A. Bird-Eye View of ANS

ANS [5] allows to achieve a close to optimal compression for a source of an arbitrary probability distribution. The ANS encoding and decoding can be done very efficiently. When describing ANS operations, it is helpful to think about ANS as a finite state machine (FSM), optimised for a given probability distribution, whose states are labelled by integers [16]. We describe building blocks of ANS without giving rationale for their design. This is enough to understand the encryption part of the paper. The reader interested in ANS details is referred to [5], [18].

The main data structure is determined by the number of states $L$ . For simplicity, we assume that $L=2^{R}$ , where $R\in \mathbb {N}^{+}$ is a parameter, which determines the quality of compression. Let $L_{s}$ denote the number of occurrences of symbol $s$ , where $\sum _{s} L_{s} =L$ and $L_{s}$ is an approximation of probabilities of $Pr(s)=p_{s}$ . Define the following sets $\mathbb {L}=\{L,L+1,\ldots,2L-1\}$ and $\mathbb {L}_{s}=\{L_{s},L_{s}+1,\ldots,2L_{s} -1\}$ , where $s\in \mathbb {S}$ . Given a state is $x_{i}$ and a symbol $s_{i}$ . ANS needs to determine the next state $x_{i+1}$ and the output bits $b_{i}$ . If one looks at ANS as FSM, then the state-transition function is defined by the following two steps:

1. the current state $x_{i}$ is re-normalised by truncating enough least significant bits (LSB) so the truncated integer $y$ belongs to $\mathbb {L}_{s_{i}}$ ,

2. calculates a new state $x_{i+1}$ by applying an encoding function $C(s_{i},y)$ and outputs the binary sequence $b_{i}$ =LSB$(x_{i})$ , which is a binary encoding of $s_{i}$ .

The crux of ANS is its encoding function $x=C(s,y)$ that assigns a state/integer $x\in \mathbb {L}$ that encodes $s\in \mathbb {S}$ using the integer $y\in \mathbb {L}_{s}$ . A symbol spread function $\bar {s}: {\mathbb L}\rightarrow {\mathbb S}$ is closely connected to the encoding function $C(s,y)$ . It determines the symbol $s$ that is encoded in $x$ or $\bar {s}(x)=s$ . The encoding function $C: {\mathbb L}_{s}\rightarrow {\mathbb L}$ is constructed so the following conditions hold:

• The approximation $\frac {L_{s}}{L} \approx p_{s}$ determines quality of compression. This means that there are $L_{s}$ different integers $x\in \mathbb L$ that encode $s$ .

• By construction, for a given symbol $s$ , $C(s,y)$ accepts integers $y\in \mathbb L_{s}$ . The function $C(s,y)$ can be represented by a table, whose rows are indexed by a symbol $s$ and columns by an integer $y\in \mathbb {L}_{s}$ . The columns are indexed by all consecutive integers starting from $y_{min}=\min _{s}{L_{s}}$ . The last column index is $2^{R}-1$ . The entries of the $s$ -th row for consecutive columns $L_{s},L_{s}+1,\ldots, 2L_{s}-1$ create a set $\Gamma _{s}$ of states arranged in an increasing order. $\Gamma _{s}$ is also called symbol spread for $s$ .

• The integers $x\in {\Gamma }_{s}$ can be chosen at random from $\mathbb L$ as long as any symbol spread pair is disjoint, i.e. $\Gamma _{s} \cap \Gamma _{s'}=\emptyset$ as long as $s\neq s'$ , where $\Gamma _{s}=\{ x\in \mathbb {L} | x=C(s,y); y\in \mathbb {L}_{s}\}$ and $\bigcup _{s} \mathbb {L}_{s} = \mathbb {L}$ .

A decoding function $D: {\mathbb L} \rightarrow {\mathbb S}\times \mathbb {L}_{s}$ takes an integer $x \in {\mathbb L}$ and returns the corresponding symbol $s$ and an integer $y$ , which is a re-normalised state from $\mathbb {L}_{s}$ . In fact, $D(x)$ can be seen as the inverse of $C(s,y)$ . By construction, the integer $x$ points out a unique pair $(s,y)$ . Note that if $x\in {\Gamma }_{s}$ , then it cannot occur in any other ${\Gamma }_{s'}$ , otherwise the condition $\Gamma _{s} \cap \Gamma _{s'}=\emptyset$ is violated.

Encoding – given a state $x\in \Gamma _{s}$ that is an encoding of $s$ , the number of bits of $b_{s}$ is computed as $$\begin{equation*}k=k_{s}(x)=\lfloor \log _{2}(x/L_{s}) \rfloor \longrightarrow b_{s}= x\mod {2^{k}}.\end{equation*}$$ View Source\begin{equation*}k=k_{s}(x)=\lfloor \log _{2}(x/L_{s}) \rfloor \longrightarrow b_{s}= x\mod {2^{k}}.\end{equation*}

The binary string $b_{s}$ is sent to the output. Now for the next symbol $s'\in \mathbb S$ , the state $x$ is updated as follows $$\begin{equation*}x \longrightarrow x'=C(s',\lfloor x/2^{k} \rfloor).\end{equation*}$$ View Source\begin{equation*}x \longrightarrow x'=C(s',\lfloor x/2^{k} \rfloor).\end{equation*}

Note that $x\in \Gamma _{s}$ but $\lfloor x/2^{k} \rfloor \in \mathbb {L}_{s}$ .

Decoding – for a state $x\in \mathbb {L}$ and an output binary string $\cal {B}$ , the decoding function $D(x)=(s,y)$ determines the symbol $s$ and integer $y\in \mathbb {L}_{s}$ . Next, the number of bits that needs to be read from $\cal {B}$ is calculated as $k_{s}=k_{s}(x)=R - \lfloor \log _{2} x \rfloor$ . The $k_{s}$ -bit string is read from $\cal {B}$ or $b_{s}=MSB{(\cal {B})}_{k_{s}}$ , where $MSB$ stands for the most significant bits. The string $\cal {B}$ is updated by removing $b_{s}$ and the state is modified $x'=2^{k}\cdot y+b_{s}$ . The full description of ANS is given below.

