Hindawi Publishing Corporation

EURASIP Journal on Information Security

Volume 2010, Article ID 621521, 9 pages
doi:10.1155/2010/621521

Research Article
Secure Arithmetic Coding with Error Detection Capability

Mahnaz Sinaie and Vahid Tabataba Vakili

Department of Electrical Engineering, Iran University of Science and Technology, Narmak, Tehran 1684613114, Iran

Correspondence should be addressed to Mahnaz Sinaie, [email protected]

Received 9 February 2010; Revised 23 May 2010; Accepted 7 September 2010

Academic Editor: Enrico Magli

Copyright © 2010 M. Sinaie and V. T. Vakili. This is an open access article distributed under the Creative Commons Attribution
License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly
cited.

Recently, arithmetic coding has attracted the attention of many scholars because of its high compression capability. Accordingly,
this paper proposed a Joint Source-Cryptographic-Channel Coding (JSCC) based on Arithmetic Coding (AC). For this purpose,
embedded error detection arithmetic coding, which is known as continuous error detection (CED), is used. In our proposed
method, a random length of forbidden symbol which is produced with a key is used in each recursion. The dummy symbol is
divided into two dummy symbols with a key and then is placed in random positions in order to provide security. Finally, in
addition to producing secure codes, the suggested method reduced the added redundancy to half of the total redundancy added by
CED. It has less complexity than cascades source, channel coding, and encryption while its key space in comparison to other joint
methods has enlarged. Moreover, the coder provides a flexible switch between a standard compression model and a joint model.

