A SMART-GENTRY BASED SOFTWARE SYSTEM FOR SECRET

PROGRAM EXECUTION

Michael Brenner, Jan Wiebelitz, Gabriele von Voigt and Matthew Smith

Research Center L3S, Gottfried Wilhelm Leibniz Universitaet Hannover, Appelstrasse 9a, Hannover, Germany

Keywords:

Homomorphic encryption, Secret program execution, Secure function evaluation, Encrypted processor.

Abstract:

Currently generic executable programs can only be encrypted during transmission and storage. To execute

the program itself and the data it operates on must be decrypted. If the execution system is not trusted or

compromised, both the program code and data are endangered. Recent advances in homomorphic cryptog-

raphy show how additions and multiplications can be executed in encrypted space, i.e. without decrypting

the information, the arithmetic operations themselves are not encrypted. To date, a universal implementation

of a homomorphic system, capable of executing arbitrary programs and allowing for practical experiences is

still missing. In this paper we present the ﬁrst method to compute a non-linear arbitrary secret program on

an untrusted resource using fully homomorphic encrypted circuits. We use our own implementation of the

Smart-Gentry crypto-system as a foundation and deﬁne a processor architecture which is capable of executing

encrypted programs on encrypted data. Unlike other approaches, such as static one-pass boolean circuit sim-

ulations, our system supports read and write memory access, dynamic parameters and non-linear programs,

that render branch-decisions at runtime and cannot be represented in a circuit with hard-wired in-circuit pa-

rameters and data. Our implementation comprises the runtime environment for an encrypted program and an

assembler to generate the encrypted machine code. The system represents a ﬁrst step to show the capabilities

of homomorphic encryption in software and system architecture.

1 INTRODUCTION

Fully homomorphic encryption has often been called

the cryptographer’s holy grail. Once the mathemat-

ical foundation has been established (Gentry, 2009),

we need further procedures and architectures that en-

able a reasonable application of the encrypted addi-

tions and multiplications on single bits. It’s essen-

tially this, what the latest homomorphic systems pro-

vide. To fully harness the potential of homomorphic

encryption, a generic runtime container that is able of

executing arbitrary encrypted programs on encrypted

data is needed.

In this paper, we present a method to compute

such encrypted programs on an untrusted resource

using fully homomorphic encrypted circuit represen-

tations. We deﬁne a sample processor architecture

for which we provide a software implementation and

present performance ﬁgures based on our implemen-

tation

of the underlying Smart et al. cryptosystem

(Smart and Vercauteren, 2010). Our concept solves

The implementation can be downloaded from our web-

site at http://www.dcsec.uni-hannover.de/brenner.html

the problems of encrypted storage access with en-

crypted addresses and encrypted branching: in con-

trast to other approaches, like Yao’s Garbled Circuits

(Yao, 1986) and different derivates such as (Malkhi

et al., 2004) and (Kolesnikov et al., 2009), our sys-

tem supports non-linear programs, dynamic parame-

ters and subsequent provision of encrypted input data

that can easily be written to the encrypted memory.

We support programs that render dynamic branch-

decisions at runtime, even allow self-modifying code

that cannot be represented in a one-pass boolean cir-

cuit. The solved problem is different from the classic

multiparty secure function evaluation, where two par-

ties compute a common function, each delivering a

secret portion of the input data that is hidden from the

other party (Abadi and Feigenbaum, 1990). Our con-

cept achieves obliviousness, as deﬁned by Goldreich

(Goldreich and Ostrovsky, 1996) as an implication of

sequential circuit simulation. We also solve the prob-

lem of both protecting an executing host from mali-

cious code and protecting mobile code from a mali-

cious host.

The paper structure is as follows: Related work

238

Brenner M., Wiebelitz J., von Voigt G. and Smith M..

A SMART-GENTRY BASED SOFTWARE SYSTEM FOR SECRET PROGRAM EXECUTION.

DOI: 10.5220/0003445802380244

In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2011), pages 238-244

ISBN: 978-989-8425-71-3

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

and other interesting approaches are discussed in Sec-

tion 2. Section 3 introduces the approach of encrypt-

ing circuits using homomorphicallyencrypted bit rep-

resentations. We also introduce a sample CPU model

that is described in detail, both in boolean logic and

encryptable arithmetics. We discuss our software im-

plementation and provide basic performance ﬁgures

in Section 4. Future work and lessons learned from

the implementationare presented in Section 5. In Sec-

tion 6 we give a short summary of our contributions.

