Guiming Shi,Yi Li,Xueqiang Wang,Zhanhong Tan,Dapeng Cao,Jingwei Cai,Yuchen Wei,Zehua Li,Wuke Zhang,Yifu Wu,Wei Xu,Kaisheng Ma

DOI: https://doi.org/10.1109/HCS59251.2023.10254692

2023-01-01

Abstract:• Cloud computing has evolved into the key infrastructure of emerging applications, storing massive amounts of data. Yet, how to safely handle this sensitive data in a shared cloud is a major concern. Paillier homomorphic encryption is an important privacy protection approach that permits arithmetic operations on ciphertext without first decrypting it, offering a viable solution to the privacy dilemma. • The Paillier approach has a significant computational overhead compared to plaintext computation because computing in the ciphertext domain requires expensive large integer modular operations that are inefficient for CPUs. As a result, it is preferable to create domain-specific processors for Paillier. Paillier computing patterns are divided into two types, both of which are extensively employed in Paillier applications: independent vector operations and multiply-and-accumulate (MAC) operations. The former is primarily employed in applications such as private information retrieval and on the client side for privacy-preserving AI. In contrast, the latter is required for cloud-side AI inference, particularly computing convolution in neural networks. • We introduce PHEP: Paillier Homomorphic Encryption Processors for cloud-based privacy-preserving applications. PHEP is built on two Paillier acceleration chips: Paillier engine-1 and Paillier engine-2, both produced on the same wafer. Paillier engine-1 focuses on vector operations and attempts to increase computation as much as feasible. It contains 80 processing elements (PE) and can provide 480 TOPS (INT8) for a 16-chip Full-Height-Full-Length (FHFL) PCle card. Paillier engine-2 is designed for MAC operations and has 16 high-performance bit-serial sparse PEs. It only has 192 TOPS (INT8) for an 8-chip FHFL PCle board. However, it is specialized for matrix operations like convolutions. Both engine chips have the same hardware interface, allowing them to use the same PCB board, FPGA scheduler, and software framework design. The PHEP accelerator card also contains a host FPGA. The host FPGA schedules both data transfers and computation among these engine chips. To manage these engines, we use a complex software stack. The software stack includes an offline compiler and an online task scheduler for automatically balancing compute workload across multiple cards on the same server and even across multiple servers. The findings of the end-to-end evaluation reveal that PHEP can perform Paillier-based machine learning workloads 1–2 orders of magnitude faster than state-of-the-art CPUs (Intel Xeon Platinum 8260M with 192 cores), making these privacy-preserving applications practical.

Wenhao Wang,Yichen Jiang,Qintao Shen,Weihao Huang,Hao Chen,Shuang Wang,XiaoFeng Wang,Haixu Tang,Kai Chen,Kristin Lauter,Dongdai Lin

DOI: https://doi.org/10.48550/arXiv.1905.07766

2019-05-20

Abstract:It has been a long standing problem to securely outsource computation tasks to an untrusted party with integrity and confidentiality guarantees. While fully homomorphic encryption (FHE) is a promising technique that allows computations performed on the encrypted data, it suffers from a significant slow down to the computation. In this paper we propose a hybrid solution that uses the latest hardware Trusted Execution Environments (TEEs) to assist FHE by moving the bootstrapping step, which is one of the major obstacles in designing practical FHE schemes, to a secured SGX enclave. TEEFHE, the hybrid system we designed, makes it possible for homomorphic computations to be performed on smaller ciphertext and secret key, providing better performance and lower memory consumption. We make an effort to mitigate side channel leakages within SGX by making the memory access patterns totally independent from the secret information. The evaluation shows that TEEFHE effectively improves the software only FHE schemes in terms of both time and space.

