In case you missed our previous blog posts: in Curl, we used discrete wavelet transforms (DWT) and lookup tables under arithmetic secret sharing to evaluate large language models (LLMs) privately. Then, in Ripple, we extended DWT-encoded lookup tables to fully homomorphic encryption using programmable bootstrapping. In this blog post, we take DWT a step further by employing function secret sharing (FSS) to cut execution times. Wave is exponentially faster than the state-of-the-art Pika protocol and more than an order of magnitude faster than Curl, our previous DWT implementation.
Ripple: https://nillion.com/news/1523/
Curl: https://nillion.com/news/1175
Motivation
As Artificial Intelligence (AI) gains prominence in our daily lives, it becomes increasingly important that we protect our sensitive information. As discussed in our previous blog posts, privacy-preserving AI aims to address this need by providing AI services that benefit our lives without compromising our privacy.
In Curl, we built ways to evaluate large language models (LLMs) privately: you send your data to the server encrypted and get the LLM’s answer back, all without the server learning anything about your input or the LLM’s output. For this, we used the discrete wavelet transform (DWT) to improve the speed and accuracy of LLMs under secure multiparty computation (MPC), a method for private computation, but there is still room to improve how fast and accurately we can evaluate these models under MPC using DWT. We built Curl in Python, a language familiar to machine learning practitioners, to make it approachable, and it uses simple arithmetic sharings that fit naturally into PyTorch’s existing design. All of this convenience, however, comes at the cost of speed.
In Wave Hello to Privacy, we introduce a faster and more accurate computation scheme, again relying on DWTs but building the MPC stack from the ground up in C++ with function secret sharing (FSS) for a more efficient design. It is so efficient that we can increase the accuracy of the computation without sacrificing speed.
Discrete Wavelet Transforms (DWT)
A discrete wavelet transform is a signal processing method that divides a signal into approximation and detail coefficients. Most of the information is captured by the approximation coefficients, while the detail coefficients capture the small, fine-grained differences in the signal. The process is reversible: the original signal can be reconstructed without any information loss from the approximation and detail coefficients together. Another property of the DWT is that it can be applied recursively; we can take the approximation coefficients of the approximation coefficients, obtaining an even smaller set of approximations! This way, the signal can be compressed to the desired size and corresponding accuracy level.
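As a quick illustration, here is a minimal sketch using the PyWavelets library (not part of Curl or Wave; the signal values are arbitrary) showing the split into approximation and detail coefficients, the lossless reconstruction, and the recursive application of the transform:

```python
import numpy as np
import pywt  # PyWavelets, used here purely for illustration

signal = np.array([4.0, 6.0, 10.0, 12.0, 8.0, 6.0, 5.0, 3.0])

# One DWT level splits the signal into approximation and detail coefficients.
approx, detail = pywt.dwt(signal, "haar")

# The transform is lossless: both coefficient sets together reconstruct the signal.
reconstructed = pywt.idwt(approx, detail, "haar")
assert np.allclose(reconstructed, signal)

# Applied recursively to the approximation coefficients, the representation
# shrinks level by level, trading size for accuracy.
coeffs = pywt.wavedec(signal, "haar", level=3)  # [cA3, cD3, cD2, cD1]
print([len(c) for c in coeffs])                 # [1, 1, 2, 4]
```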
The most basic DWT is called Haar, which applies a linear transformation that essentially breaks the signal into sums and differences. Points that are close to each other, namely those that share the same higher-order bits, have the same approximation under Haar. This makes Haar easy to apply in secure computation, whether MPC or FHE, because we only need the higher-order bits to compute a number’s Haar approximation: we simply truncate the number, i.e., cut off the lower-order bits, and apply a lookup table protocol on the higher-order bits.
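To make this concrete, here is a minimal plain-NumPy sketch of one Haar level compressing a lookup table; the sigmoid table, its 8-bit size, and the average/difference form of Haar (rather than the orthonormal scaling) are illustrative choices, not Wave’s actual code or parameters:

```python
import numpy as np

# Illustrative full 8-bit lookup table for a nonlinear function (sigmoid on [-4, 4)).
xs    = np.linspace(-4, 4, 256, endpoint=False)
table = 1 / (1 + np.exp(-xs))                # 256 entries

# One Haar level: adjacent entries are averaged (approximation) and
# differenced (detail).  Keeping only the averages halves the table.
approx = (table[0::2] + table[1::2]) / 2     # 128 entries
detail = (table[0::2] - table[1::2]) / 2     # dropped for compression

def lut_full(i):
    """Look up the 8-bit quantized input in the full table."""
    return table[i]

def lut_haar(i):
    """Drop the lowest bit of the input and index the compressed table."""
    return approx[i >> 1]

i = 200
print(lut_full(i), lut_haar(i))  # close: inputs sharing high-order bits map to the same entry
```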
Haar’s simplicity is also its weakness: it does not utilize the lower-order bits. In contrast, Biorthogonal is a more complex family of DWTs that takes weighted averages of several neighboring points, with scaling factors that account for both the lower-order and the higher-order bits when approximating values. In this way it captures more information about the number and allows for a better approximation. Being a more elaborate technique, it takes longer to execute, but it also greatly enhances the accuracy of the approximation.
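As a rough illustration of the accuracy gap, the snippet below (again using PyWavelets and an illustrative sigmoid table; the choice of the “bior2.2” wavelet is ours, not necessarily the one used in Wave) compresses the same table with Haar and with a biorthogonal wavelet and reconstructs from the approximation coefficients alone. The biorthogonal approximation typically tracks the original more closely at a similar size:

```python
import numpy as np
import pywt  # PyWavelets, used here purely for illustration

xs    = np.linspace(-4, 4, 256, endpoint=False)
table = 1 / (1 + np.exp(-xs))                      # illustrative sigmoid lookup table

for wavelet in ("haar", "bior2.2"):
    cA, cD = pywt.dwt(table, wavelet)              # approximation + detail coefficients
    # Reconstruct from the approximation only (details zeroed), i.e. what the
    # compressed table alone can recover.
    approx_only = pywt.idwt(cA, np.zeros_like(cA), wavelet)[:len(table)]
    err = np.max(np.abs(approx_only - table))
    print(f"{wavelet:>8}: {len(cA)} coefficients, max error {err:.2e}")
```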
Function Secret Sharing
Function Secret Sharing (FSS) is a cryptographic technique for securely evaluating a function on private inputs without revealing those inputs to the parties involved in the computation. In simple terms, FSS enables multiple parties to jointly compute a function on secret inputs in a way that prevents any individual party from learning the other parties’ inputs. The function itself is “shared” across the parties, and its output can be computed without compromising the privacy of the inputs. FSS is used mainly in two-party computation, as the cost of the computation grows exponentially with more parties. Instead of secret sharing values over the whole domain, as we would need with arithmetic secret sharing, in FSS the two parties each hold a short seed that they expand with length-doubling pseudorandom generators (PRGs) to evaluate the function over the whole domain. These PRG evaluations can be built from primitives that are hardware-accelerated on commodity CPUs, so FSS is very fast and requires no specialized hardware. Sharing the seeds is also far less bandwidth-intensive than secret sharing a whole function.
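To see how this style of evaluation plugs into a private table lookup, here is a toy sketch under simplifying assumptions: a trusted dealer hands each party an additive share of the one-hot indicator of the secret index, standing in for the compact keys that a real FSS scheme would expand from short seeds with a PRG. The table, modulus, and domain size are illustrative and not taken from Wave:

```python
import secrets
import numpy as np

MOD    = 2**16
DOMAIN = 256
table  = np.arange(DOMAIN, dtype=np.int64) ** 2 % MOD   # an arbitrary public lookup table

def dealer(x):
    """Toy stand-in for FSS key generation: additive shares of the one-hot indicator of x."""
    e = np.zeros(DOMAIN, dtype=np.int64)
    e[x] = 1
    share0 = np.array([secrets.randbelow(MOD) for _ in range(DOMAIN)], dtype=np.int64)
    share1 = (e - share0) % MOD
    return share0, share1

x = 42                                  # the secret index
s0, s1 = dealer(x)

# Each party evaluates its share over the *whole* domain: a local inner product
# with the public table.  Neither share reveals x on its own.
y0 = int(np.dot(s0, table)) % MOD
y1 = int(np.dot(s1, table)) % MOD

assert (y0 + y1) % MOD == table[x]      # reconstructing the outputs yields T[x]
```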
As mentioned above, when using DWT we take an input, cut off its lower-order bits, and apply a lookup table protocol on the higher-order bits. Under MPC, however, neither party has access to the actual value, so if each party truncates its own share, about 50% of the time they will miss the correct truncation by one: an off-by-one error. For the lookup table evaluation, this translates into reading an entry that is one position off, decreasing accuracy. Thanks to FSS, we can obtain the correct lookup table output with either of two techniques: a deterministic truncation, or the Grotto segment-parity approach, which avoids truncations entirely. Both techniques improve the accuracy of the protocol in an efficient way.
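The off-by-one effect is easy to reproduce. The toy experiment below (parameters are arbitrary; this is not Wave’s code) additively shares random 16-bit values, lets each party truncate its own share locally, and counts how often the reconstructed truncation is wrong; the miss rate comes out near 50%, and the miss is always exactly one position:

```python
import random

n, k = 16, 8            # 16-bit values, drop the low 8 bits
trials, misses = 10_000, 0

for _ in range(trials):
    x  = random.randrange(2**n)          # the secret value
    x0 = random.randrange(2**n)          # random additive share
    x1 = (x - x0) % 2**n                 # the other share

    true_trunc  = x >> k                                 # what we want
    local_trunc = ((x0 >> k) + (x1 >> k)) % 2**(n - k)   # each party truncates its own share
    misses += (local_trunc != true_trunc)
    # When wrong, the result is off by exactly one: the carry out of the dropped bits is lost.
    assert (true_trunc - local_trunc) % 2**(n - k) in (0, 1)

print(f"local truncation wrong in {misses / trials:.1%} of trials")  # roughly 50%
```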
Empirical Results
We ran experiments comparing Wave to Curl, which uses DWT compression but has a slower Python implementation, and to Pika, which does not use DWT compression but benefits from FSS and efficient C++ libraries. For smaller table sizes, Pika runs faster than Curl, since DWT compression alone is not enough to make up for the advantages of FSS and code efficiency. As the table size increases, DWT’s advantage becomes clear and Curl quickly overtakes Pika. Wave, which benefits from both, is faster than Pika and Curl at every table size.
Conclusion
We have seen how DWT can compress lookup tables for faster evaluation in MPC. By adding function secret sharing, deterministic truncation, and an efficient implementation, we build faster, more accurate protocols. Combining DWT and FSS, we accelerated private lookup table evaluation, the main bottleneck in private LLM inference, exponentially compared to state-of-the-art protocols like Pika.
This advancement not only improves efficiency but also enables applications that were previously out of reach due to privacy concerns. It is particularly relevant for AI agents, which interact with their environments and perform goal-oriented tasks and are increasingly used to automate business workflows. Managing sensitive data with these systems raises privacy and ethical concerns, along with the need to protect against unauthorized access, cyber threats, and censorship, and this can be a roadblock to their wide adoption. Wave’s ability to enhance function secret sharing while maintaining high accuracy empowers AI agents to securely process encrypted information and protect user confidentiality, paving the way for their wider adoption, particularly in sensitive domains such as personalized healthcare and finance.
Look out for our paper in PETS 2025!
References
José Reis, Mehmet Ugurbil, Sameer Wagh, Ryan Henry, Miguel de Vega.
Wave Hello to Privacy: Efficient Mixed-Mode MPC using Wavelet Transforms.
In Privacy Enhancing Technologies Symposium (PETS), 2025.
PDF: https://eprint.iacr.org/2025/013.pdf
Manuel B. Santos, Dimitris Mouris, Mehmet Ugurbil, Stanislaw Jarecki, José Reis, Shubho Sengupta, and Miguel de Vega.
Curl: Private LLMs through Wavelet-Encoded Look-Up Tables.
In Conference on Applied Machine Learning for Information Security (CAMLIS), 2024.
PDF: https://eprint.iacr.org/2024/1127.pdf
Code: https://github.com/jimouris/curl
Charles Gouert, Mehmet Ugurbil, Dimitris Mouris, Miguel de Vega, Nektarios Georgios Tsoutsos.
Ripple: Accelerating Programmable Bootstraps for FHE with Wavelet Approximations.
In Information Security Conference (ISC), 2024. Lecture Notes in Computer Science, vol. 15257, Springer. https://doi.org/10.1007/978-3-031-75757-0_14
PDF: https://eprint.iacr.org/2024/866.pdf
Code: https://github.com/NillionNetwork/ripple
Follow @BuildOnNillion on X/Twitter for more updates like these