Compcrypt–Lightweight ANS-Based Compression and Encryption

. Compression is widely used in Internet communication to save communication time and bandwidth. Recently invented by Jarek Duda asymmetric numeral system (ANS) oﬀers an improved eﬃciency and a close to optimal compression. The ANS algorithm has been deployed by major IT companies such as Facebook, Google and Apple. Compression by itself does not provide any security (such as conﬁdentiality or authentication of transmitted data). An obvious solution to this problem is an encryption of compressed bitstream. However, it requires two algorithms: one for compression and the other for encryption. In this work, we investigate natural properties of ANS that allow to incorporate authenticated encryption using as little cryptography as possible. We target low-level security communication such as transmission of data from IoT devices/sensors. In particular, we propose three solutions for joint compression and encryption (compcrypt). All of them use a pseudorandom bit generator (PRGB) based on lightweight stream ciphers. The ﬁrst solution applies state jumps controlled by PRGB. The second one employs two ANS algorithms, where compression switches between the two. The switch is controlled by a PRGB bit. The third compcrypt modiﬁes the encoding function of ANS depending on PRGB bits. Security and eﬃciency of the proposed compcrypt algorithms are evaluated.


Introduction
It is a common knowledge that a majority of Internet transmission is highly redundant. Popular video/audio streaming applications such as radio, TV, Skype/Zoom/Webex teleconferencing, Netflix/Stan entertainment providers, Facebook social platforms, medical remote diagnosis and monitoring, and remote teaching are all good examples Internet applications, which transmit and process highly redundant data. To save communication bandwidth and make transmission faster, a redundant stream is compressed before sending to a receiver. Upon reception, the receiver recovers the original (redundant) stream from the compressed one. Note that we are talking about lossless compression, where the receiver is able to recreate the original/uncompressed data. Note that video/audio compression is usually lossy.
Theoretical underpinning of compression is deeply rooted in Information Theory initiated by Shannon's seminal work [9]. The first compression algorithm invented by Huffman [5] and known as the Huffman code (HC) shows optimal compression for symbol streams, whose probabilities follow very specific patterns (i.e. natural powers of 1 2 ). Arithmetic coding (AC) (and many its variants -see [8]) offers compression of symbols with an arbitrary probability distribution and is close to optimal. The main drawback of AC is its low efficiency as it requires complex arithmetics and heavy computational overhead. In contrast, asymmetric numeral system (ANS) invented by Jarek Duda [2] gives a close to optimal and efficient compression. The efficiency gain is achieved by representing coding/decoding operations by their tables that define corresponding finite-state • analyses confidentiality and integrity of data provided by a plain ANS (without any cryptography). The analysis is done for ciphertext-only and known-plaintext attacks. It also discusses integrity of output streams, • defines our requirements for lightweight compcrypt algorithms, i.e. (1) minimal use of cryptography, (2) security against ciphertext-only adversaries and (3) integrity checking mechanism, • provides three compcrypt solutions. First one is based on state jumps. The second one applies two plain ANS algorithms with transition between the two controlled by PRGB bits. And the third one uses PRGB bits to modify ANS encoding function, • evaluates security and efficiency of the proposed compcrypt algorithms.
The rest of the work is structured as follows. Section 2 introduces the plain ANS. We first give a bird-eye view of ANS followed by a formal description of its algorithms. The section is complemented by an example of a toy ANS. Section 3 analyses confidentiality and integrity of the plain ANS under ciphertext-only and known-plaintext attacks. Section 4 describes our three lightweight compcrypt algorithms. Section 5 evaluates security and efficiency of the proposed algorithms. Section 6 concludes the work.

