Is the decompression of compressed and encrypted data without decryption also theoretically impossible?Getting the encryption method and key from the encrypted data and the raw dataDecrypting DES with decrypted and encrypted dataEncrypting and obscuring data between site/user without SSLEncrypt HDD with keyfile and password and allow backing up the keyfile with secret sharingSend an encrypted question and return answer without decryptionAre all encryption tools made equal?Performing simple arithmetic operations on compressed, and both compressed and encrypted dataDecryption that is easy for humans and hard/impossible for computersAre the following asymmetric encryption schemes equivalent?Best practices for saving encrypted user data without a database
How to make thick Asian sauces?
Rotated Position of Integers
Does any lore text explain why the planes of Acheron, Gehenna, and Carceri are the alignment they are?
How do I get a cleat that's stuck in a pedal, detached from the shoe, out?
Opposite of "Squeaky wheel gets the grease"
Is it OK to bring delicacies from hometown as tokens of gratitude for an out-of-town interview?
Why is Colorado so different politically from nearby states?
Filling region bounded by multiple paths
Unorthodox way of solving Einstein field equations
How should I push back against my job assigning "homework"?
How can I make 20-200 ohm variable resistor look like a 20-240 ohm resistor?
Can The Malloreon be read without first reading The Belgariad?
You've spoiled/damaged the card
If a problem only occurs randomly once in every N times on average, how many tests do I have to perform to be certain that it's now fixed?
Is the capacitor drawn or wired wrongly?
Creating Fictional Slavic Place Names
Have powerful mythological heroes ever run away or been deeply afraid?
Is there any Biblical Basis for 400 years of silence between Old and New Testament?
Did Darth Vader wear the same suit for 20+ years?
Will dual-learning in a glider make my airplane learning safer?
Did thousands of women die every year due to illegal abortions before Roe v. Wade?
How can I grammatically understand "Wir über uns"?
Is having a hidden directory under /etc safe?
Will TSA allow me to carry a CPAP?
Is the decompression of compressed and encrypted data without decryption also theoretically impossible?
Getting the encryption method and key from the encrypted data and the raw dataDecrypting DES with decrypted and encrypted dataEncrypting and obscuring data between site/user without SSLEncrypt HDD with keyfile and password and allow backing up the keyfile with secret sharingSend an encrypted question and return answer without decryptionAre all encryption tools made equal?Performing simple arithmetic operations on compressed, and both compressed and encrypted dataDecryption that is easy for humans and hard/impossible for computersAre the following asymmetric encryption schemes equivalent?Best practices for saving encrypted user data without a database
$begingroup$
We have two communication points in an information system, call them A(lice) and B(ackup).
B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.
B should have no option to decrypt the data of A2.
However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.
Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.
My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?
Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?
1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).
2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.
encryption compression
asked 8 hours ago
peterhpeterh
192111
$endgroup$
add a comment |
$begingroup$
We have two communication points in an information system, call them A(lice) and B(ackup).
B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.
B should have no option to decrypt the data of A2.
However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.
Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.
My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?
Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?
1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).
2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.
encryption compression
asked 8 hours ago
peterhpeterh
192111
$endgroup$
2
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago
add a comment |
$begingroup$
We have two communication points in an information system, call them A(lice) and B(ackup).
B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.
B should have no option to decrypt the data of A2.
However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.
Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.
My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?
Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?
1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).
2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.
encryption compression
asked 8 hours ago
peterhpeterh
192111
$endgroup$
We have two communication points in an information system, call them A(lice) and B(ackup).
B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.
B should have no option to decrypt the data of A2.
However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.
Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.
My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?
Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?
1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).
2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.
encryption compression
encryption compression
asked 8 hours ago
peterhpeterh
192111
asked 8 hours ago
peterhpeterh
192111
asked 8 hours ago
peterhpeterh
192111
asked 8 hours ago
peterhpeterh
192111
asked 8 hours ago
peterhpeterh
192111
192111
2
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago
add a comment |
2
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago
2
2
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.
In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.
What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.
Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!
answered 5 hours ago
fgrieufgrieu
82.6k7180357
$endgroup$
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
add a comment |
$begingroup$
I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.
For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.
The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.
I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.
It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.
answered 3 hours ago
PolytroposPolytropos
213
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70934%2fis-the-decompression-of-compressed-and-encrypted-data-without-decryption-also-th%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.
In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.
What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.
Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!
answered 5 hours ago
fgrieufgrieu
82.6k7180357
$endgroup$
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
add a comment |
$begingroup$
The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.
In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.
What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.
Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!
answered 5 hours ago
fgrieufgrieu
82.6k7180357
$endgroup$
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
add a comment |
$begingroup$
The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.
In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.
What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.
Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!
answered 5 hours ago
fgrieufgrieu
82.6k7180357
$endgroup$
The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.
In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.
What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.
Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!
answered 5 hours ago
fgrieufgrieu
82.6k7180357
answered 5 hours ago
fgrieufgrieu
82.6k7180357
answered 5 hours ago
fgrieufgrieu
82.6k7180357
answered 5 hours ago
fgrieufgrieu
82.6k7180357
82.6k7180357
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
add a comment |
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
$endgroup$
– peterh
4 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
$begingroup$
@peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
$endgroup$
– poncho
3 hours ago
add a comment |
$begingroup$
I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.
For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.
The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.
I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.
It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.
answered 3 hours ago
PolytroposPolytropos
213
$endgroup$
add a comment |
$begingroup$
I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.
For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.
The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.
I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.
It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.
answered 3 hours ago
PolytroposPolytropos
213
$endgroup$
add a comment |
$begingroup$
I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.
For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.
The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.
I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.
It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.
answered 3 hours ago
PolytroposPolytropos
213
$endgroup$
I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.
For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.
The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.
I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.
It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.
answered 3 hours ago
PolytroposPolytropos
213
answered 3 hours ago
PolytroposPolytropos
213
answered 3 hours ago
PolytroposPolytropos
213
answered 3 hours ago
PolytroposPolytropos
213
213
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70934%2fis-the-decompression-of-compressed-and-encrypted-data-without-decryption-also-th%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago
$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago