On the insecurity of arithmetic coding

Abstract

Arithmetic coding is a technique which converts a given probability distribution into an optimal code and is commonly used in compression schemes. The use of arithmetic coding as an encryption scheme is considered. The simple case of a single binary probability distribution with a fixed (but unknown) probability is considered. We show that for a chosen plaintext attack w+ 2 characters is sufficient to uniquely determine a w-bit probability. For many known plaintexts w+ m+ O(log m) symbols where mis the length of an initial sequence containing just one of (the two possible) symbols is sufficient. It is noted that many extensions to this basic scheme are vulnerable to the same attack provided the arithmetic coder can be repeatedly reset to its initial state. If it cannot be reset then their vulnerability remains an open question.