Is the decompression of compressed and encrypted data without decryption also theoretically impossible?Getting the encryption method and key from the encrypted data and the raw dataDecrypting DES with decrypted and encrypted dataEncrypting and obscuring data between site/user without SSLEncrypt HDD with keyfile and password and allow backing up the keyfile with secret sharingSend an encrypted question and return answer without decryptionAre all encryption tools made equal?Performing simple arithmetic operations on compressed, and both compressed and encrypted dataDecryption that is easy for humans and hard/impossible for computersAre the following asymmetric encryption schemes equivalent?Best practices for saving encrypted user data without a database

How to make thick Asian sauces?

Rotated Position of Integers

Does any lore text explain why the planes of Acheron, Gehenna, and Carceri are the alignment they are?

How do I get a cleat that's stuck in a pedal, detached from the shoe, out?

Opposite of "Squeaky wheel gets the grease"

Is it OK to bring delicacies from hometown as tokens of gratitude for an out-of-town interview?

Why is Colorado so different politically from nearby states?

Filling region bounded by multiple paths

Unorthodox way of solving Einstein field equations

How should I push back against my job assigning "homework"?

How can I make 20-200 ohm variable resistor look like a 20-240 ohm resistor?

Can The Malloreon be read without first reading The Belgariad?

You've spoiled/damaged the card

If a problem only occurs randomly once in every N times on average, how many tests do I have to perform to be certain that it's now fixed?

Is the capacitor drawn or wired wrongly?

Creating Fictional Slavic Place Names

Have powerful mythological heroes ever run away or been deeply afraid?

Is there any Biblical Basis for 400 years of silence between Old and New Testament?

Did Darth Vader wear the same suit for 20+ years?

Will dual-learning in a glider make my airplane learning safer?

Did thousands of women die every year due to illegal abortions before Roe v. Wade?

How can I grammatically understand "Wir über uns"?

Is having a hidden directory under /etc safe?

Will TSA allow me to carry a CPAP?



Is the decompression of compressed and encrypted data without decryption also theoretically impossible?


Getting the encryption method and key from the encrypted data and the raw dataDecrypting DES with decrypted and encrypted dataEncrypting and obscuring data between site/user without SSLEncrypt HDD with keyfile and password and allow backing up the keyfile with secret sharingSend an encrypted question and return answer without decryptionAre all encryption tools made equal?Performing simple arithmetic operations on compressed, and both compressed and encrypted dataDecryption that is easy for humans and hard/impossible for computersAre the following asymmetric encryption schemes equivalent?Best practices for saving encrypted user data without a database













2












$begingroup$


We have two communication points in an information system, call them A(lice) and B(ackup).



B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.



B should have no option to decrypt the data of A2.



However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.



Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.



My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?



Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?



1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).



2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.










share|improve this question









$endgroup$







  • 2




    $begingroup$
    Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
    $endgroup$
    – poncho
    8 hours ago










  • $begingroup$
    @poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
    $endgroup$
    – peterh
    8 hours ago
















2












$begingroup$


We have two communication points in an information system, call them A(lice) and B(ackup).



B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.



B should have no option to decrypt the data of A2.



However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.



Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.



My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?



Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?



1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).



2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.










share|improve this question









$endgroup$







  • 2




    $begingroup$
    Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
    $endgroup$
    – poncho
    8 hours ago










  • $begingroup$
    @poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
    $endgroup$
    – peterh
    8 hours ago














2












2








2





$begingroup$


We have two communication points in an information system, call them A(lice) and B(ackup).



B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.



B should have no option to decrypt the data of A2.



However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.



Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.



My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?



Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?



1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).



2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.










share|improve this question









$endgroup$




We have two communication points in an information system, call them A(lice) and B(ackup).



B has to store encrypted data received from A. The storage of B is encrypted, but not compressed1.



B should have no option to decrypt the data of A2.



However, the data channel between A and B are too narrow, compared to the data volume, making the compression of the communication a requirement. However, encryption maximizes the entropy of the content, making it incompressible.



Another option would be to compress the data, and then encrypt it, but then B should be able to decrypt the data to decompress it.



My first idea was that these requirements are contradicting, as it seems with the practical tools known to me. But I am not sure, how does it look from a theoretical view?



Is an encryption possible, what does not worsens the compressibility of the data in it, despite that it is "enough" secure?



1The reason is here data safety and the support of incremental backups, if it matters (I think, it doesn't).



2It has obvious security reason - a backup storage having all data of a complex network becomes a security bottleneck.







encryption compression






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 8 hours ago









peterhpeterh

192111




192111







  • 2




    $begingroup$
    Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
    $endgroup$
    – poncho
    8 hours ago










  • $begingroup$
    @poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
    $endgroup$
    – peterh
    8 hours ago













  • 2




    $begingroup$
    Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
    $endgroup$
    – poncho
    8 hours ago










  • $begingroup$
    @poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
    $endgroup$
    – peterh
    8 hours ago








2




2




$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago




$begingroup$
Why is there a requirement that B store encrypted uncompressed data? If B doesn't have the key, why does he care which it is? If A sends encrypted compressed data, why would B need to decompress it?
$endgroup$
– poncho
8 hours ago












$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago





$begingroup$
@poncho As I wrote in (2), it has a practical reason: B is actually a central system in the backend infrastructure, having all the backup snapshots of many client machines. That makes B a very risky thing, I would sleep much better if it would only store the data, but it would not be able to access it. As I wrote in (1), the need for decompression has two reasons: 1) possibility to create incremental backups, and 2) better recoverability options in the case of a data loss.
$endgroup$
– peterh
8 hours ago











2 Answers
2






active

oldest

votes


















3












$begingroup$

The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.