Cryptography and Security

Guiming Shi,Zhanhong Tan,Dapeng Cao,Jingwei Cai,Wuke Zhang,Yifu Wu,Kaisheng Ma

DOI: https://doi.org/10.1109/isscc42615.2023.10067522

2023-01-01

Abstract:Cloud computing currently lies at the heart of tremendous emerging information applications, providing various reliable and high-performance services based on vast amounts of individual and organizational data. Paillier homomorphic encryption (PHE) [6] is one of the critical privacy computing techniques that enables the ciphertext to enjoy equivalent utility as the plaintext. In the PHE scheme shown on the upper left of Fig. 15.4.1, the client encrypts its plaintext into ciphertext and then sends it to the server, which performs the homomorphic evaluation and returns the encrypted results to the client. However, this process avoids the delivery of plaintext at the cost of several computing burdens, and we list three dominant challenges in the rest of Fig. 15.4.1. First, the ciphertext domain calculation needs expensive large integer modular arithmetic operations (e.g., modular multiplication (ModMul), modular inversion (Modlnv), and modular exponentiation (ModExp)) with several orders of magnitude higher energy and latency. Second, the client performs encryption and decryption featuring independent vector operations, while the server is expected to perform evaluations with multiply-and-accumulation (MAC) operations. Third, the diversity of tasks requires computing scalability to meet the latency and throughput demands in the cloud.

Guiming Shi,Zhanhong Tan,Dapeng Cao,Jingwei Cai,Wuke Zhang,Yifu Wu,Kaisheng Ma

DOI: https://doi.org/10.1109/ISSCC42615.2023.10067522

2023-01-01

Abstract:Cloud computing currently lies at the heart of tremendous emerging information applications, providing various reliable and high-performance services based on vast amounts of individual and organizational data. Paillier homomorphic encryption (PHE) [6] is one of the critical privacy computing techniques that enables the ciphertext to enjoy equivalent utility as the plaintext. In the PHE scheme shown on the upper left of Fig. 15.4.1, the client encrypts its plaintext into ciphertext and then sends it to the server, which performs the homomorphic evaluation and returns the encrypted results to the client. However, this process avoids the delivery of plaintext at the cost of several computing burdens, and we list three dominant challenges in the rest of Fig. 15.4.1. First, the ciphertext domain calculation needs expensive large integer modular arithmetic operations (e.g., modular multiplication (ModMul), modular inversion (Modlnv), and modular exponentiation (ModExp)) with several orders of magnitude higher energy and latency. Second, the client performs encryption and decryption featuring independent vector operations, while the server is expected to perform evaluations with multiply-and-accumulation (MAC) operations. Third, the diversity of tasks requires computing scalability to meet the latency and throughput demands in the cloud.

Wei Liu,Lan Ai Wan,Hua Xiao Hao,Mu Han,Long Xiao Zhu,Kai Xu

DOI: https://doi.org/10.1145/3584714.3584720

2022-12-16

Abstract:To address the problems that homomorphic encryption cannot achieve secret sharing and existing Paillier cryptosystems cannot resist quantum attacks and are not suitable for scenarios where encrypted data is only uploaded by the data owner, this paper designs an NTRU (number theory research unit) based symmetric additive homomorphic encryption-proxy rekey (PAHE-PRK) scheme using the ideas of proxy rekeying and symmetric encryption based on the approximate convention number problem and the ring fault-tolerant learning problem. research unit) Proxy ReKey-based Symmetric Additive Homomorphic Encryption scheme (Partially Additive Homomorphic Encryption-Proxy ReKey, PAHE-PRK). The proxy can not only perform homomorphic computation on the original ciphertext, but also re-encrypt the homomorphic key so that the trusted user can obtain the homomorphic key to decrypt the ciphertext, thus achieving secret sharing and privacy protection. Finally, the performance and security of the proposed scheme are discussed in comparison with the traditional Paillier cryptosystem and the proxy re-encryption scheme based on the fault-tolerant learning problem, showing that the proposed scheme is faster in encryption and decryption, has less computation and storage overhead, and is resistant to the indistinguishability under chosen plaintext attack (IND-CPA).

Mathematics,Computer Science

Abbas Acar,Hidayet Aksu,A. Selcuk Uluagac,Mauro Conti

DOI: https://doi.org/10.48550/arXiv.1704.03578

2017-04-12

Cryptography and Security

Abstract:Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.