2 RELATED WORK

Many different approaches exist, that address secu-

rity to code execution on remote, untrusted resources.

One group of methods is the construction of boolean

circuits with encrypted function tables as a function

representation. The circuit is then encrypted in some

way, to conceal the original function. The contribu-

tions of Yao (Yao, 1986), Abadi (Abadi and Feigen-

baum, 1990) and Malkhi (Malkhi et al., 2004) are

examples for this class of approaches. Their goal

is to establish a protocol and an execution container

that allows the Secure Function Evaluation of a com-

mon function, having a secret input from every par-

ticipating entity. Goldreich and Ostrovsky describe

an approach that reduces software protection to on-

line simulation of a program in an oblivious random

access machine (Goldreich and Ostrovsky, 1996).

Pinkas and Reinman improve the oblivious RAM ap-

proach by reducing the protocol complexity (Pinkas

and Reinman, 2010).

Another class of concepts addresses security by

evaluating encrypted functions and/or data, where

most methods apply some sort of homomorphic en-

cryption. Sander and Tschudin (Sander and Tschudin,

1998a) (Sander and Tschudin, 1998b) have proposed

a scheme that is able to evaluate encrypted polyno-

mials over rings Z/nZ. Lee et al have been working

on a method to partially encrypt and evaluate a se-

ries of interdependent three-address statements (Lee

et al., 2001). US Patent No. 7,296,163 B2, Systems

and methods for encrypted executionof computer pro-

grams (Cybenko, 2007), tries to solve the problem

of encrypted execution by representing boolean XOR

and NOT functions as matrix operations and by dis-

tributing the calculation over a number of hosts, the

results of which have to be merged by a control com-

puter.

None of the approaches allows for fully encrypted

execution of arbitrary programs on encrypted data

with support for read and write memory access, dy-

namic parameters and non-linear programs that ren-

der branch-decisions at runtime.

3 CONSTRUCTION OF AN

ENCRYPTED CPU

This section describes basic circuit encryption and

different processor primitives that are necessary to

construct a CPU and to model random access mem-

ory as suggested in (Brenner et al., 2011). We will

then transform these fundamental components from

the switching functions into the encryptable form.

3.1 Basic Circuit Encryption

Our concept is based on the encryption of circuits

in their arithmetic representation. To achieve this,

we apply a homomorphic scheme that is capable

of multiplication and addition of encrypted bits

To explain the relationship between the switching

function and the arithmetic representation we identify

the algebraic operations addition and multiplication

with the boolean operations exclusive disjunction

(XOR) and conjunction (AND), which are sufﬁcient to

build arbitrary circuits. The characteristics of binary

addition equal the XOR-operation, whereas binary

multiplication equals the AND-operation

. This

allows us to simulate chains of boolean operations

by means of simple binary or integer arithmetics.

This can be achieved by replacing XOR operators by

addition and AND operators by multiplication.

Deﬁnition 3.1.1. In boolean expressions the

operator ⊕ denotes the XOR operation.

Example 3.1.1. The boolean term

r = (a ⊕ b) ⊕ (a ∧ b), which results in a

boolean OR-operation can be expressed in integer

arithmetics as r = (a+ b) + (a ∗ b), assuming a and b

being representations of bit values. 

Deﬁnition 3.1.2. We use the notation ◦ for the

composite OR-operation in arithmetics which is de-

ﬁned as a◦ b = (a+ b) + (a ∗ b).

An integer based encryption scheme can also be ap-

plied. In that case the bit is encoded in a ciphers property

of having an even or odd remainder modulo a secret prime

key.

The function tables also apply for integer parities: even

and odd parities are equivalent to 0s and 1s

A SMART-GENTRY BASED SOFTWARE SYSTEM FOR SECRET PROGRAM EXECUTION

239

3.2 Encrypted Memory Access

A basic circuit that implements read-access to mem-

ory is depicted in Figure 1. In that diagram, the mem-

ory values are drawn from static memory over the

m-wires, which is a notation that closely relates to a

software simulation. The output bit of this single bit

memory-column with two address lines can be calcu-

lated as

c = (¬a

∧ ¬a

∧ m

) ∨ (a

∧ ¬a

∧ m

)∨

(¬a

∧ a

∧ m

) ∨ (a

∧ a

∧ m

AND

m0..3 a0..1

Figure 1: Basic memory circuit.