Description of Asymmetric Numeral System (ANS)
Let m be the size of an alphabet S, n -the number of symbols in a sequence, and N -the number of bits in a sequence. Given a source that generates a sequence S = {s j } n j=1 of symbols with their probabilities Pr(s i ) = p i ≈ |{j : s j = i}|/n, where |A| is cardinality of the set A. In entropy coding, we would like to uniquely translate S into bit sequence B = {b j } N j=1 . Shannon defines entropy of the source as H(p) = address the problem of encoding symbols with an arbitrary probability distribution. They allow to achieve encoding that is as close to Shannon entropy as needed. The reader interested in ANS details is referred to [2,7] 2.1 Bird-eye View of ANS ANS [2] allows to achieve a close to optimal compression for a source of an arbitrary probability distribution. The ANS encoding and decoding can be done very efficiently. When describing ANS operations, it is helpful to think about ANS as a finite state machine (FSM) optimized for a given probability distribution, whose states are labelled by integers. In this context, ANS is also a Moore machine as a binary encoding and the corresponding symbol are uniquely determined by the machine state. The main data structure is determined by the number of states L = 2 R , where R ∈ N + is a parameter, which determines the number of states. Let L s denote the number of occurrences of symbol s, where s L s = L and L s is an approximation of P r(s) = p s . Define the following sets L = {L, . . . , 2L − 1} and L s = {L s , . . . , 2L s − 1}, where s ∈ S. Assume that the current state is x, then ANS processes a symbol s in two steps: 1. re-normalises the current state x by truncating enough least significant bits (LSB) of x so the truncated integer belongs to L s , 2. calculates a new state by applying an encoding function C(·) or L s C(·) −→ L and outputs the binary sequence b s =LSB(x), which is a binary encoding of s.
The crux of ANS is its encoding function x = C(s, y) that assigns a state/integer x ∈ L that encodes s ∈ S using the integer y ∈ L s . A symbol spread functions : L → S is closely connected to the encoding function C(s, y). It determines the symbol s that is encoded in x ors(x) = s. The encoding function C : L s → L is constructed so the following conditions hold: • The approximation Ls 2 R ≈ p s determines quality of compression. This means that there are L s different integers x ∈ L that encode s. Also the probability distribution of integers x ∈ L is as flat as possible.
• By construction for a given symbol s, C(s, y) accepts integers y ∈ L s . The function C(s, y) can be represented by a table, whose rows are indexed by a symbol s and columns by an integer y ∈ L s -see below.
The integers x ∈ Γ s (called also the symbol spread for s) can be chosen at random from L as long as any symbol spread pair does not have any integers in common, i.e. Γ s ∩ Γ s = ∅ as long as s = s , where Γ s = {x ∈ L|x = C(s, y); y ∈ L s }.
A decoding function D : L → S × L s takes an integer x ∈ L and returns the corresponding symbol s and an integer y, which is a re-normalised state from L s . In fact, D(x) can be seen as the inverse of C(s, y). By construction, the integer x points out a unique pair (s, y). Note that if x ∈ Γ s , then it cannot occur in any other Γ s , otherwise the condition Γ s ∩ Γ s = ∅ is violated.
Encoding -given a state x ∈ Γ s that is an encoding of s, the number of bits of b s is computed as The binary string b s is sent to the output. Now for the next symbol s ∈ S, the state x is updated as follows Note that x ∈ Γ s but x/2 k ∈ L s . Decoding -for a state x ∈ L and an output binary string B, the decoding function D(x) = (s, y) determines the symbol s and integer y ∈ L s . Next the number of bits that needs to be read from B is calculated as The k-bit string is read from B or b s = M SB(B) k , where M SB stands for the most significant bits. The string B is updated by removing b s and the state is modified The full description of ANS is given below.

ANS Algorithms
The ANS compression can be seen as a triplet I, C, D , where I is an initialization algorithm executed once before compression by communicating parties. C is a compression algorithm performed by a sender and D is a decompression algorithm used by a receiver.

Initialisation I
Input: A set S of symbols, their probability distribution p : S → [0, 1], s ps = 1 and a parameter R ∈ N + . Output: Instantiation of • the encoding functions C(s, x) and ks(x) and • the decoding functions D(x) and k(x). Steps: Initialisation proceeds as follows: • calculate the number of states L = 2 R ; • determine the set of states L = {L, . . . , 2L − 1}; • for each symbol s ∈ S, compute integer Ls ≈ Lps, where ps is probability of s; • define the symbol spread function s : L → S, such that |{x ∈ L : s(x) = s}| = Ls; • establish the coding function C(s, y) = x for the integer y ∈ Ls = {Ls, . . . , 2Ls − 1}, which assigns states x ∈ L according to the symbol spread function; • compute the function ks(x) = lg(x/Ls) for x ∈ L and s ∈ S. The function shows the number of output bits generated during a single encoding step; • construct the decoding function D(x) = (s, y), which for a state x ∈ L assigns its unique symbol (given by the symbol spread function) and the integer y ∈ Ls. Note that D(x) = C −1 (x). • calculate the function k(x) = R − lg(x) , which determines the number of bits that need to be read out from the bitstream in a single decoding step.
The algorithm C takes a sequence of symbols further called a symbol frame and generates a stream of bits also called binary frame.

Frame Encoding C
Input: A symbol frame S = (s 1 , s 2 , . . . , sn) and an initial state x = xn ∈ L; where n = |S|. Output: A binary frame B = (b 1 , b 2 , . . . , bn), where b i is a binary encoding of s i ; |b i | = ks i (x i ) and x i is the state.
Steps: For i = n, n − 1, . . . , 2, 1 do (encoding has to be in opposite direction) { s := s i ; k = ks(x) = lg(x/Ls) ; (compute the number of bits to be extracted) b i = x mod 2 k ; (send k LSB of current state x = x i to the output) x := C(s, x/2 k ); (update the state x i → x i−1 ) }; Store the final state x 0 = x; The next algorithm takes a binary frame and the final state and produces symbols of the corresponding frame.