1. Introduction Many data compression techniques are available for

The increasing demand for the use of computer networks,
the wide availability of digital multimedia contents, and the
accelerated growth of wired and wireless communications
have resulted in new research areas in joint coders.
The design of modern multimedia communication sys-
tems is very challenging as the system must satisfy several
contrasting requirements [1]. Data compression is needed
because it provides a mechanism to increase the effective
bandwidth in a network and serves the highest possible
number of users. Data compression optimizes the required
storage space and reduces transmission time in the network.
In one hand, compression typically makes the transmission
very sensitive to error or packet losses, thus it can decrease
the quality of received data by the final users so channel
coding is required for error detection and correction [2].
On the other hand, source coding decreases redundancy
in the plaintext which makes the data more resistant to
statistical methods of cryptanalysis [3], and additionally, the
accessibility of data makes it possible for the unauthorized
users to reach the data easily. Therefore, to be reliably
and confidentially transmitted, the data must be encrypted
[4].
efficient source coding [5, 6]. Strong error control codes
have been developed for channel coding. In addition, some
encryption algorithms have been developed for secure data
transmission. Recent source coding, channel coding, and
encryption algorithms require computational power for
encoding and decoding. This is particularly unfavorable
in certain applications such as mobile communications,
embedded systems and real-time communication, where
devices (e.g., portable equipments) are resource constrained
due to the size limitation and power consumption consider-
ations [2].
In real-time or satellite communication, delay and com-
plexity are not desirable. Therefore, low complexity JSCC is
preferable for such situations. Techniques for joint source-
channel coding, which have been proposed in this research,
use the duality of source encoding and channel decoding
and are aimed at decoding noisy compressed data as reliably
as possible. The development of these joint algorithms has
closely followed the development of source and channel
coding algorithms.
Most of the early works on joint source-channel coding
used different forms of Huffman codes. But nowadays, by
increasing interest in arithmetic coding in the multimedia
2 EURASIP Journal on Information Security
applications [7], for example, JPEG2000 and H.264, many
researchers were attracted to it. In 1997 Boyd et al. [8]
introduced a forbidden symbol in the source alphabet and
used it at the decoder side as an error detection device.
Sayir [9] considered the arithmetic coder as a channel coder
and added redundancy in the transmitted bit stream by
introducing gaps in the coding space and shrinking the
probability of symbols by a factor [10]. In these joint coders,
we have embedded error detection compressed data without
providing essentially any security in the face of a chosen
plaintext attack, in which an attacker has the ability to specify
a sequence of input symbols, to observe the corresponding
output, and to repeat this process for an arbitrary number of
times.
Some schemes of joint AC and encryption have been also
proposed up to now. Wen et al. [11] modified the traditional
AC by removing the constraint that intervals corresponding
to each symbol are continuous and the intervals associated
with each symbol can be split according to a key which
is known for the both encoder and decoder. Grangetto et
al. [12] proposed a method in which the system modified
the traditional arithmetic coder by randomly permuting the
intervals in accordance with a key.
Magli et al. [1] developed a JSCC. It used arithmetic cod-
ing which was proposed by Sayir and for providing security;
it randomly permuted the intervals in accordance with a
key generating shuffling sequence which was introduced by
Grangetto. Although this system is a JSCC but the attacker
can break the system by comparing N pairs of the output
with the corresponding input which differ from each other
in exactly one symbol. Teekaput and Chokchaitam [13] have
introduced a scheme for JSCC. Security was provided by
changing the location of the forbidden symbol. This system
looks like the system which was introduced by Magli et al., so
it suffered from the same limitations.
In this paper, we present a method for joint source-
cryptographic-channel coding based on arithmetic coding.
This is very important in light of simplifying the design of the
system. We use binary arithmetic coding with the forbidden
symbols which was introduced in [14] for error detection.
Security is provided by using random length of the forbidden
symbols and randomly placing these dummy symbols in
the probability table. Compression ratio is improved in
comparison with the systems in [1, 13]. Also, the actual key
space has enlarged. This method can be used for arithmetic
coding with multiple symbols. However, to simplify the
method, we use binary AC.
The rest of this paper is organized as follows: in Section 2,
we discuss more on arithmetic coding and arithmetic coding
with forbidden symbol. In Section 3, our proposed method
for JSCC is described. In Section 4, the results obtained
from the simulation and the performance of the system are
explained. In Section 5, we draw some conclusions.
2. Arithmetic Coding and CED
This section provides a brief introduction to arithmetic
coding and AC with forbidden symbol which is named in
1 0.375 0.281 0.281
c c c c
b b b b
a a a a
0 0 0.141 0.246
Before encoding After After After
any symbol encoding a encoding b encoding c
Figure 1: An example of arithmetic coding, the source symbols are
a, b, c with p(a) = 0.011, p(b) = 0.011, p(c) = 0.010 [10].
[14] as CED. Until AC was developed in the 1970s, Huffman
coding was considered to be almost optimal. Huffman
coding uses a tree for encoding a sequence. AC uses a
one-dimensional table of probabilities instead of a tree. It
always encodes the whole massage at once and allows the
allocation of fractional number of bits to each source symbol.
It generates a code sequence which is uniquely decodable,
such that the probability of distribution of code sequence
approaches the uniform distribution over the code alphabet
[6].
AC works by recursively subdivision of coding interval
in portion to probabilistic estimates of symbols as generated
by a given model and retains it to be used as the new
interval for the next encoding step of the recursion [5].
This can be illustrated better with an example. Consider a
source alphabet with three symbols [14] a, b, and c with
p(a) = 0.375, p(b) = 0.375, and p(c) = 0.25. For example,
we want to encode the sequence abc. After encoding a, the
new interval will be [0, 0.375), and the transmitted sequence
would lie in this interval. The next symbol is b, and according
to the intervals associated to each symbol, the next interval
will be [0.141, 0.281). This recursion continues to the end of
the sequence. At the end, a number in the last interval which
is a fractional number between zero and one will be sent as
the sequence code. This example is illustrated in Figure 1.
AC is a powerful source coding technique and has higher
compression efficiency than other entropy coders. But arith-
metic coding has two major drawbacks, the error sensitivity
and error propagation property. Error propagation because
of loss of synchronization can damage the whole data after
an error has occurred in the compressed data. We can use
this loss of synchronization to error detection. Anand et al. in
[14] introduced a forbidden symbol which does not belong
to the source alphabet and never occurs in the probability
table. For inserting dummy symbol into the probability table,
probability of the symbols should be shrunk by a factor.
This forbidden symbol has a finite and small probability
assigned to it. If its probability is ε, so the probability
of the symbols must be shrunk by factor (1 − ε). The
introduction of the forbidden symbol produces an amount
of artificial coding redundancy per encoded bit equal to
EURASIP Journal on Information Security 3