B. ANS Algorithms

The tANS compression can be seen as a triplet $\langle \mathbf {I}, \mathbf {C},\mathbf {D}\rangle$ , where $\mathbf {I}$ is an initialization algorithm executed once before compression by communicating parties. However, if symbol statistics changes, the algorithm may need to be rerun. $\mathbf {C}$ is a compression algorithm performed by a sender and $\mathbf {D}$ is a decompression algorithm used by a receiver.

The algorithm $\mathbf {C}$ takes a sequence of symbols further called a symbol frame and generates a stream of bits also called binary frame.

The next algorithm takes a binary frame and the final state and produces symbols of the corresponding frame.

Note that $LSB({\mathcal{ B}})_{\ell }$ and $MSB({\mathcal{ B}})_{\ell }$ stand for the $\ell$ least and most significant bits of $\cal B$ , respectively.

C. Example

Design compression and decompression algorithms for a source with $m=3$ symbols, where $\mathbb {S}=\{s_{0},s_{1}, s_{2} \}$ , $p_{0}=\frac {3}{16}$ , $p_{1}=\frac {8}{16}$ , $p_{2}=\frac {5}{16}$ and a free parameter ${R}=4$ . Note that $R$ determines quality of compression. The higher $R$ the better compression but the algorithm is less efficient. The number of states $L=2^{R}=16$ and the state set $\mathbb L=\{16,17,\ldots, 31\}$ .

Determine symbol spread function $\overline {s}: {\mathbb L}\to \mathbb {S}$ such that $$\begin{align*} \overline {s}(x)= \begin{cases} s_{0} & \quad \text {if } x\in \{18,22,25\} =\Gamma _{0} \\ s_{1} & \quad \text {if } x\in \{16,17,21,24,27,29,30,31\}=\Gamma _{1}\\ s_{2} & \quad \text {if } x \in \{19,20,23,26,28\}=\Gamma _{2} \end{cases}\end{align*}$$ View Source\begin{align*} \overline {s}(x)= \begin{cases} s_{0} & \quad \text {if } x\in \{18,22,25\} =\Gamma _{0} \\ s_{1} & \quad \text {if } x\in \{16,17,21,24,27,29,30,31\}=\Gamma _{1}\\ s_{2} & \quad \text {if } x \in \{19,20,23,26,28\}=\Gamma _{2} \end{cases}\end{align*} where $L_{0}= | \{18,22,25\} |=3$ , $L_{1}=| \{16,17,21,24,27,\,\,29,30,31\} |=8$ and $L_{2}=| \{19,20,23,26,28\} |=5$ . Note that sets $\Gamma _{s}$ need to be arranged in increasing order.

Write the encoding function $C(s,y)$ as the following table $$\begin{align*}\begin{array}{l||c|c|c|c|c|c|c|c|c|c|c|c|c|} \hline s \backslash y &3&4&5& 6 &7&8&9& 10 &11&12&13& 14 &15 \\ \hline s_{0} &18&22&25& - &-&-&-& - &-&-&-& - & -\\ \hline s_{1} &-&-&-& - &-&16&17& 21 &24&27&29& 30 & 31\\ \hline s_{2} &-&-&19& 20 &23&26&28& - &-&-&-& - & -\\ \hline \end{array}\end{align*}$$ View Source\begin{align*}\begin{array}{l||c|c|c|c|c|c|c|c|c|c|c|c|c|} \hline s \backslash y &3&4&5& 6 &7&8&9& 10 &11&12&13& 14 &15 \\ \hline s_{0} &18&22&25& - &-&-&-& - &-&-&-& - & -\\ \hline s_{1} &-&-&-& - &-&16&17& 21 &24&27&29& 30 & 31\\ \hline s_{2} &-&-&19& 20 &23&26&28& - &-&-&-& - & -\\ \hline \end{array}\end{align*} The top row of the table defines $\mathbb {L}_{0}=\{3,4,5\}$ , $\mathbb {L}_{1}=\{8,9,10,11,12,13,14,15\}$ and $\mathbb {L}_{2}=\{5,6,7,8,9\}$ .