Stream Decoding D
Input: A binary frame B and the final state x = x 0 ∈ L of the encoder. Output: A symbol frame S.
(produce the corresponding symbol s and integer y) (compute the number of bits to be read from B) bs = M SB(B) k ; (extract k MSB from B) B := LSB(B) |B|−k ; (update the stream of bits to be processed) x := 2 k y + bs; (update the state Note that LSB(B) n and M SB(B) n stand for the n least and most significant bits of B, respectively.

Example
as follows: To illustrate calculations in the table, assume that we have x i = 25 and input symbol is s 0 . First we determine the number of bits that need to be extracted k = lg(x i /L 0 ) = lg(25/3) = 3 and compute Given an initial state x 0 = 19, compress the following symbol frame S = (s 1 , s 1 , s 2 , s 1 , s 2 , s 1 , s 1 , s 0 , s 2 ) Applying the encoding table for consecutive symbols, we get The output bits are B = 110001100110 and the final state is 28. The decoding Note that x i+1 = 2 k y + b i , where b i is an integer that corresponds to binary encoding of s i . Given the binary frame B = 110001100110 and the final state 28, we recover the corresponding sequence of symbols, where the binary string needs to be read from right to left.
Let us check how optimal is our compression algorithm. The source entropy is Assuming that probability distribution of x ∈ L is close to uniform, the average length of binary (compressed) string is where s i is the average length of the output if algorithm compresses the sequence of the same symbol s i .

Analysis of Plain ANS
A symbol frame S is compressed at the sender side. A binary frame B together with the final state x F is sent to a receiver who decompresses the stream back to the symbol frame S. Both the sender and receiver know a symbol source statistics and parameters of the ANS including an encoding function C(s, y). It is important to distinguish between different views of binary frames, namely • a view of a receiver who knows C(s, y). It sees sequence of encodings for consecutive symbols, i.e. B = (b 1 , . . . , b n ), where b i is an encoding of s i . In other words, it knows how to divide a binary frame into encodings b i . As each b i may have a different length, we can define a window frame W = (k 1 , . . . , k n ), where k i indicates the number of bits in b i or k i = |b i |. In other words, the receiver knows both frames B and W, • a view of an adversary A who does not know C(s, x). A deals with a binary frame B and it does not know how to extract particular encodings b s i . In other words, A knows B but does not know the window frame W. Note that, in general, a window frame does not determine symbols as the same symbol s can be encoded into b s of different lengths.
Note that we ignore active adversaries who may access to an ANS encoder/decoder (or to oracles O E /O D ). In this case, an adversary is able to extract states and encodings by inputting short symbol frames to O E and reconstruct the encoding function C(s, x). In our analysis, we assume that an adversary is passive and can observe behaviour of ANS. The table below shows attack scenarios investigated in this section.
-guessing a window frame W only -parameters of ANS -finding full/partial symbol frame n number of symbols in frame -A observes binary frame B and x F known--As above + -guessing a window frame W plaintext -observes symbol frame S = (s i ) n 1 ; s i ∈ S -finding encoding function C(s, y) Integrity -As for ciphertext-only attack -acceptance of forged binary -A can inject bits to binary frames frames as genuine The above scenarios are most common in IoT applications. The ciphertext-only attack is relevant to any adversary who is able to see the traffic generated by an IoT device. The known-plaintext attack can be launched if an adversary has additionally access to source of symbols. For instance, it is easy to determine symbols for a temperature sensor by installing an adversarial sensor nearby that hopefully replicates the temperature readings.

Ciphertext-only Attack against ANS
A majority of IoT devices that use ANS for compression communicates with their servers via broadcasting channels (such as Bluetooth or WiFi). This makes them vulnerable to eavesdropping (alternatively called ciphertext-only attacks). The main difficulty for an adversary is to guess a window frame. After she has guessed it, she can upload an observed binary frame B into consecutive windows and recover a sequence of encodings. Our task here is to determine an upper bound for probability of guessing the window frame and evaluate a lower bound of security provided by a plain ANS.
Symbol versus Widow Statistics A typical source includes all 2 8 ASCII symbols. Its statistical properties are approximated by geometric probability distribution truncated to 2 8 events.
To recall, geometric probability distribution is defined as P (j) = (1 − p) j p, where 0 < p < 1 is a parameter and j = 1, 2, · · · are the events. In practice, instead of infinite number of events, j has to be equal to the number of all symbols produced by the source. It is important to note that, in general, a symbol can be assigned to binary encodings of different lengths. In our example, s 2 can be compressed into either 1-bit or 2-bit encoding. Consequently, the statistics of windows of different lengths is different from the source statistics. This is illustrated below.

