ON THE INSECURITY OF ARITHMETIC CODING

Arithmetic coding is a technique which converts a given probability di stribution into an optimal code and is commonly used in compression sc hemes. The use of arithmetic coding as an encryption scheme is conside red. The simple case of a single binary probability distribution with a fixed (but unknown) probability is considered. We show that for a ch osen plaintext attack w+2 symbols is sufficient to uniquely determine a w-bit probability. For many known plaintexts w+m+O(logm) symbols, wh ere m is the length of an initial sequence containing just one of (the two possible) symbols, is sufficient. It is noted that many extension s to this basic scheme are vulnerable to the same attack provided the arithmetic coder can be repeatedly reset to its initial state. If it c annot be reset then their vulnerability remains an open question.