Construct the encoding table ${\mathbb E}(x_{i},s_{i})=({x_{i+1}, b_{i}})\stackrel {{\textit{def}}}{\equiv } {\binom{x_{i+1}}{ b_{i}}}$ as follows: $$\begin{align*}& \begin{array}{l||c|c|c|c|c|c|c|c|} \hline s_{i} \backslash x_{i} &16&17&18& 19&20&21&22& 23 \\ \hline s_{0}&{\binom{22}{ 00}}&{\binom{22}{ 01}}&{\binom{22}{ 10}}&{\binom{22}{ 11}} & {\binom{25}{ 00}}&{\binom{25}{ 01}}&{\binom{25}{ 10}}&{\binom{25}{ 11}} \\ \hline s_{1}&{\binom{16}{ 0}}&{\binom{16}{ 1}}&{\binom{17}{ 0}}&{\binom{17}{ 1}} &{\binom{21}{ 0}}&{\binom{21}{ 1}}& {\binom{24}{ 0}}&{\binom{24}{ 1}} \\ \hline s_{2}&{\binom{26}{ 0}}&{\binom{26}{ 1}}&{\binom{28}{ 0}}&{\binom{28}{ 1}} & {\binom{19}{ 00}}&{\binom{19}{ 01}}&{\binom{19}{ 10}}&{\binom{19}{ 11}} \\ \hline \end{array}\\[2mm]& \begin{array}{l||c|c|c|c|c|c|c|c|} \hline s_{i} \backslash x_{i} &24&25&26& 27&28&29&30&31 \\ \hline s_{0}& {\binom{18}{ 000}}&{\binom{18}{ 001}}&{\binom{18}{ 010}}&{\binom{18}{ 011}} &{\binom{18}{ 100}}& {\binom{18}{ 101}}&{\binom{18}{ 110}}& {\binom{18}{ 111}}\\ \hline s_{1}& {\binom{27}{ 0}}&{\binom{27}{ 1}}&{\binom{29}{ 0}}&{\binom{29}{ 1}} & {\binom{30}{ 0}}&{\binom{30}{ 1}}&{\binom{31}{ 0}}&{\binom{31}{ 1}} \\ \hline s_{2}& {\binom{20}{ 00}}&{\binom{20}{ 01}}&{\binom{20}{ 10}}&{\binom{20}{ 11}} & {\binom{23}{ 00}}&{\binom{23}{ 01}}&{\binom{23}{ 10}}& {\binom{23}{ 11}} \\ \hline \end{array}\end{align*}$$ View Source\begin{align*}& \begin{array}{l||c|c|c|c|c|c|c|c|} \hline s_{i} \backslash x_{i} &16&17&18& 19&20&21&22& 23 \\ \hline s_{0}&{\binom{22}{ 00}}&{\binom{22}{ 01}}&{\binom{22}{ 10}}&{\binom{22}{ 11}} & {\binom{25}{ 00}}&{\binom{25}{ 01}}&{\binom{25}{ 10}}&{\binom{25}{ 11}} \\ \hline s_{1}&{\binom{16}{ 0}}&{\binom{16}{ 1}}&{\binom{17}{ 0}}&{\binom{17}{ 1}} &{\binom{21}{ 0}}&{\binom{21}{ 1}}& {\binom{24}{ 0}}&{\binom{24}{ 1}} \\ \hline s_{2}&{\binom{26}{ 0}}&{\binom{26}{ 1}}&{\binom{28}{ 0}}&{\binom{28}{ 1}} & {\binom{19}{ 00}}&{\binom{19}{ 01}}&{\binom{19}{ 10}}&{\binom{19}{ 11}} \\ \hline \end{array}\\[2mm]& \begin{array}{l||c|c|c|c|c|c|c|c|} \hline s_{i} \backslash x_{i} &24&25&26& 27&28&29&30&31 \\ \hline s_{0}& {\binom{18}{ 000}}&{\binom{18}{ 001}}&{\binom{18}{ 010}}&{\binom{18}{ 011}} &{\binom{18}{ 100}}& {\binom{18}{ 101}}&{\binom{18}{ 110}}& {\binom{18}{ 111}}\\ \hline s_{1}& {\binom{27}{ 0}}&{\binom{27}{ 1}}&{\binom{29}{ 0}}&{\binom{29}{ 1}} & {\binom{30}{ 0}}&{\binom{30}{ 1}}&{\binom{31}{ 0}}&{\binom{31}{ 1}} \\ \hline s_{2}& {\binom{20}{ 00}}&{\binom{20}{ 01}}&{\binom{20}{ 10}}&{\binom{20}{ 11}} & {\binom{23}{ 00}}&{\binom{23}{ 01}}&{\binom{23}{ 10}}& {\binom{23}{ 11}} \\ \hline \end{array}\end{align*}

To illustrate calculations, assume that we have $x_{i}=25$ and input symbol is $s_{0}$ . First we determine the number of bits that need to be extracted $k_{s_{0}}=\lfloor \lg (x_{i}/L_{0}) \rfloor =\lfloor \lg (25/3) \rfloor =3$ , compute $x_{i+1} = C\left({s_{0}, \lfloor {\frac {x_{i}}{2^{k}}} \rfloor }\right)=C(s_{0}, 3)=18$ and $b_{i} = x_{i}\!\!\! \mod {2^{k}} = 25\!\!\! \mod 8=1 \longrightarrow 001$ . Given an initial state $x_{0}=19$ (normally chosen at random), compress the following symbol frame ${\mathcal{ S}}=(s_{1},s_{1},s_{2},s_{1},s_{2},s_{1},s_{1},s_{0},s_{2})$ . Applying the encoding table for consecutive symbols, we get $$\begin{align*} (19) \rightarrow \begin{array}{c} \binom{19} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{17} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{16} {s_{2}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{26} {s_{1}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{29} {s_{2}} \\ \downarrow \\ 01 \end{array} \rightarrow \\ \rightarrow \begin{array}{c} \binom{23} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{24} {s_{1}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{27} {s_{0}} \\ \downarrow \\ 011 \end{array} \rightarrow \begin{array}{c} \binom{18} {s_{2}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} (28) \end{array}\end{align*}$$ View Source\begin{align*} (19) \rightarrow \begin{array}{c} \binom{19} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{17} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{16} {s_{2}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{26} {s_{1}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{29} {s_{2}} \\ \downarrow \\ 01 \end{array} \rightarrow \\ \rightarrow \begin{array}{c} \binom{23} {s_{1}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{24} {s_{1}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} \binom{27} {s_{0}} \\ \downarrow \\ 011 \end{array} \rightarrow \begin{array}{c} \binom{18} {s_{2}} \\ \downarrow \\ 0 \end{array} \rightarrow \begin{array}{c} (28) \end{array}\end{align*}

The output bits are ${\mathcal{ B}}=110001100110$ and the final state is 28.

Build the decoding table. The decoding function $D(x)=(s,y)$ can be obtained from $C(s,y)=x$ and is $$\begin{align*} \begin{array}{l||c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|} \hline x&16&17&18& 19&20&21&22& 23&24&25&26& 27&28&29&30&31 \\ \hline y &8&9&3& 5&6&10&4& 7&11&5&8& 12&9&13&14&15 \\ \hline \end{array}\end{align*}$$ View Source\begin{align*} \begin{array}{l||c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|} \hline x&16&17&18& 19&20&21&22& 23&24&25&26& 27&28&29&30&31 \\ \hline y &8&9&3& 5&6&10&4& 7&11&5&8& 12&9&13&14&15 \\ \hline \end{array}\end{align*}