a1 a2 a3
Original probability space

Reserving a a1 a2 a3 f1
probability space ε

1-ε ε

Arithmetic encoding a1 a1 a1 a2 a1 a3 a1 f1 a2 a1 a2 a2 a 2 a3 a2 f 1 a3 a1 a3 a2 a3 a3 a3 f1
f1 X
with a forbidden symbol

Reserved code space

a2 a 1 a1
a2 a1 a2

a2 a1 a3

a2 a2 a1
a2 a2 a2
a2 a2 a3

a2 a3 a1
a2 a3 a2
a2 a3 a3
a2 a1 f 1

a2 a2 f 1

a2 a3 f 1

a3 a1 a1
a3 a1 a2
a3 a1 a3

a3 a2 a1
a3 a2 a2
a3 a2 a3

a3 a3 a1
a3 a3 a2
a3 a3 a3
a3 a1 f1

a3 a2 f 1

a3 a3 f 1
a1 a1 a1
a1 a1 a2
a1 a1 a3

a1 a2 a1
a1 a2 a2
a1 a2 a3

a1 a3 a1
a1 a3 a2
a1 a3 a3

a1 f1 X

a2 f 1 X

a3 f 1 X
a1 a1 f 1

a1 a2 f 1

a1 a3 f 1 f1 XX
Valid code space

Figure 2: Encoding with a forbidden symbol for probability ε.

