Hades: Homomorphic Augmented Decryption for Efficient Symbol-comparison -- A Database's Perspective

ABSTRACT

Outsourced databases powered by fully homomorphic encryption (FHE) offer the promise of secure data processing on untrusted cloud servers. A crucial aspect of database functionality, and one that has remained challenging to integrate efficiently within FHE schemes, is the ability to perform comparisons on encrypted data. Such comparisons are fundamental for various database operations, including building indexes for efficient data retrieval and executing range queries to select data within specific intervals. While traditional approaches like Order-Preserving Encryption (OPE) could enable comparisons, they are fundamentally incompatible with FHE without significantly increasing ciphertext size, thereby exacerbating the inherent performance overhead of FHE and further hindering its practical deployment. This paper introduces HADES, a novel cryptographic framework that enables efficient and secure comparisons directly on FHE ciphertexts without any ciphertext expansion. Based on the Ring Learning with Errors (RLWE) problem, HADES provides CPA-security and incorporates perturbation-aware encryption to mitigate frequency-analysis attacks. Implemented using OpenFHE, HADES supports both integer and floating-point operations, demonstrating practical performance on real-world datasets and outperforming state-of-the-art baselines.
Dongfang Zhao
University of Washington
United States
dzhao@cs.washington.edu
ACM Reference Format:
Dongfang Zhao. 2024. Hades: Homomorphic Augmented Decryption for Efficient Symbol-comparison—A Database’s Perspective. In Proceedings of ACM Conference (Conference’17). ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
1.1 Background and Motivation
Outsourced databases [4] have become a cornerstone of modern cloud computing, allowing organizations to store and process sensitive data on untrusted servers while reducing local storage and computation costs. However, outsourcing data to untrusted service providers raises significant privacy concerns, particularly when dealing with sensitive information such as medical records, financial data, or personal identifiers. Ensuring data confidentiality in such settings requires cryptographic mechanisms that enable the database to perform computations directly on encrypted data without revealing plaintext information.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
Conference’17, July 2017, Washington, DC, USA
©2024 Association for Computing Machinery.
ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. . . $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn
Fully homomorphic encryption (FHE) [14] provides a powerful framework for privacy-preserving computation in outsourced databases. By enabling algebraic operations such as addition and multiplication directly on ciphertexts, FHE allows secure data processing without requiring decryption. This capability makes FHE particularly well-suited for a wide range of database operations, including statistical analysis and aggregation queries. However, FHE alone cannot address the full range of database functionalities, as it inherently lacks the ability to compare ciphertexts—a critical requirement for many database operations.
In outsourced database systems, symbol comparison is essential for key database functionalities such as indexing, sorting, filtering, and range queries. These operations require the database to determine relationships between encrypted values, such as whether one value is greater than another or falls within a specified range. Traditional solutions, such as Order-Preserving Encryption (OPE) [6] and Order-Revealing Encryption (ORE) [20], are designed to enable such comparisons by preserving or exposing the order relationships of plaintexts in ciphertexts. However, these schemes introduce significant security risks, as the exposed order information can be exploited through inference attacks, such as frequency analysis (FA), to deduce plaintext distributions or equality relationships. Moreover, OPE and ORE schemes often require increased ciphertext size [6, 25] to support order-preserving comparisons, adding storage and communication overhead. These schemes are also fundamentally incompatible with homomorphic encryption because they do not support secure algebraic operations on ciphertexts.
One of the fundamental challenges of realizing a practically secure outsourced database lies in designing a cryptographic framework that combines the algebraic capabilities of homomorphic encryption with the comparison functionalities of order-revealing encryption. Such a framework would allow outsourced databases to perform both secure arithmetic and efficient comparisons on encrypted data, enabling advanced functionalities like secure indexing and range queries. At the same time, the framework must maintain strong security guarantees, ensuring that ciphertexts do not leak sensitive relationships under various security models, even in scenarios involving malicious service providers. Furthermore, achieving these functionalities without increasing ciphertext size is critical to ensuring scalability and minimizing storage and communication costs.
arXiv:2412.19980v1 [cs.DB] 28 Dec 2024
1.2 Proposed Work
This work addresses the challenges of integrating secure comparison capabilities into a homomorphic encryption setting by proposing the HADES framework. HADES enables outsourced databases to support advanced functionalities while maintaining strong security guarantees and computational efficiency.
This work makes the following key contributions:
• Novel Framework: We propose the HADES framework, a comprehensive solution for integrating order-preserving comparisons into a homomorphic encryption setting. The core Compare-Eval Key (CEK) mechanism leverages the hardness of the Ring Learning with Errors (RLWE) problem to ensure CPA-security while supporting accurate symbol comparisons.
• FA-Extension for Enhanced Privacy: We extend the basic HADES framework with perturbation-aware encryption, which obfuscates equality relationships to defend against stronger threat models, such as frequency-analysis (FA) attacks by compromised databases. Experimental results demonstrate that the FA-Extension introduces minimal overhead while significantly enhancing privacy guarantees.
• No Ciphertext Size Increase: Unlike many existing OPE schemes [6, 25], which often increase ciphertext size to support order-preserving comparisons, HADES achieves secure comparisons using the existing ciphertext structure. By leveraging the CEK, HADES avoids additional storage and bandwidth costs, making it highly scalable.
• Rigorous Theoretical Analysis: We provide formal correctness proofs, noise management strategies, and an IND-CPA security analysis for both the basic and extended HADES schemes. The extended scheme’s resilience against advanced inference attacks is validated through a reduction to the RLWE problem.
• Efficient Implementation and Evaluation: The framework is implemented using OpenFHE [3], supporting both BFV [12] and CKKS [9] schemes. Experiments on real-world datasets (Bitcoin [5], Covid19 [11], hg38 [17]) demonstrate the practicality of the HADES framework, with encryption and comparison times showing competitive performance. Additionally, comparisons with baselines such as HOPE [31] and POPE [27] highlight the advantages of HADES in terms of scalability, functionality, and performance.
Experimental Validation. To evaluate the practicality of HADES, we conducted a series of experiments on diverse application datasets. The results demonstrate:
• Efficiency: KeyGen times are consistent across datasets, while encryption and comparison times show minor variations. The FA-Extension introduces minimal performance overhead compared to the basic scheme.
• Scalability: The framework scales efficiently across 35,848 encrypted values, with comparison times significantly shorter than encryption times, validating HADES’ suitability for operations like range queries, sorting, and clustering on moderately sized datasets.
• Support for Both Integer and Floating-Point Operations: HADES supports computations on both types of data via its BFV and CKKS implementations, providing flexibility for various application domains.
• Robustness: The perturbation mechanism in HADES FA-Extension effectively obfuscates equality relationships, ensuring resistance to frequency-analysis attacks while maintaining accuracy.
2 RELATED WORK
2.1 Homomorphic Encryption
Homomorphic encryption (HE) is a cryptographic technique that allows computations to be performed directly on encrypted data without requiring decryption, ensuring data privacy throughout the computational process. This capability makes HE a cornerstone for secure computation in various privacy-preserving applications.
Two widely used homomorphic encryption schemes are the Brakerski/Fan-Vercauteren (BFV) [12] scheme and the Cheon-Kim-Kim-Song (CKKS) [9] scheme:
• BFV: The BFV scheme is designed for exact arithmetic over encrypted integers. It is particularly well-suited for applications where the precision of computations must be preserved, such as encrypted database queries, voting systems, and secure machine learning. BFV operates efficiently by supporting addition and multiplication over ciphertexts while maintaining accurate results.
• CKKS: The CKKS scheme is tailored for approximate arithmetic over real numbers, making it ideal for applications such as encrypted signal processing, privacy-preserving AI, and financial computations. CKKS introduces a trade-off between precision and computational efficiency, allowing for flexible scaling in real-world scenarios.
Both schemes leverage the hardness of the Ring Learning with Errors (RLWE) problem [22] to ensure cryptographic security. They support bootstrapping to refresh ciphertexts and prevent noise accumulation, enabling deeper computations on encrypted data. Additionally, modern HE libraries such as SEAL [2], HElib [1], and OpenFHE [3] provide optimized implementations of BFV and CKKS, facilitating their integration into practical applications.
Homomorphic encryption has seen rapid adoption in areas where sensitive data must remain confidential, such as cloud-based secure computation, federated learning, and encrypted database systems. The ability to perform secure computations without exposing plaintext data makes HE a critical tool in advancing privacy-preserving technologies. Modern advancements in HE schemes, in addition to BFV [12] and CKKS [9], include GSW [15], TFHE [10], etc. These developments have further been integrated into real-world systems, including Symmetria [28], which leverages HE for secure database queries, and Rache [29], which optimizes range and equality queries on encrypted datasets. More recent works on FHE include [8, 13, 16, 30, 33, 34].
2.2 Order-Preserving Encryption
Order-Preserving Encryption (OPE) is a cryptographic technique designed to enable range queries on encrypted data by preserving the order of plaintexts in ciphertexts. This functionality makes OPE particularly valuable in privacy-preserving database systems where efficient sorting and filtering operations are essential. The concept of order-preservation is closely tied to secure comparison tasks, a challenge first formalized in Yao’s Millionaire Problem [32]. OPE can be viewed as an extension of this idea, providing an efficient mechanism for comparing encrypted data across a broader range of applications. Unlike Yao’s solution, which relies on interactive protocols such as garbled circuits and oblivious transfer, OPE achieves order-preserving comparison through carefully designed encryption schemes that inherently encode the order of plaintexts.
The formal concept of OPE was first introduced by Agrawal et al. [4], who proposed a scheme for numeric data that preserves plaintext order in ciphertexts. This approach enables efficient query execution but leaks order relationships, making it vulnerable to inference attacks. To address such vulnerabilities, Boldyreva et al. [6] formalized the security model for OPE and proposed a more robust scheme known as Order-Preserving Symmetric Encryption (OPSE). However, their design still revealed the relative order of plaintexts, which can be exploited in practical scenarios.
Subsequent work by Popa et al. [25] introduced an ideal-security protocol for Order-Preserving Encoding (OPE), which minimizes leakage by carefully managing encoding operations. While their approach enhanced security, it required interactive client-server protocols, increasing communication overhead. To further mitigate leakage, Kerschbaum [19] proposed Frequency-Hiding Order-Preserving Encryption, which masks the frequency of ciphertext occurrences. Despite these advances, frequency-hiding schemes introduce additional computational costs, making them less suitable for large-scale applications.
The limitations of traditional OPE schemes were further highlighted by Naveed et al. [23], who demonstrated inference attacks on property-preserving encryption systems. Their work emphasized the need for hybrid approaches that integrate OPE with advanced cryptographic frameworks to enhance security while maintaining efficiency. Some schemes, such as [21], depend on the client maintaining a plaintext-to-ciphertext mapping, introducing significant overhead for storage and synchronization. Furthermore, as dataset sizes grow or query volumes increase, the interaction costs of these schemes scale accordingly, potentially limiting their practicality in large-scale deployments [7]. These challenges underscore the importance of designing OPE mechanisms that not only reduce information leakage but also ensure scalability and compatibility with modern privacy-preserving computation frameworks.
Modern designs, such as HOPE [31], leverage homomorphic encryption to perform secure comparisons, reducing leakage while maintaining compatibility with privacy-preserving computation models. HOPE introduces a randomized difference mechanism to achieve security under the IND-OCPA model, ensuring that ciphertexts do not reveal plaintext order relationships while remaining efficient and stateless. Notably, HOPE stands out as the only stateless protocol, requiring neither client-side storage nor network-dependent operations during queries, which makes it uniquely suitable for outsourced database systems with minimal interaction overhead. However, its functionality is limited to homomorphic addition and integer-only data, restricting its applicability in scenarios requiring more advanced operations, such as multiplication or floating-point computations. These advancements highlight the potential of hybrid OPE methods to balance security, efficiency, and practical deployment in real-world applications.
2.3 RLWE and Noise Augmentation
The Ring Learning with Errors (RLWE) problem is a fundamental cryptographic assumption that underpins the security of many modern encryption schemes, including homomorphic encryption. RLWE extends the classical Learning with Errors (LWE) [26] problem into the setting of polynomial rings, enabling more efficient operations while maintaining robust cryptographic hardness.
In the RLWE problem, an adversary is tasked with distinguishing between samples of the form $(a, a \cdot s + e)$ and uniformly random samples over a polynomial ring modulo a prime $q$. In this formulation:
• $a$ is a randomly chosen polynomial from the ring,
• $s$ is a secret polynomial representing the private key,
• $e$ is a small noise polynomial added to obscure the relationship between $a \cdot s$ and the result.
The security of RLWE arises from the difficulty of solving lattice problems, such as finding short vectors in high-dimensional lattices. This makes RLWE not only resistant to classical attacks but also robust against quantum adversaries, establishing it as a foundational component of post-quantum cryptography.
Noise augmentation serves a dual purpose in RLWE-based systems. First, it enhances security by increasing the difficulty for adversaries to recover private keys or infer plaintext relationships. Second, it maintains correctness by ensuring the noise remains small enough to enable accurate decryption. Striking a balance between these objectives is critical:
• Larger noise terms improve cryptographic security but risk introducing decryption errors in homomorphic encryption systems, where noise accumulates during computations.
• Smaller noise terms reduce decryption errors but may weaken security against adversarial inference.
In this work, noise augmentation is integrated into the Compare-Eval Key (CEK) mechanism. By embedding a controlled noise term, the CEK masks the direct relationship between ciphertexts and the private key, thereby mitigating key recovery attacks under the chosen plaintext attack (CPA) model. This design leverages the RLWE problem to ensure both security and functionality, making it well-suited for privacy-preserving symbol comparison.
3 DESIGN GOALS
3.1 Feature Summary
Table 1 summarizes the key features of the state-of-the-art OPE approaches and the proposed HADES protocol. The comparison highlights the trade-offs between security levels, client-side requirements, and ciphertext operations across different schemes. Early OPE designs, such as those by Agrawal et al. [4] and Boldyreva et al. [6], provided basic order-preserving capabilities but lacked strong security guarantees, making them vulnerable to inference attacks. More advanced designs, such as Popa et al. [25], Kerschbaum [19], and POPE [27], introduced mechanisms like frequency hiding or partial order encoding to enhance security. However, these schemes often require additional client storage or incur higher network overhead, limiting their scalability for large-scale databases. HOPE [31] stands out as a stateless protocol that achieves IND-OCPA security with minimal client and network requirements. Despite its efficiency, HOPE only supports integer addition and lacks the flexibility to perform more complex operations, such as multiplication or floating-point arithmetic.
Table 1: Features of Order-Preserving Encryption (OPE) Schemes
| Scheme | Security Level | Client Storage | Network Rounds | Ciphertext Operations |
|---|---|---|---|---|
| Agrawal et al. [4] | None | $O(1)$ | $O(1)$ | Comparison only |
| Boldyreva et al. [6] | None | $O(1)$ | $O(1)$ | Comparison only |
| Popa et al. [25] | IND-OCPA | $O(1)$ | $O(\log n)$ | Comparison only |
| Kerschbaum [19] | IND-FAOCPA | $O(n)$ | $O(1)$ | Comparison only |
| POPE [27] | IND-FAOCPA | $O(\log n)$ | $O(n)$ | Comparison only |
| HOPE [31] | IND-OCPA | $O(1)$ | $O(1)$ | Comparison, Addition |
| HADES Basic (this work §4) | IND-OCPA | $O(1)$ | $O(1)$ | Comparison, Addition, Multiplication |
| HADES FAE (this work §5) | IND-FAOCPA | $O(1)$ | $O(1)$ | Comparison, Addition, Multiplication |
The proposed HADES protocol strives to address these limitations by integrating homomorphic encryption with order-preserving comparisons. HADES Basic provides efficient comparison and addition operations under the IND-OCPA model, while HADES FAE extends these capabilities to support multiplicative operations and enhanced privacy guarantees under the stronger IND-FAOCPA model. Both versions of HADES maintain minimal client and network overhead and avoid increasing ciphertext size, making them suitable for real-world applications requiring privacy-preserving computation at scale.
3.2 Correctness
The proposed protocol ensures that symbol comparison operations yield accurate results, even in the presence of noise and perturbations. Given two ciphertexts corresponding to plaintexts $m_0$ and $m_1$, the output must correctly indicate whether $m_0 > m_1$, $m_0 = m_1$, or $m_0 < m_1$. This correctness is achieved through:
• Scaling amplification: The plaintext difference is amplified using a carefully chosen scaling factor scale, ensuring that noise contributions do not distort the sign of the result. The scaling factor is calibrated to balance correctness and computational efficiency.
• Perturbation-aware encryption: In the FA-Extension, perturbations are introduced to obfuscate equality relationships without compromising comparison integrity. These perturbations ensure that identical plaintexts result in statistically independent ciphertexts, defending against frequency analysis attacks.
• Compatibility with existing ciphertext structures: Correctness is maintained without requiring additional ciphertext components, ensuring the protocol remains efficient and seamlessly integrates into existing homomorphic encryption frameworks.
3.3 Security
The mechanism is designed to resist adversarial attempts to infer sensitive information from ciphertexts, ensuring robust privacy guarantees. This includes:
• Key confidentiality: The private key $sk$ remains secure under CPA, with the CEK $cek$ constructed to be indistinguishable from random polynomials under the RLWE assumption.
• Order privacy: The mechanism prevents adversaries from deducing unintended plaintext order relationships. Perturbation-aware encryption in the FA-Extension obfuscates equality relationships, defending against frequency-analysis attacks and ensuring that plaintext distributions remain secure even under repeated queries.
• Quantum resistance: The RLWE-based design ensures resilience against both classical and quantum adversaries, establishing the framework as a robust solution for long-term privacy.
• No leakage through ciphertext size: By avoiding any increase in ciphertext size, the scheme eliminates side channels that adversaries might exploit to infer sensitive information.
3.4 Efficiency
The scheme achieves high computational and communication efficiency, making it practical for real-world deployments. This is demonstrated through:
• Key generation efficiency: HADES achieves consistent key generation times across datasets, as shown in experimental evaluations, ensuring suitability for large-scale deployments.
• Encryption and comparison efficiency: Encryption and comparison times are optimized for both the Basic HADES and the HADES FA-Extension schemes. Experiments indicate that comparison operations are significantly faster than encryption, demonstrating scalability for frequent queries.
• No ciphertext size increase: HADES does not require any increase in ciphertext size for comparison operations. Instead, it uses a separate Compare-Eval Key (CEK) to facilitate secure evaluations, avoiding the additional storage or bandwidth overhead commonly seen in order-preserving encryption (OPE) schemes.
• Dataset scalability: The system supports more than 35,000 encrypted values without significant performance degradation, ensuring applicability to real-world scenarios like range queries, secure sorting, and clustering.
• Integration into existing frameworks: HADES is implemented using OpenFHE, leveraging the efficiency of state-of-the-art homomorphic encryption libraries. This ensures compatibility with BFV and CKKS schemes for integer and floating-point computations, respectively.
4 BASIC HADES
4.1 Overview
The proposed scheme introduces a Compare-Eval Key (CEK) mechanism to enable secure symbol comparison while preserving both privacy and efficiency. The CEK leverages polynomial ring operations within the RLWE framework, ensuring robustness against chosen plaintext attacks (CPA). Formally, the CEK is constructed as:
$$cek = sk \cdot \text{scale} + e_{cek},$$
where $sk \in R_q$ is the private key, $\text{scale} \in \mathbb{Z}$ is a carefully chosen scalar treated as a global system parameter, and $e_{cek} \in R_q$ is a noise polynomial. Here, $R_q = \mathbb{Z}_q[x]/(f(x))$ represents the polynomial ring modulo $f(x)$, typically $f(x) = x^n + 1$ with $n$ being a power of 2.
Key generation produces $pk$, $sk$, and $cek$ as follows: the public key $pk$ is derived using a uniformly random polynomial $a \in R_q$ and a noise polynomial $e_{pk}$, ensuring $pk$ is computationally indistinguishable from random under the RLWE assumption. Additionally, the CEK incorporates a scaling factor scale that amplifies plaintext differences to dominate noise contributions during evaluation.
For two ciphertexts $ct_0$ and $ct_1$ corresponding to plaintexts $m_0$ and $m_1$, the evaluation function is modified to leverage a linear combination of $ct_0$, $ct_1$, and $cek$:
$$\text{Eval}(cek, ct_0, ct_1, \text{scale}) = ct_0 \cdot \text{scale} + ct_1 \cdot cek \bmod q.$$
The correctness of the scheme is maintained if the noise term satisfies:
$$\| \langle e_{cek}, ct_1 \rangle + \text{scale} \cdot (m_0 - m_1) \|_\infty < \frac{\text{scale}}{2}.$$
This ensures that the result reflects the sign of $m_0 - m_1$. If $m_0 > m_1$, the result is $+1$; if $m_0 < m_1$, the result is $-1$; and if $m_0 = m_1$, the result is 0.
This modified CEK mechanism securely embeds the private key $sk$ and a noise term $e_{cek}$, maintaining CPA security. Furthermore, the new linear combination formulation allows for flexible scaling during evaluation, making it suitable for advanced privacy-preserving computations such as range queries, sorting, and secure data aggregation in large-scale encrypted systems.
4.2 Preliminaries
This section outlines the mathematical foundations of the proposed scheme, focusing on polynomial rings, noise management, and the RLWE assumption.
Polynomial Rings. A polynomial ring $R_q = \mathbb{Z}_q[x]/(f(x))$ consists of polynomials with coefficients in $\mathbb{Z}_q$, reduced modulo both a prime integer $q$ and a fixed polynomial $f(x)$. Formally:
$$R_q = \{ p(x) \mid p(x) = \sum_{i=0}^{n-1} c_i x^i,\ c_i \in \mathbb{Z}_q,\ \deg(p) < n \}.$$
Addition and multiplication in $R_q$ are defined as:
$$p(x) + q(x) = (p(x) + q(x)) \bmod f(x) \bmod q,$$
$$p(x) \cdot q(x) = (p(x) \cdot q(x)) \bmod f(x) \bmod q.$$
These operations provide an efficient algebraic structure for cryptographic computations.
Noise in Cryptography. Noise is critical for the security of lattice-based cryptography, obfuscating relationships between plaintexts and ciphertexts. In RLWE-based schemes, noise is represented as a polynomial $e(x) \in R_q$ with coefficients sampled from a bounded distribution. The noise polynomial $e(x)$ is formalized as:
$$e(x) = \sum_{i=0}^{n-1} e_i x^i, \quad e_i \sim U(-B_e, B_e),$$
where $U(a, b)$ denotes the discrete uniform distribution over $[a, b]$. The noise must satisfy:
$$\|e(x)\|_\infty = \max\{ |e_0|, |e_1|, \ldots, |e_{n-1}| \} < B_e,$$
ensuring both correctness and security.
Ring Learning with Errors (RLWE). The RLWE problem extends the classical LWE problem to polynomial rings, providing efficiency and security. An RLWE sample is a pair $(\mathbf{a}, \mathbf{b})$, where:
$$\mathbf{b} = \mathbf{a} \cdot \mathbf{s} + \mathbf{e} \pmod{q},$$
with $\mathbf{s}, \mathbf{e} \in R_q$. Solving RLWE involves distinguishing whether $(\mathbf{a}, \mathbf{b})$ is sampled from the RLWE distribution or is uniformly random:
$$\text{Given } (\mathbf{a}, \mathbf{b}), \text{ determine if } \mathbf{b} = \mathbf{a} \cdot \mathbf{s} + \mathbf{e} \text{ or random}.$$
The hardness of RLWE is rooted in lattice problems like the Shortest Vector Problem (SVP) in high-dimensional spaces.
Noise Management and Scaling. Noise management is critical for maintaining correctness in lattice-based cryptosystems. To mitigate noise accumulation during computations, a scaling factor scale is often introduced to amplify meaningful signal components relative to noise. Formally, let $ct_0$ and $ct_1$ be ciphertexts corresponding to plaintexts $m_0$ and $m_1$, with associated noise $e_0$ and $e_1$, respectively. The scaled ciphertext difference can be expressed as:
$$ct_\Delta = (m_0 - m_1) \cdot \text{scale} + (e_0 - e_1).$$
Scaling ensures that plaintext differences dominate noise contributions during evaluation. For any evaluation operation, the correctness condition requires that the accumulated noise remains bounded:
$$\|\text{NoiseTerm}\|_\infty < \frac{\text{scale}}{2}.$$
This principle underpins many RLWE-based schemes, enabling accurate computation without compromising security.
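The scaling rule above, worked through on scalars as an added example (not code from the paper or its OpenFHE implementation). The function names, the choice of threshold tau = ceil(scale / 2) and the sample values are assumptions; the parameter check is a sufficient condition derived here, covering both ways the sign can be lost: noise reaching scale/2, and a scaled difference wrapping past q/2.

```python
def center(v, q):
    """Centered representative of v mod q, in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def scaled_difference(m0, m1, e0, e1, scale, q):
    """ct_Delta = (m0 - m1) * scale + (e0 - e1), reduced mod q like any ring element."""
    return ((m0 - m1) * scale + (e0 - e1)) % q


def decode_sign(value, q, tau):
    """Lift to the centered range, flatten anything below the noise threshold
    tau to zero, and return the sign: -1, 0 or +1."""
    v = center(value, q)
    if abs(v) < tau:
        return 0
    return 1 if v > 0 else -1


def compare(m0, m1, e0, e1, scale, q, tau=None):
    """Order of m0 and m1 as recovered from the scaled, noisy difference."""
    if tau is None:
        tau = (scale + 1) // 2  # assumed threshold: ceil(scale / 2)
    return decode_sign(scaled_difference(m0, m1, e0, e1, scale, q), q, tau)


def parameters_ok(max_diff, noise_bound, scale, q):
    """Sufficient conditions for compare() to be right for every |m0 - m1| <= max_diff
    and every |e0|, |e1| <= noise_bound:
      1. accumulated noise |e0 - e1| <= 2 * noise_bound stays below scale / 2;
      2. the largest scaled difference plus noise stays below q / 2 (no wrap-around).
    """
    noise = 2 * noise_bound
    return 2 * noise < scale and 2 * (max_diff * scale + noise) < q


if __name__ == "__main__":
    Q, SCALE = 7681, 100  # constructed toy values
    print(compare(7, 3, 2, -1, SCALE, Q))     # in range: correct order
    print(compare(5, 5, 40, -40, SCALE, Q))   # noise 80 >= scale/2: equality lost
    print(compare(60, 10, 0, 0, SCALE, Q))    # 5000 > q/2: sign flips after wrap
```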
4.3 Algorithm Description
This section details the procedural framework underlying the secure symbol comparison scheme. The framework is structured into three main components: Key Generation, Ciphertext Comparison, and Result Decoding. Each component is presented with detailed explanations and pseudocode to illustrate the cryptographic operations involved.
4.3.1 Key Generation. As shown in Algorithm 1, the key generation process establishes the cryptographic foundation for the proposed secure symbol comparison scheme. It outputs a public key $pk$, a secret key $sk$, and a Compare-Eval Key $cek$.
Algorithm 1: Key Generation
Input: RLWE parameters $R_q$, modulus $q$, noise bound $B_e$
Output: Public Key $pk$, Secret Key $sk$, Compare-Eval Key $cek$
1 Sample $sk \in R_q$, a secret key uniformly from the ring of polynomials;
2 Sample $a \in R_q$, a uniformly random polynomial;
3 Sample $e_{pk} \in R_q$, a noise polynomial with coefficients drawn from the discrete uniform distribution $U(-B_e, B_e)$;
4 Compute the public key: $pk \leftarrow -(a \cdot sk + e_{pk}) \bmod q$;
5 Select the scaling factor scale: ensure $\text{scale} > \max(2 \cdot B_e, \|sk\|_\infty)$;
6 Sample $e_{cek} \in R_q$, another noise polynomial with coefficients drawn from the discrete uniform distribution $U(-B_e, B_e)$;
7 Compute the scaled secret key: $sk_{\text{scaled}} \leftarrow sk \cdot \text{scale} \bmod q$;
8 Construct the Compare-Eval Key: $cek \leftarrow sk_{\text{scaled}} + e_{cek} \bmod q$;
9 Verify noise bounds: ensure $\|e_{pk}\|_\infty$ and $\|e_{cek}\|_\infty < B_e$;
10 return $pk, sk, cek$;
The secret key $sk$ is sampled uniformly from the polynomial ring $R_q = \mathbb{Z}_q[x]/(f(x))$. This key serves as the fundamental secret for decryption and evaluation. To generate the public key $pk$, a uniformly random polynomial $a \in R_q$ and a noise polynomial $e_{pk} \in R_q$, with coefficients drawn from a bounded distribution, are used. The public key is computed as $pk = -(a \cdot sk + e_{pk}) \bmod q$, ensuring that the relationship between $pk$ and $sk$ is obfuscated by the noise $e_{pk}$, thereby preserving security under the RLWE assumption.
The Compare-Eval Key $cek$ is constructed to facilitate secure symbol comparison. A scaling factor scale is chosen to satisfy $\text{scale} > \max(2 \cdot B_e, \|sk\|_\infty)$, ensuring that the scaled secret key $sk_{\text{scaled}} = sk \cdot \text{scale}$ dominates the noise. The $cek$ is then computed as $cek = sk_{\text{scaled}} + e_{cek} \bmod q$, where $e_{cek}$ is another noise polynomial. This design ensures that the $cek$ provides robustness against chosen plaintext attacks (CPA) while maintaining correctness during decryption and comparison.
Both $e_{pk}$ and $e_{cek}$ are verified to be within their respective noise bounds $B_e$, ensuring that noise does not interfere with the correctness of the scheme. The key generation process guarantees the generation of cryptographic keys that are both secure and efficient for the intended operations.
4.3.2 Ciphertext Comparison. The Perturbation-Aware Ciphertext Comparison algorithm evaluates the relative ordering of encrypted plaintexts while maintaining security and correctness under the RLWE assumption. It achieves this by computing a linear combination of ciphertexts and the Compare-Eval Key (CEK). The mechanism incorporates scaling and perturbation to ensure robust comparisons and obfuscate equality relationships.
The process involves three main steps:
(1) Compute the ciphertext difference to isolate the relative distance between plaintexts.
(2) Apply scaling and perturbation using the CEK to prepare the result for evaluation.
(3) Decode and interpret the evaluation value to determine the relative order.
The detailed procedure is presented in Algorithm 2.
Algorithm 2: Evaluation with Compare-Eval Key
Input: Ciphertexts $ct_0 = (c_{0,0}, c_{0,1})$ and $ct_1 = (c_{1,0}, c_{1,1})$, Compare-Eval Key $cek$, scaling factor scale (global parameter), modulus $q$, noise threshold $\tau$
Output: Comparison result $(-1, 0, +1)$
1 begin
2 Compute the ciphertext difference: $ct_\Delta = (c_{0,0} - c_{1,0},\ c_{0,1} - c_{1,1}) \bmod q$
3 Apply scaling and compare-eval key: $ct_{\text{Eval}} = (c_{\Delta,0} \cdot \text{scale} + c_{\Delta,1} \cdot cek) \bmod q$
4 Decode the evaluation value: $\text{DecryptedValue} = \text{Decode}(ct_{\text{Eval}})$
5 If $|\text{DecryptedValue}| < \tau$, set $\text{DecryptedValue} \leftarrow 0$;
6 Determine the sign of the result: $\text{Result} = \begin{cases} -1 & \text{if } \text{DecryptedValue} < 0, \\ 0 & \text{if } \text{DecryptedValue} = 0, \\ +1 & \text{if } \text{DecryptedValue} > 0. \end{cases}$
7 return Result;
The ciphertext difference $ct_\Delta$ isolates the relationship between plaintexts by subtracting the components of the input ciphertexts. This ensures that the operation focuses on differences rather than absolute values.
The scaling factor $\text{scale}$ amplifies the difference, ensuring robustness against noise and perturbation. The CEK introduces controlled obfuscation, making it infeasible for adversaries to infer equality relationships while preserving order information.
The decoded value $\text{DecryptedValue}$ is compared against a noise threshold $\tau$ to eliminate insignificant differences caused by noise. The final result is determined by the sign of $\text{DecryptedValue}$, providing three possible outcomes:
• $-1$: The plaintext of $ct_0$ is smaller than that of $ct_1$.
• $0$: The plaintexts of $ct_0$ and $ct_1$ are approximately equal.
• $+1$: The plaintext of $ct_0$ is larger than that of $ct_1$.
The algorithm is designed to handle noise and perturbation effectively, ensuring that the scaled difference dominates other factors. This design guarantees correctness, robustness, and security under the IND-CPA model.
By enabling secure comparisons with minimal computational overhead, this algorithm is crucial for applications such as encrypted database queries, privacy-preserving sorting, and range queries. Its integration into the HADES framework ensures both scalability and privacy in real-world deployments.
4.4 Correctness Analysis
The correctness of the proposed scheme ensures that the evaluation result accurately reflects the relative comparison $(-1, 0, +1)$ between plaintexts $m_0$ and $m_1$. This section provides a formal analysis under bounded noise conditions, demonstrating that the scheme achieves reliable symbol comparison while preserving correctness and security.
Theorem 4.1 (Correctness of Evaluation). Under the bounded noise assumption, the proposed scheme guarantees that the evaluation result reflects the relative comparison between plaintexts $m_0$ and $m_1$. Specifically:
$$\text{Eval}(cek, ct_0, ct_1) = (c_{\Delta,0} \cdot \text{scale}) + (c_{\Delta,1} \cdot cek) \bmod q,$$
where $c_{\Delta,0}$ and $c_{\Delta,1}$ represent the components of the ciphertext difference $ct_\Delta = (c_{0,0} - c_{1,0},\ c_{0,1} - c_{1,1})$. The sign of $\text{Eval}(cek, ct_0, ct_1)$ satisfies:
$$\text{sign}(\text{Eval}(cek, ct_0, ct_1)) = \text{sign}(m_0 - m_1),$$
ensuring correctness for symbol comparison $(-1, 0, +1)$.
Proof. The evaluation begins by computing the ciphertext difference:
$$ct_\Delta = (c_{0,0} - c_{1,0},\ c_{0,1} - c_{1,1}) \bmod q.$$
Next, scaling and perturbation are applied:
$$\text{Eval}(cek, ct_0, ct_1) = (c_{\Delta,0} \cdot \text{scale}) + (c_{\Delta,1} \cdot cek) \bmod q.$$
Substituting the structure of $cek$, where $cek = sk \cdot \text{scale} + e_{cek}$, the evaluation expands as:
$$\text{Eval}(cek, ct_0, ct_1) = (c_{\Delta,0} \cdot \text{scale}) + (c_{\Delta,1} \cdot (sk \cdot \text{scale} + e_{cek})) \bmod q.$$
Reorganizing terms, the evaluation becomes:
$$\text{Eval}(cek, ct_0, ct_1) = (m_0 - m_1) \cdot \text{scale} + (c_{\Delta,1} \cdot e_{cek}) \bmod q.$$
The plaintext difference $m_0 - m_1$ is embedded in the first term, yielding:
$$\text{Eval}(cek, ct_0, ct_1) = (m_0 - m_1) \cdot \text{scale} + \langle e_{cek}, ct_\Delta \rangle \bmod q.$$
To ensure correctness, the noise term $\langle e_{cek}, ct_\Delta \rangle$ must satisfy:
$$|\langle e_{cek}, ct_\Delta \rangle| < \frac{\text{scale}}{2}.$$
This condition ensures that the scaled plaintext difference $(m_0 - m_1) \cdot \text{scale}$ dominates the noise, preserving the sign of the evaluation result.
Finally, the evaluation result satisfies:
$$\text{sign}(\text{Eval}(cek, ct_0, ct_1)) = \begin{cases} +1 & \text{if } m_0 > m_1, \\ 0 & \text{if } m_0 = m_1, \\ -1 & \text{if } m_0 < m_1. \end{cases}$$
Thus, the scheme achieves correctness for symbol comparison.
Role of Scaling Factor $\text{scale}$. The scaling factor $\text{scale}$ is critical for maintaining correctness. By amplifying the plaintext difference $m_0 - m_1$, it reduces the relative influence of noise. The scheme ensures:
$$\text{scale} > \max(2 \cdot e_{cek}, sk),$$
balancing correctness and computational efficiency. While larger $\text{scale}$ values enhance robustness against noise, they may also increase computational overhead.
Parameter Sensitivity. The effectiveness of HADES depends on carefully chosen parameters such as the scaling factor $\text{scale}$ and the perturbation range $\epsilon$. A large $\text{scale}$ amplifies plaintext differences, reducing the impact of noise and ensuring correctness for symbol comparisons. However, excessively large $\text{scale}$ may increase computational overhead. For most practical settings, a moderate $\text{scale}$ value is sufficient to balance efficiency and correctness. The perturbation range $\epsilon$ affects the scheme’s ability to obfuscate equality relationships. To ensure that perturbations do not interfere with correctness, $\epsilon$ must satisfy:
$$|\Delta(m_a) - \Delta(m_b)| \cdot \text{scale} \ll |m_a - m_b| \cdot \text{scale}.$$
Empirically, $\epsilon$ values between $10^{-2}$ and $10^{-3}$ provide effective privacy while maintaining correctness.
Handling Special Cases. A threshold $\tau$ is introduced during evaluation to handle cases where $m_0 = m_1$. If $|\text{Eval}(cek, ct_0, ct_1)| < \tau$, the result is set to 0, ensuring noise does not dominate the comparison. This mechanism ensures:
$$\text{Eval}(cek, ct_0, ct_1) = 0 \quad \text{if } m_0 = m_1.$$
Implications for Practical Systems. The correctness analysis demonstrates that the scheme achieves reliable symbol comparison under bounded noise conditions. By appropriately choosing $\text{scale}$ and managing noise, the scheme ensures robust performance in practical applications without compromising security or efficiency.
4.5 Security Analysis
The proposed scheme achieves resistance to chosen plaintext attacks (CPA) by leveraging the cryptographic hardness of the Ring Learning with Errors (RLWE) problem. This section outlines how the CEK design ensures security under CPA, preventing adversaries from recovering private keys or plaintext relationships, while managing noise in a way that maintains security and correctness.
Threat Model. The proposed scheme operates under the Chosen Plaintext Attack (CPA) model, where adversaries have access to an arbitrary number of plaintext-ciphertext pairs. The primary objectives of such adversaries are as follows:
• Key Recovery: Exploit relationships between plaintexts and ciphertexts to infer the private key $sk$.
• Plaintext Relationship Leakage: Deduce sensitive relationships between plaintext values, such as order or equality, by observing comparison outputs.
Under this model, adversaries may manipulate input plaintexts to probe the evaluation mechanism and exploit decryption results or noise characteristics to achieve their goals.
In outsourced database scenarios, we distinguish the role of the database provider from that of a general adversary. The outsourced database (e.g., AWS) operates as an honest-but-curious party with the following properties:
• The database is responsible for processing encrypted data and performing operations such as comparisons and queries as instructed by the client.
• The database may attempt to infer relationships between encrypted inputs or deduce patterns from repeated queries but does not conduct global frequency analysis across users or datasets.
• Unlike a malicious adversary, the database provider is assumed to follow the prescribed protocol and does not manipulate data to create additional attack vectors.
This distinction emphasizes the practical assumption that the database provider, while curious, does not act maliciously or exploit its position to aggregate global statistical information for a frequency analysis attack. For environments where this assumption does not hold, an extended security model is required to address global frequency analysis and ensure stronger privacy guarantees.
Security from RLWE Assumptions. The CEK is constructed as:
$$cek = sk \cdot \text{scale} + e_{cek},$$
where $e_{cek}$ is a noise polynomial derived from the RLWE problem. The RLWE assumption ensures that $cek$ is computationally indistinguishable from a random polynomial over $\mathcal{R}_q$. This randomness obfuscates the relationship between $sk$ and ciphertexts, preventing adversaries from recovering $sk$ through algebraic techniques or statistical inference.
Resistance to Key Recovery. When the CEK is used during evaluation, the adversary observes results of the form:
$$\text{Eval}(cek, ct_0, ct_1) = (c_{\Delta,0} \cdot \text{scale}) + (c_{\Delta,1} \cdot cek) \bmod q,$$
where $ct_\Delta = (c_{0,0} - c_{1,0},\ c_{0,1} - c_{1,1})$ is the ciphertext difference. The noise term $c_{\Delta,1} \cdot e_{cek}$ introduces controlled randomness that masks the relationship between $sk$ and $c_\Delta$. Even if the adversary knows $m_0$ and $m_1$, the bounded noise prevents accurate recovery of $sk$ or the exact value of scale.
Protection Against Order Inference. The CEK ensures that the only information revealed during evaluation is the sign of the plaintext difference $(-1, 0, +1)$. The scaling factor $\text{scale}$ amplifies plaintext differences, reducing the influence of small variations. Furthermore, noise management ensures that small differences in ciphertexts cannot reveal unintended order information, preventing adversaries from deducing fine-grained plaintext relationships.
Noise Management and Security Guarantees. Noise management in the CEK design leverages the bounded noise assumption:
$$c_{\Delta,1} \cdot e_{cek} < \frac{\text{scale}}{2}.$$
This constraint ensures that noise remains controlled, preserving correctness while maintaining security. The RLWE hardness assumption guarantees that even with repeated observations of $\text{Eval}(cek, ct_0, ct_1)$, adversaries cannot reverse-engineer $sk$ or infer plaintext relationships. The combination of RLWE-based randomness and bounded noise provides robustness against both classical and quantum adversaries.
CPA Security Proof. We prove the IND-CPA security of HADES as follows.
Theorem 4.2. The proposed Compare-Eval Key (CEK) mechanism is CPA-secure under the Ring Learning with Errors (RLWE) assumption. Specifically, if an adversary $\mathcal{A}$ can distinguish valid CEK evaluation results from random outputs with non-negligible advantage, then $\mathcal{A}$ can solve the RLWE problem.
Proof. Assume there exists an adversary $\mathcal{A}$ that can break the CPA security of the CEK mechanism. We construct a reduction algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve the RLWE problem.
RLWE Problem Setup. Let $(\mathbf{a}, \mathbf{b})$ be an RLWE challenge, where:
$$\mathbf{b} = \mathbf{a} \cdot \mathbf{s} + \mathbf{e} \pmod{q},$$
with secret $\mathbf{s} \in \mathcal{R}_q$ and noise $\mathbf{e} \in \mathcal{R}_q$. The goal of $\mathcal{B}$ is to distinguish whether $(\mathbf{a}, \mathbf{b})$ is sampled from the RLWE distribution or is uniformly random.
Reduction. To embed the RLWE problem into the CEK mechanism, $\mathcal{B}$ sets the CEK as:
$$cek = \mathbf{b}.$$
This CEK construction implicitly encodes $\mathbf{s}$ and $\mathbf{e}$, aligning with the form $cek = sk \cdot \text{scale} + e_{cek}$ in the proposed scheme. The adversary $\mathcal{A}$ is provided with this CEK and allowed to make chosen plaintext queries. For plaintexts $m_0$ and $m_1$, the evaluation result observed by $\mathcal{A}$ is:
$$\text{Eval}(cek, ct_0, ct_1) = (c_{\Delta,0} \cdot \text{scale}) + (c_{\Delta,1} \cdot cek) \bmod q.$$
Simulation. If $\mathbf{b} = \mathbf{a} \cdot \mathbf{s} + \mathbf{e}$, the evaluation behaves consistently with the proposed CEK mechanism, as the noise term $c_{\Delta,1} \cdot \mathbf{e}$ introduces controlled randomness. If $\mathbf{b}$ is uniformly random, the CEK behaves unpredictably, and $\mathcal{A}$ cannot derive meaningful relationships between ciphertexts and plaintexts.
Advantage Transfer. If $\mathcal{A}$ can distinguish the CEK behavior with non-negligible advantage, $\mathcal{B}$ uses this capability to distinguish valid RLWE instances from random instances. Thus, $\mathcal{A}$’s success implies $\mathcal{B}$’s success in solving RLWE.
Conclusion. Since solving RLWE is computationally infeasible, $\mathcal{A}$ cannot break the CPA security of the CEK mechanism. This establishes the CPA security of the scheme under the RLWE assumption.
5 HADES FREQUENCY-ANALYSIS EXTENSION
This section introduces an extension to the basic HADES framework (§4) to address scenarios involving potentially malicious outsourced databases. The extended design incorporates additional perturbations during encryption to obscure equality relationships and prevent frequency analysis attacks, ensuring robust security even under a strengthened threat model.
5.1 Strengthened Security Model
In the basic HADES framework, the outsourced database is assumed to be an honest-but-curious party, following the protocol but potentially analyzing data relationships. However, this model does not account for malicious adversaries that could perform sophisticated attacks, such as frequency analysis, by aggregating results across multiple queries or users.
Under the strengthened security model, the adversary (e.g., the database) is assumed to:
• Correlate comparison results across multiple queries to infer plaintext relationships, leveraging statistical techniques to estimate value distributions.
• Exploit repeated queries on identical plaintext values to deduce their frequency, thereby reconstructing the approximate plaintext distribution. For instance, frequent queries for a single encrypted value might indicate common or default plaintexts, such as zero or specific constants.
• Attempt to compromise the equality information ($a = b$) by analyzing query patterns and comparing results across encrypted datasets.
Examples of real-world scenarios where such attacks are plausible include:
• Medical databases: Repeated queries on specific encrypted thresholds, such as cholesterol levels or blood sugar ranges, can reveal common patient conditions.
• Financial systems: Default threshold comparisons, such as tax brackets or high-value transaction alerts, may leak user financial profiles.
• IoT systems: Regular sensor readings often have predictable periodic patterns (e.g., temperature sensors), making them vulnerable to statistical inference.
To mitigate these threats, the proposed extension incorporates randomized perturbations and scalable obfuscation mechanisms, ensuring that:
• Robust privacy is preserved for both high-frequency values and edge-case thresholds.
• Efficient operations support large-scale encrypted datasets without compromising query throughput.
• Adaptability to domain-specific constraints, such as real-time IoT systems or high-frequency financial transactions, is retained.
The objective of this extension is to mitigate these risks and ensure that:
• Obfuscation of equality relationships: Equality relationships ($a = b$) are fully obfuscated, preventing frequency-based inferences. Even if $a = b$, the resulting ciphertexts are randomized, ensuring no direct correlations can be established.
• Preservation of comparison correctness: Comparison correctness for $a > b$ and $b > a$ is maintained, ensuring that the framework continues to support critical database functionalities such as sorting, filtering, and range queries.
• Maintained computational efficiency: The computational efficiency and security properties of the original framework are preserved, ensuring the solution remains practical for large-scale deployments.
5.2 Algorithm Description
5.2.1 Encryption. The Perturbation-Aware Encryption algorithm, presented in Algorithm 3, introduces controlled random perturbations during encryption to obscure direct relationships between plaintexts. This design ensures that even identical plaintexts result in statistically independent ciphertexts, significantly enhancing privacy protection against frequency analysis attacks.
The algorithm takes as input a plaintext $m$, a public key $pk$, a scaling factor $\text{scale}$, and a modulus $q$. Unlike traditional encryption schemes, the scaling factor $\text{scale}$ amplifies plaintext differences, ensuring robust numerical separation between encoded values. Additionally, the algorithm generates a small random perturbation $\Delta_m$ from the range $[-\epsilon, \epsilon]$, where $\epsilon \ll \text{scale}$. This perturbation ensures ciphertext diversity, further obfuscating plaintext relationships.
To enhance security, a noise polynomial $e_m$ is sampled from a bounded distribution. The combined effect of $\text{scale}$, $\Delta_m$, and $e_m$ ensures that the resulting ciphertext $ct_m$ is robust against inference attacks while maintaining correctness for operations such as comparisons.
Algorithm 3: Perturbation-Aware Encryption
Input: Plaintext $m$, public key $pk$, scaling factor scale (system parameter), modulus $q$
Output: Ciphertext $ct_m$
1 begin
2 Compute the scaled plaintext: $m_{\text{scaled}} \leftarrow m \cdot \text{scale} \bmod q$
3 Sample a small perturbation value $\Delta_m$ from the range $[-\epsilon, \epsilon]$, where $\epsilon \ll \text{scale}$;
4 Apply perturbation to the scaled plaintext: $m_{\text{perturbed}} \leftarrow m_{\text{scaled}} + \Delta_m \cdot \text{scale} \bmod q$
5 Sample a noise polynomial $e_m \in \mathcal{R}_q$ from a bounded distribution, ensuring: $e_m < B_e$
6 Encode the perturbed plaintext with noise: $m_{\text{encoded}} \leftarrow m_{\text{perturbed}} + e_m \bmod q$
7 Encrypt the encoded plaintext using the public key: $ct_m \leftarrow \text{Encrypt}(pk, m_{\text{encoded}})$
8 return $ct_m$;
This encryption algorithm aligns with the complexity of standard lattice-based encryption processes, ensuring computational efficiency while maintaining robustness against inference attacks.
5.2.2 Comparison. The Perturbation-Aware Symbol Comparison algorithm evaluates the relative ordering of two encrypted plaintexts while preserving security and obfuscating equality relationships. This process is critical in privacy-preserving applications where precise comparisons must be performed without revealing sensitive plaintext information. The algorithm, detailed in Algorithm 4, uses ciphertext differences, scaling, and perturbation to achieve correctness under bounded noise assumptions.
Algorithm 4: Perturbation-Aware Symbol Comparison
Input: Ciphertexts $ct_{m_a} = (c_{a,0}, c_{a,1})$ and $ct_{m_b} = (c_{b,0}, c_{b,1})$, Compare-Eval Key $cek$, scaling factor $\text{scale}$, modulus $q$
Output: Comparison result: True if $m_a > m_b$, False if $m_a < m_b$
1 begin
2 Compute the ciphertext difference: $ct_\Delta = (c_{a,0} - c_{b,0},\ c_{a,1} - c_{b,1}) \bmod q$
3 Apply scaling and CEK: $ct_{\text{Eval}} = (c_{\Delta,0} \cdot \text{scale} + c_{\Delta,1} \cdot cek) \bmod q$
4 Decode the evaluation value: $\text{EvalValue} = \text{Decode}(ct_{\text{Eval}})$, where $\text{Decode}(\cdot)$ extracts the numerical representation embedded in $ct_{\text{Eval}}$;
5 Determine the comparison result: $\text{Result} = \begin{cases} \text{True} & \text{if } \text{EvalValue} > 0, \\ \text{False} & \text{if } \text{EvalValue} < 0. \end{cases}$
6 return Result;
The algorithm begins by calculating the ciphertext difference $ct_\Delta$, which isolates the relative distance between the plaintexts $m_a$ and $m_b$. This subtraction ensures that the operation focuses on the difference, rather than the absolute values of the plaintexts, thereby making the result agnostic to the specific encrypted values.
To amplify the plaintext difference and reduce the influence of noise and perturbations, the algorithm applies a scaling factor $\text{scale}$. The scaling ensures that even small differences between $m_a$ and $m_b$ remain distinguishable despite added perturbations. Perturbation, introduced through the Compare-Eval Key (CEK), further obfuscates the result, ensuring that equality relationships cannot be directly inferred from the evaluation process.
The scaled and perturbed result is then decoded into a numerical evaluation value EvalValue. This value determines the relative ordering of the plaintexts and is compared against thresholds to classify the relationship. The classification results in one of two outcomes:
• True: Indicates that $m_a > m_b$, meaning $m_a$ is ranked higher than $m_b$ in the encrypted space.
• False: Indicates that $m_a < m_b$, meaning $m_b$ is ranked higher than $m_a$.
This design avoids exposing explicit equality relationships ($m_a = m_b$) while preserving the total order of the encrypted values. Even if $m_a$ and $m_b$ are equal, the perturbation ensures that the ciphertexts corresponding to these plaintexts differ, preventing frequency analysis or other inference attacks.
The Perturbation-Aware Symbol Comparison algorithm ensures robust and privacy-preserving comparisons with minimal computational overhead. Its integration into the HADES framework supports privacy-preserving operations such as encrypted sorting, secure filtering, and range queries. By combining rigorous noise management with efficient polynomial arithmetic, the algorithm achieves high accuracy and scalability, making it suitable for large-scale encrypted datasets in real-world deployments.
5.3 Correctness Analysis
The correctness of the extended HADES scheme ensures that comparison operations accurately reflect the intended ordering of plaintexts, while equality relationships remain obfuscated. This is achieved through precise management of scaling, perturbations, and noise contributions.
Correctness is defined as the preservation of the relative ranking between plaintexts. For plaintexts $m_a$ and $m_b$, let:
$$\text{TrueValue} = (m_a - m_b) \cdot \text{scale}$$
represent the primary difference after scaling, and let:
$$\text{PerturbationEffect} = (\Delta(m_a) - \Delta(m_b)) \cdot \text{scale}$$
capture the perturbation contributions. Correctness holds if:
$$|\text{PerturbationEffect}| \ll |\text{TrueValue}|,$$
ensuring that the perturbation does not obscure the primary difference. This condition is satisfied when the perturbation range $\Delta(m)$ is designed such that:
$$|\Delta(m)| \ll |m_a - m_b|,$$
making the perturbation negligible compared to the scaled plaintext difference when $m_a \neq m_b$.
Noise Management. Noise introduced during encryption and evaluation is bounded to ensure correctness. Let the noise term introduced by ciphertext operations be denoted as $\langle e_m, ct_\Delta \rangle$. Correctness requires:
$$|\langle e_m, ct_\Delta \rangle| < \frac{1}{2} |\text{TrueValue}|,$$
ensuring that noise does not alter the sign of $\text{EvalValue}$. By maintaining this constraint, the scheme guarantees that the scaled plaintext difference $\text{TrueValue}$ dominates both perturbation and noise, preserving the accuracy of comparisons.
Scalability to Large Datasets. The HADES framework is designed to scale efficiently for large datasets by maintaining a fixed ciphertext size and leveraging the linear complexity of comparison operations. For $n$ encrypted values, the comparison time scales as:
$$T_{\text{cmp}} = \mathcal{O}(n),$$
allowing HADES to handle datasets with millions of entries without significant performance degradation. Additionally, the linear complexity ensures that the framework can support high-throughput applications such as secure range queries and sorting.
Practical Implications. By carefully balancing scaling, perturbations, and noise management, the HADES framework achieves accurate and robust comparisons. These properties ensure its applicability to real-world scenarios requiring secure and efficient computation, such as encrypted database queries, privacy-preserving analytics, and large-scale outsourced computations.
5.4 Parameter Sensitivity
The choice of key parameters, such as $\text{scale}$ and $\epsilon$, directly impacts the correctness, security, and efficiency of the HADES framework. Below, we analyze their effects.
Impact of Scaling Factor $\text{scale}$. A larger $\text{scale}$ amplifies plaintext differences, making it easier to distinguish small perturbations and noise terms. However, excessively large $\text{scale}$ increases computational overhead during encryption and evaluation. For practical applications, $\text{scale}$ values in the range $[10^{2}, 10^{4}]$ have been shown to balance efficiency and robustness.
Impact of Perturbation Range $\epsilon$. The perturbation range $\epsilon$ determines the degree of obfuscation for equality relationships. Larger $\epsilon$ values provide stronger protection against frequency analysis but may reduce comparison correctness. Empirically, $\epsilon$ values in $[10^{-3}, 10^{-2}]$ are effective, ensuring that perturbation effects remain insignificant compared to scaled plaintext differences.
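The correctness and sensitivity conditions of Sections 4.4, 5.3 and 5.4 can be checked numerically. The following Python code is an added example, not code from the paper or the HADES repository: it performs no encryption and models only the decoded evaluation value as TrueValue + PerturbationEffect + noise. All function names and constants (scale = 1000, ε = 10⁻², noise bound 100, τ = 150) are constructed for illustration.

```python
import random


def eval_value(m_a, m_b, scale, eps, noise_bound, rng):
    """Decoded evaluation value as modelled in the correctness analysis:
    TrueValue + PerturbationEffect + noise. No ciphertexts are involved."""
    true_value = (m_a - m_b) * scale
    # Each encryption draws its own perturbation from [-eps, eps].
    delta_a = rng.uniform(-eps, eps)
    delta_b = rng.uniform(-eps, eps)
    perturbation_effect = (delta_a - delta_b) * scale
    noise = rng.uniform(-noise_bound, noise_bound)
    return true_value + perturbation_effect + noise


def cmp_basic(m0, m1, scale, tau, noise_bound, rng):
    """Basic comparison: three-way result with threshold tau, no perturbation."""
    value = eval_value(m0, m1, scale, 0.0, noise_bound, rng)
    if abs(value) < tau:
        value = 0
    return (value > 0) - (value < 0)


def cmp_fae(m_a, m_b, scale, eps, noise_bound, rng):
    """Perturbation-aware comparison: True/False only, equality is never reported."""
    return eval_value(m_a, m_b, scale, eps, noise_bound, rng) > 0


def min_safe_gap(scale, eps, noise_bound):
    """Smallest |m_a - m_b| above which the sign cannot flip in this model:
    worst case |PerturbationEffect| = 2*eps*scale and |noise| = noise_bound."""
    return 2 * eps + noise_bound / scale


def fae_error_rate(m_a, m_b, scale, eps, noise_bound, trials, seed):
    """Fraction of trials where cmp_fae disagrees with the true order (m_a != m_b)."""
    rng = random.Random(seed)
    expected = m_a > m_b
    wrong = sum(cmp_fae(m_a, m_b, scale, eps, noise_bound, rng) != expected
                for _ in range(trials))
    return wrong / trials


def fae_true_fraction(m, scale, eps, noise_bound, trials, seed):
    """How often cmp_fae answers True when both plaintexts equal m."""
    rng = random.Random(seed)
    hits = sum(cmp_fae(m, m, scale, eps, noise_bound, rng) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed parameters, chosen inside the ranges the page reports.
    SCALE, EPS, NOISE, TAU = 1000, 1e-2, 100.0, 150.0
    rng = random.Random(1)
    print("basic, equal plaintexts :", cmp_basic(42, 42, SCALE, TAU, NOISE, rng))
    print("basic, 43 vs 42         :", cmp_basic(43, 42, SCALE, TAU, NOISE, rng))
    print("minimum safe gap        :", min_safe_gap(SCALE, EPS, NOISE))
    print("FAE error, gap 1        :", fae_error_rate(43, 42, SCALE, EPS, NOISE, 2000, 1))
    print("FAE error, gap 0.005    :", fae_error_rate(0.505, 0.5, SCALE, EPS, 0.0, 2000, 1))
    print("FAE True rate, equal    :", fae_true_fraction(42, SCALE, EPS, NOISE, 2000, 1))
```

In this model, integer plaintexts (gap of at least 1) are always ordered correctly, while two values 0.005 apart are misordered in roughly 28% of trials even with zero noise, because the gap is below 2ε. Equal plaintexts yield True about half the time under the perturbation-aware comparison, whereas the basic comparison with τ reports 0 for them.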
5.5 Security Analysis
The extended HADES scheme enhances security against frequency analysis attacks by introducing independent perturbations during encryption, while maintaining the core IND-CPA guarantees of the basic HADES scheme. A formal proof of IND-CPA security is provided, encompassing both the basic and extended algorithms.
Theorem 5.1. The extended HADES scheme is IND-CPA secure under the assumption that the RLWE problem is hard.
Proof. The IND-CPA security of the extended HADES scheme is proved via a reduction to the RLWE problem. Suppose an adversary $\mathcal{A}$ can distinguish ciphertexts under the CPA model with non-negligible probability. We construct a reduction $\mathcal{B}$ that uses $\mathcal{A}$ to solve the RLWE problem.
Reduction Setup. The RLWE challenge provides a tuple $(a, b)$, where:
$$b = a \cdot s + e \pmod{q}$$
with $s$ being the secret key and $e$ a small noise polynomial, or $b$ is uniformly random. The reduction uses $(a, b)$ to simulate the encryption process as follows:
• $a$ is treated as the public key $pk$.
• $b$ is used to simulate the CEK by setting:
$$cek = b.$$
Simulation of Encryption. For plaintexts $m_0$ and $m_1$ submitted by $\mathcal{A}$, the reduction selects a random bit $b \in \{0, 1\}$, and encrypts $m_b$ as:
$$ct_b = \text{Encrypt}(pk,\ m_b \cdot \text{scale} + \Delta(m_b) \cdot \text{scale} + e_m \bmod q),$$
where $\Delta(m_b)$ and $e_m$ are generated according to the perturbation-aware encryption algorithm. The ciphertext $ct_b$ is returned to $\mathcal{A}$, simulating the encryption oracle in the IND-CPA game.
Distinguishing Capability. If $b$ follows the RLWE distribution, the ciphertexts $ct_0$ and $ct_1$ exhibit statistical properties consistent with the HADES encryption process. However, if $b$ is uniformly random, the ciphertexts $ct_0$ and $ct_1$ become indistinguishable from random noise. The adversary $\mathcal{A}$’s ability to distinguish between these cases implies a solution to the RLWE problem.
Conclusion. Since breaking the IND-CPA security of HADES implies solving the RLWE problem, the extended scheme is IND-CPA secure under the hardness of RLWE.
Perturbation-Induced Randomness. The inclusion of dynamic perturbations $\Delta(m)$ ensures that ciphertexts corresponding to identical plaintexts are statistically independent. Specifically, for plaintexts $m_a = m_b$, the perturbations $\Delta(m_a)$ and $\Delta(m_b)$ differ, producing distinct ciphertexts $ct_{m_a} \neq ct_{m_b}$. This randomness eliminates the possibility of correlating ciphertexts based on plaintext equality, providing robustness against frequency analysis attacks.
Scaling and Noise Obfuscation. The scaling factor $\text{scale}$ amplifies plaintext differences, ensuring that the primary difference $(m_0 - m_1) \cdot \text{scale}$ dominates perturbation and noise terms. Additionally, the bounded noise $e_m$ ensures that ciphertexts remain computationally indistinguishable under the RLWE assumption. This dual-layer obfuscation prevents adversaries from inferring plaintext relationships, even when querying the same plaintext multiple times.
Enhanced Protection Against Equality Leakage. Equality relationships ($m_a = m_b$) are explicitly obfuscated by combining perturbations and noise. Even with repeated queries, the adversary observes randomized outputs, making it infeasible to infer equality through statistical analysis or ciphertext patterns.
Scalability and Computational Efficiency. Despite the added perturbations, the extended scheme introduces minimal computational overhead. The encryption and comparison processes retain their linear complexity with respect to the number of plaintexts, ensuring scalability for large datasets. By maintaining fixed ciphertext sizes and leveraging efficient polynomial arithmetic, the extended HADES scheme remains practical for real-world applications, such as encrypted database queries and privacy-preserving analytics.
6 EVALUATION
6.1 System Implementation
The HADES framework was implemented using the OpenFHE library, a state-of-the-art homomorphic encryption framework that provides comprehensive support for multiple encryption schemes, including BFV and CKKS. The system integrates both the Basic and FA-Extension (FAE) functionalities under these schemes, enabling secure and efficient symbol comparisons in privacy-preserving applications. The source code for HADES will be hosted at https://github.com/hpdic/hades.
Implementation of Basic HADES. The implementation of basic HADES provides fundamental functionality for secure symbol comparison. It includes:
• Key Generation (KeyGen): A public-private key pair is generated for encryption and decryption using OpenFHE’s key generation routines. For BFV, a plaintext modulus of 65537 was used, while for CKKS, scaling modulus sizes and flexible scaling techniques were employed.
• Encryption (EncBasic): Plaintext values are packed and encrypted using OpenFHE’s encoding mechanisms. For BFV, plaintexts are directly encoded as integers, while for CKKS, floating-point values are transformed into complex numbers.
• Comparison (CmpBasic): Ciphertext subtraction and evaluation are performed to compute the difference between two encrypted values. The result is decrypted and interpreted to determine the relative ordering.
FA-Extension (FAE) Implementation. The FA-Extension introduces perturbation-aware encryption to enhance security under stronger adversarial models:
• Perturbation Sampling: During encryption, a scaling factor and a small random perturbation value ($\Delta_m$) are sampled. These perturbations obfuscate equality relationships between plaintext values, ensuring resistance against frequency analysis attacks.
• Modified Encryption (EncFAE): Perturbed plaintexts are created by adding scaled perturbations to the original values. These perturbed plaintexts are then encrypted, following the same routines as in the Basic implementation.
• Comparison (CmpFAE): The comparison semantics are enhanced to enforce strict unidirectional constraints, where equality obfuscation ensures that adversaries cannot deduce whether $a = b$ by querying 𝑎𝑏 and 𝑏𝑎 simultaneously.
Encryption Schemes: BFV and CKKS. Both BFV and CKKS encryp-
tion schemes were implemented to support dierent computational
requirements:
BFV Scheme: Designed for exact computations over inte-
gers, BFV leverages plaintext modulus 65537 and a multiplica-
tive depth of 2to enable ecient homomorphic additions
and multiplications. Relinearization and rotation keys are
precomputed for advanced operations.
CKKS Scheme: CKKS supports approximate arithmetic
for oating-point numbers, employing exible scaling tech-
niques to balance precision and performance. Key param-
eters include scaling modulus size 59, a ring dimension of
16384, and multiplicative depth 6.
OpenFHE Parameters and Optimizations. The implementation relies on various OpenFHE configurations to optimize performance and security:
Security Levels: For both BFV and CKKS schemes, the HEStd_128_classic security standard was adopted, ensuring 128-bit classical security.
Ring Dimensions: BFV used a ring dimension of 4096, while CKKS employed 16384 for compatibility with approximate arithmetic.
Scaling Techniques: CKKS utilized flexible and fixed auto-scaling techniques to minimize precision loss during computations.
Key Switching and Bootstrapping: Advanced key switching was employed to optimize ciphertext manipulations. While BFV did not require bootstrapping, CKKS supported it to extend the operational depth for computationally intensive tasks.
System Compatibility and Scalability. The implementation is designed for scalability, supporting datasets with up to 35,848 data points. This limit ensures computational feasibility while maintaining generalizability. The framework can be extended to accommodate larger datasets by incorporating distributed encryption and parallelized comparison operations.
6.2 Experimental Setup
All experiments were conducted on a high-performance computing system [18] with the following configuration:
Processor: Intel Xeon Gold 6248R CPU @ 3.00GHz, 48 cores.
Memory: 256 GB DDR4 RAM.
Operating System: Ubuntu 24.04 LTS.
Library: OpenFHE version 1.2.3, compiled with GCC 10.3.0.
Each experiment was executed three times to account for runtime variations due to system load or random noise introduced by the FAE mechanism. The reported results represent the average of these three runs. Timing measurements were taken for each operation individually: Key Generation, Encryption (Basic and FAE), and Comparison (Basic and FAE). The average per-operation time was calculated and presented in milliseconds for ease of interpretation.
6.2.1 Data Sets. We evaluated the HADES framework on three real-world datasets, representing diverse application domains:
Bitcoin [5]: A dataset containing 1,085 cryptocurrency transaction values.
Covid19 [11]: A dataset with 340 numeric metrics from Covid19-related data, including case counts and recovery rates.
hg38 [17]: A dataset containing 34,423 genomic data tuples in numeric form derived from human genome assembly #38.
All of the above 35,848 values were preprocessed to fit the plaintext modulus constraints of the BFV scheme (65537) or appropriately scaled for the CKKS scheme. This ensures compatibility with encryption operations and avoids runtime errors.
6.2.2 Baseline Protocols. To contextualize our evaluation, we compare HADES against two prominent baseline schemes: HOPE [31] and POPE [27], which represent two distinct paradigms for ciphertext comparison in privacy-preserving outsourced databases.
HOPE is a stateless, cryptographically efficient scheme proposed in [31]. It leverages the Paillier [24] encryption system to achieve secure order-preserving comparisons without requiring server state or interaction between client and server during comparison. The primary advantage of HOPE lies in its efficiency, as it avoids the complexities of polynomial-based operations inherent in homomorphic encryption schemes like BFV and CKKS. However, HOPE supports only additive operations and is limited to integer-based computations. These restrictions make it unsuitable for applications requiring multiplicative homomorphic operations or floating-point arithmetic, reducing its applicability in real-world database systems.
POPE, introduced by Roche et al. [27], takes a client-dependent approach to ciphertext comparison. It encodes partial order information into the ciphertext, allowing the server to perform comparisons while preserving certain security guarantees. However, the scheme requires active client participation during comparison operations, introducing significant computational and communication overhead. This reliance on client involvement makes POPE less suitable for applications requiring fully independent server-side computation. Furthermore, the added network latency contributes to its inefficiency, particularly when compared to stateless schemes like HOPE or HADES.
Figure 1: HADES Basic and FA-Extension (FAE) Performance for BFV [12]. (Plot: time in ms per operation type: KeyGen, EncBasic, EncFAE, CmpBasic, CmpFAE.)
6.3 Micro Benchmarks
To evaluate the performance of the HADES framework under controlled conditions, we conducted micro benchmarks using randomly generated datasets. Each dataset consisted of 100 numerical values, sampled uniformly at random within the range of 0 to 10^6. This approach ensures consistency and avoids biases introduced by specific real-world datasets.
The experiments measured the performance of key operations in both the Basic and FA-Extension (FAE) implementations. These operations included:
Key Generation (KeyGen): Measuring the time to generate public-private key pairs and associated evaluation keys.
Basic Encryption (EncBasic): Encrypting 100 random values using the Basic implementation.
FA-Extension Encryption (EncFAE): Encrypting 100 random values with additional perturbation applied during the encryption process.
Basic Comparison (CmpBasic): Performing pairwise comparisons between ciphertexts to evaluate relative ordering.
FA-Extension Comparison (CmpFAE): Performing pairwise comparisons with the enhanced obfuscation of equality relationships.
6.3.1 HADES for BFV. Figure 1 presents the performance of the HADES framework implemented using the BFV encryption scheme. The analysis includes two key components: (1) the original HADES Basic scheme, and (2) its extension with perturbation-aware encryption, referred to as FAE (FA-Extension). The performance metrics evaluated are Key Generation Time, Average Encryption Time, and Average Comparison Time. The encryption and comparison times are presented separately for HADES Basic and FAE to highlight their differences.
Figure 2: HADES Basic and FA-Extension (FAE) Performance for CKKS [9]. (Plot: time in ms per operation type: KeyGen, EncBasic, EncFAE, CmpBasic, CmpFAE.)
The key generation time is consistent across both HADES Basic and FAE since it is independent of the encryption scheme; therefore, we only report the performance once. For encryption, the FAE extension introduces additional steps, including perturbation sampling and noise addition, which increase the encryption time significantly compared to HADES Basic. Specifically, FAE encryption takes approximately three times longer than Basic encryption.
On the other hand, comparison times are less affected by the extension since the perturbation does not significantly impact the operations required for ciphertext comparison. Interestingly, the comparison time for FAE is slightly lower than that of Basic, which could be due to the noise structure simplifying certain polynomial operations. These results demonstrate the trade-off between security enhancements and performance when adopting perturbation-aware encryption.
6.3.2 HADES for CKKS. Figure 2 presents the performance analysis of the HADES framework using the CKKS encryption scheme. The analysis evaluates two configurations: (1) HADES Basic, and (2) HADES FA-Extension (FAE) with perturbation-aware encryption. The operations measured include Key Generation, Average Encryption Time, and Average Comparison Time, highlighting the differences between Basic and FA-Extension setups.
Key generation time remains consistent across all configurations as it is independent of specific encryption extensions. For encryption, the FA-Extension introduces additional perturbation steps, leading to a slight increase in encryption time compared to the Basic scheme. However, the comparison times between Basic and FA-Extension are almost identical, as the additional perturbation does not affect the comparison process significantly. These results demonstrate the effectiveness of CKKS in handling privacy-preserving computations while maintaining high precision.
Compared to BFV, CKKS demonstrates higher computation times across all operations. The increased time is due to CKKS’s reliance on floating-point arithmetic and complex encoding, which require additional computational resources to maintain precision. For example, the encryption and comparison times in CKKS are approximately 2-3 times longer than their BFV counterparts. This trade-off is expected as CKKS offers enhanced flexibility and support for approximate arithmetic, making it more suitable for scenarios requiring floating-point operations.
Figure 3: HADES Performance Across Datasets for Key Operations. (Plot: time in ms per operation type (KeyGen, EncBasic, EncFAE, CmpBasic, CmpFAE) for the Bitcoin, Covid19 and hg38 datasets.)
6.4 Real-world Datasets
Figure 3 illustrates the performance of the HADES framework implemented using the BFV encryption scheme, tested on three different datasets: Bitcoin, Covid19, and hg38. The performance evaluation measures five key operations: Key Generation (KeyGen), Basic Encryption (EncBasic), FA-Extension Encryption (EncFAE), Basic Comparison (CmpBasic), and FA-Extension Comparison (CmpFAE). Each operation’s time is reported as an average per operation, with adjustments for comparability across datasets.
The reported times highlight the computational characteristics of the HADES BFV framework. KeyGen times are consistent across datasets, as they are independent of data characteristics. Encryption times (EncBasic and EncFAE) vary slightly due to the additional perturbation steps in FA-Extension, but they remain efficient relative to comparison times. Comparison times (CmpBasic and CmpFAE) dominate the overall computation, as pairwise operations scale quadratically with the dataset size. Notably, the measurements are reported per operation, ensuring comparability despite differences in data size and nature.
6.5 Comparison to State-of-the-arts
We compared the ciphertext comparison time of our proposed HADES framework (both the Basic and FA-Extension variants) against state-of-the-art schemes, including HOPE [31] and POPE [27]. The results, illustrated in Figure 4, demonstrate that HADES achieves competitive performance while ensuring stronger security guarantees. Specifically, the ciphertext comparison times for HADES Basic and HADES FA-Extension are 6.5ms and 6.1ms, respectively, which are comparable to HOPE (1.7ms) and significantly faster than POPE (385ms).
The main reason for POPE’s inefficiency lies in its reliance on client participation during comparison operations, which introduces not only computational overhead but also network latency. This architecture prevents fully independent ciphertext comparison on the server side, resulting in significant delays. HOPE, on the other hand, avoids these issues by being entirely stateless and cryptographically efficient. Built on Paillier encryption, it enables rapid comparisons but is limited by its reliance on an integer-based scheme that supports only addition. Additionally, HOPE’s restricted functionality makes it less suitable for real-world database systems, which often require more advanced operations, such as multiplication or support for floating-point data. In contrast, HADES strikes a balance between efficiency and functionality. While slightly slower than HOPE due to its reliance on polynomial-based homomorphic encryption, HADES offers support for both addition and multiplication, making it more suitable for modern database systems. Moreover, the extended FA-Extension variant ensures enhanced privacy protection against inference attacks, addressing critical shortcomings of existing stateless schemes like HOPE. These advantages make HADES a robust choice for privacy-preserving database applications.
Figure 4: Ciphertext Comparison Time of Different Protocols. (Plot: time in milliseconds, logarithmic axis, for HADES Basic, HADES FAE, HOPE and POPE.)
7 CONCLUSION
This paper presents HADES, a novel cryptographic framework enabling efficient and secure symbol comparison within fully homomorphic encryption (FHE) without ciphertext expansion. HADES introduces the Compare-Eval Key (CEK) mechanism, rigorously proven CPA-secure under the Ring Learning with Errors (RLWE) problem. We provide a detailed theoretical analysis, including concrete parameter selection to achieve desired security levels. This framework supports accurate comparisons while maintaining computational and storage efficiency, addressing advanced threats such as frequency-analysis attacks through a novel perturbation-aware encryption technique. Implemented using OpenFHE, HADES demonstrates practical performance on real-world datasets, supporting both integer and floating-point data through BFV and CKKS schemes and outperforming state-of-the-art baselines in relevant benchmarks. These results establish HADES as a robust and scalable solution for privacy-preserving computations, particularly in outsourced database scenarios requiring efficient range queries and indexing. Future research directions include exploring optimizations for specific hardware architectures and investigating the applicability of HADES to other privacy-preserving computation paradigms.
ACKNOWLEDGMENT
Results presented in this paper were partly obtained using the Chameleon testbed supported by the National Science Foundation. We also appreciate the insightful discussions and feedback from Professor Stefano Tessaro at the University of Washington, which helped refine some of the key ideas presented in this paper.
REFERENCES
[1] [n. d.]. HElib: An open-source library implementing homomorphic encryption. https://github.com/homenc/HElib. Accessed: 2024-12-17.
[2] [n. d.]. Microsoft SEAL (Simple Encrypted Arithmetic Library). https://github.com/microsoft/SEAL. Accessed: 2024-12-17.
[3] 2024. OpenFHE: Open-Source Fully Homomorphic Encryption Library. https://github.com/hpdic/openfhe-development. Accessed: 2024-12-14.
[4] Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. 2004. Order preserving encryption for numeric data. In Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data. ACM, 563–574.
[5] Bitcoin Trade History. Accessed 2022. https://www.blockchain.com/charts/trade-volume.
[6] Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O’Neill. 2009. Order-preserving symmetric encryption. In Advances in Cryptology–EUROCRYPT 2009. Springer, 224–241.
[7] Xinle Cao, Jian Liu, Yongsheng Shen, Xiaohua Ye, and Kui Ren. 2023. Frequency-Revealing Attacks against Frequency-Hiding Order-Preserving Encryption. Proc. VLDB Endow. 16, 11 (jul 2023), 3124–3136. https://doi.org/10.14778/3611479.3611513
[8] Sylvain Chatel, Christian Knabenhans, Apostolos Pyrgelis, Carmela Troncoso, and Jean-Pierre Hubaux. 2024. VERITAS: Plaintext Encoders for Practical Verifiable Homomorphic Encryption. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 2520–2534. https://doi.org/10.1145/3658644.3670282
[9] Jung Hee Cheon, Andrey Kim, Miran Kim, and Yong Soo Song. 2017. Homomorphic Encryption for Arithmetic of Approximate Numbers. In 23rd International Conference on the Theory and Applications of Cryptology and Information Security (AsiaCrypt), Tsuyoshi Takagi and Thomas Peyrin (Eds.). Springer.
[10] Ilaria Chillotti, Damien Stehlé, Gilles Van Assche, and Ronan Lychev. 2016. Faster fully homomorphic encryption: Bootstrapping in less than a second. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 3–33.
[11] Covid-19 Data. Accessed 2022. https://covidtracking.com/data/download/national-history.csv.
[12] Junfeng Fan and Frederik Vercauteren. 2012. Somewhat Practical Fully Homomorphic Encryption. Cryptology ePrint Archive, Paper 2012/144. https://eprint.iacr.org/2012/144.
[13] Ben Fisch, Arthur Lazzaretti, Zeyu Liu, and Charalampos Papamanthou. 2024. ThorPIR: Single Server PIR via Homomorphic Thorp Shuffles. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 1448–1462. https://doi.org/10.1145/3658644.3690326
[14] Craig Gentry. 2009. A fully homomorphic encryption scheme. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing. ACM, 169–178.
[15] Craig Gentry, Amit Sahai, and Brent Waters. 2013. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In Advances in Cryptology–CRYPTO 2013. Springer, 75–92.
[16] Jiaxing He, Kang Yang, Guofeng Tang, Zhangjie Huang, Li Lin, Changzheng Wei, Ying Yan, and Wei Wang. 2024. Rhombus: Fast Homomorphic Matrix-Vector Multiplication for Secure Two-Party Inference. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 2490–2504. https://doi.org/10.1145/3658644.3690281
[17] Human Genome Databases. Accessed 2022. http://hgdownload.soe.ucsc.edu/goldenPath/hg38/database/.
[18] Kate Keahey, Jason Anderson, Zhuo Zhen, Pierre Riteau, Paul Ruth, Dan Stanzione, Mert Cevik, Jacob Colleran, Haryadi S. Gunawi, Cody Hammock, Joe Mambretti, Alexander Barnes, François Halbach, Alex Rocha, and Joe Stubbs. 2020. Lessons Learned from the Chameleon Testbed. In Proceedings of the 2020 USENIX Annual Technical Conference (USENIX ATC ’20). USENIX Association.
[19] Florian Kerschbaum. 2015. Frequency-hiding order-preserving encryption. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 656–667.
[20] Kevin Lewi and David J. Wu. 2016. Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Vienna, Austria) (CCS ’16). Association for Computing Machinery, New York, NY, USA, 1167–1178. https://doi.org/10.1145/2976749.2978376
[21] Dongjie Li, Siyi Lv, Yanyu Huang, Yijing Liu, Tong Li, Zheli Liu, and Liang Guo. 2021. Frequency-Hiding Order-Preserving Encryption with Small Client Storage. Proc. VLDB Endow. 14, 13 (oct 2021), 3295–3307. https://doi.org/10.14778/3484224.3484228
[22] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. 2010. On ideal lattices and learning with errors over rings. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1–23.
[23] Muhammad Naveed, Seny Kamara, and Charles V Wright. 2015. Inference attacks on property-preserving encrypted databases. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (2015), 644–655.
[24] Pascal Paillier. 1999. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques (Prague, Czech Republic) (EUROCRYPT’99). Springer-Verlag, Berlin, Heidelberg, 223–238.
[25] Raluca Ada Popa, Frank H Li, and Nickolai Zeldovich. 2013. An ideal-security protocol for order-preserving encoding. In 2013 IEEE Symposium on Security and Privacy. IEEE, 463–477.
[26] Oded Regev. 2009. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM) 56, 6 (2009), 1–40.
[27] Daniel S. Roche, Daniel Apon, Seung Geol Choi, and Arkady Yerukhimovich. 2016. POPE: Partial Order Preserving Encoding. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). Association for Computing Machinery, New York, NY, USA.
[28] Savvas Savvides, Darshika Khandelwal, and Patrick Eugster. 2020. Efficient confidentiality-preserving data analytics over symmetrically encrypted datasets. Proc. VLDB Endow. 13, 8 (April 2020), 1290–1303. https://doi.org/10.14778/3389133.3389144
[29] Olamide T. Tawose, Jun Dai, Lei Yang, and Dongfang Zhao. 2023. Toward Efficient Homomorphic Encryption for Outsourced Databases through Parallel Caching. Proceedings of the ACM on Management of Data (SIGMOD), Article 66 (May 2023), 23 pages. https://doi.org/10.1145/3588920
[30] Wenxu Tang, Fangyu Zheng, Guang Fan, Tian Zhou, Jingqiang Lin, and Jiwu Jing. 2024. DPad-HE: Towards Hardware-friendly Homomorphic Evaluation using 4-Directional Manipulation. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 2475–2489. https://doi.org/10.1145/3658644.3690280
[31] Baiqiang Wang and Dongfang Zhao. 2024. HOPE: Homomorphic Order-Preserving Encryption for Outsourced Databases A Stateless Approach. arXiv:2411.17009 [cs.CR] https://arxiv.org/abs/2411.17009
[32] Andrew Chi-Chih Yao. 1982. Protocols for secure computations. In 23rd Annual Symposium on Foundations of Computer Science (FOCS 1982). IEEE, 160–164.
[33] Zhou Zhang, Song Bian, Zian Zhao, Ran Mao, Haoyi Zhou, Jiafeng Hua, Yier Jin, and Zhenyu Guan. 2024. ArcEDB: An Arbitrary-Precision Encrypted Database via (Amortized) Modular Homomorphic Encryption. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 4613–4627. https://doi.org/10.1145/3658644.3670384
[34] Yufei Zhou, Peijia Zheng, Xiaochun Cao, and Jiwu Huang. 2024. Two-Tier Data Packing in RLWE-based Homomorphic Encryption for Secure Federated Learning. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS ’24). Association for Computing Machinery, New York, NY, USA, 2844–2858. https://doi.org/10.1145/3658644.3690191