The decoding table ${\mathbb D}(x_{i},b_{i})$ can be represented as follows $$\begin{align*} \begin{array}{l||c|c|c|c|c|c|c|c|} \hline x_{i} ~&16&17&18& 19&20&21&22& 23 \\ \hline s_{i} &s_{1}&s_{1}&s_{0}& s_{2}&s_{2}&s_{1}&s_{0}& s_{2}\\ \hline k &1&1&3& 2&2&1&2& 2 \\ \hline x_{i+1} &16\!\!+\!\!b_{i}&18\!\!+\!\!b_{i}&24\!\!+\!\!b_{i}&20\!\!+\!\!b_{i} &24\!\!+\!\!b_{i}&20\!\!+\!\!b_{i}&16\!\!+\!\!b_{i}& 28\!\!+\!\!b_{i} \\ \hline \end{array} \\ \begin{array}{l||c|c|c|c|c|c|c|c|} \hline x_{i} ~&24&25&26& 27&28&29&30&31 \\ \hline s_{i} &s_{1}&s_{0}&s_{2}& s_{1}&s_{2}&s_{1}&s_{1}&s_{1} \\ \hline k &1&2&1& 1&1&1&1&1 \\ \hline x_{i+1} & 22\!\!+\!\!b_{i}&20\!\!+\!\!b_{i}&16\!\!+\!\!b_{i}& 24\!\!+\!\!b_{i}&18\!\!+\!\!b_{i}&26\!\!+\!\!b_{i} &28\!\!+\!\!b_{i}&30\!\!+\!\!b_{i} \\ \hline \end{array}\end{align*}$$ View Source\begin{align*} \begin{array}{l||c|c|c|c|c|c|c|c|} \hline x_{i} ~&16&17&18& 19&20&21&22& 23 \\ \hline s_{i} &s_{1}&s_{1}&s_{0}& s_{2}&s_{2}&s_{1}&s_{0}& s_{2}\\ \hline k &1&1&3& 2&2&1&2& 2 \\ \hline x_{i+1} &16\!\!+\!\!b_{i}&18\!\!+\!\!b_{i}&24\!\!+\!\!b_{i}&20\!\!+\!\!b_{i} &24\!\!+\!\!b_{i}&20\!\!+\!\!b_{i}&16\!\!+\!\!b_{i}& 28\!\!+\!\!b_{i} \\ \hline \end{array} \\ \begin{array}{l||c|c|c|c|c|c|c|c|} \hline x_{i} ~&24&25&26& 27&28&29&30&31 \\ \hline s_{i} &s_{1}&s_{0}&s_{2}& s_{1}&s_{2}&s_{1}&s_{1}&s_{1} \\ \hline k &1&2&1& 1&1&1&1&1 \\ \hline x_{i+1} & 22\!\!+\!\!b_{i}&20\!\!+\!\!b_{i}&16\!\!+\!\!b_{i}& 24\!\!+\!\!b_{i}&18\!\!+\!\!b_{i}&26\!\!+\!\!b_{i} &28\!\!+\!\!b_{i}&30\!\!+\!\!b_{i} \\ \hline \end{array}\end{align*}

Note that $x_{i+1}=2^{k} y+b_{i}$ , where $b_{i}$ is an integer that corresponds to binary encoding of $s_{i}$ . Given the binary frame ${\mathcal{ B}}=110001100110$ and the final state 28, we recover the corresponding sequence of symbols, where the binary string needs to be read from right to left. $$\begin{align*} (28) \rightarrow \begin{array}{c} \binom{28} {0} \\ \downarrow \\ s_{2} \end{array} \rightarrow \begin{array}{c} \binom{18} {011} \\ \downarrow \\ s_{0} \end{array} \rightarrow \begin{array}{c} \binom{27} {0} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c} \binom{24} {1} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c}\binom {23} {01} \\ \downarrow \\ s_{2} \end{array} \rightarrow \\ \rightarrow \begin{array}{c} \binom{29}{ 0} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c}\binom {26}{ 0} \\ \downarrow \\ s_{2} \end{array} \rightarrow \begin{array}{c}\binom {16}{ 1} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c} \binom{17}{ 1} \\ \downarrow \\ s_{1} \end{array} \rightarrow (19)\end{align*}$$ View Source\begin{align*} (28) \rightarrow \begin{array}{c} \binom{28} {0} \\ \downarrow \\ s_{2} \end{array} \rightarrow \begin{array}{c} \binom{18} {011} \\ \downarrow \\ s_{0} \end{array} \rightarrow \begin{array}{c} \binom{27} {0} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c} \binom{24} {1} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c}\binom {23} {01} \\ \downarrow \\ s_{2} \end{array} \rightarrow \\ \rightarrow \begin{array}{c} \binom{29}{ 0} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c}\binom {26}{ 0} \\ \downarrow \\ s_{2} \end{array} \rightarrow \begin{array}{c}\binom {16}{ 1} \\ \downarrow \\ s_{1} \end{array} \rightarrow \begin{array}{c} \binom{17}{ 1} \\ \downarrow \\ s_{1} \end{array} \rightarrow (19)\end{align*}

A. Ciphertext-Only Attack Against ANS

A majority of IoT devices that use ANS for compression communicates with their servers via broadcasting channels (such as Bluetooth or WiFi). This makes them vulnerable to eavesdropping (alternatively called ciphertext-only attacks). The main difficulty for an adversary is to guess a window frame. After it has guessed it, it can upload an observed binary frame $\cal B$ into consecutive windows and recover a sequence of encodings. Our task here is to determine an upper bound for probability of guessing the window frame and evaluate a lower bound of security provided by a plain ANS.

B. Known-Plaintext Attack Against ANS

For a given symbol, ANS assigns binary encodings/windows of different lengths. The following observation can be used to determine the window lengths for each symbol.

A closer look at the above conditions reveals the following properties of window lengths:

• If $p_{s}=(1/2)^{i}$ , then ANS assigns a $i$ -bit window.

• If $p_{s}> 1/2$ , then ANS assigns a window of the length either 0 or 1.