−log2 (1 − ε), at the expense of the compression efficiency The combined data encryption and AC use the error prop-
[14]. The decoder obtains an error detection capability and agation property of AC to provide security. Our proposed
enhances its robustness against noise. If an error occurs, this technique uses forbidden symbols with random lengths and
forbidden symbol is very likely to be eventually decoded with places them in random locations. The flowchart of this
a high probability. Figure 2 illustrates a sample of binary AC proposed technique is shown in Figure 3. While the concept
subinterval separation by inserting a forbidden symbol in the of this scheme can be applied to a source alphabet with any
current interval. size, for simplicity, the remainder of the discussion focuses
This forbidden symbol can be placed anywhere in the on the binary case.
probability table, and we can also have more than one
forbidden symbol and place them in more than one location
3.1. Inserting Forbidden Symbols. In conventional CED, the
in the probability table. In conventional CED, the probability
probability of the forbidden symbol is fixed and at the
of the forbidden symbol is fixed, and also the forbidden
beginning of the encoding process; this probability which
symbol is fixed at the same location for the whole encoding
is named ε is determined by (1). This depends on the
process. Before transmission, the encoder and decoder
maximum bit rate, R and the entropy of source, H(A) [9]:
should negotiate the location and size of the forbidden
symbol [13]. If its probability is fixed for the whole encoding  (1/R−1)H(A)
process, then the bit rate of the code is fixed, and the amount 1
ε =1− . (1)
of the added redundancy is fixed to −log2 (1 − ε) bit per 2
symbol.
If we take the maximum bit rate needed into account and Adding the forbidden symbol leads to the addition of
also consider that the bit rate in each recursion is not allowed redundancy to the output extension which can be used as a
to exceed the maximum bit rate, we can change the bit rate means of error detection. This method does not have enough
while encoding. This causes less redundancy to be added to security against attacks; therefore, we use a random-length
the bit stream and higher security. We describe this in more forbidden symbol in each recursion in our scheme instead
details in Section 3. of a fixed-length one. In each recursion with a random
generator, we generate a forbidden symbol in the range
[0, ε), in which ε is determined by maximum bit rate, R, by
3. Scheme of the Proposed Model using (1). The generated probability of the forbidden symbol
in each recursion is named γ. By using this random forbidden
The present paper aims to provide an arithmetic coding symbol in every recursion, we shrink the probability of
system which is secure and has an error detection capability. symbols by the factor (1 − γ). This causes adding random
Our scheme is based on CED, in which there is a forbidden redundancy while encoding each input symbol. In addition,
region with a probability ε, added to the probability table to we can claim that we have a semiadaptive arithmetic coder
provide some redundancy while a synchronized decoder can because in each recursion, a different length of the forbidden
detect the error occurring and conceal wrong decision bits. symbol is produced. It leads to a different shrinking factor
4 EURASIP Journal on Information Security
Start
Initialize PRNGs
New input symbol
Yes End of
Stop
file
No
Produce μ2 , μ1 by random generator
Establishing look up
tables 1 or 2
Determining probability table for PRNG
encoding current symbol
Perform the arithmetic coding
Send encoded bits
Figure 3: Flowchart of the proposed scheme.
in each recursion. Therefore, the probability of the source
symbols with various factors would be shrunk.
In the previous section we said that we can have more
than one forbidden symbol, therefore we use two forbidden
symbols in this method. Since the sum of the probabilities
of two forbidden symbols must be equal to γ, we can divide
the generated forbidden symbol, μ, in each recursion equally,
or generate another forbidden symbol in the range [0, γ)
and then uniformly divide the forbidden symbol to two
forbidden symbols μ1 , μ2 with probabilities of γ1 and γ2 .
The γ1 and γ2 represent the encryption key which is
also referred to as K in the following sections and adjusted
with a proper precision in an acceptable range depending
on the requirements of different applications. At the decoder
side, if a synchronized decoder is applied, that is, adding the
γ1 and γ2 at each coding step, data will be reconstructed
accurately. Otherwise, whether using a standard AC decoder
or a decoder of proposed scheme with a different γ1 and γ2 ,
the encoded code stream cannot be correctly decoded.
3.2. Establishing and Selecting the Probability Table. In
Section 2 we demonstrated that the forbidden symbol can be
placed anywhere in the probability table. In binary AC, it can
be placed at the beginning, in the middle and at the end of the
Table 1: Mapping function of binary arithmetic codes with two
different lengths of forbidden symbols (look up table).
Situations Situations
(a b µ1 µ2 ) (μ1 μ2 a b )
(a µ1 b µ2 ) (μ2 a μ1 b)
(µ1 a b µ2 ) (a μ2 b μ1 )
(µ1 a µ2 b) (μ2 a b μ1 )
Table 2: Mapping function of binary arithmetic codes with two
equal lengths of forbidden symbol (look up table).
Situations
(a b µ1 µ2 )
(a µ1 b µ2 )
(µ1 a b µ2 )
(µ1 a µ2 b)
probability table. We use Pseudorandom Number Generator
(PRNG) to control the place of the forbidden symbols. A
seed value, S, which also represents another encryption key,
is used to initialize the PRNG. The bits of the generated
random sequence are used as an encryption key in each
recursion. In practice, the random sequence is taken on
the values 0 and 1 with probability of .5 which is also the
controlling bits sequence.
If we divide forbidden symbol μ unequally, μ1 and μ2
are in different ranges so a binary memoryless source, X,
with probabilities P0 and P1 is encoded by means of a
quadruplet AC with the alphabets a, b, μ1 , μ2 . For allocating
these, we have different possibilities which are demonstrated
in Table 1. In this situation, for encoding each input symbol,
we use 3 bits of the generated random sequence of PRNG as a
key to control the locations of the forbidden symbols. But, if
we divide μ equally, we will have ternary AC, and Table 2 is its
look up table. This look up table uses 2 bits for determining
the locations of the forbidden symbols.
To conclude, we do not encrypt the code string which
causes a totally different value but only secretly add subin-
tervals and secretly place them. The proposed encoder
works with a key K = (γ1 , γ2 , S), which represents the final
encryption key. Given the same K, both the encoder and the
decoder generate the same pseudorandom number sequence