Source Statistics Window Statistics
gives probability that ANS produces a window of the length i, where i = 1, · · · , α and α is the longest window used by ANS. In our example, ANS translates the source probabilities ( 3 16 , 1 2 , 5 16 ) into window probabilities (P 1 , P 2 , P 3 ) = ( 37 64 , 21 64 , 6 64 ). Remark 1. Given ANS window probabilities P i ; i = 1, · · · , α and the number n of symbols processed by ANS, then an adversary can guess the window frame for the symbols with probability no better than Guessing Window Frames Assume that n symbols are generated according to the source statistics and processed by ANS. The resulting window frame is a random variable, which is a described by concatenation of n window random variables. In practice, ANS accepts 2 8 possible symbols described by an appropriate probability distribution and processes it into a window probability distribution {P (W = i) = P i |i = 1, 2, . . . , α}. To simplify our considerations, we assume that the window variable W is defined for three events {1, 2, 3} only, where P (W = 1) = P 1 , P (W = 2) = P 2 andP 3 = P (W = 3) = α i=3 P i . To enumerate possible window frames and find the probability of guessing the right one, we use the binomial theorem [6] that says that Let us illustrate the connection between the theorem and our problem. Assume that we are dealing with window frames that are built from n window variables. We have 3 n possible window frames (events) containing 1-bit, 2-bit and 3-bit windows. The binomial theorem asserts us that Note that the term n k 2 k gives the number of window frame events that consists of k either 2-bit or 3-bit windows and (n − k) 1-bit windows. The probability that a randomly chosen window frame contains (n − k) 1-bit windows and k either 2 or 3-bit windows is The total length of window frames ranges from n + k to n + 2k, where k = 0, . . . , n.

Remark 2.
It is reasonable to assume that an adversary knows the length n of symbol frame and the length N of binary frame. This helps the adversary as the space of events is restricted to N -bit window frames. She knows that n 1 + n 2 + · · · + n α = n where n i ∈ N is the number of i-bit windows; i = 1, . . . , α. It is easy to determine a space of solutions (n 1 , . . . , n α ) for which Equation (1) holds. For a given (n 1 , . . . , n α ), the adversary needs to look through n n 1 , n 2 , . . . , n α = n! n 1 !n 2 ! · · · n α !
Let us make the following observations about ANS resistance against ciphertext-only attack.
• The adversary has a "good" chance to guess relatively short window frames. She may attempt to determine such frames at any position of binary stream as symbols are independently generated. As the number n of symbols grows, the probability of success quickly becomes negligible. Note that this observation is consistent with the conclusion made by Gillman et al. [4] about cryptanalysis of compression with Huffman codes that is "surprisingly difficult". • If the length N of binary frame is known and very close to either n or α · n, then it is possible to guess the window frame with a non-negligible probability. Note however that probability of such events is negligible for a large enough n. • Guessing a window frame allows A to correctly allocate binary encodings. Moreover, she is able to determine the most frequent symbols (as they are assigned to 1-bit windows with a high probability) and the least frequent symbols (as they are assigned to α-bit windows with probability 1).