• Otherwise, ANS assigns a window of the length $k_{s}\in \{i,i+1\}$ , where $i=\lfloor \log _{2}{p_{s}^{-1}} \rfloor$ .

$$\begin{align*} \begin{array}{ccc} Symbol ~s &\quad Length ~k_{s} &\quad Probability ~\beta _{s} \\ \hline s_{1} &\quad \{0,1\} &\quad \beta _{s_{1}} \\ s_{2} &\quad \{1,2\} &\quad \beta _{s_{2}} \\ \vdots &\quad &\quad \\ s_{m-1} &\quad \{m-2,m-1\} &\quad \beta _{s_{m-1}} \\ s_{m} &\quad \{m-1,m\} &\quad \beta _{s_{m}} \\ \hline \end{array}\end{align*}$$ View Source\begin{align*} \begin{array}{ccc} Symbol ~s &\quad Length ~k_{s} &\quad Probability ~\beta _{s} \\ \hline s_{1} &\quad \{0,1\} &\quad \beta _{s_{1}} \\ s_{2} &\quad \{1,2\} &\quad \beta _{s_{2}} \\ \vdots &\quad &\quad \\ s_{m-1} &\quad \{m-2,m-1\} &\quad \beta _{s_{m-1}} \\ s_{m} &\quad \{m-1,m\} &\quad \beta _{s_{m}} \\ \hline \end{array}\end{align*}

Consider ANS from our example. For $s_{1}$ , it assigns a window of length 1 with probability 1. For $s_{2}$ , it allocates a window of the length either 1 or 2, where $\beta _{s_{2}}=1/4$ . For $s_{0}$ , it points a window of the length either 2 or 3, where $\beta _{s_{0}}=1/2$ .

C. Integrity of ANS Binary Frames

ANS is normally represented by its encoding table $\mathbb E(x_{i},s_{i})$ . Equivalently, it can be described by a directed graph with $2^{R}$ vertices that correspond to states and edges that are labelled by symbols. An edge $s$ from a vertex $x_{i}$ to $x_{i+1}$ shows transition determined by the encoding function $x_{i+1}=C\left({s, \Big \lfloor {\frac {x_{i}}{2^{k_{s}}}} \Big \rfloor }\right)\big)$ . For a fixed symbol $s\in \mathbb S$ , the function $C(s,\cdot)$ assigns one of $\mathbb {L}_{s}$ states. This implies that the following sequence of transitions $$\begin{align*}&\hspace {-.5pc}x_{i} \stackrel {s}{\longrightarrow } x_{i+1}=C\left({s, \Big \lfloor {\frac {x_{i}}{2^{k_{s}}}} \Big \rfloor }\right) \stackrel {s}{\longrightarrow } x_{i+2}=C\left({s, \Big \lfloor {\frac {x_{i+1}}{2^{k_{s}}}} \Big \rfloor }\right) \\&\qquad\qquad\qquad\qquad\quad\stackrel {s}{\longrightarrow } \cdots \stackrel {s}{\longrightarrow } x_{i+j}=C\left({s, \Big \lfloor {\frac {x_{i+j-1}}{2^{k_{s}}}} \Big \rfloor }\right)\end{align*}$$ View Source\begin{align*}&\hspace {-.5pc}x_{i} \stackrel {s}{\longrightarrow } x_{i+1}=C\left({s, \Big \lfloor {\frac {x_{i}}{2^{k_{s}}}} \Big \rfloor }\right) \stackrel {s}{\longrightarrow } x_{i+2}=C\left({s, \Big \lfloor {\frac {x_{i+1}}{2^{k_{s}}}} \Big \rfloor }\right) \\&\qquad\qquad\qquad\qquad\quad\stackrel {s}{\longrightarrow } \cdots \stackrel {s}{\longrightarrow } x_{i+j}=C\left({s, \Big \lfloor {\frac {x_{i+j-1}}{2^{k_{s}}}} \Big \rfloor }\right)\end{align*} has to be periodic for $j\geq L_{s}$ . This also means that the ANS graph has to be cyclic. For each fixed symbol $s\in \mathbb S$ , there may be a single cycle of up to the length $L_{s}$ or a collection of shorter ones. The cycle includes different binary encoding of $s$ .

Consider ANS from our Example. Assume that ANS starts from an initial state $x=19$ and processes a long sequence of $s_{2}$ . ANS produces the following (periodic) sequence of binary stream: $$\begin{align*} (19) \rightarrow \begin{array}{c} \binom{28} {s_{2}} \\ \downarrow \\ 1 \end{array} \rightarrow \underbrace { \begin{array}{c} \binom{23}{ s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c}\binom{19}{ s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \binom{28}{ s_{2}} \\ \downarrow \\ 1 \end{array} }_{cycle} \rightarrow \begin{array}{c} \binom{23} {s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c} \binom{19} {s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \cdots \end{array}\end{align*}$$ View Source\begin{align*} (19) \rightarrow \begin{array}{c} \binom{28} {s_{2}} \\ \downarrow \\ 1 \end{array} \rightarrow \underbrace { \begin{array}{c} \binom{23}{ s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c}\binom{19}{ s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \binom{28}{ s_{2}} \\ \downarrow \\ 1 \end{array} }_{cycle} \rightarrow \begin{array}{c} \binom{23} {s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c} \binom{19} {s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \cdots \end{array}\end{align*}

An adversary can inject/delete/replace the cycle and a receiver fails to detect it as the other bits are correctly decompressed and ANS reaches the correct final state. The deletion is illustrated below. $$\begin{align*} (19) \rightarrow \begin{array}{c} \binom{28} {s_{2}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{23} {s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c} \binom{19}{ s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \cdots \end{array}\end{align*}$$ View Source\begin{align*} (19) \rightarrow \begin{array}{c} \binom{28} {s_{2}} \\ \downarrow \\ 1 \end{array} \rightarrow \begin{array}{c} \binom{23} {s_{2}} \\ \downarrow \\ 00 \end{array} \rightarrow \begin{array}{c} \binom{19}{ s_{2}} \\ \downarrow \\ 11 \end{array} \rightarrow \begin{array}{c} \cdots \end{array}\end{align*}

The periodic nature of ANS has the following security and design implications.

• Cycles in ANS are unavoidable. A designer of ANS can avoid loops (cycles of the length 1) making sure that for each state $x_{i}$ and any symbol $s\in \mathbb S$ $$\begin{equation*} x_{i+1}=C\left({s_{j}, \Bigl \lfloor \dfrac {x_{i}}{2^{k_{i}}}\Bigr \rfloor }\right) \neq x_{i}.\end{equation*}$$ View Source\begin{equation*} x_{i+1}=C\left({s_{j}, \Bigl \lfloor \dfrac {x_{i}}{2^{k_{i}}}\Bigr \rfloor }\right) \neq x_{i}.\end{equation*} Getting rid of longer cycles requires more and more computation overhead as the designer has to consider different combinations of states and symbols. This also means that the entropy of state selection drops, which means that an adversary does not need to enumerate encoding functions $C(s,y)$ that have short cycles.

