On the insecurity of arithmetic coding

Arithmetic coding is a technique which converts a given probability distribution into an optimal code and is commonly used in compression schemes. The use of arithmetic coding as an encryption scheme is considered. The simple case of a single binary probability distribution with a fixed (but unknown) probability is considered. We show that for a chosen plaintext attack w+ 2 characters is sufficient to uniquely determine a w-bit probability. For many known plaintexts w+ m+ O(log m) symbols where mis the length of an initial sequence containing just one of (the two possible) symbols is sufficient. It is noted that many extensions to this basic scheme are vulnerable to the same attack provided the arithmetic coder can be repeatedly reset to its initial state. If it cannot be reset then their vulnerability remains an open question

The subset sum problem and arithmetic coding

The security offered by symmetric cryptosystems based on the arithmetic coding algorithm is examined. It is shown that this can be reduced naturally to the subset sum problem. The subset sum problem is NP-complete, however, the cases which arise in practical cryptosystems based on this problem tend to be solvable in polynomial time because the sums formed are either superincreasing or of low density. Our attack is therefore similar to attacks on public-key cryptosystems based on the subset sum problem (knapsack systems)