Known-Plaintext Attack against ANS
For a given symbol, ANS assigns binary encodings/windows of different lengths. The following observation can be used to determine the window lengths for each symbol.
Fact 1 Given a symbol s ∈ S and its L s ≈ 2 R · p s , then the window length k s satisfies the following condition When the approximation L s ≈ 2 R · p s can be replaced by equality L s = 2 R · p s , the above condition can be re-written as From now on, we assume that for each symbol s ∈ S, ANS assigns an encoding b s , whose length is either k s or k s +1 with the probabilities P (k s ) = β s and P (k s +1) = 1−β s , respectively. In cases, where there is only one length k s , the probability distribution becomes trivial, i.e. P (k s ) = 1 and P (k s + 1) = 0 (or vice versa). A probabilistic model of ANS is illustrated below. Note that symbols are listed according to decreasing order of their probablities, i.e. s 1 is the most probable while s m -the least.
Symbol s Length k s Probability β s where k i is the length of a window used by ANS to encode s i ; i = 1, . . . , n. Note that k i can take on two values only so we can write that k i = c i + γ i , where a constant c i is known to the adversary and γ i ∈ {0, 1} is unknown. Equation (3) can be re-written as The integer n i=1 γ i is the number of times when γ i = 1 and it is known to the adversary, • enumerates all possible patterns of (γ i ) n 1 , whose weight is N − n i=1 c i . It is obvious that the number of patters is n N − n i=1 c i To maximise chances, the adversary tries from most probable patterns. This can be done as she knows probabilities β s .
In general, guessing of window frames can be difficult or even impractical for some ANS instances. There is, however, a word caution. If some probabilities of symbols are powers of (1/2) or close to it, then ANS assigns to them a window with a single length. This increases chances of guessing a widow frame. In an extreme case, when all probabilities are powers of 1/2, the adversary can determine a window frame with probability 1.
Adaptive Attack against ANS We assume that an adversary knows a symbol frame S = (s i ) n i=1 together with the corresponding binary frame B and a guessed (correctly) window frame. In other words, A knows all encodings (b i ) n i=1 and a final state x F . Her goal is to find an encoding function C(s, y). However, one can argue that instead of finding C(x, y), the adversary can design (adaptively) her own ANS A , which is fully/partially "isomorphic" to the analysed ANS. In other words, the adversary intends to find a function that translates output bits of the original (attacked) ANS into output bits of the adversary ANS A . Note that the adversary does not known the current state of the original ANS. In fact, the adversary does not need to know the original ANS as long as her ANS A produces a bitstream that can be translated to bitstream generated by the original ANS. In this sense, both ANS and ANS A are isomorphic. In other words, we are looking for a function F such that The adaptive attack proceeds along the following steps: 1. The adversary A designs her ANS A applying the same parameters as the original ANS.

2.
A chooses an initial state x 1 at random. For the first observation (s 1 , b 1 ), she finds b 1 from the encoding table of ANS A . She records

3.
A continues with subsequent observations and builds the function (table) F . This process is successful if the function fully determined for all symbols and states. If the original ANS or ANS A contain cycles then the algorithm fails. If a cycle occurs in the original ANS, A needs to "re-design" ANS A by introducing the cycle of an appropriate length. On the other hand, if ANS A hits a cycle, it needs re-design to remove the cycle.

Integrity of ANS Binary Frames
ANS is normally represented by its encoding table E(x i , s i ). Equivalently, it can be described by a directed graph with 2 R vertices that correspond to states and edges that are labelled by symbols. An edge s from a vertex x i to x i+1 shows transition determined by the encoding function x i+1 = C(s, x i 2 ks )). For a fixed symbol s ∈ S, the function C(s, ·) assigns one of L s states. This implies that the following sequence of transitions has to be periodic for j ≥ L s . This also means that the ANS graph has to be cyclic. For each fixed symbol s ∈ S, there may be a single cycle of up to the length L s or a collection of shorter ones. The cycle includes different binary encoding of s. Consider ANS from our Example. Assume that ANS starts from an initial state x = 19 and processes a long sequence of s 2 . ANS produces the following (periodic) sequence of binary stream: The periodic nature of ANS has the following security and design implications.
• Cycles in ANS are unavoidable. A designer of ANS can avoid loops (cycles of the length 1) making sure that for each state x i and any symbol s ∈ S Getting rid of longer cycles requires more and more computation overhead as the designer has to consider different combinations of states and symbols. This also means that the entropy of state selection drops, which means that an adversary does not need to enumerate encoding functions C(s, y) that have short cycles. • Cycles are easy to identify by searching binary frame for repeating sequences. A detection of a concatenation of two or more bit patterns allows the adversary to remove or insert arbitrary number of times the bit pattern without detection by the receiver. This is true as injection/removal of bit pattern repetition correspond to adding/removing a cycle without disturbing decoding process for other parts of the binary frame (before and after injection/removal). • If a ciphertext-only adversary can remove/inject binary patterns from/into the binary frame, then a decoder recovers an incorrect symbol frame. A typical integrity check applied in ANS that checks correctness the final state fails. • For an observed binary cycle in B, a known-plaintext adversary can ensemble a relation for encoding function C(s, y). This reduces entropy of the encoding function.