Gang Du,Chunguang Ma,Zengpeng Li,Ding Wang

DOI: https://doi.org/10.1007/978-3-319-68542-7_21

2017-01-01

Abstract:Despite the convenience brought by cloud computing, internet users, meanwhile, are faced with risks of data theft, tampering, forgery, etc. Fully homomorphic encryption (FHE) has the ability to deal with the ciphertext directly, which can solve the problem of data security in cloud computing. Therefore, fully homomorphic encryption (FHE) has been widely used in cloud computing as well as multiparty computing, functional encryption and private information retrieval, etc. However, previous FHE schemes are based on standard (ring) learning with errors (LWE) assumption and the most typical schemes were created by Brakerski (CRYPTO2012) and Gentry-Sahai-Waters (GSW) (CRYPTO2013). Moreover, inspired by the work of Li et al. at ICPADS2016, they made use of Brakerski's scale-invariant technology and constructed a new FHE scheme with errorless key switching under Dual-First-is-errorless LWE (Dual-Ferr. LWE) problem. Hence, armed with Li et al.'s work, in this paper, we use Gentry-Peikert-Vaikuntanathan's scheme (i.e., under dual LWE assumption) as building block to construct a FHE scheme. Lastly, under the assumption of decisional learning with errors (LWE), we prove that our scheme is CPA (chosen-plaintext-attack) secure.

Wei Wang,Yin Hu,Lianmu Chen,Xinming Huang,Berk Sunar

DOI: https://doi.org/10.1109/tc.2013.154

IF: 3.183

2015-03-01

IEEE Transactions on Computers

Abstract:In 2010, Gentry and Halevi presented the first FHE implementation. FHE allows the evaluation of arbitrary functions directly on encrypted data on untrusted servers. However, even for the small setting with 2048 dimensions, the authors reported a performance of 1.8 s for a single bit encryption and 32 s for recryption on a high-end server. Much of the latency is due to computationally intensive multi-million-bit modular multiplications. In this paper, we introduce two optimizations coupled with a novel precomputation technique. In the first optimization called partial FFT, we adopt Strassen’s FFT-based multiplication algorithm along with Barret reduction to speedup modular multiplications. For the encrypt primitive, we employ a window-based evaluation technique along with a modest degree of precomputation. In the full FFT optimization, we delay modular reductions and change the window algorithm, which allows us to carry out the bulk of computations in the frequency domain. We manage to eliminate all FFT conversion except the final inverse transformation drastically reducing the computation latency for all FHE primitives. We implemented the GH FHE scheme on two GPUs to further speedup the operations. Our experimental results with small parameter setting show speedups of 174, 7.6, and 13.5 times for encryption, decryption, and recryption, respectively, when compared to the Gentry–Halevi implementation. The speedup is enhanced in the medium setting. However, in the large setting, memory becomes the bottleneck and the speedup is somewhat diminished.

engineering, electrical & electronic,computer science, hardware & architecture

WANG Ziwang,Yi ZHUANG,Ziwang WANG

DOI: https://doi.org/10.1587/transcom.2019ebp3098

2020-03-01

IEICE Transactions on Communications

Abstract:Currently, mobile terminals face serious security threats. A Trusted Execution Environment (TEE) which can provide an isolated execution environment for sensitive workloads, is seen as a trusted relay for providing security services for any mobile application. However, mobile TEE's architecture design and implementation strategy are not unbreakable at present. The existing researches lack of detect mechanisms for attack behaviour and malicious software. This paper proposes a Malicious code Detection scheme for Trusted Execution Environment based on Homomorphic Encryption (HE-TEEMD), which is a novel detection mechanism for data and code in the trusted execution environment. HE-TEEMD uses the Paillier additive homomorphic algorithm to implement the signature matching and transmits the ciphertext information generated in the TEE to the normal world for detection by the homomorphism and randomness of the homomorphic encryption ciphertext. An experiment and security analysis proves that our scheme can achieve malicious code detection in the secure world with minimal cost. Furthermore, evaluation parameters are introduced to address the known plaintext attack problem of privileged users.