By extending this function to the required number

of address lines and memory columns, we are able

to model a memory-circuit of any size. Now we

transform the boolean gate logic for this memory

circuit into arithmetic, which results in the following

expression (see Example 3.1.1 and Deﬁnition 3.1.2):

row

= ((a

+ 1) ∗ (a

+ 1) ∗ m

),row

= (a

∗

+ 1) ∗ m

),row

= ((a

+ 1) ∗ a

∗ m

),row

∗ a

∗ m

);c = row

◦ row

Example 3.1. Given the random bit sequence

{1,0, 1,0} as values of a memory column, the

sequence {0,1} represents the decimal address 2 in

binary form. Then the memory access described in

arithmetics can be calculated as follows: row

((0+1)∗ (1+1)∗ 1) = 0, row

= (0∗(1+1) ∗ 0) = 0,

row

= ((0 + 1) ∗ 1 ∗ 1) = 1, row

= (0 ∗ 1 ∗ 0) = 0,

r = 0◦ 0◦ 1 ◦ 0 = 1 

It’s important to note that the same result can

be achieved when using homomorphically encrypted

representations of the bits. So we are able to access

encrypted memory providing an encrypted address to

the circuit, so the access procedure reveals neither

memory address, nor memory content. Assuming that

the probabilistic Smart crypto-system provides differ-

ent cipher representations for a single plain-text bit,

we can observe, that accessing memory with a dif-

ferent representation of an equivalent plain-text ad-

dress results in a different representation of the ac-

cessed memory content. Also note the fact, that we

always have to solve the entire circuit, since we have

no possibility to decide wether a particular row holds

an encrypted 1 and therefore the calculation of the

following row results can be omitted. This provides

obliviousness because any two memory accesses can-

not be distinguished and even the data direction can

be kept secret.

To assign a new value to a memory cell, this

new value representation is passed as i (input) to the

access function. For each memory row we generate

the new cell value as m

new

= (row∧ i) ∨ (¬row∧ m)

with row being the row select signal as shown

above. This assigns the new bit value i, if the row

is selected (and thus has the value 1) and the old

value m otherwise. Even if not selected, every cell is

assigned a new equivalent of the old representation.

To implicitly decide between memory read- and

write-access, we introduce an encrypted write-signal

analogy that indicates the direction of the data

ﬂow. Implicit decision means, that there is, of

course, no true decision, because the new value is

a logical-numeric calculation over all given target

bit representations (memory cells) and the selecting

bit representations (address lines). The full-ﬂedged

bi-directional access function for a single bit column

in the address-space of A reads as follows: ∀x ∈ A :

= (row

∧ write ∧ i)∨, (row

∧ ¬write ∧ m

)∨,

(¬row

∧ m

), c =

(row

∧ m

)

Theorem 3.1 (informal statement). Since the re-

sult of the access function is a logic combination

of all memory cells, the complexity of memory ac-

cess, which depends of the circuit size φ, is an al-

most linear function. The number of boolean gates

{1,2,3}

= {¬,∧,∨} that have to be processed in or-

der to determine r during a read access is given as

f(φ) = (φ ∗ B

) + (2∗ φ∗ B

) + ((φ − 1) ∗ B

). 

3.3 Encrypted Arithmetic-logical Unit

To model an encrypted ALU, we apply a similar tech-

nique, as we use to implement memory access. Fig-

ure 2 shows a simple 1-bit ALU which is capable of

an addition and simple boolean operations.

Full

Adder

AND

XOR

NOT

o0..1 a b

AND

Figure 2: 1-bit ALU circuit.

