Symmetric-Key Homomorphic Encryption for Encrypted Data Processing

Aldar C-F. Chan
School of Computing, National University of Singapore

Abstract—The difficulty of processing data in encrypted form has long been the barrier to the widespread use of encryption in data storage applications; improved security or privacy would always imply a sacrifice of functionality. Many applications, such as ASP, requiring a significant amount of processing at the data storage servers are hence precluded from using encryption to protect data privacy. To address this problem, this paper works on privacy homomorphism which allows encrypted data to be operated on. Two additive homomorphic schemes, namely Iterated Hill Cipher (IHC) and Modified Rivest Scheme (MRS), are given. They are secure to ciphertext-only attacks and have the nice property that the same data may have different representations in the encrypted domain.

I. INTRODUCTION

To address the security and privacy concerns, there is an increasing trend to store data in encrypted form at ASPs (Application Service Providers) or on data storage servers, such as file servers and mail servers. But this sacrifices functionality for security. To maintain data confidentiality, any processing on the data requires their owner to decrypt them first, then process them and re-encrypt the processing results to be re-stored onto the servers. All these have to be done on the data owner's computer, not the server. As a result, the main advantage of ASP (which provides a low cost platform for clients to share software applications) is precluded by data encryption. The fundamental problem is that moving the computation to the data storage seems very difficult when the data is encrypted.

The problem of processing encrypted data was first addressed in [9] which introduced the notion of privacy homomorphism (or homomorphic encryption), but only a limited number of practical and secure solutions [7], [8], [5], all asymmetric-key, seem to have appeared. The asymmetric-key nature of these schemes is over-tailored for many application scenarios since only a symmetric-key solution is needed for them. For instance, for the ASP scenario, only the user would encrypt and decrypt; another example is secure two party computation [13], [3] in which the two parties want to compute a result on their inputs while keeping each input secret from the other. In a secure two party computation, the party who needs to decrypt a certain ciphertext is usually the one who does its encryption.

In this paper, we work on how to process encrypted data without any loss of data confidentiality. An example is a small company which does not have adequate computing/human resources to manage its financial data and wishes to out-source the data computation task to a service provider while keeping the data confidential from the latter (as it does not fully trust the service provider). Hence, we need to look for efficient encryption schemes which enable processing over data in encrypted form.

We introduce in this paper two novel symmetric-key homomorphic encryption schemes which allow the encrypted data to be added and multiplied by a constant. One of them is based on Hill cipher [12] (Iterated Hill Cipher) and the other on Rivest's work in [9] (Modified Rivest Scheme). A more sophisticated scheme similar to the latter was given by Domingo-Ferrer in [4]. Both schemes proposed in this paper are secure to ciphertext-only attacks. These two schemes have a nice property that data have different representations in the encrypted domain. This not only can increase their strength to some attack shortcuts but also makes them suitable for use in the secure set intersection computation problem [6] and function hiding [11], [10] which find their applications in many areas. Besides, the iterative algorithm provides a more efficient key selection for Hill cipher, and can potentially improve its security if a different initialization vector is used for each plaintext.

The remainder of this paper is organized as follows. We discuss privacy homomorphism in the next section. Then we give two homomorphic encryption schemes in sections III and IV. In section V, we discuss the properties of the two schemes introduced in this paper. Finally, we conclude in section VI.

II. PRIVACY HOMOMORPHISM

Basically, privacy homomorphism or homomorphic encryption, introduced in [9], is a special class of encryption functions which allow the encrypted data to be operated on directly without needing any knowledge about the decryption function. The definition of a privacy homomorphism is as follows.

Definition 1: Suppose $E_K(\cdot)$ is an encryption function with key $K$ and $D_K(\cdot)$ is the corresponding decryption function. Then $E_K(\cdot)$ is homomorphic with the operator $\circ$ if there exists an efficient algorithm Alg such that:

$$\mathrm{Alg}(E_K(x), E_K(y)) = E_K(x \circ y)$$

For example, the well-known RSA is a multiplicative homomorphic encryption, that is, $\circ$ is multiplication. In RSA, $E_K(x) = x^K$ (all operations are done in $Z_n$)¹. Given another ciphertext $E_K(y)$, we can compute $E_K(x \cdot y)$ by simply multiplying the two ciphertexts: $E_K(x \cdot y) = (x \cdot y)^K = x^K \cdot y^K = E_K(x) \cdot E_K(y)$.

¹ $Z_n$ is integer modulo $n$.

Although RSA gives a good demonstration for privacy homomorphism, it cannot support addition which is the most frequently used operation. For use in most applications, a practical homomorphic encryption scheme needs to support two basic types of encrypted data processing, namely addition and scalar multiplication. In fact, nearly all the homomorphic encryption schemes proposed so far are additive. The objective of this paper is to look for schemes supporting these two operations with details below.

[Addition]: Given $E_K(x)$ and $E_K(y)$, there exists a computationally efficient algorithm Add such that: $E_K(x + y) = \mathrm{Add}(E_K(x), E_K(y))$. That is, $E_K(x + y)$ can be found easily from $E_K(x)$ and $E_K(y)$ without needing to know what $x$ or $y$ is.

[Scalar Multiplication]: Given $E_K(x)$ and $t$, there exists a computationally efficient algorithm sMulti such that: $E_K(t \cdot x) = \mathrm{sMulti}(E_K(x), t)$. That is, $E_K(t \cdot x)$ can be found easily from $t$ and $E_K(x)$ without needing to know what $x$ is.

Indeed, when a scheme supports addition, it would also support scalar multiplication because $E_K(t \cdot x)$ can be achieved by summing $E_K(x)$ successively $t$ times. Of course, more efficient derivations of scalar multiplication algorithm from the addition algorithm exist [11].

Although the notion of privacy homomorphism was introduced more than twenty years ago, most of the existing schemes are found to be insecure. For example, two out of the five schemes proposed in [9] have been proven insecure to ciphertext-only attack by Brickell et al. [2]. The one on which Modified Rivest Scheme in this paper is based is also vulnerable to an attack shortcut, and we fix this weakness in this paper. On the other hand, the handful of exceptions remaining secure seem to be very inefficient. Those schemes based on public key techniques, such as RSA and Paillier's [7] (widely proposed for use in voting schemes), are computationally inefficient and their security is based on the algorithmic complexity assumptions of some problems in number theory². Others are either impractical [1] or over restrictive on the number of operations allowed [2].

² These schemes would become insecure when there were improved algorithms for solving the underlying problems.

Hill cipher [12], whose linear encryption/decryption operations enable homomorphism, is a potentially good candidate. But its choice of keys is limited, which in turn weakens its security and adds large overhead in testing a proper key. In our first scheme, we propose a new iterative encryption and decryption algorithm which is equivalent to a Hill cipher, hence supporting homomorphism. In our second scheme, we fix the security pitfalls of one of Rivest's schemes in [9].

III. ITERATED HILL CIPHER (IHC)

In this section, we describe the original scheme of Hill cipher and present the iterative algorithm in our implementation called Iterated Hill Cipher (IHC).

A. Original Scheme of Hill Cipher

Suppose the arithmetic is done in $Z_n$. Denote the set of $l \times l$ matrices and the set of $l \times 1$ vectors in $Z_n$ by $M_{l \times l}$ and $V_l$ respectively. The operation of a Hill cipher is as follows:

• $n$ is a randomly picked large integer. The private key of a Hill cipher is $A \in M_{l \times l}$.
• [Encryption] Given the encryption function of the form $E_A(\cdot) : V_l \to V_l$, the encryption is: $c = E_A(m) = Am$, where $m$ and $c$ are the plaintext and the corresponding ciphertext vectors respectively.
• [Decryption] Denote the inverse of $A$ by $A^{-1}$, then the decryption is: $m = D_A(c) = A^{-1}c$.
• [Homomorphism] As the encryption function of a Hill cipher is a linear mapping, it is additive homomorphic and supports addition and scalar multiplication as follows.
  – Addition: $E(x + y) = A(x + y) = Ax + Ay = E(x) + E(y)$
  – Scalar multiplication: $E(tx) = Atx = tAx = tE(x)$, where $t$ is a scalar constant.

Hill cipher is unconditionally secure [12] to ciphertext-only attacks³, that is, it is secure against an adversary with unbounded computation and storage capacity. However, a key matrix $A$ invertible in $Z_n$ is needed for the correct decryption of a Hill cipher. Suppose $n = \prod_{1 \le i \le t} p_i$ (for some integer $t$); to have $A$ invertible in $Z_n$, we need $\det A \not\equiv 0 \pmod{p_i}$ for all $i$. This limits the possible choices of $A$, thus making it more difficult to pick and test a key $A$ and weakening the security (a smaller key space would allow an adversary to make a successful exhaustive key search more easily). As an example, let $n = pq$ (i.e. $t = 2$) where $p$ and $q$ are primes and $p < q$, then the number of invertible $2 \times 2$ matrices in $Z_n$ is $< p(p - 1)(p^2 - 1)q$, compared to $p^4 q^4$ which is the total number of $2 \times 2$ matrices in $Z_n$. To overcome this, we introduce an iterative encryption and decryption algorithm to allow us to make use of all the $l \times l$ matrices in $M_{l \times l}$ as the secret key⁴ for a Hill cipher.

³ Ciphertext-only attacks refer to attacks wherein the attacker is given ciphertexts only.
⁴ Some trivial matrices like the Identity Matrix still need to be avoided.

B. IHC Details

The encryption and decryption of an Iterated Hill Cipher (IHC) with $k$ iterations works as follows:

[Encryption] The encryption function is of the form $E(\cdot) : V_l \to V_l \times V_l$ and the encryption steps are as follows:

• Randomly choose a key matrix $A \in M_{l \times l}$ and an initialization vector $u \in V_l$.
• Set $x_{-1} = u$ and $x_0 = m$ where $m \in V_l$ is the plaintext vector.
• For $0 \le i < k$, compute $x_{i+1} = Ax_i - x_{i-1}$ (for example, $x_1 = Ax_0 - x_{-1}$).
• Ciphertext $c = (x_k, x_{k-1})$.

[Decryption] With $c = (x_k, x_{k-1})$ as the initial condition, iterate the following $k$ times to get back $x_0$ which is the plaintext:

$$x_{i-1} = Ax_i - x_{i+1}$$

The major advantage of this iterative algorithm is that there is no restriction on the choice of $A$ (of course, we still need to avoid trivial matrices like the identity matrix). It can be shown that the IHC algorithm satisfies the following lemma.

Lemma 1: All the intermediate values $x_k$'s (including the ciphertexts) of an IHC are derivatives of the Hill cipher in the following form:

$$x_k = \hat{A}_k m + \hat{u}_k$$

where $\hat{A}_k \in M_{l \times l}$ is a function in $A$ (more precisely $\hat{A}_k = A^k$) and $\hat{u}_k \in V_l$ is a function of both $A$ and $u$ ($x_{-1}$).

Due to the above lemma, we can easily prove that the security property of Hill cipher holds for IHC, that is, IHC is secure to ciphertext-only attacks. Furthermore, due to the linearity of the operations involved, IHC is additive homomorphic and supports both addition and scalar multiplication (just like the Hill cipher). Although it does not look additive homomorphic due to the term $\hat{u}$, this term will be accounted for in the iterative decryption algorithm.

[Homomorphism] Addition and scalar multiplication of the plaintexts can be done by component-wise vector addition and scalar multiplication of the ciphertexts. Suppose $E(a) = (x_k, x_{k-1})$ and $E(b) = (y_k, y_{k-1})$, then

• Addition: $E(a + b) = (x_k + y_k, x_{k-1} + y_{k-1})$
• Scalar multiplication: $E(ta) = (tx_k, tx_{k-1})$, where $t$ is a scalar constant.

C. Security Analysis of IHC

Decrypting a ciphertext of IHC needs the knowledge of both $A$ (the secret key matrix) and $k$ (the number of iteration steps). Given a ciphertext of IHC (that is, $(x_k, x_{k-1})$), there are $l$ linear equations in $l(l + 1)$ unknowns, $l^2$ of which are from the key matrix $A$ and the other $l$ from $x_{k-2}$. $l^2$ more equations are needed for solving these unknowns. Given an additional distinct ciphertext, $l$ new equations are added but $l$ new unknowns (from a new $x_{k-2}$) are added as well.
No matter how many ciphertexts an adversary has, he would always be short of $l^2$ equations to find the key matrix $A$. Hence the scheme is unconditionally secure to ciphertext-only attacks on finding $A$. Even if an adversary knew the key matrix $A$, without the knowledge of $k$, he would still be unable to decrypt any given ciphertext. Therefore, if the number of iterations $k$ is kept secret as part of the private key, the security of IHC would be increased.

In our considerations so far, when the initialization vector $u$ has been chosen, it is fixed (just like $A$) and used for encrypting all plaintext vectors. Although $u$ is part of the secret key of IHC, it is not needed in decryption if the iterative algorithm is used. In fact, if a different $u$ is used for encrypting each plaintext vector, the security of IHC could be significantly improved. The result is summarized by the following lemma.

Lemma 2: If each plaintext vector is encrypted with a different initialization vector while the same key matrix is used, IHC is secure to both ciphertext-only and known-plaintext attacks.

The original scheme of Hill cipher is secure to ciphertext-only attacks but can be broken if sufficient ciphertext-plaintext pairs are available to an adversary. For example, if the key matrix of a Hill cipher is $l \times l$ in dimension, $l$ pairs of ciphertext and plaintext are sufficient to uniquely determine its key matrix and all the subsequent ciphertexts would become insecure. In contrast, IHC using different $u$ for each plaintext vector remains secure even though several ciphertext-plaintext pairs are available. This is because a new ciphertext-plaintext pair adds $l$ equations and $l$ new unknowns due to a different initialization vector, thus the set of equations remains undetermined.

D. An Example of IHC

Suppose the arithmetic is done in $Z_{10}$. Let $A$ and $u$ be the following:

$$A = \begin{pmatrix} 1 & 3 & 4 \\ 2 & 5 & 6 \\ 7 & 1 & 2 \end{pmatrix}, \quad u = \begin{pmatrix} 1 \\ 2 \\ 3 \end{pmatrix}$$

Suppose there are two plaintexts $a$ and $b$ as follows:

$$a = \begin{pmatrix} 1 \\ 3 \\ 7 \end{pmatrix} \text{ and } b = \begin{pmatrix} 8 \\ 2 \\ 6 \end{pmatrix} \text{ such that } 2a + b = \begin{pmatrix} 0 \\ 8 \\ 0 \end{pmatrix}$$

Assume the number of iteration rounds $k = 3$, then

Encrypting $a$:

$$x_1 = Aa - u = \begin{pmatrix} 7 \\ 7 \\ 1 \end{pmatrix}, \quad x_2 = Ax_1 - a = \begin{pmatrix} 1 \\ 2 \\ 1 \end{pmatrix}, \quad x_3 = Ax_2 - x_1 = \begin{pmatrix} 4 \\ 1 \\ 0 \end{pmatrix}$$

and $E(a) = (x_3, x_2)$.

Encrypting $b$:

$$y_1 = Ab - u = \begin{pmatrix} 7 \\ 0 \\ 7 \end{pmatrix}, \quad y_2 = Ay_1 - b = \begin{pmatrix} 7 \\ 4 \\ 7 \end{pmatrix}, \quad y_3 = Ay_2 - y_1 = \begin{pmatrix} 0 \\ 6 \\ 0 \end{pmatrix}$$

and $E(b) = (y_3, y_2)$.

Computing $E(2a + b)$:

$$E(2a + b) = (z_3, z_2) = (2x_3 + y_3,\ 2x_2 + y_2) = \left( \begin{pmatrix} 8 \\ 8 \\ 0 \end{pmatrix}, \begin{pmatrix} 9 \\ 8 \\ 9 \end{pmatrix} \right)$$

Note that the first and last entries are encrypted values for 0 but they have different representations in the encrypted domain.

Decrypting $E(2a + b)$:

$$z_1 = Az_2 - z_3 = \begin{pmatrix} 1 \\ 4 \\ 9 \end{pmatrix}, \quad 2a + b = z_0 = Az_1 - z_2 = \begin{pmatrix} 0 \\ 8 \\ 0 \end{pmatrix}$$

Hence, we get back $2a + b$.
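The scheme of Section III-B run on the numbers of this example, as an added illustration in Python (not the paper's code; the function names are assumptions). It also checks that the example's key matrix A has no inverse in Z_10, so a plain Hill cipher could not use it, and it applies the decryption recurrence k − 1 times because the ciphertext pair already contains x_{k−1}.

```python
"""Iterated Hill Cipher (IHC) over Z_n, after Section III-B of the page.
Added illustration, not the paper's code; function names are hypothetical."""
from math import gcd
import secrets


def mat_vec(A, x, n):
    """Matrix-vector product in Z_n."""
    return [sum(a * b for a, b in zip(row, x)) % n for row in A]


def det(A):
    """Integer determinant by cofactor expansion (adequate for small l)."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det([r[:j] + r[j + 1:] for r in A[1:]])
               for j in range(len(A)))


def invertible_mod(A, n):
    """True if A has an inverse in Z_n, as a plain Hill cipher key must."""
    return gcd(det(A) % n, n) == 1


def ihc_encrypt(A, u, m, k, n):
    """x_{-1} = u, x_0 = m, x_{i+1} = A x_i - x_{i-1}; returns (x_k, x_{k-1})."""
    if k < 2:
        raise ValueError("with k = 1 the pair (x_1, x_0) would contain m itself")
    prev, cur = list(u), list(m)
    for _ in range(k):
        nxt = [(p - q) % n for p, q in zip(mat_vec(A, cur, n), prev)]
        prev, cur = cur, nxt
    return cur, prev


def ihc_decrypt(A, c, k, n):
    """Run x_{i-1} = A x_i - x_{i+1} from (x_k, x_{k-1}) down to x_0.
    The pair already holds x_{k-1}, so k - 1 steps reach x_0 (the page's
    k = 3 example computes z_1, then z_0). The vector u is never needed."""
    hi, lo = list(c[0]), list(c[1])
    for _ in range(k - 1):
        hi, lo = lo, [(p - q) % n for p, q in zip(mat_vec(A, lo, n), hi)]
    return lo


def ct_add(c1, c2, n):
    """Component-wise sum of two ciphertext pairs: E(a) + E(b) = E(a + b)."""
    return tuple([(p + q) % n for p, q in zip(v, w)] for v, w in zip(c1, c2))


def ct_scale(t, c, n):
    """Scalar multiple of a ciphertext pair: t * E(a) = E(t * a)."""
    return tuple([(t * p) % n for p in v] for v in c)


# Values from the page's Section III-D example (arithmetic in Z_10, k = 3).
N, K = 10, 3
A = [[1, 3, 4], [2, 5, 6], [7, 1, 2]]
U = [1, 2, 3]
MSG_A, MSG_B = [1, 3, 7], [8, 2, 6]


def page_example():
    """Returns E(a), E(b), E(2a + b) and the decryption of E(2a + b)."""
    ea = ihc_encrypt(A, U, MSG_A, K, N)
    eb = ihc_encrypt(A, U, MSG_B, K, N)
    combined = ct_add(ct_scale(2, ea, N), eb, N)
    return ea, eb, combined, ihc_decrypt(A, combined, K, N)


def fresh_iv_example():
    """Lemma 2 setting: a new random u per plaintext; decryption is unchanged."""
    cts = [ihc_encrypt(A, [secrets.randbelow(N) for _ in A], m, K, N)
           for m in (MSG_A, MSG_B)]
    return ihc_decrypt(A, ct_add(ct_scale(2, cts[0], N), cts[1], N), K, N)


if __name__ == "__main__":
    print(invertible_mod(A, N), page_example(), fresh_iv_example())
```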

IV. MODIFIED RIVEST'S SCHEME (MRS)

In this section, we describe a scheme in [9] and discuss its security pitfalls and our modification to fix them.

A. Original Rivest's Scheme

The original scheme of Rivest et al. [9] works as follows:

• Let $p$ and $q$ be large primes and $n = pq$. $(p, q)$ is the secret key and $n$ is publicly known.
• [Encryption] Given the private key $(p, q)$, the encryption function is of the form $E_{(p,q)}(\cdot) : Z_n \to Z_n \times Z_n$. $E_{(p,q)}(m) = (m \bmod p, m \bmod q)$
• [Decryption] Reduce the two components mod $p$ and mod $q$, then apply the Chinese Remainder Theorem (CRT).
• [Homomorphism] Component-wise additions and multiplications of ciphertexts in $Z_n$ result in the corresponding plaintext additions and multiplications. Suppose $E_{p,q}(m_1) = (x_1, y_1)$ and $E_{p,q}(m_2) = (x_2, y_2)$, then
  Addition: $E_{p,q}(m_1 + m_2) = \mathrm{Add}(E_{p,q}(m_1), E_{p,q}(m_2)) = (x_1 + x_2 \bmod n,\ y_1 + y_2 \bmod n)$
  Multiplication: $E_{p,q}(m_1 m_2) = \mathrm{Multi}(E_{p,q}(m_1), E_{p,q}(m_2)) = (x_1 x_2 \bmod n,\ y_1 y_2 \bmod n)$

The security of this scheme is based on the difficulty of factoring composite numbers of large primes (same as RSA). Since an adversary does not know the factorization of $n$, he cannot decrypt the ciphertext. However, since both addition and multiplication are supported, there might be a possible shortcut to mount a ciphertext-only attack as follows. Suppose we have the ciphertext $E(m)$. Using Multi we can find $E(m^2)$. After that, we keep running Add recursively until the result is equal to $E(m^2)$. Then the resulting number of rounds is $m$. Luckily, test for equality is not always possible since the encryption of a number might have several representations in Rivest's scheme. Hence, this attack would only be successful when $E(m^2)$ only has a single representation. However, test for encrypted zero might lead to a possible threat which leaks out the factorization of $n$ because a zero is encrypted to $(ap, bq)$ where $a \in [0, q - 1]$ and $b \in [0, p - 1]$.

To fix this problem, our scheme splits the plaintext $m$ into $l$ pieces before encryption so that the ciphertexts would never have those vulnerable forms. This also eliminates the notion of $\mathrm{Multi}(\cdot, \cdot)$ and hence the related attacks. In fact, $l$ does not need to be very large. Excluding $(0, 0)$ which will be encrypted to $((0, 0), (0, 0))$ by the MRS, there are $n - 1$ possible pairs in $Z_n$ whose sum is 0. Each component of this pair can have $q \times p$ representations in $Z_n \times Z_n$. As a result, there are $(n - 1)n^2$ possible representations for encrypted zero if $l = 2$. This value for $l$ is sufficiently large for most applications. For a small plaintext $m$, say smaller than $p$ and $q$, it is trivially encrypted (unencrypted) in the original Rivest's scheme. Our scheme multiplies the split numbers with a random number⁵ to avoid trivial encryption.

⁵ This random number can be viewed as part of the secret key.

B. MRS Details

Like the original Rivest's scheme, there are two large primes $p$ and $q$ which are private and $n = pq$ which is public. The secret key $K = (p, q, r_1, \ldots, r_i, \ldots, r_l, s_1, \ldots, s_i, \ldots, s_l)$ where $1 \le i \le l$, and the encryption function is of the form: $E_K(\cdot) : Z_n \to (Z_n \times Z_n)^l$. The MRS scheme works as follows.

[Encryption] To encrypt a message $m \in Z_n$, run as follows:

• Break down $m$ into $l$ arbitrary numbers $(m_1, m_2, \ldots, m_l)$ in such a way that $m = \sum_{i=1}^{l} m_i \bmod n$.
• Randomly choose $r_i < p$ and $s_i < q$, $\forall i \in [1, l]$, which are kept secret.
• $E_K(m) = ((m_1 r_1 \bmod p,\ m_1 s_1 \bmod q),\ (m_2 r_2 \bmod p,\ m_2 s_2 \bmod q),\ \ldots,\ (m_l r_l \bmod p,\ m_l s_l \bmod q)) = ((x_1, y_1), (x_2, y_2), \ldots, (x_l, y_l))$

[Decryption] Given a ciphertext $c = ((x_1, y_1), (x_2, y_2), \ldots, (x_l, y_l))$, decrypt $c$ as follows:

• Multiply the components with the corresponding $r_i^{-1}$ and $s_i^{-1}$ in mod $p$ and mod $q$ respectively: $((x_1 r_1^{-1} \bmod p,\ y_1 s_1^{-1} \bmod q),\ (x_2 r_2^{-1} \bmod p,\ y_2 s_2^{-1} \bmod q),\ \ldots,\ (x_l r_l^{-1} \bmod p,\ y_l s_l^{-1} \bmod q))$
• Use CRT to find $m_1, m_2, \ldots, m_l \pmod n$.
• Sum up $m_i$'s to recover $m$.

[Homomorphism] Suppose $E_K(a) = ((x_1, y_1), \ldots, (x_l, y_l))$ and $E_K(b) = ((u_1, v_1), \ldots, (u_l, v_l))$, and $t \in Z_n$ is a constant, we can view the ciphertext $E_K(\cdot)$ as an $l$-tuple of 2-component vectors. Addition and scalar multiplication of the ciphertexts are then just component-wise vector addition and scalar multiplication of the corresponding $l$-tuples, that is,

Addition: $E_K(a + b) = (((x_1 + u_1), (y_1 + v_1)), \ldots, ((x_l + u_l), (y_l + v_l))) \bmod n$
Scalar multiplication: $E_K(ta) = ((tx_1, ty_1), \ldots, (tx_l, ty_l)) \bmod n$

C. Security Analysis of MRS

Just like the original Rivest's scheme, MRS is secure as long as factoring integer composite of large primes is difficult. Unlike the original scheme, there is no notion of $\mathrm{Multi}(\cdot, \cdot)$ in MRS, hence MRS is completely secure to the shortcut of the ciphertext-only attack mentioned earlier.
Test for encrypted zero in MRS also seems to be unlikely.

D. An Example of MRS

Let $p = 7$, $q = 11$, then $n = 77$. For simplicity, let $l = 2$, that is, each plaintext message is split into 2 smaller pieces. Let $r_i = s_i = 5$, $i = 1, 2$. Suppose there are two plaintext numbers in $Z_{77}$: $a = 10$ and $b = 7$. It can easily be seen that $7a + b \equiv 0 \pmod{77}$ and $14a + 2b \equiv 0 \pmod{77}$. The scheme runs as follows.

Encrypting $a$: Decompose $a$ into $a_1 = 4$ and $a_2 = 6$.

$$E(a) = ((4 \times 5 \bmod 7,\ 4 \times 5 \bmod 11),\ (6 \times 5 \bmod 7,\ 6 \times 5 \bmod 11)) = ((6, 9), (2, 8))$$

Encrypting $b$: Decompose $b$ into $b_1 = 3$ and $b_2 = 4$.

$$E(b) = ((3 \times 5 \bmod 7,\ 3 \times 5 \bmod 11),\ (4 \times 5 \bmod 7,\ 4 \times 5 \bmod 11)) = ((8, 4), (6, 9))$$

Computing $E(7a + b)$:

$$E(7a + b) = ((7 \times 6 + 8,\ 7 \times 9 + 4),\ (7 \times 2 + 6,\ 7 \times 8 + 9)) \bmod 77 = ((50, 67), (20, 65))$$

Computing $E(14a + 2b)$:

$$E(14a + 2b) = ((14 \times 6 + 2 \times 8,\ 14 \times 9 + 2 \times 4),\ (14 \times 2 + 2 \times 6,\ 14 \times 8 + 2 \times 9)) \bmod 77 = ((23, 57), (40, 53))$$

For decryption, $r_i^{-1} = 5^{-1} \equiv 3 \pmod 7$ and $s_i^{-1} = 5^{-1} \equiv 9 \pmod{11}$. For use in the CRT, $11^{-1} \equiv 2 \pmod 7$ and $7^{-1} \equiv 8 \pmod{11}$.

Decrypting $E(7a + b)$: Multiplying $r_i^{-1} \pmod p$ and $s_i^{-1} \pmod q$,

$$((50, 67), (20, 65)) \to ((50 \times 3 \bmod 7,\ 67 \times 9 \bmod 11),\ (20 \times 3 \bmod 7,\ 65 \times 9 \bmod 11)) = ((3, 9), (4, 2))$$

Using CRT, the two components of $7a + b$ are: $3 \times 11 \times 2 + 9 \times 7 \times 8 \bmod 77 = 31$, and $4 \times 11 \times 2 + 2 \times 7 \times 8 \bmod 77 = 46$. Hence, $7a + b = 31 + 46 \bmod 77 = 0$.

Decrypting $E(14a + 2b)$: Multiplying $r_i^{-1} \pmod p$ and $s_i^{-1} \pmod q$,

$$((23, 57), (40, 53)) \to ((23 \times 3 \bmod 7,\ 57 \times 9 \bmod 11),\ (40 \times 3 \bmod 7,\ 53 \times 9 \bmod 11)) = ((6, 7), (1, 4))$$

Using CRT, the two components of $14a + 2b$ are: $6 \times 11 \times 2 + 7 \times 7 \times 8 \bmod 77 = 62$, and $1 \times 11 \times 2 + 4 \times 7 \times 8 \bmod 77 = 15$. Hence, $14a + 2b = 62 + 15 \bmod 77 = 0$.

As suggested by this example, we may just need to set $s_i = r_i = c$, $\forall i$ (where $c$ is a randomly picked number) to reduce temporary key storage requirement.

V. DISCUSSIONS

The two homomorphic encryption schemes proposed in this paper have the following nice properties making them suitable for a variety of applications:

1) [Secure to Ciphertext-only Attacks]: Given only the ciphertext $E_K(x)$, it is hard for an adversary to find the encryption key $K$ or the corresponding plaintext $x$. IHC could even be secure to known plaintext attacks if different initialization vectors are used for each plaintext.
2) [Additive]: $E_K(x + y)$ can be found easily from $E_K(x)$ and $E_K(y)$ without needing to know what $x$ or $y$ is.
3) [Scalar Multiplicative]: $E_K(t \cdot x)$ can be found easily from $t$ and $E_K(x)$ without needing to know what $x$ is.
4) [Randomized Zero Encryption]: Suppose $x_1 + y_1 = 0$ and $x_2 + y_2 = 0$ (usually in modular arithmetic, say in $Z_N$), then
   • $\mathrm{Add}(E_K(x_1), E_K(y_1)) = \mathrm{Add}(E_K(x_2), E_K(y_2))$ if and only if $x_1 = x_2$, $y_1 = y_2$.
   • $D_K(\mathrm{Add}(E_K(x_1), E_K(y_1))) = D_K(\mathrm{Add}(E_K(x_2), E_K(y_2))) = 0$.

   That is, $E_K(0)$ has several different possible representations, depending on the processing on the encrypted data that results in it. But all these representations are decrypted back to 0; $D_K(\cdot)$ is a many-to-one mapping.

The second and third properties enable IHC and MRS to cover the majority of applications needing encrypted data processing. The last property precludes any test for encrypted zero which is a basic requirement needed for problems like secure set intersection computation.

VI. CONCLUSIONS

The difficulty in processing encrypted data has long been a barrier to secure data storage in many applications like the ASP. In this paper, we give two encryption schemes which enable data to be processed directly in encrypted form. Besides, these schemes have a nice property that encrypted data can have a number of different representations. These can improve their security and render them suitable for some emerging applications like the secure set intersection computation and other instances of secure two-party computation. Nevertheless, the security analysis provided in this paper is not sufficiently rigorous; rigorous security models and reduction proofs of the two schemes given here will be part of the future work.

ACKNOWLEDGMENT

The author would like to thank the Ministry of Education, Singapore for providing financial support through the LKY Postdoctoral Fellowship and AcRF grant R-252-000-331-112.

REFERENCES

[1] N. Ahituv, Y. Lapid, and S. Neumann. Processing encrypted data. Communications of ACM, 20(9):777–780, September 1987.
[2] E. F. Brickell and Y. Yacobi. On privacy homomorphisms. In Advances in Cryptology — EUROCRYPT 1987, Springer-Verlag LNCS vol. 304, pages 117–125, 1988.
[3] R. Canetti. Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot, Israel, 1995.
[4] J. Domingo-Ferrer. A provably secure additive and multiplicative privacy homomorphism. In ISC'02, Springer-Verlag LNCS vol. 2433, pages 471–483, September 2002.
[5] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT30(4):469–472, July 1985.
[6] M. J. Freedman, K. Nissim, and B. Pinkas. Efficient private matching and set intersection. In Advances in Cryptology — EUROCRYPT 2004, Springer-Verlag LNCS vol. 3027, pages 1–19, May 2004.
[7] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology — EUROCRYPT 1999, Springer-Verlag LNCS vol. 1592, pages 223–238, 1999.
[8] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of ACM, 21(2):120–126, February 1978.
[9] R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, Academic Press, pages 169–179, 1978.
[10] T. Sander and C. Tschudin. On software protection via function hiding. In Proc. of the 2nd Workshop on Information Hiding, April 1998.
[11] T. Sander and C. Tschudin. Towards mobile cryptography. In IEEE Symposium on Security and Privacy, May 1998.
[12] D. R. Stinson. Cryptography: Theory and Practice. CRC Press, Inc., Boca Raton, FL, USA, 1995.
[13] A. C. Yao. Protocols for secure computation. In the Proceedings of IEEE Symposium on Foundations on Computer Science (FOCS'82), pages 160–164, 1982.
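
The MRS procedure of Section IV-B run on the numbers of the Section IV-D example, as an added illustration in Python (not the paper's code; the function names are assumptions). The page prints the first component of E(b) as 8, which is congruent to the reduced value 1 mod 7, so the sketch takes that printed ciphertext as input to reproduce the later values.

```python
"""Modified Rivest Scheme (MRS), after Section IV-B of the page.
Added illustration, not the paper's code; function names are hypothetical."""
import secrets


def mrs_encrypt(m, p, q, r, s, pieces=None):
    """Split m into len(r) pieces with sum m mod n, then blind piece i as
    (m_i * r_i mod p, m_i * s_i mod q). `pieces` pins the split for testing."""
    n = p * q
    if pieces is None:
        pieces = [secrets.randbelow(n) for _ in range(len(r) - 1)]
        pieces.append((m - sum(pieces)) % n)
    if len(pieces) != len(r) or sum(pieces) % n != m % n:
        raise ValueError("need one piece per (r_i, s_i), summing to m mod n")
    return [(mi * ri % p, mi * si % q) for mi, ri, si in zip(pieces, r, s)]


def crt(x, y, p, q):
    """The value in Z_pq that is x mod p and y mod q."""
    return (x * q * pow(q, -1, p) + y * p * pow(p, -1, q)) % (p * q)


def mrs_pieces(c, p, q, r, s):
    """Unblind each component with r_i^-1 mod p and s_i^-1 mod q, then CRT."""
    return [crt(x * pow(ri, -1, p) % p, y * pow(si, -1, q) % q, p, q)
            for (x, y), ri, si in zip(c, r, s)]


def mrs_decrypt(c, p, q, r, s):
    """Sum of the recovered pieces mod n."""
    return sum(mrs_pieces(c, p, q, r, s)) % (p * q)


def ct_add(c1, c2, n):
    """Component-wise sum of two ciphertexts, reduced mod n."""
    return [((x + u) % n, (y + v) % n) for (x, y), (u, v) in zip(c1, c2)]


def ct_scale(t, c, n):
    """Scalar multiple of a ciphertext, reduced mod n."""
    return [(t * x % n, t * y % n) for x, y in c]


# Values from the page's Section IV-D example.
P, Q = 7, 11
N = P * Q
R = S = [5, 5]
# E(b) exactly as printed on the page; its first entry 8 is congruent to the
# reduced value 1 = 3 * 5 mod 7, so it decrypts the same way.
PAGE_EB = [(8, 4), (6, 9)]


def page_example():
    ea = mrs_encrypt(10, P, Q, R, S, pieces=[4, 6])
    z1 = ct_add(ct_scale(7, ea, N), PAGE_EB, N)                    # E(7a + b)
    z2 = ct_add(ct_scale(14, ea, N), ct_scale(2, PAGE_EB, N), N)   # E(14a + 2b)
    return {"E(a)": ea, "z1": z1, "z2": z2,
            "z1_pieces": mrs_pieces(z1, P, Q, R, S),
            "z2_pieces": mrs_pieces(z2, P, Q, R, S),
            "z1_plain": mrs_decrypt(z1, P, Q, R, S),
            "z2_plain": mrs_decrypt(z2, P, Q, R, S)}


def random_split_roundtrip():
    """Random splits give varying ciphertexts that all decrypt correctly."""
    return all(mrs_decrypt(mrs_encrypt(m, P, Q, R, S), P, Q, R, S) == m
               for m in range(N))


if __name__ == "__main__":
    print(page_example(), random_split_roundtrip())
```

The two ciphertexts z1 and z2 differ yet both decrypt to 0, which is the randomized zero encryption property listed in Section V.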