On Compressing Encrypted Data


Mark Johnson†, Prakash Ishwar, Vinod M. Prabhakaran, Daniel Schonberg, and Kannan Ramchandran
Department of Electrical Engineering and Computer Sciences, University of California, Berkeley, CA 94720, USA.
Email: {mjohnson, ishwar, vinodmp, dschonbe, kannanr}@

Abstract

When it is desired to transmit redundant data over an insecure and bandwidth-constrained channel, it is customary to first compress the data and then encrypt it. In this paper, we investigate the novelty of reversing the order of these steps, i.e., first encrypting and then compressing, without compromising either the compression efficiency or the information-theoretic security. Although counter-intuitive, we show surprisingly that, through the use of coding with side information principles, this reversal of order is indeed possible in some settings of interest without loss of either optimal coding efficiency or perfect secrecy. We show that in certain scenarios our scheme requires no more randomness in the encryption key than the conventional system where compression precedes encryption. In addition to proving the theoretical feasibility of this reversal of operations, we also describe a system which implements compression of encrypted data.

I. INTRODUCTION

Consider the problem of transmitting redundant data over an insecure, bandwidth-constrained communications channel. It is desirable to both compress and encrypt the data. The traditional way to do this, shown in Figure 1, is to first compress the data to strip it of its redundancy followed by encryption of the compressed bitstream. The source is first compressed to its entropy rate using a standard source coder. Then, the compressed source is encrypted using one of the many widely available encryption technologies. At the receiver, decryption is performed first, followed by decompression.

Fig. 1. Conventional system: The encoder first compresses the source and then encrypts before transmitting over a public channel. The decoder first decrypts the received bitstream and then decompresses the result.
[Block diagram labels: Message Source, Compression, Encryption, Public channel, Eavesdropper, Decryption, Decompression, Reconstructed Source, Secure channel, Key]

In this paper, we investigate the novelty of reversing the order of these steps, i.e., first encrypting and then compressing the encrypted source, as shown in Figure 2. The compressor does not have access to the cryptographic key, so it must be able to compress the encrypted data (also called ciphertext) without any knowledge of the original source. At first glance, it appears that only a minimal compression gain, if any, can be achieved, since the output of an encryptor will look very random. However, at the receiver, there is a decoder in which both decompression and decryption are performed in a joint step. The fact that the decoder can use the cryptographic key to assist in the decompression of the received bitstream leads to the possibility that we may be able to compress the encrypted source. In fact, we show that a significant compression ratio can be achieved if compression is performed after encryption. This is true for both lossless and lossy compression. In some cases, we can even achieve the same compression ratio as in the standard case of first compressing and then encrypting.

Fig. 2. Proposed system: The source is first encrypted and then compressed. The compressor does not have access to the key used in the encryption step. At the decoder, decompression and decryption are performed in a single joint step.
[Block diagram labels: Message Source, Encryption, Compression, Public channel, Eavesdropper, Joint decompression and decryption, Reconstructed Source, Secure channel, Key]

The fact that we can still compress the encrypted source follows directly from distributed source coding theory. When we consider the case of lossless compression, we use the Slepian-Wolf theorem [1] to show that we can achieve the same compression gain as if we had compressed the original, unencrypted source. For the case of lossy compression, the Wyner-Ziv theorem [2] dictates the compression gains that can be achieved. If the original source is Gaussian, then we can achieve the same compression efficiency, for any fixed distortion, as when we compress before encrypting. For more general sources, we cannot achieve the same compression gains as in the conventional system, which is a direct result of the rate-loss of the underlying Wyner-Ziv problem.

All of these claims relate to the theoretical limits of compressing an encrypted source, and are demonstrated via non-constructive, existence proofs. However, in addition to studying the theoretical bounds, we also implement a system where the compression step follows the encryption. We will describe the construction of this system and present computer simulations of its performance.

We also investigate the security provided by a system where a message is first encrypted and then compressed. We first define a measure of secrecy based on the statistical correlation of the original source and the compressed, encrypted source. Then, we show that the “reversed” cryptosystem in Figure 2 can still have perfect secrecy under some conditions.

While we focus here on the fact that the reversed cryptosystem can match the performance of a conventional system, we have uncovered a few application scenarios where the reversed system might be preferable. In one such scenario, we can imagine that some content, either discrete or continuous in nature, is being distributed over a network. We will further assume that the content owner and the network operator are two distinct entities, and do not trust each other. The content owner is very interested in protecting the privacy of the content via encryption. However, because the owner has no incentive to compress his data, he will not use his limited computational

This research was supported by NSF under grants CCR-0219722, CCR-0208883, and CCR-0096071 and DARPA under grant F30602-00-2-0538.

Mark Johnson’s work is supported by the Fannie and John Hertz Foundation
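A toy instance of the encrypt-then-compress idea described above, added here as an illustration and not taken from the paper: the source model (7-bit blocks containing at most one 1), the one-time pad, and the (7,4) Hamming syndrome compressor are assumptions chosen so that the decoder's use of the key as side information, and the secrecy of the compressed ciphertext, can be checked exhaustively.

```python
# Added example (not the authors' code). Assumed source: 7-bit blocks of Hamming weight <= 1.
# Parity-check matrix of the (7,4) Hamming code: column j (1-based) is j written in binary,
# so the syndrome of a single 1 at position j reads out j directly.
H = [[(j >> b) & 1 for j in range(1, 8)] for b in (2, 1, 0)]

def syndrome(bits):
    """3-bit syndrome H * bits over GF(2)."""
    return [sum(h * x for h, x in zip(row, bits)) % 2 for row in H]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encrypt(block, key):
    """One-time pad over a 7-bit block."""
    return xor(block, key)

def compress(ciphertext):
    """Keyless compressor: 7 ciphertext bits -> 3 syndrome bits."""
    return syndrome(ciphertext)

def joint_decode(compressed, key):
    """Joint decompression and decryption using the key as side information."""
    s = xor(compressed, syndrome(key))   # equals H * source, by linearity of H
    pos = s[0] * 4 + s[1] * 2 + s[2]     # 0 means the all-zero block
    block = [0] * 7
    if pos:
        block[pos - 1] = 1
    return block

def all_keys():
    return [[(k >> i) & 1 for i in range(7)] for k in range(128)]

def roundtrip_all():
    """Every weight<=1 source block is recovered exactly under every key."""
    sources = [[0] * 7] + [[int(i == j) for i in range(7)] for j in range(7)]
    return all(joint_decode(compress(encrypt(src, key)), key) == src
               for src in sources for key in all_keys())

def compressed_histogram(src):
    """How often each compressed output occurs over all 128 keys for one source block."""
    counts = {}
    for key in all_keys():
        out = tuple(compress(encrypt(src, key)))
        counts[out] = counts.get(out, 0) + 1
    return counts

if __name__ == "__main__":
    print("lossless:", roundtrip_all())
    print("outputs per syndrome:", sorted(compressed_histogram([0, 0, 1, 0, 0, 0, 0]).values()))
```

With the eight allowed blocks equally likely, the source carries 3 bits per block, so the keyless compressor reaches the same 3-bit rate as compressing before encrypting, and the histogram is identical for every source block, so the compressed ciphertext reveals nothing about it.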