telecommunications,engineering, electrical & electronic

Shengyu Fan,Xianglong Deng,Zhuoyu Tian,Zhicheng Hu,Liang Chang,Rui Hou,Dan Meng,Mingzhe Zhang

2024-03-15

Abstract:Fully Homomorphic Encryption (FHE), a novel cryptographic theory enabling computation directly on ciphertext data, offers significant security benefits but is hampered by substantial performance overhead. In recent years, a series of accelerator designs have significantly enhanced the performance of FHE applications, bringing them closer to real-world applicability. However, these accelerators face challenges related to large on-chip memory and area. Additionally, FHE algorithms undergo rapid development, rendering the previous accelerator designs less perfectly adapted to the evolving landscape of optimized FHE applications. In this paper, we conducted a detailed analysis of existing applications with the new FHE method, making two key observations: 1) the bottleneck of FHE applications shifts from NTT to the inner-product operation, and 2) the optimal {\alpha} of KeySwitch changes with the decrease in multiplicative level. Based on these observations, we designed an accelerator named Taiyi, which includes specific hardware for the inner-product operation and optimizes the NTT and BConv operations through algorithmic derivation. A comparative evaluation of Taiyi against previous state-of-the-art designs reveals an average performance improvement of 1.5x and reduces the area overhead by 15.7%.

Cryptography and Security,Hardware Architecture

Chao Wang,Shubing Yang,Xiaoyan Sun,Jun Dai,Dongfang Zhao

2024-09-05

Abstract:Fully Homomorphic Encryption (FHE) enables computations on encrypted data, preserving confidentiality without the need for decryption. However, FHE is often hindered by significant performance overhead, particularly for high-precision and complex data like images. Due to serious efficiency issues, traditional FHE methods often encrypt images by monolithic data blocks (such as pixel rows), instead of pixels. However, this strategy compromises the advantages of homomorphic operations and disables pixel-level image processing. In this study, we address these challenges by proposing and implementing a pixel-level homomorphic encryption approach, iCHEETAH, based on the CKKS scheme. To enhance computational efficiency, we introduce three novel caching mechanisms to pre-encrypt radix values or frequently occurring pixel values, substantially reducing redundant encryption operations. Extensive experiments demonstrate that our approach achieves up to a 19-fold improvement in encryption speed compared to the original CKKS, while maintaining high image quality. Additionally, real-world image applications such as mean filtering, brightness enhancement, image matching and watermarking are tested based on FHE, showcasing up to a 91.53% speed improvement. We also proved that our method is IND-CPA (Indistinguishability under Chosen Plaintext Attack) secure, providing strong encryption security. These results underscore the practicality and efficiency of iCHEETAH, marking a significant advancement in privacy-preserving image processing at scale.

Cryptography and Security

Weibin Wu,Jun Wang,Yangpan Zhang,Zhe Liu,Lu Zhou,Xiaodong Lin

DOI: https://doi.org/10.1109/tifs.2023.3290483

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The technique of packing multiple values into one message without losing homomorphic computation properties is the main workhorse that drives many exciting advances in applying lattice-based homomorphic encryption schemes to privacy-preserving Machine-Learning-as-a-Service (MLaaS). However, this technique does not directly work for the classic Paillier homomorphic encryption scheme, limiting the use of the Paillier scheme in the privacy-preserving MLaaS. To enrich the applications of Paillier in privacy-preserving MLaaS, we present a set of new methods for efficient linear computations over packed values under the Paillier scheme, such as vector multiplication, matrix multiplication, and convolutional calculation between ciphertexts and plaintexts. Different from the packing methods of lattice-based schemes, the Paillier packing method naturally allows higher packing capability for values in lower bit-length. This property can significantly benefit privacy-preserving MLaaS, as the values of user inputs and parameters of machine learning models are often quantized into low bits (e.g., 1–8 bits). We conduct comparisons based on different linear computation tasks, the proposed methods under the Paillier scheme clearly outperform the state-of-the-art in terms of communication and computational efficiency, especially in realistic scenarios. For example, compared to one of the recent arts CrypTFlow2 (Rathee et al., 2020), the communication cost of our solution can be $21.7\times $ smaller at best. Thanks to the reduction of communication cost, the runtime can be $2.46\times $ faster than CrypTFlow2 at the median-country-speed of current global mobile broadband.

