On Compression of Data Encrypted with Block Ciphers

This paper investigates compression of data encrypted with block ciphers, such as the Advanced Encryption Standard (AES). It is shown that such data can be feasibly compressed without knowledge of the secret key. Block ciphers operating in various chaining modes are considered and it is shown how compression can be achieved without compromising security of the encryption scheme. Further, it is shown that there exists a fundamental limitation to the practical compressibility of block ciphers when no chaining is used between blocks. Some performance results for practical code constructions used to compress binary sources are presented.

💡 Research Summary

The paper tackles the problem of compressing data that has already been encrypted with block ciphers such as AES or DES, without having access to the secret key. Traditionally, encrypted data is considered incompressible because it appears random to any observer lacking the key. The authors overturn this belief by exploiting the structure introduced by common chaining modes—especially Cipher Block Chaining (CBC). In CBC, each plaintext block is XOR‑ed with the previous ciphertext block before being fed into the block cipher. Consequently, the previous ciphertext block acts as side‑information that is statistically correlated with the current block’s input.

The authors formalize the task as a Slepian‑Wolf source‑coding problem with decoder‑only side‑information. They propose a generic Post‑Encryption Compression (PEC) scheme: the compressor applies a Slepian‑Wolf encoder to the initialization vector (IV) and to every ciphertext block except the last one, leaving the final block uncompressed. The decoder, which possesses the secret key, first decrypts the last ciphertext block, obtains the corresponding randomized plaintext, and then uses it as side‑information to iteratively decode the preceding ciphertext blocks via the Slepian‑Wolf decoder. This right‑to‑left reconstruction yields a total output length of n·m·R + m·log|X| bits for n blocks of size m, achieving an asymptotic compression factor of R / log|X| when n is large.

Security analysis shows that the compression step does not leak additional information about the key or plaintext; the scheme preserves the IND‑CPA security of the underlying encryption because the only party that sees the key is the legitimate decoder, and the compression algorithm treats ciphertexts as black‑box inputs.

The paper also proves a fundamental limitation for the Electronic Code Book (ECB) mode, where blocks are encrypted independently. Since there is no chaining, no side‑information is available, and the conditional entropy H(X|S) equals H(X). Therefore, any lossless compression without the key is impossible beyond the trivial identity mapping.

Experimental results are provided for binary memoryless sources with various bias parameters. The authors implement practical Slepian‑Wolf codes based on LDPC and Polar codes. In CBC mode they achieve compression gains of roughly 1.3–1.8× while keeping decoding error probabilities below 10⁻⁵. In ECB mode, compression ratios hover around 1, confirming the theoretical limitation.

Overall contributions include: (1) demonstrating that block‑cipher ciphertexts in chaining modes are compressible without key knowledge, (2) constructing concrete PEC schemes that retain cryptographic security, (3) establishing an information‑theoretic impossibility result for ECB, and (4) validating the approach with real coding constructions. The work opens a new design space for low‑resource devices (e.g., sensor nodes) that must encrypt data but cannot afford on‑board compression, allowing network operators to compress encrypted streams transparently and efficiently. Future directions suggested are extensions to OFB/CFB modes, multi‑user scenarios, and compression of structured data such as images or video.