The ALU essentially consists of a couple of sim-

SECRYPT 2011 - International Conference on Security and Cryptography

240

ple circuits that are applied to the input signals a and

b and, in every cycle, produce the operation-speciﬁc

output. The command-switch o

..o

, which contains

an opcode selects the appropriate function result for

the output wire and is in this sense equivalent to the

address-selection in the memory circuit. The follow-

ing series of equations model the ALU in boolean

logic, assuming the command-encodingof {o

} as

{0,0} b= add,{1,0} b= and, {0,1} b= xor,{1,1} b= not

: c

add

= fulladder(a,b), c

and

= a∧ b, c

xor

= a⊕ b,

not

= ¬a

The following term renders the result of the par-

ticular operation, denoted by o

: c = (c

add

∧

(¬o

∧ ¬o

))∨,(c

and

∧ (o

∧ ¬o

))∨,(c

xor

∧ (¬o

∧

))∨,(c

not

∧ (o

∧ o

))

Because the ALU function selection and memory ac-

cess are comparable, we are not going to give further

details on ALU circuit modeling. The transformation

into integer arithmetic can also be directly derived

from the memory model.

To integrate the ALU model in the architecture,

we need to determine the size of a machine word. In

the absence of a physical data-bus, this is the com-

mon number of memory columns and coupled 1-bit

ALUs. The dimension of a memory word can be sim-

ply implemented by arranging multiple memory co-

lumns in parallel. Our ALU implementation also han-

dles two ﬂags. The zero-ﬂag indicates an operation

result of zero, or a comparison that yielded equality

(since comparisons are often implemented as implicit

subtractions, the zero ﬂag usually applies for both

comparisons and arithmetic results). The carry ﬂag

indicates a carry between the 1-bit ALUs.

3.4 Encrypted Branching

As an introduction to branching in the encrypted

space, we present the schematic of our CPU- and

system-model, because basic data- and program-ﬂow

is a prerequisite to understanding branching.

Memory

Cell Array

data-out

row-in

ALU

Program

Counter

Command

Accumulator

ALU

Data

Flags

ALU

data-in

Figure 3: CPU schematic.

Figure 3 shows the basic data path in our simple

CPU-model. We deﬁne a single-cycle, accumulator-

driven architecture, which means that every operation

is performed in a phased single cycle and that there is

only one general-purpose register. A sound introduc-

tion to CPU- and system-design is given in (Hennessy

and Patterson, 2006).

A good starting point for a brief description is

the Program Counter that holds the memory address,

where the program starts, as an initial value. After

accessing memory, the content is stored in the Com-

mand and Data Registers. Arithmetic and logical

operations are performed by the main ALU, which

takes the data register and the Accumulator as in-

put and stores the output, according to the command

load or store operation, the data register acts as a

memory address and, when loaded, is overwritten

with the addressed memory cell’s content. The tar-

get register of a branching operation is the program

counter. We have unconditional jumps and branches

that depend on the system’s state, represented by the

ﬂag conﬁguration. A jump is performed by copy-

ing the target address, provided by the jump com-

mand, to the program counter. The ability to per-

form dynamic branches is one of the advantages of

our concept, compared to other approaches. Actu-

ally, most conditional branches are directly inﬂuenced

by a ﬂag, like the common branch-if-zero (bz) or

branch-if-carry-clear (bcc). The triple-ALU in ﬁg-

ure 3 handles the entire program ﬂow. It adds a

static 1 to the program counter in linear program se-

quences and adds the data register’s content in case

of a branch. This branch-logic performs all possi-

ble branch-address calculations and selects the appro-

priate address for the program counter. This selec-

tion is controlled by the command register and the

ﬂag states. Let F be the set of ﬂags, PC the pro-

gram counter register, DR the data register and CR the

command register. The functions jmp(CR), bcc(CR)

and bz(CR) take the command register as input and

return true (a bit representation with odd parity) for

the particular command. The next address to be as-

signed to the PC, following the program ﬂow, is then

∀x : x ∈ {0..wordsize−1}, PC

= ( jmp(CR)∧DR

)∨

(bcc(CR)∧ DR

∧¬F

carry

)∨ (bz(CR) ∧DR

∧F

zero

)∨

(¬ jmp(CR) ∧ ¬bcc(CR) ∧ ¬bz(CR) ∧ (PC+ 1)

3.5 Plugging It Together

Having deﬁned the basic components of a CPU, we

are now able to combine these to construct a pro-

cessor with memory access. The CPU schematic in

Figure 3 shows how the components along the data

A SMART-GENTRY BASED SOFTWARE SYSTEM FOR SECRET PROGRAM EXECUTION

241

path have to be connected. We have registers that

consist of encrypted bit columns, an ALU that is re-

quired for arithmetic and logic operations (the larger

main ALU) and a group of smaller ALUs implement-

ing only comparisons and additions to handle the pro-

gram ﬂow. The memory array consists of the memory

cells and the access logic as described above.