• Cycles are easy to identify by searching binary frame for repeating sequences. A detection of a concatenation of two or more bit patterns allows the adversary to remove or insert arbitrary number of times the bit pattern without detection by the receiver. This is true as injection/removal of bit pattern repetition correspond to adding/removing a cycle without disturbing decoding process for other parts of the binary frame (before and after injection/removal).

• If a ciphertext-only adversary $\cal A$ can remove/inject binary patterns from/into the binary frame, then a decoder recovers an incorrect symbol frame. A typical integrity check applied in ANS that checks correctness the final state fails.

• For an observed binary cycle in $\cal B$ , a known-plaintext adversary can ensemble a relation for encoding function $C(s,y)$ . This reduces entropy of the encoding function.

• $\cal A$ can increase its chances of guessing lengths of possible cycles by experimenting with random instances of ANS for a known $R$ and a symbol statistics. $\cal A$ hopes that cycles of a target ANS follow the statistics gathered from random instances.

A. Compcrypt With State Jumps

This solution follows close the original ANS. The only change is pseudorandom selection of the next state. Consequently, it preserves the efficiency of ANS and enhances resistance against confidentiality and integrity attacks. The main cryptographic tool used here is a pseudorandom bit generator (PRBG), whose seed $K$ is a secret cryptographic key that is shared between encoder and decoder. PRBG is used to produce sequence of integers state_cor, where $0\leq {{ state\_{}cor}}\leq 2^{R}$ . The integer state_cor determines a jump from the current state $x\in \mathbb L$ to a new one $$\begin{equation*} x:=(x+{{ state\_{}cor}})\!\!\!\!\!\mod {2^{R}} + 2^{R}.\tag{4}\end{equation*}$$ View Source\begin{equation*} x:=(x+{{ state\_{}cor}})\!\!\!\!\!\mod {2^{R}} + 2^{R}.\tag{4}\end{equation*}

The integer ${{ state\_{}cor}}:=PRBG(i,K)$ is a state correction at the $i$ th iteration. To make implementation easier, we assume that the distance between two consecutive jumps denoted by an integer length is fixed for the duration of frame encoding. The integer should be kept secret and known to the communicating parties. Below there is a pseudocode for frame coding. A pseudocode for frame decoding can be easily reconstructed.

A simple illustration of compcrypt with state jumps is given below. $$\begin{equation*} \cdots \stackrel {s_{i-1}}{\longrightarrow } \boxed {x_{i-1}} \stackrel {s_{i}}{\longrightarrow } \boxed { x_{i} \stackrel {{{ jump}}}{\longleftarrow } x_{i}+state\_{}cor} \stackrel {s_{i+1}}{\longrightarrow } \boxed { x_{i+1}} \cdots\end{equation*}$$ View Source\begin{equation*} \cdots \stackrel {s_{i-1}}{\longrightarrow } \boxed {x_{i-1}} \stackrel {s_{i}}{\longrightarrow } \boxed { x_{i} \stackrel {{{ jump}}}{\longleftarrow } x_{i}+state\_{}cor} \stackrel {s_{i+1}}{\longrightarrow } \boxed { x_{i+1}} \cdots\end{equation*}

Implementation of the algorithm seems to introduce a relatively light overhead. Few points are relevant here.

• State jumps tend to have a negative impact on quality of compression. This implies that jumps should not occur too often. Consequently, very short cycles of output bits may be observable. To avoid such cycles, ANS should be carefully designed to exclude short cycles.

• Consider a state jump. Note that a binary encoding $b_{i}$ has to be computed for the state after jump, i.e. $x_{i}+{{ state\_{}cor}}$ . Otherwise, decoding fails.

• The only cryptographic component used is PRBG. It could be as simple as a linear feedback shift register (LFSR), whose seed (or initial state) is $K$ . It could be also cryptographically strong PRBG based on nonlinear feedback shift register (NFSR) or block cipher or hashing.

• Generation of integers ${{ PRBG}}(i,K)$ for state correction should be easy in both directions: backward (for encoding where $i$ decreases) and forward (for decoding where $i$ increases).

B. Compcrypt With Double ANS

This solution is more expensive than the first one, offers better security especially against a known-plaintext adversary and preserves compression quality. The idea is to design two copies of ANS_i with their encoding functions $C_{i}(s,y)$ , where $i=1,2$ . So we have two symbol encoding tables $\mathbb E_{i}(x,s)$ . Consider entries $(s,x_{i})$ from $\mathbb E_{1}(x,s)$ and $\mathbb E_{2}(x,s)$ . They can be merged as shown below: $$\begin{align*} \boxed { \begin{array}{c} x_{i+1}=C_{1}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) \\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} } + \boxed { \begin{array}{c} x_{i+1}=C_{2}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) \\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} } \stackrel {{{ merge}}}{\longrightarrow } \\ \stackrel {{{ merge}}}{\longrightarrow } \boxed { \begin{array}{c} x_{i+1}\stackrel {\$}{\leftarrow } \left\{{ C_{1}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right), C_{2}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) }\right\}\\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} }\end{align*}$$ View Source\begin{align*} \boxed { \begin{array}{c} x_{i+1}=C_{1}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) \\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} } + \boxed { \begin{array}{c} x_{i+1}=C_{2}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) \\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} } \stackrel {{{ merge}}}{\longrightarrow } \\ \stackrel {{{ merge}}}{\longrightarrow } \boxed { \begin{array}{c} x_{i+1}\stackrel {\$}{\leftarrow } \left\{{ C_{1}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right), C_{2}\left({s,\lfloor \frac {x_{i}}{2^{k_{s}}}\rfloor }\right) }\right\}\\ b_{i}=x_{i}\mod {2^{k_{s}}} \end{array} }\end{align*}

Note that $k_{s}$ and $b_{i}$ for both ANS copies (and the merged ANS$_{D}$ ) are the same. Compcrypt selects the next state (pseudo) randomly from two possibilities. As before, we use a pseudorandom bit generator controlled by a seed $K$ that is a secret key shared by both encoder and decoder. A pseudocode for compcrypt with double ANS is given below.