In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.



What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.



Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!






share|improve this answer









$endgroup$












  • $begingroup$
    The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
    $endgroup$
    – peterh
    4 hours ago










  • $begingroup$
    @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
    $endgroup$
    – poncho
    3 hours ago


















1












$begingroup$

I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.



For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.



The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.



I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.



It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.






share|improve this answer









$endgroup$













    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70934%2fis-the-decompression-of-compressed-and-encrypted-data-without-decryption-also-th%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3












    $begingroup$

    The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.



    In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.



    What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.



    Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!






    share|improve this answer









    $endgroup$












    • $begingroup$
      The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
      $endgroup$
      – peterh
      4 hours ago










    • $begingroup$
      @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
      $endgroup$
      – poncho
      3 hours ago















    3












    $begingroup$

    The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.



    In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.



    What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.



    Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!






    share|improve this answer









    $endgroup$












    • $begingroup$
      The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
      $endgroup$
      – peterh
      4 hours ago










    • $begingroup$
      @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
      $endgroup$
      – poncho
      3 hours ago













    3












    3








    3





    $begingroup$

    The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.



    In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.



    What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.



    Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!






    share|improve this answer









    $endgroup$



    The decompression of compressed-then-encrypted data is not possible without the decryption key, at least for compression and encryption schemes independent of each other. We can make a theoretical argument for that: compression schemes compress only a small portion of possible plaintexts (that happen to be the ones where compression is used in practice), and slightly expand the others (e.g. random data). Encryption makes it impossible to distinguish if two ciphertexts of equal size correspond to plaintext that compression compressed, or not; thus prevents any meaningful decompression.



    In the question's situation, the classical solution (described as "Another option" in the question) is to compress at A, then encrypt, then transfer the compressed+encrypted data to B. On retrieval, that same compressed+encrypted data is forwarded from B to A (or A'), decrypted, then decompressed. This reduce bandwidth for backup and retrieval, and storage requirements at B. B does not need to decompress the data at any point: the question's "but then B should be able to decrypt the data to decompress it" is true, but a non-issue.



    What is an issue is direct access to a portion of a huge data set: for many common compression algorithms, that requires transfer of all the data before the point being accessed (sometime, all the data). This is solved by a split-then-compress-then-encrypt strategy, where the plaintext is split in segments that are compressed independently, then enciphered independently (or mostly so). But the splitting tends to reduces compression, especially for short segments.



    Another issue is that the compression ratio leaks to an eavesdropper, and that reveals something about the data. This can be a serious issue: for voice, it has been shown to be enough to understand what's being said!







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 5 hours ago









    fgrieufgrieu

    82.6k7180357




    82.6k7180357











    • $begingroup$
      The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
      $endgroup$
      – peterh
      4 hours ago










    • $begingroup$
      @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
      $endgroup$
      – poncho
      3 hours ago
















    • $begingroup$
      The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
      $endgroup$
      – peterh
      4 hours ago










    • $begingroup$
      @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
      $endgroup$
      – poncho
      3 hours ago















    $begingroup$
    The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
    $endgroup$
    – peterh
    4 hours ago




    $begingroup$
    The problem with it that on this way, B has the option to decrypt the data. Your answer is imho very useful, however the goal of my question was to find some option to decompress encrypted data without decrypting it, if it exists.
    $endgroup$
    – peterh
    4 hours ago












    $begingroup$
    @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
    $endgroup$
    – poncho
    3 hours ago




    $begingroup$
    @peterh: no, it doesn't; B never needs to decrypt (and hence doesn't need the decryption key); it always just handles encrypted compressed messages.
    $endgroup$
    – poncho
    3 hours ago











    1












    $begingroup$

    I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.



    For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.



    The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.



    I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.



    It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.






    share|improve this answer









    $endgroup$

















      1












      $begingroup$

      I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.



      For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.



      The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.



      I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.



      It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.






      share|improve this answer









      $endgroup$















        1












        1








        1





        $begingroup$

        I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.



        For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.



        The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.



        I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.



        It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.






        share|improve this answer









        $endgroup$



        I think it is theoretically possible to have semantically secure encryption that supports decompression of encrypted data (both in lossy and lossless compression settings), but that it will be very inefficient in practice.



        For a generic approach, one could compress the plaintext, encrypt it using a fully homomorphic encryption scheme, and then decompress the encrypted ciphertext server-side using an implementation of the decompression mechanism as a constant-size circuit that can be evaluated homomorphically. This requires only that the decompression mechanism be expressible as a fixed-size circuit, which is not too restrictive.



        The argument made in a previous answer that the ability to decompress encrypted data will leak the compression ratio and therefore violate semantic security I believe to be wrong. It is possible that encrypted decompression blows up all ciphertexts equally, irrespective of the actual compression ratio on the plain data. Even when that is not the case, it is possible that the compression ratio is already apparent from the size of the compressed plaintext alone (e.g. in the case of compressed fixed-size images), so in that case the leakage is there but has nothing to do with the encryption scheme.



        I am not an FHE expert, but I think this could be borderline practical in lossy compression settings nowadays. For instance, JPEG decompression is essentially application of an inverse discrete cosine transform on relatively small data blocks. I imagine it could be possible to actually implement this or some other lightweight lossy decompression scheme FHE-style without prohibitive work factors.



        It would still be much more efficient in almost any imaginable sense to just store symmetrically encrypted compressed plaintext though. Specifically, I doubt that this can be made more efficient for the client than just decompressing client-side.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 3 hours ago









        PolytroposPolytropos

        213




        213



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70934%2fis-the-decompression-of-compressed-and-encrypted-data-without-decryption-also-th%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單