Lightweight Encryption with ANS
The analysis given in Section 3 identifies strengths and weaknesses of ANS and is a major driver for our design of a cryptographically strengthened ANS-based compcrypt. Note that it is easy to design a very secure compcrypt algorithm when one can use a full range of cryptographic tools. A price to pay for increase of security is a heavy resource overhead, which discourages potential users from using them. This is true if ANS is applied for a relatively low-security communication (such as collecting data from IoT devices). Our constructions are guided by the following design principles: • Minimal application of cryptographic tools so compcrypt preserves its efficiency and compression quality. In other words, our designs must be lightweight avoiding "heavy" cryptography and encouraging potential user to adopt the designs for protection of data collected by IoT devices. • Secure against a ciphertext-only adversary who additionally can modify binary frames by injecting/removing bit cycles. In other words, detection of a cycle in a binary frame is a "false positive" with overwhelming probability. • Repair of the existing ANS authentication/integrity checking mechanism so any bit stream modification is detected with probability ≈ (1 − 2 −R ). Note that the plain ANS allows to check equality of a (pre-agreed) encoding initial states on both communicating sides. As discussed in Section 3, this may involve a careful selection of encoding function C(s, y) with no short cycles.
Interestingly enough, our analysis indicates that there is no need for encryption of bit stream under the assumption of ciphertext-only adversary. The main security feature already provided by plain ANS is a variable length of binary encodings, which are glued together when sending to the decoder. So any attempt to recover symbol frame amounts to guessing a correct window frame. As shown in Section 3, probability of a successful guess is negligible even for short sequences of symbols and decreases exponentially with the number of compressed symbols.

Compcrypt with State Jumps
The main cryptographic tool used here is a pseudorandom bit generator (PRGB), whose seed K is a secret cryptographic key that is shared between encoder and decoder. PRGB is used to produce sequence of integers state_cor, where 0 ≤ state_cor ≤ 2 R . The integer state_cor determines a jump from the current state x ∈ L to a new one The integer state_cor := P RGB(i, K) is a state correction at the ith iteration. To make implementation easier, we assume that the distance between two consecutive jumps denoted by an integer length is fixed for the duration of frame encoding. The integer should be kept secret and known to the communicating parties. Below there is a pseudocode for frame coding. A pseudocode for frame decoding can be easily reconstructed.
Implementation of the algorithm seems to introduce a relatively light overhead. Few points are relevant here.
• State jumps tend to have a negative impact on quality of compression. This implies that jumps should not occur too often. Consequently, very short cycles of output bits may be observable. To avoid such cycles, ANS should be carefully designed to exclude short cycles.
• Consider a state jump. Note that a binary encoding b i has to be computed for the state after jump, i.e. x i + state_cor. Otherwise, decoding fails. • The only cryptographic component used is PRGB. It could be as simple as a linear feedback shift register (LFSR), whose seed (or initial state) is K. It could be also cryptographically strong PRGB based on nonlinear feedback shift register (NFSR) or block cipher or hashing. • Generation of integers PRGB(i, K) for state correction should be easy in both directions: backward (for encoding where i decreases) and forward (for decoding where i increases).

Compcrypt with Double ANS
The idea is to design two copies of ANS i with their encoding functions C i (s, y), where i = 1, 2. So we have two symbol encoding tables E i (x, s). Consider entries (s, x i ) from E 1 (x, s) and E 2 (x, s). They can be merged as shown below: Note that k s and b i for both ANS copies (and the merged ANS D ) are the same. Compcrypt selects the next state (pseudo) randomly from two possibilities. As before, we use a pseudorandom bit generator controlled by a seed K that is a secret key shared by both encoder and decoder. A pseudocode for compcrypt with double ANS is given below.

Algorithm 2: Frame Coding C for Double ANS Compcrypt
Input: A symbol frame S = (s1, s2, . . . , sn), an initial state x = xn ∈ L and a secret key K for PRGB. Output: A binary frame B = (b1, b2, . . . , bn), where |bi| = ks i (xi) and xi is state at i-th step. begin for i = n, n − 1, . . . , 2, 1 do s := si; (new symbol to be compressed k := ks(x) = lg(x/Ls) ; (compute the number of bits to be extracted) bi := x mod 2 k ; (send k LSB of current state x = xi to the output) if P RGB(i, K) = 0 then x := C1(s, x/2 k ); (update the state xi → xi−1 using C1) else x := C2(s, x/2 k ); (update the state xi → xi−1 using C2) Store the final state x0 = x; We assume that PRGB generates a single bit for each call P RGB(i, K). The pseudocode is written for the case when compcrypt chooses next state from two possibilities for each symbol. Clearly, we can allow compcrypt to run a single encoding function (single ANS) for longer sequence of symbols before the next pseudorandom toss. Let us make the following observations.
• Intuitively, switching encoding functions should not have an impact on compression quality.
• Compared to a single ANS i , compcrypt requires larger memory (twice as much) to store two encoding functions C 1 (s, y) and C 2 (s, y). The same size of memory is enough to store encoding function C(s, y) for ANS with a double number of states, which allows better approximation of symbol statistics and consequently better compression. • It is possible to reduce storage requirements by selection of encoding functions that are the same for least probable symbols, i.e. C 1 (s, y) = C 2 (s, y) for s ∈ S, where s is one of least probable symbols. • An adversary who detects a cycle in the bit stream is unlikely to succeed in injecting it into the stream without detection.