Algorithm 2

Frame Coding C for Double ANS

Show All

We assume that PRBG generates a single bit for each call $PRBG(\text {i},K)$ . The pseudocode is written for the case when compcrypt chooses next state from two possibilities for each symbol. Clearly, we can allow compcrypt to run a single encoding function (single ANS) for longer sequence of symbols before the next pseudorandom toss. Let us make the following observations.

• Intuitively, switching encoding functions should not have an impact on compression quality.

• Compared to a single ANS_i, compcrypt requires larger memory (twice as much) to store two encoding functions $C_{1}(s,y)$ and $C_{2}(s,y)$ . The same size of memory is enough to store encoding function $C(s,y)$ for ANS with a double number of states, which allows better approximation of symbol statistics and consequently better compression.

• An adversary who detects a cycle in the bit stream is unlikely to succeed in injecting it into the stream without detection.

C. Compcrypt With Encoding Function Evolution

Compcrypt based on two ANS can be seen a graph built from two subgraphs. Each subgraph represents a plain ANS. Compression is done by using both subgraphs, where transition between them is controlled by PRBG. As already noted that may be perceived as a waste of resources. An option could be to modify an encoding function $C(s,y)$ after a few steps of compression. To make the presentation simpler, we assume that we modify the function after processing a single symbol. In practice, the function modification can be done less frequently. The idea is depicted below. $$\begin{align*} \boxed { x_{i-1}\;\substack { s_{i-1}\\ \xrightarrow {\hspace {10mm}}\\ C(s,y) } \;\;x_{i} }\;\;\; \boxed { x'_{i}=x_{i}+{{ PRBG}}(i,K) \substack { s_{i}\\ \xrightarrow {\hspace {10mm}}\\ C'(s,y) } \;\;x_{i+1} }\end{align*}$$ View Source\begin{align*} \boxed { x_{i-1}\;\substack { s_{i-1}\\ \xrightarrow {\hspace {10mm}}\\ C(s,y) } \;\;x_{i} }\;\;\; \boxed { x'_{i}=x_{i}+{{ PRBG}}(i,K) \substack { s_{i}\\ \xrightarrow {\hspace {10mm}}\\ C'(s,y) } \;\;x_{i+1} }\end{align*}

The symbol $s_{i-1}$ is processed using $C(s,y)$ , where $D(x)$ is its inverse. Next compcrypt generates a pseudorandom integer ${{ PRBG}}(i,K)$ that modifies $x_{i}$ according to the following equation $$\begin{equation*}x'_{i}=x_{i}+{{ PRBG}}(i,K)\!\!\! \mod {2^{R}} +2^{R},\end{equation*}$$ View Source\begin{equation*}x'_{i}=x_{i}+{{ PRBG}}(i,K)\!\!\! \mod {2^{R}} +2^{R},\end{equation*} where $0\leq {{ PRBG}}(i,K)\leq 2^{R}$ . The states $x_{i},x'_{i}$ are swapped and the resulting encoding function is denoted by $C'(s,y)$ . Its inverse $D'(x_{i})$ satisfies two relations, namely $D'(x'_{i})=D(x_{i})$ and $D'(x_{i})=D(x'_{i})$ . Otherwise, $D(x)=D'(x)$ for $x\notin \{x_{i},x'_{i}\}$ . A sketch of pseudocode for compression is given below.

Algorithm 3

Frame Coding C for Compcrypt With Encoding Function Evolution

Show All

This variant has interesting properties. Let us discuss some of them.

• As the encoding function is constantly updated, it seems to be difficult to extend attacks, whose goal is its recovery. Additionally, insertion/deletion of binary cycles into/from binary frame is very likely to be detected with high probability.

• Quality of compression could suffer and this aspect needs more investigation.

• As we have already noted, the $C(s,y)$ update does not need to be done for every symbol. It looks reasonable to allow longer runs of compression without $C(s,y)$ update. If the interval between two consecutive updates is too long, then one can expect that short cycles could be detectable. However, we do not know how this can be exploited by an adversary.

A. Security of Compcrypt With State Jumps

We start from a lemma that sets up the background for our security discussion.

We are ready to prove security of the compcrypt algorithm. Assume that we deal with a chosen-plaintext adversary $\cal A$ , which can be defined as a known-plaintext adversary with extra ability to choose a symbol frame at will. $\cal A$ goal is to recover a pseudorandom sequence. This is a necessary prerequisite step for a possible attack against PRBG aiming at the secret key $K$ recovery.

Algorithm 1

Frame Coding C for State Jumps

Show All

Few points are relevant here.

• Theorem 1 proves security when $state\_{}cor$ have the same length as the ANS states. It means that each jump is chosen independently at random from the full range of $2^{R}$ states. Probabilities of guessing pseudorandom bits $state\_{}cor$ are the smallest and they give the upper bound on security. Should $state\_{}cor$ be shorter, guessing probabilities are growing. In the case when $state\_{}cor$ is a single bit, guessing probabilities are equal to 1.

• In Lemma 1, $\cal A$ is free to choose an arbitrary strategy of symbol selection. However, it is expected that for a given instance of the algorithm, $\cal A$ first evaluates its chances by computing the relevant success probabilities from Lemma 1 and then $\cal A$ chooses the one that maximises its success probability.

• State jumps have a negative impact on compression. The reason for this is a flat probability distribution of states forced by PRBG. Note that probability distribution of a plain ANS follows $\approx 1/x$ , where $x$ is a state. So a plain ANS favours states with shorter encodings.

• Let us compare the compcrypt with state jumps with a plain ANS, whose output is XOR-ed with a PRBG keystream (ANS$\oplus$ PRBG). From the efficiency point of view, both solutions are more or less equivalent. A major difference lays in security. Note that for ANS$\oplus$ PRBG, a chosen-plaintext adversary $\cal A$ can extract whole keystream generated by PRBG. This may have grave implications for integrity as $\cal A$ can create valid but fake binary frames. For the compcrypt in hand, this is still possible but with a probability that quickly becomes negligible (see Lemma 1). Additionally, because $\cal A$ is forced to make guesses about $state\_{}cor$ generated by PRBG, it is possible to use PRBG with a lower security level that is more efficient.