computer science, theory & methods,engineering, electrical & electronic

Sajjad Akherati,Yok Jye Tang,Xinmiao Zhang

2024-10-17

Abstract:Homomorphic encryption (HE) allows computations to be directly carried out on ciphertexts and is essential to privacy-preserving computing, such as neural network inference, medical diagnosis, and financial data analysis. Only addition and 2-input multiplication are defined over ciphertexts in popular HE schemes. However, many HE applications involve non-linear functions and they need to be approximated using high-order polynomials to maintain precision. To reduce the complexity of these computations, this paper proposes 3-input ciphertext multiplication. One extra evaluation key is introduced to carry out the relinearization step of ciphertext multiplication, and new formulas are proposed to combine computations and share intermediate results. Compared to using two consecutive 2- input multiplications, computing the product of three ciphertexts utilizing the proposed scheme leads to almost a half of the latency, 29% smaller silicon area, and lower noise without scarifying the throughput.

Cryptography and Security,Hardware Architecture

Vasily Sidorov,Ethan Yi Fan Wei,Wee Keong Ng

DOI: https://doi.org/10.48550/arXiv.2202.02960

2022-02-07

Cryptography and Security

Abstract:Oblivious data processing has been an on and off topic for the last decade or so. It provides great opportunities for secure data management and processing, especially in the cloud. At the same time, modern computing resources seem to be affordable enough to allow for practical use of homomorphic cryptography. Yet, the availability of products that offer practical homomorphic data processing is extremely scarce. As part of a project aimed at developing a practical homomorphic data management platform, we have conducted an extensive study of homomorphic cryptosystems' performance, the results of which are presented in this work. For this work we chose the following five cryptosystems: fully homomorphic HElib and SEAL, somewhat fully homomorphic PyAono, and partially homomorphic Paillier and ElGamal. In the discussion of the aggregated results, we suggest that partially homomorphic cryptosystems could be used today in certain practical applications, whereas time has not yet come for the fully homomorphic ones.

Junxue Zhang,Xiaodian Cheng,Liu Yang,Jinbin Hu,Ximeng Liu,Kai Chen

2024-01-31

Abstract:Fully Homomorphic Encryption~(FHE) is a key technology enabling privacy-preserving computing. However, the fundamental challenge of FHE is its inefficiency, due primarily to the underlying polynomial computations with high computation complexity and extremely time-consuming ciphertext maintenance operations. To tackle this challenge, various FHE accelerators have recently been proposed by both research and industrial communities. This paper takes the first initiative to conduct a systematic study on the 14 FHE accelerators -- cuHE/cuFHE, nuFHE, HEAT, HEAX, HEXL, HEXL-FPGA, 100$\times$, F1, CraterLake, BTS, ARK, Poseidon, FAB and TensorFHE. We first make our observations on the evolution trajectory of these existing FHE accelerators to establish a qualitative connection between them. Then, we perform testbed evaluations of representative open-source FHE accelerators to provide a quantitative comparison on them. Finally, with the insights learned from both qualitative and quantitative studies, we discuss potential directions to inform the future design and implementation for FHE accelerators.