for decision bits and exactly add the same γ1 , γ2 to the
corresponding code string in order to synchronize them with
each other. On the other hand, no matter which parameter
of K is unknown or incorrectly given, the decoder cannot
decode the compressed data properly, and the decompressed
data is almost meaningless. Furthermore, as long as γ1 and
γ2 are set to 0, our scheme achieves a simple switch from the
joint compression, error detection, and encryption model
to a standard compression model. Also by setting the sum
of γ1 and γ2 equal to ε, this JSCC is transformed to joint
compression and error detection. Thus, this scheme can be
used for selective encryption and apply to portions of data
which needs more security. Nevertheless, an efficient and
EURASIP Journal on Information Security
secure key distribution protocol is one of the challenging
issues and is beyond the scope of this paper.
4. Simulation Results
Our proposed scheme has been implemented with Matlab
software and a personal computer with 2 G of RAM and
Intel Centrino Core 2 Duo 2.2 G as its CPU. Due to
unstable possesses in computer systems, we take 20 trials
and select the most frequently occurred results as the final
values. Input symbols, upper and lower bounds, and also
produced forbidden symbols in each recursion are set with
precisions of 10−6 being equal to 16-bit implementation. It
is worth noting that this precision is not fixed and can be
flexibly adjusted depending on the requirement of the target
applications.
4.1. Compression Ratio. The Joint Source-Cryptographic-
Channel Model should be used with the precondition that
there is no large redundancy generation after modifying the
standard coding engine. Table 3 shows the results of applying
the proposed method for input sequences with lengths of
100, 1000, and 10000 symbols and allows for comparison
with traditional arithmetic coding in absolute as well as
relative terms. The upper half of the table considers the
case where p(a) = 1/3, and the lower half of the table
considers the case where p(b) = 5/6. The exact length of
the output depends not only on the input data but also
on the specific sequence of forbidden symbols, as well as
their locations and lengths in each recursion. Therefore,
the code lengths shown in the table are averages based on
simulations using 1000 random sequence realizations. The
column labeled “proposed method” gives the mean of the
code lengths based on a large number of simulations using
random seeds for location and lengths. These results show
that in order to limit coding redundancy, ε should be defined
in a limited range, which can be flexibly controlled according
to the requirement of various application systems. Table 3
shows that the redundancy added to the bit stream by our
model is half of the redundancy which conventional method
adds to the bit stream. For ε = 0.03, redundancy is 0.0439 bit
per symbol. If the length of ε is fixed, for example, N = 100,
the redundancy which is added is 4.39 bit per symbol, but
our proposed method adds 2.1 bit per symbol.
Using the forbidden symbol in the source alphabet
actually aims at simply detecting errors and not correcting
them. By randomizing the forbidden symbol, although the
amount of the added redundancy is reduced to half, this does
not interfere with the capability of error detection. However,
Anand et al. [14] gave an empirical model to estimate the
number of the bits necessary to detect an error after it has
occurred. This is shown in the following:
P y (k) = (1 − ε)k−1 ε, k = 1, 2, . . . , ∞. (2)
The probability of not detecting an error after n bits is
P(n) = (1 − ε)n . (3)
5
Based on the extensive performed simulations, it is
concluded that in the CED method, if n bits are needed
for detecting an error after it has occurred, (6 ∗ n)/5 bits
are needed for error detection in our proposed method.
Hence, to solve this problem, we can compensate for this
shortcoming by assuming greater lengths for the input blocks
in the proposed encoder. However, we know that adding
security and error detection capability to a compression
encoder often leads to a compromise between the amounts
of compression achieved and the amount of security and the
robustness against channel errors incorporated.
The encoded stream can be reconstructed perfectly
by providing the same K and by reversing the encoding
operations. By having the same K, both encoder and decoder
generate the same pseudorandom number sequence for
decision bits and exactly add the same γ1 and γ2 to the corre-
sponding code string in order to synchronize with each other.
As soon as the forbidden symbol is decoded, the occurrence
of error in the received sequence is detected. However, this
method of decoding is not capable of correcting the errors.
But, the redundancy of the encoder’s output can be used for
correcting errors.
Arithmetic codes can be viewed as tree codes. Sequential
decoding is a general decoding algorithm for tree codes. It
was introduced by Wozencraft and Reiffen to decode con-
volutional codes in [15]. Fano [16] presented an improved
sequential algorithm in 1963, which is now known as the
Fano algorithm. Pettijohn et al. [17, 18] proposed two
sequential decoding algorithms, depth first and breadth first,
for decoding arithmetic codes in the presence of channel
errors. We can use these decoding algorithms with the same
key for decoding the output of our proposed scheme.
4.2. Complexity. Sayir [10] showed that an arithmetic coder
can be an entropy source encoder when the model is
matched with the source and can be a channel encoder
when the probability space is properly reserved for error
protection and can act as a convolutional code. After
inserting the forbidden symbol to a source with M alphabet,
we will have an arithmetic coding with M + 1 alphabet in
which one of the symbols never appears. Therefore, adding
parity is performed while compression without adding more
additional operations to the conventional arithmetic coding.
If the source has M alphabet, so this method just adds M
multiplication and 1 additional operation to the complexity
of conventional arithmetic encoder. But if we want to place
a convolutional encoder after arithmetic encoder, according
to the amount of redundancy, it needs some shift and XOR
operations and increasing memory usage. For example, if the
bit rate is 1/2 and the code generator polynomial is p(x) =
x2 + x, it would need at least three shift register and XOR
operations for each input symbol.
Also because a traditional arithmetic coder needs to work
sequentially, arithmetic coding and convolutional coding
cannot be parallelized. A comparison of time duration for
arithmetic coding and arithmetic coding followed by a 1/2
feedforward convolutional encoder is shown in Figure 4.
Placing the forbidden symbol in different locations
and assigning random lengths of the forbidden symbols
6 EURASIP Journal on Information Security