B. Security of Compcrypt With Double ANS

Consider a chosen-plaintext adversary $\cal A$ , who can input a symbol frame of its choice and can observe a corresponding binary frame. Again we assume that the compcrypt is public and the only unknown part is a secret key (or seed of PRBG). $\cal A$ knows the two ANS encoding tables and can use the least probable symbol to create a symbol frame that repeats the symbol. It can identify a (hopefully) unique states for both ANS copies. Now it has to consider four possible cases: (1) both symbols are encoded by ANS₁, (2) both symbols are encoded by ANS₂, (3) first by ANS₁ and the second by ANS₂ and (4) first by ANS₂ and the second by ANS₁. If the tables are “sufficiently” different, $\cal A$ can identify the PRBG bit. This is to say that the algorithm leaks information of PRBG bits. Nevertheless, the leak is probabilistic and for long symbol frames, a chosen-plaintext adversary loses the guessing game most of the time.

C. Security of Compcrypt With Encoding Function Evolution

As this compcrypt algorithm needs recalculation of encoding table every time the states are swapped, it is reasonable to expect that the swapping is not frequent. This assumption allows the adversary to launch the following attack. Our chosen-plaintext adversary $\cal A$ starts from the initial and known encoding table and identify the state just before the first swap. After the first state swap, it guesses the second state (or equivalently PRBG bits). For each guess, it recalculates the encoding table and checks if it is consistent with sequence of observed symbols and their encodings. This costs it $2^{R-1}$ guesses on the average. The probability of success depends on the number of symbols encoded between two consecutive swaps. This attack fails if the state swaps are done too frequently.

D. Other Cryptographic Attacks

Because of its internal structure, ANS is difficult to analyse using standard tools such man-in-the-middle, differential and linear attacks. The main difficulty seems to be irregular lengths of binary encodings that are assigned to symbols. The encodings are glued together with a single binary frame. To do any meaningful analysis, an adversary needs to split the frame into separate encodings. This unavoidably leads to guessing. There is, however, an exception – algebraic cryptanalysis. The heart of ANS is its symbol spread function. If the function can be represented by short polynomials or short Boolean expressions, then there is a hope that this analysis can work.

E. Efficiency Evaluation

Our implementation of tabular version of ANS was written in the Go language (version 1.15.2). Throughout our experiments, we have used an OpenBSD 6.8 installed on a Dell Precision T3610 desktop PC with 32 GB of RAM and an Intel Xeon E5-1650 with 6 physical cores running at 3.5 GHz and hyper-threading enabled, which makes 12 threads available in total. All our compcrypt algorithms invoke PRBG. The impact of the PRBG on the execution time of the encoding and decoding heavily depends on its implementation. Our implementation use standard Go function provided by math/rand.

Let us discuss briefly some implementation details of our compcrypt algorithms with:

• state jumps – our experiments assume that state jumps are performed for each input symbol. The initial encoding/decoding tables are created precisely as in the plain ANS.

• double ANS – there are two plain ANS algorithms. The switch between the two is done by PRBG for each input symbol. The execution time should not be much different from the previous algorithm. A significant difference relates to an extra memory needed to store two encoding/decoding tables. Consequently, loading time may impact overall execution time. This may be noticeable when processing short streams of symbols.

• encoding function evolution – the algorithm is initialised to a plain ANS and then its encoding table is modified for each symbol by swapping the current state with a random one (chosen by PRBG). The swap might look like a computationally cheap operation but, in fact, each non-trivial swap involves recomputation of the encoding table. This means that for each symbol, we may expect up to $2^{R}$ table operations.

TABLE I Plain ANS Adversarial Models

Fig. 1.

Comparison of execution times of plain ANS (blue □) and compcrypt algorithms with: double tables (red □), encoding function evolution (green □) and state jumps (brown □).

Show All

Let us consider quality of compression provided by the three compcrypt algorithms. We use a plain ANS as a reference. Figure 2 describes our results. We observe that compcrypt with encoding function evolution lengthens output stream by < 10% in comparison to the plain ANS. Compcrypt with double tables increases the length of output bits by less than 1%. Compression quality of compcrypt with state jumps is similar to the one of a plain ANS.

Fig. 2.

Quality of the compression (measured by the number of output bits) for plain ANS (blue □) and compcrypt algorithms with: double tables (red □), encoding function evolution (green □), state jumps (brown □).

Show All

F. Comparison of ANS Algorithms

Table II summarizes our security and efficiency discussion. A plain ANS with a secret symbol spread function is a good option, when ciphertext-only security is required and integrity is not important. The ANS-AES compcrypt provides strong security and if implemented as authenticated encryption can support strong integrity. Its Achilles heel is poor efficiency that precludes it from IoT applications. ANS$\oplus$ PRBG is defenceless against a chosen-plaintext adversary, which can recover a PRBG sequence and reuse it to launch integrity attacks such as sending fake binary frames. ANS with state jumps offers chosen-plaintext security. It allows to check binary frame integrity that finds fakes with probability $(1-2^{-R})$ . State jumps, however, interfere with state probability distribution causing a slight deterioration of compression measured by entropy. This weakness can be mitigated by restricting swaps to states that differ on least significant bits. Needless to say, this has security implications. The double ANS tends to leak pseudorandom bits to a chosen-plaintext adversary at the beginning of a session. It maintains compression rate as for a plain ANS. It consumes twice as memory as a plain ANS. The ANS with state evolution provides chosen-plaintext security and integrity. Its compression rate is as good as for a plain ANS. However, its main weakness is low efficiency due to the need of redesigning encoding table after each state evolution step.

TABLE II Comparison of Compcrypt Algorithms

Table III shows results of IoT implementations for compcrypt algorithms. Experiments have been done for frames of 1000 symbols generated by a source of 256 symbols according to the geometric probability distribution with $p=0.5$ . Instead of random selection of states, evolution light swaps randomly chosen neighbouring states so an encoding table does not need to be re-built.

TABLE III IoT Implementation of Compcrypt Algorithms