s (log scale) for |DB|=100, |DB|=320, |DB|=50,000; series: HE [OPJM10], GC [HEKM11], GMW [SZ13], GSHADE+GMW [BCF+14]. Bar labels as extracted: 9,9; 0,3; 0,2; 46; 0,5; 0,3; 42,9; 8,8; 244,0]

[Bar chart: Communication in MB (log scale) for |DB|=100, |DB|=320, |DB|=50,000; same series. Bar labels as extracted: 63,4; 0,5; 0,2; 886,5; 5,7; 1,7; 8,3; 2,6; 7,3]

slide-43
SLIDE 43

Runtime for SCiFI

Numbers taken from papers (not measured on same machines).

[Bar chart: Runtime in s (log scale) for |DB|=100, |DB|=320, |DB|=50,000; series: HE (Java) [OPJM10], GC (Java) [HEKM11], GMW (C++) [SZ13], GSHADE+GMW (C++) [BCF+14]. Bar labels as extracted: 9,9; 0,3; 0,2; 46; 0,5; 0,3; 42,9; 8,8; 244,0]

slide-44
SLIDE 44

Communication for SCiFI

Improvement by 1 order of magnitude.

[Bar chart: Communication in MB (log scale) for |DB|=100, |DB|=320, |DB|=50,000; series: HE (Java) [OPJM10], GC (Java) [HEKM11], GMW (C++) [SZ13], GSHADE+GMW (C++) [BCF+14]. Bar labels as extracted: 63,4; 0,5; 0,2; 886,5; 5,7; 1,7; 8,3; 2,6; 7,3]

slide-45
SLIDE 45

Performance for Eigenfaces

[Bar chart: Runtime in s (log scale) for |DB|=320, |DB|=1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]. Bar labels as extracted: 1,3; 0,6; 26,3; 17,7; 139,6; 79,6; 40,0]

[Bar chart: Communication in MB (log scale) for |DB|=320, |DB|=1,000; same series. Bar labels as extracted: 9,4; 7,7; 446; 291,1; 17; 9,2; 7,3]

slide-46
SLIDE 46

Runtime for Eigenfaces

Numbers taken from papers (not measured on same machines).

[Bar chart: Runtime in s (log scale) for |DB|=320, |DB|=1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]. Bar labels as extracted: 1,3; 0,6; 26,3; 17,7; 139,6; 79,6; 40,0]

slide-47
SLIDE 47

Communication for Eigenfaces

[Bar chart: Communication in MB (log scale) for |DB|=320, |DB|=1,000; series: HE [EFG+09], HE+GC [HKS+10], GMW [SZ13], GSHADE+GMW [BCF+14]. Bar labels as extracted: 9,4; 7,7; 446; 291,1; 17; 9,2; 7,3]

slide-48
SLIDE 48

Performance for Iriscodes

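[Bar chart: Runtime in s (log scale) for |DB|=320, |DB|=10,000; series: HE+GC [BG11], GSHADE+GMW [BCF+14]. Bar labels as extracted: 17,2; 0,5; 212,6; 17,6]

[Bar chart: Communication in MB (log scale) for |DB|=320, |DB|=10,000; same series. Bar labels as extracted: 87,5; 4,9; 37,6; 1,7]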

slide-49
SLIDE 49

Performance for Fingercodes

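[Bar chart: Runtime in s (log scale) for |DB|=128, |DB|=1,024; series: HE+GC [HMEK11], GSHADE+GMW [BCF+14]. Bar labels as extracted: 1,6; 0,3; 1114,3; 148,2]

[Bar chart: Communication in MB (log scale) for |DB|=128, |DB|=1,024; same series. Bar labels as extracted: 13,8; 1,8; 17,5; 2,2]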

slide-50
SLIDE 50

Summary

Part 1: TASTY

  • combine protocols based on Homomorphic Encryption and Garbled Circuits

Part 2: ABY

  • combine protocols based on Arithmetic, Boolean (GMW), and Yao (GC) sharing

Part 3: Privacy-preserving biometric identification

  • Applications can be built efficiently directly on OT

slide-51
SLIDE 51

EXERCISE 4

Design a public-key based OT protocol with two messages using additively homomorphic encryption.

slide-52
SLIDE 52

Literature

  • M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider: Secure evaluation of private linear branching programs with medical applications. In ESORICS’09.

  • M. Blanton, P. Gasti: Secure and Efficient Protocols for Iris and Fingerprint Identification. In ESORICS’11.
  • J. Bringer, H. Chabanne, M. Favre, A. Patey, T. Schneider, M. Zohner: GSHADE: Faster privacy-preserving distance computation and biometric identification. In ACM IH&MMSec’14.

  • J. Bringer, H. Chabanne, A. Patey. SHADE: secure hamming distance computation from oblivious transfer. In FC Workshops’13.
  • D. Boneh, E. Goh, K. Nissim: Evaluating 2-DNF Formulas on Ciphertexts. In TCC’05.
  • J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel: Privacy-preserving remote diagnostics. In ACM CCS’07.
  • I. Damgård, M. Geisler, M. Krøigaard: A correction to 'Efficient and secure comparison for on-line auctions'. IJACT’09.
  • I. Damgård, M. Jurik: A Generalisation, a Simplification and some Applications of Paillier’s Probabilistic Public-Key System. In PKC’01.
  • D. Demmler, T. Schneider, M. Zohner: ABY - a framework for efficient mixed-protocol secure two-party computation. In NDSS’15.
  • Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft: Privacy-preserving face recognition. In PETS’09.
  • M. J. Freedman, K. Nissim, B. Pinkas: Efficient private matching and set intersection. In EUROCRYPT’04.
  • C. Gentry: Fully homomorphic encryption using ideal lattices. In STOC’09.
  • C. Gentry, S. Halevi, V. Vaikuntanathan: A Simple BGN-Type Cryptosystem from LWE. In EUROCRYPT’10.
  • N. Gilboa: Two party RSA key generation. In CRYPTO’99.
  • W. Henecka, S. Kögl, A.-R. Sadeghi, T. Schneider, I. Wehrenberg: TASTY - Tool for Automating Secure Two-partY computations. In ACM CCS’10.

  • Y. Huang, D. Evans, J. Katz, L. Malka: Faster secure two-party computation using garbled circuits. In USENIX Security’11.
  • Y. Huang, L. Malka, D. Evans, J. Katz: Efficient privacy-preserving biometric identification. In NDSS’11.
  • A. Karatsuba, Y. Ofman. Multiplication of many-digital numbers by automatic computers. In SSSR Academy of Sciences’62.
  • F. Kerschbaum, T. Schneider, A. Schröpfer. Automatic protocol selection in secure two-party computations. In ANCS’14.
  • V. Kolesnikov, A.-R. Sadeghi, T. Schneider: Improved garbled circuit building blocks and applications to auctions and computing minima. In CANS’09.
  • V. Kolesnikov, A.-R. Sadeghi, T. Schneider: A systematic approach to practically efficient general two-party secure function evaluation protocols and their modular design. In Journal of Computer Security 2013.

  • M. Osadchy, B. Pinkas, A. Jarrous, B. Moskovich: SCiFI - A system for secure face identification. In IEEE S&P’10.
  • P. Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In EUROCRYPT’99.
  • A.-R. Sadeghi, T. Schneider, I. Wehrenberg: Efficient privacy-preserving face recognition. In ICISC’09.
  • T. Schneider, M. Zohner: GMW vs. Yao? Efficient secure two-party computation with low depth circuits. In FC’13.
  • N. Smart, F. Vercauteren: Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. In PKC’10.
  • M. Turk, A. Pentland: Eigenfaces for recognition. Journal of Cognitive Neuroscience 1991.
  • M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan: Fully Homomorphic Encryption over the Integers. In EUROCRYPT’10.