The processor cycle is implemented as a phased

single cycle comprising four steps:

• FETCH1 read memory cell pointed at by program

counter

• FETCH2 read memory cell pointed at by fetched

operand

• EXEC execute operation in command register

• WRITE write result or refresh old memory value

Every single cycle has to perform three memory

access operations. This is required to achieve obliv-

iousness to make any two processor cycles indistin-

guishable.

4 IMPLEMENTATION &

PERFORMANCE

We provide prototype implementations of our execu-

tion engine concept in Java and C. This section de-

scribes the basic system properties and performance

ﬁgures for selected components of the C implemen-

tation. Figure 4 shows the layered architecture of the

runtime environment.

Assembler Execution Engine

Cryptographic

Library

Operating System / Java VM

Encrypted Program

Figure 4: System Architecture.

The prototype implementation of the processor

outlined in Section 3 use a memory word length of

13 bits in little-endian format. A word contains eight

bits of data in the data compartment (bits 0 to 7) and

a ﬁve bits wide command (bits 8-12). This allows

for a simple processor architecture with a single fetch

cycle for opcode and operand. If a memory loca-

tion is written to, only the data compartment is modi-

ﬁed, whereas the command compartment remains un-

touched. The actual processor implementation, which

is independent of the underlying crypto-system, exe-

cutes 129,397 boolean gates for one cycle including

oblivious memory access on 256 13-bit words. The

entire processor circuit consists of 44,980 XOR and

15,476 NOT gates and 68,933 AND gates. An un-

encrypted cycle (i.e. the processor implementation

is running with deactivated crypto-library) takes be-

tween 2 and 3 milliseconds on our test conﬁguration

including memory access and all CPU logic. Our test

setting consists of a 2.4 GHz Intel Core 2 Duo plat-

form with 4 GB of 667 MHz DDR2 SDRAM. The

processor prototype is executed on a virtual 1-CPU

machine (VirtualBox) running a 32-bit Linux with 2.6

kernel and 1 GB of RAM.

Figure 5: Key Construction.

We have implemented the Smart-Gentry crypto-

system as a cryptographic library for our system. It is

conﬁgured in a couple of small to medium settings

regarding the sizes of key coefﬁcients and ciphers.

The key coefﬁcients are a set of integers and contain

the components for the decryption hint of the Smart-

Gentry public key. Our implementation applies a set

of eight components in the public key and serves as

a proof-of-concept conﬁguration. Figure 5 shows the

time consumption of key generation for different key

sizes. The key size parameter describes the integer

range of a key coefﬁcient as ±2

x−1

∈ N. Key coefﬁ-

cients and the actual ciphers (the encrypted bit repre-

sentations) have the same size. Key generation times

range from an average of 3 seconds for a key size of

256 to an average of half an hour for size 2048. To

track the noise of the ciphers, we attach a numeric

noise counter to every cipher. We assume that an ad-

dition (XOR and NOT gates) increases the noise by 1

while charging the multiplication (AND gates) with a

value of 1000. The crypto-library triggers a recryp-

tion of a cipher when exceeding a noise measure of

2000.

Figure 6 depicts the access time for different key

sizes and is measured as seconds per row of 13 bits (a

memory word). Since the access duration grows de-

pending on the memory size, compact programs and

data are the key to tolerable runtimes. The sizes of key

SECRYPT 2011 - International Conference on Security and Cryptography

242

Figure 6: Memory Access.

coefﬁcients and ciphers are also shown in that ﬁgure.

5 OPEN ISSUES & FUTURE

WORK

The environmentpresented in this paper has proof-of-

concept capabilities and a dependency between mem-

ory size and performance, which makes it suitable for

small problem sizes. By extending the capabilities of

our concept to interact with the host system, we will

be able to perform calculations on portions of secret

data or secret algorithms, that are part of a larger sys-

tem. It is possible to inject encrypted data into the

encrypted environment, which is sufﬁcient to receive

process data from outside the cipher-space. However,

this induces further problems, like the correctness and

consistency of the encrypted code and data. A pos-

sible ﬁeld of application is Cloud Computing, where

small- and medium-scale compute jobs are performed

which have high privacy requirements. The estab-

lishment of an appropriate system- and application-

architecture will be the key to integrate our concept

into existing cloud applications and environments, to

face new security requirements of mobile code and

distributed applications.

