Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

HE is all you need: Compressing FHE Ciphertexts using Additive HE

Rasoul Akhavan Mahdavi, Abdulrahman Diaa, Florian Kerschbaum

TL;DR

This work tackles the main bottleneck of large download costs in client-server homomorphic encryption by introducing a plug-and-play compression technique that leverages additive HE to process the decryption phase on the server. The authors present LWECompress and RLWE-based extensions, along with batched and key-packed variants, to achieve up to 90% single-ciphertext and up to 99% batched compression. They integrate these techniques into ZipPIR, a private information retrieval protocol with preprocessing that minimizes online communication to about 200–500 KB while maintaining competitive runtime, making it suitable for ephemeral clients and high-latency networks. The results demonstrate significant practical impact on privacy-preserving applications by enabling low-bandwidth, scalable cloud-based privacy services, and they outline further optimization avenues such as improved scaling, noise-overlap techniques, and broader parameter exploration.

Abstract

Homomorphic Encryption (HE) is a commonly used tool for building privacy-preserving applications. However, in scenarios with many clients and high-latency networks, communication costs due to large ciphertext sizes are the bottleneck. In this paper, we present a new compression technique that uses an additive homomorphic encryption scheme with small ciphertexts to compress large homomorphic ciphertexts based on Learning with Errors (LWE). Our technique exploits the linear step in the decryption of such ciphertexts to delegate part of the decryption to the server. We achieve compression ratios up to 90% which only requires a small compression key. By compressing multiple ciphertexts simultaneously, we can over 99\% compression rate. Our compression technique can be readily applied to applications which transmit LWE ciphertexts from the server to the client as the response to a query. Furthermore, we apply our technique to private information retrieval (PIR) where a client accesses a database without revealing its query. Using our compression technique, we propose ZipPIR, a PIR protocol which achieves the lowest overall communication cost among all protocols in the literature. ZipPIR does not require any communication with the client in the preprocessing phase, making it a great solution for use cases of PIR with ephemeral clients or high-latency networks.

HE is all you need: Compressing FHE Ciphertexts using Additive HE

TL;DR

This work tackles the main bottleneck of large download costs in client-server homomorphic encryption by introducing a plug-and-play compression technique that leverages additive HE to process the decryption phase on the server. The authors present LWECompress and RLWE-based extensions, along with batched and key-packed variants, to achieve up to 90% single-ciphertext and up to 99% batched compression. They integrate these techniques into ZipPIR, a private information retrieval protocol with preprocessing that minimizes online communication to about 200–500 KB while maintaining competitive runtime, making it suitable for ephemeral clients and high-latency networks. The results demonstrate significant practical impact on privacy-preserving applications by enabling low-bandwidth, scalable cloud-based privacy services, and they outline further optimization avenues such as improved scaling, noise-overlap techniques, and broader parameter exploration.

Abstract

Homomorphic Encryption (HE) is a commonly used tool for building privacy-preserving applications. However, in scenarios with many clients and high-latency networks, communication costs due to large ciphertext sizes are the bottleneck. In this paper, we present a new compression technique that uses an additive homomorphic encryption scheme with small ciphertexts to compress large homomorphic ciphertexts based on Learning with Errors (LWE). Our technique exploits the linear step in the decryption of such ciphertexts to delegate part of the decryption to the server. We achieve compression ratios up to 90% which only requires a small compression key. By compressing multiple ciphertexts simultaneously, we can over 99\% compression rate. Our compression technique can be readily applied to applications which transmit LWE ciphertexts from the server to the client as the response to a query. Furthermore, we apply our technique to private information retrieval (PIR) where a client accesses a database without revealing its query. Using our compression technique, we propose ZipPIR, a PIR protocol which achieves the lowest overall communication cost among all protocols in the literature. ZipPIR does not require any communication with the client in the preprocessing phase, making it a great solution for use cases of PIR with ephemeral clients or high-latency networks.
Paper Structure (51 sections, 11 theorems, 39 equations, 3 figures, 4 tables, 7 algorithms)

This paper contains 51 sections, 11 theorems, 39 equations, 3 figures, 4 tables, 7 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Homomorphic Encryption
  4. LWE & RLWE ciphertexts
  5. Private Information Retrieval
  6. Additive HE for Smaller FHE Responses
  7. Compressing LWE Ciphertexts
  8. Using Smaller Compression Keys
  9. Batched Compression
  10. Faster Batched Compression with Expanded Key
  11. Rescaling for Compression
  12. Better compression with a smaller scale
  13. Compressing RLWE Coefficients
  14. Related Work
  15. Identity Scheme Switching
  16. ...and 36 more sections

Key Result

Theorem 1

For an LWE ciphertext $\pckeystyle{ct}\in\ZZ_q^{n+1}$, if $m>q+nq^2$, then $\textsc{LWECompress}_q$ produces a compressed ciphertext which decrypts to the correct message if decrypted using ModifiedLWEDecrypt. More formally, if then $\mu" = \textsc{LWEDecrypt}(\sk, \pckeystyle{ct})$

Figures (3)

  • Figure 1: Compressed size and compression time required for compressing LWE ciphertexts with $(n,q)=(630, 2^{64})$ using batched compression. The red line denotes the baseline size of uncompressed LWE ciphertexts.
  • Figure 2: Communication cost and Server Online Runtime as a function of the database size. Each point in the upper graph as a corresponding point in the lower graph. We also plot the minimum communication required for other protocols in the literature. The yellow, orange, and red points correspond to $n=(630,17),(840,22),(1023, 27)$, respectively.
  • Figure 3: Communication cost vs. server online runtime for several database sizes. The red, orange, and yellow points correspond to ZipPIR with different parameters, as described \ref{['fig:eval-pir-comm-comp']}.

Theorems & Definitions (18)

  • Definition 1: Correctness
  • Definition 2: Security
  • Theorem 1: Correctness
  • proof
  • Corollary 1
  • Proposition 1: Security
  • Theorem 2: Correctness
  • proof
  • Corollary 2
  • Theorem 3: Correctness
  • ...and 8 more