Compcrypt with Encoding Function Evolution
Compcrypt based on two ANS can be seen a graph built from two subgraphs. Each subgraph represents a plain ANS. Compression is done by using both subgraphs, where transition between them is controlled by PRGB. As already noted that may be perceived as a waste of resources. An option could be to modify a encoding function C(s, y) after a few steps of compression. To make the presentation simpler, we assume that we modify the function after processing a single symbol. In practice, the function modification can be done less frequently. The idea is depicted below.
x i−1 The symbol s i−1 is processed using C(s, y), where D(x) is its inverse. Next compcrypt generates a pseudorandom integer PRGB(i, K) that modifies x i according to the following equation The states x i , x i are swapped and the resulting encoding function is denoted by C (s, y). Its inverse D (x i ) satisfies two relations, namely D ( A sketch of pseudocode for compression is given below.

Algorithm 3: Frame Coding C for Compcrypt with Encoding Function Evolution
Input: A symbol frame S = (s1, s2, . . . , sn), an initial state x = xn ∈ L and a secret key K for PRGB. Output: A binary frame B = (b1, b2, . . . , bn), where |bi| = ks i (xi) and xi is state at i-th step. begin for i = n, n − 1, . . . , 2, 1 do s := si; (new symbol to be compressed k := ks(x) = lg(x/Ls) ; (compute the number of bits to be extracted) bi := x mod 2 k ; (send k LSB of current state x = xi to the output) xnew := x + P RGB(i, K); (new state generated pseudorandomly) C(s, y) with x and xnew swapped; (update encoding function) x := C(s, xnew/2 k ); (update the state xi → xi−1 ) Store the final state x0 = x; This variant has interesting properties. Let us discuss some of them.
• As the encoding function is constantly updated, it seems to be difficult to extend attacks, whose goal is its recovery. Additionally, insertion/deletion of binary cycles into/from binary frame is very likely to be detected with high probability. • Quality of compression could suffer and this aspect needs more investigation.
• As we have already noted, the C(s, y) update does not need to be done for every symbol. It looks reasonable to allow longer runs of compression without C(s, y) update. If the interval between two consecutive updates is too long, then one can expect that short cycles could be detectable. However, we do not know how this can be exploited by an adversary. • It is possible to get rid of PRGB all together and rely on the internal structure of ANS.
C(s, y) can be stored as the following cyclic register: The register stores all 2 R ANS states. Each state is allocated to a unique symbol s by the spread function. The above structure resembles the data structure used by the well-known RC4 cipher [10]. We can modify the RC4 key scheduling algorithm to swap states using the cryptographic key K only with a few instructions.

Security and Efficiency of Lightweight Encryption with ANS
Our goal is to strengthen a plain ANS using as little cryptography as possible. In our three compcrypt versions we use a cryptographically strong PRGB. This is the only cryptographic tool needed. Note that we assume that the adversary knows our ANS algorithm details except the cryptographic key K that is applying in PRGB to extract pseudorandom bits. For security evaluation, we normally assume that the adversary may have access to compcrypt algorithms for compression/encryption and for decompression/decryption. For simplicity we call them encryption and decryption oracles. Recall that encryption/decryption oracles are abstract concepts that allow the adversary to interact with cryptographic algorithms by asking an oracle to generate outputs for given inputs.

Security against Known-Plaintext Attacks
Observe that our adversary A is able to recover the window frame with high probability. The probability becomes 1 if different symbols are assigned to encoding with different lengths. We assume that this is the case. This removes one of important and natural strengths of a plain ANS. Consider our three versions.
• Compcrypt with state jumps -A may target the least probable symbols, which have been encoded into longest binary strings. She can recover pseudorandom bits by looking up the encoding table. To illustrate the attack, take into account example from Section 2. Assume A observes that the i-th symbol is s 0 with its encoding is 010. The next symbol is also s 0 and is compressed into 101. A knows from the ANS encoding table that the state x i = 18 ≡ 10010 and x i+1 = 29 ≡ 11101, which means that the pseudorandom string has been 01111. This allows A to replace the symbol s 0 by other most frequent symbols. • Compcrypt with double ANS -A knows the two ANS encoding tables and as above she targets two consecutive occurrences of the least probable symbol. She can identify a (hopefully) unique states for both ANS copies. Now she has to consider four possible cases: (1) both symbols are encoded by ANS 1 , (2) both symbols are encoded by ANS 2 , (3) first by ANS 1 and the second by ANS 2 and (4) first by ANS 2 and the second by ANS 1 . If the tables are "sufficiently" different, A can identify the PRGB bit. • Compcrypt with encoding function evolution -A knows the initial ANS and her goal is to recover the pseudorandom bits. As this compcrypt algorithm needs recalculation of encoding table every time the states are swapped, it is reasonable to expect that the swapping is not frequent. This assumption allows the adversary to launch the following attack. A starts from the initial and known encoding table and identify the state just before the first swap. After the first state swap, she guesses the second state (or equivalently PRGB bits). For each guess, she recalculates the encoding table and checks if it is consistent with sequence of observed symbols and their encodings. This costs her 2 R−1 guesses on the average. The probability of success depends on the number of symbols encoded between two consecutive swaps.