Cryptography and Security,Hardware Architecture

Weiquan Deng,Bowen Zhao,Yang Xiao,Yantao Zhong,Qingqi Pei,Ximeng Liu

2024-10-09

Abstract:Homomorphic secret sharing (HSS) enables two servers to locally perform functions on encrypted data directly and obtain the results in the form of shares. A Paillier-based HSS solution seamlessly achieves multiplicative homomorphism and consumes less communication costs. Unfortunately, existing Paillier-based HSS schemes suffer from a large private key size, potential calculation error, expensive computation and storage overhead, and only valid on linear operations (e.g., addition and multiplication). To this end, inspired by the Paillier cryptosystem with fast encryption and decryption, we propose MORSE, an efficient homomorphic secret sharing scheme enabling non-linear operation, which enjoys a small key size, no calculation error and low overhead. In terms of functions, MORSE supports addition, subtraction, multiplication, scalar-multiplication, and comparison. Particularly, we carefully design two conversion protocols achieving the mutual conversion between one Paillier ciphertext and two secret shares, which allows MORSE to continuously perform the above operations. Rigorous analyses demonstrate that MORSE securely outputs correct results. Experimental results show that MORSE makes a runtime improvement of up to 9.3 times in terms of secure multiplication, and a communication costs reduction of up to 16.6% in secure comparison, compared to the state-of-the-art.

Cryptography and Security

M. Sadegh Riazi,Kim Laine,Blake Pelton,Wei Dai

DOI: https://doi.org/10.48550/arXiv.1909.09731

2020-01-24

Abstract:With the rapid increase in cloud computing, concerns surrounding data privacy, security, and confidentiality also have been increased significantly. Not only cloud providers are susceptible to internal and external hacks, but also in some scenarios, data owners cannot outsource the computation due to privacy laws such as GDPR, HIPAA, or CCPA. Fully Homomorphic Encryption (FHE) is a groundbreaking invention in cryptography that, unlike traditional cryptosystems, enables computation on encrypted data without ever decrypting it. However, the most critical obstacle in deploying FHE at large-scale is the enormous computation overhead. In this paper, we present HEAX, a novel hardware architecture for FHE that achieves unprecedented performance improvement. HEAX leverages multiple levels of parallelism, ranging from ciphertext-level to fine-grained modular arithmetic level. Our first contribution is a new highly-parallelizable architecture for number-theoretic transform (NTT) which can be of independent interest as NTT is frequently used in many lattice-based cryptography systems. Building on top of NTT engine, we design a novel architecture for computation on homomorphically encrypted data. We also introduce several techniques to enable an end-to-end, fully pipelined design as well as reducing on-chip memory consumption. Our implementation on reconfigurable hardware demonstrates 164-268x performance improvement for a wide range of FHE parameters.

Cryptography and Security,Artificial Intelligence,Hardware Architecture,Performance

Ziyuan Liang,Qi'ao Jin,Zhiyong Wang,Zhaohui Chen,Zhen Gu,Yanheng Lu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2024.i2.819-843

2024-01-01

Abstract:Secure multi-party computation and homomorphic encryption are two primary security primitives in privacy-preserving machine learning, whose wide adoption is, nevertheless, constrained by the computation and network communication overheads. This paper proposes a hybrid Secret-sharing and Homomorphic encryption Architecture for Privacy-pERsevering machine learning (SHAPER). SHAPER protects sensitive data in encrypted or randomly shared domains instead of relying on a trusted third party. The proposed algorithm-protocol-hardware co-design methodology explores techniques such as plaintext Single Instruction Multiple Data (SIMD) and fine-grained scheduling, to minimize end-to-end latency in various network settings. SHAPER also supports secure domain computing acceleration and the conversion between mainstream privacy-preserving primitives, making it ready for general and distinctive data characteristics. SHAPER is evaluated by FPGA prototyping with a comprehensive hyper-parameter exploration, demonstrating a 94x speed-up over CPU clusters on large-scale logistic regression training tasks.

Lei Jiang,Lei Ju

DOI: https://doi.org/10.48550/arXiv.2203.00728

2022-03-02

Abstract:Fully Homomorphic Encryption (FHE) emerges one of the most promising solutions to privacy-preserving computing in an untrusted cloud. FHE can be implemented by various schemes, each of which has distinctive advantages, i.e., some are good at arithmetic operations, while others are efficient when implementing Boolean logic operations. Therefore, it is difficult for even cryptography experts let alone average users to choose the "right" FHE scheme to efficiently implement a specific application. Prior work only qualitatively compares few FHE schemes. In this paper, we present an empirical study, FHEBench, to quantitatively compare major FHE schemes

Cryptography and Security