6 SUMMARY

In this paper we presented the ﬁrst method to per-

form the execution of arbitrary encrypted programs,

operating on encrypted data. In contrast to other so-

lutions, the code as well as the processed data, held

entirely in the cipher-space, still remain dynamic and

can be provided with data after having been transmit-

ted to the executing host. We described a method to

represent circuits by means of homomorphically en-

crypted arithmetics. Applying the basic logic func-

tion representations, we sketched how to build dif-

ferent microprocessor primitives, like memory-access

logic and arithmetic operations. We then developed

a simple CPU- and system-model and presented the

reference implementation of our model on top of the

Smart-Gentry encryption scheme. An analysis deter-

mined the relationship between our system model and

the underlying encryption scheme. We provided per-

formance ﬁgures for different key sizes and showed

that our system is suitable to act as a sound basis for

further empirical investigation of applied homomor-

phic encryption.

REFERENCES

Abadi, M. and Feigenbaum, J. (1990). Secure cir-

cuit evaluation. Journal of Cryptology, 2:1–12.

10.1007/BF02252866.

Brenner, M., Wiebelitz, J., von Voigt, G., and Smith, M.

(2011). Secret program execution in the cloud apply-

ing homomorphic encryption. In Proceedings of the

5th IEEE International Conference on Digital Ecosys-

tems (DEST 2011), to appear, DEST’11, USA. IEEE.

Cybenko, G. (2007). System and methods for encrypted

execution of computer programs.

Gentry, C. (2009). Fully homomorphic encryption using

ideal lattices. In Proceedings of the 41st annual ACM

symposium on Theory of computing, STOC ’09, pages

169–178, New York, NY, USA. ACM.

Goldreich, O. and Ostrovsky, R. (1996). Software pro-

tection and simulation on oblivious rams. J. ACM,

43:431–473.

Hennessy, J. L. and Patterson, D. A. (2006). Computer Ar-

chitecture. A Quantitative Approach. Academic Press.

Kolesnikov, V., Sadeghi, A.-R., and Schneider, T. (2009).

How to combine homomorphic encryption and gar-

bled circuits - improved circuits and computing the

minimum distance efﬁciently. In Signal Process-

ing in the Encrypted Domain, SPEED’09, Lausanne,

Switzerland. SPEED Project.

Lee, H., Alves-Foss, J., and Harrison, S. (2001). Secur-

ing mobile agents through evaluation of encrypted

functions. Technical report, Center for Secure and

Dependable Software Computer Science Department,

University of Idaho.

Malkhi, D., Nisan, N., Pinkas, B., and Sella, Y. (2004).

Fairplay - a secure two-party computation system. In

Proceedings of the 13th conference on USENIX Secu-

rity Symposium - Volume 13, SSYM’04, pages 20–20,

Berkeley, CA, USA. USENIX Association.

Pinkas, B. and Reinman, T. (2010). Oblivious ram revisited.

In Rabin, T., editor, Advances in Cryptology CRYPTO

2010, volume 6223 of Lecture Notes in Computer Sci-

ence, pages 502–519. Springer Berlin / Heidelberg.

10.1007/978-3-642-14623-7 27.

Sander, T. and Tschudin, C. (1998a). Protecting mobile

agents against malicious hosts. In Vigna, G., editor,

Mobile Agents and Security, volume 1419 of LNCS,

pages 44–60. Springer Berlin / Heidelberg. 10.1007/3-

540-68671-1 4.

A SMART-GENTRY BASED SOFTWARE SYSTEM FOR SECRET PROGRAM EXECUTION

243

Sander, T. and Tschudin, C. F. (1998b). Towards mobile

cryptography. Security and Privacy, IEEE Symposium

on, 0:0215.

Smart, N. and Vercauteren, F. (2010). Fully homomorphic

encryption with relatively small key and ciphertext

sizes. In Public Key Cryptography PKC 2010, vol-

ume 6056 of LNCS, pages 420–443. Springer Berlin /

Heidelberg.

Yao, A. C.-C. (1986). How to generate and exchange se-

crets. Foundations of Computer Science, Annual IEEE

Symposium on, 0:162–167.

SECRYPT 2011 - International Conference on Security and Cryptography

244