Security against Ciphertext-only and Integrity Attacks
Here we assume that the adversary observes outputs from an encryption oracle or she knows a binary frame (that does not reveal window frame lengths). This time, to analyse the encryption, A needs first to guess symbols (knowing its probability distribution) of the corresponding symbol frame. Next for each symbol s i , it has to guess the length |b i | of the corresponding output bits b i . After correct guesses, A may apply the known-plaintextext attack scenario. To achieve confidentiality with λ bit security, one needs to modify our algorithms so they do not generate binary frames for small number of symbols so the probability of correct guesses of symbols and lengths of their compressions is smaller than 2 λ . Integrity checks are done on the receiving side. In our algorithms, the receiver verifies if the final state is the prearrange one (could be determined by both sides using PRGB). Note that probability of detecting tampering with output bit stream is equal to 2 −R .

Efficiency Evaluation
Our implementation of tabular version of ANS was written in the Go language (version 1.15.2). Throughout our experiments, we have used an OpenBSD 6.8-current installed on a Lenovo Thinkpad T450s with 12 GB of RAM and an i7-5600U CPU with 2 physical cores running at 2.6 GHz and hyper-threading enabled, which makes 4 threads available in total. All our compcrypt algorithms invoke PRBG. The impact of the PRBG on the execution time of the encoding and decoding heavily depends on its implementation. Our implementation use standard Go function provided by math/rand. Let us discuss briefly some implementation details of our comcrypt algorithms with: • state jumps -our experiments assume that state jumps are performed for each input symbol.
The initial encoding/decoding tables are created precisely as in the plain ANS. • double ANS -there are two plain ANS algorithms. The switch between the two is done by PRBG for each input symbol. The execution time should not be much different from the previous algorithm. A significant difference relates to an extra memory needed to store two encoding/decoding tables. Consequently, loading time may impact overall execution time. This may be noticeable when processing short streams of symbols. • encoding function evolution -the algorithm is initialised to a plain ANS and then its encoding  overhead of 50 ms. It is caused by processing the second table. As one can expect, efficiency of compcrypt with state jumps is comparable to the one offered by a plain ANS.
Let us consider quality of compression provided by the three compcrypt algorithms. We use a plain ANS as a reference. Figure 2 describes our results. We observe that compcrypt with encoding function evolution lengthens output stream by < 10% in comparison to the plain ANS. Compcrypt with double tables increases the length of output bits by less than 1%. Compression quality of compcrypt with state jumps is similar to the one of a plain ANS.

Conclusions and Future Research
The work investigates joint compression and encryption for lightweight applications, where natural behaviour of ANS is enhanced using as little cryptography as possible. Consequently, resulting compcrypt algorithms offer low-security level for both confidentiality and integrity (against ciphertext-only adversaries). The only cryptographic tool used is PRBG, which can be chosen depending on efficiency and security requirements. For applications that require a decent security level, a PRBG based on a good quality stream cipher (such as Trivium [1]) is recommended. As hinted in the work, PRBG can be removed all together and replaced by a cryptographic key and make the encoding table dynamic (using encoding function evolution). This is an attractive direction for future research (connection with the RC4 cipher).
We propose three compcrypt algorithms. The first one applies a single ANS with state jumps controlled by PRBG. The second one uses two copies of ANS, where PRBG manages transition between copies. The third compcrypt deploys encoding function evolution that modifies encoding tables. Assuming a ciphertext-only adversary, the security level for confidentiality is mainly determined by the probability of guessing input symbols. It is significant for small number of symbols but diminishes exponentially when the number grows. This is true for all three algorithms. But when the guess is correct we deal with a known-plaintext attack. Under the attack, compcrypt with encoding function evolution offers best security. With the exception of com-pcrypt with encoding function evolution, the algorithms offer similar efficiency and compression quality as the plain ANS.
Note that compcrypt with encoding function evolution can be slightly modified so it preserves good security features and has "almost" the same efficiency and compression quality as the plain ANS. Instead of swapping states after processing any single symbol, compcrypt starts as the original algorithm (swapping states frequently) and then it gradually increases number of symbols between two consecutive swaps.