Table 3: Comparison of code lengths as a function of sequence length N.

Proposed method
AC with fixed length
Symbol probability N N ∗H AC with maximum
ε = 0.03
ε = 0.03
10 9.183 9.1890 9.7390 9.4470
P(a) = 1/3 H = 100 91.83 91.9100 96.3610 94.0330
entropy = .9183 1000 918.3 918.6810 962.7090 941.2350
10000 9183 9183.700 9622.410 9404.46
10 5.917 6.0410 6.4450 6.0100
P(a) = 5/6 H = 100 59.17 65.7390 69.6020 67.3620
entropy = .5917 1000 591.7 650.3070 694.9340 672.7320
10000 5917 6500.250 6940.01 6717.720

250 300

250
200

Time duration (s)

Time duration (s)

200
150
150
100
100

50
50

0 0
8 10 15 30 40 60 80 90 100 8 10 15 30 40 60 80 90 100
File size in bytes ×103 File size in bytes ×103

Disjoint source, channel coder Proposed method

Joint source, channel coder Cascaded AC, AES and convolutional coder

Figure 4: Comparison of AC with forbidden symbol and cascaded Figure 5: Comparison of proposed system and cascaded arithmetic
arithmetic coding with convolutional coder. coding with AES and convolutional coder.

increase computational complexity. This extracomputational
complexity of joint AC and channel coding in comparison
with the complexity of three disjoint coders is very small.
It is relevant to consider a system consisting of a
traditional arithmetic encoder followed by AES, which, of
course, would also deliver security and compression. Since
AES was designed for efficient hardware implementation, it
is extremely fast when it is fully pipelined in hardware [19].
However, because a traditional arithmetic coder needs to
work sequentially, the AC cannot easily be parallelized and
becomes a bottleneck in a combined AC/AES system [7].
AES consists of 40 sequential transformation steps composed
of simple and basic operations such as table lookups, shifts,
and XORs. For a block size of 128, these steps require a
total number of 19 shifts, use of 336 bytes of memory, and
the XORing of approximately (the exact requirement is data
dependent) 608 bytes of data. But, our proposed technique
adds a maximum of 20 bytes of memory, no XOR, and no
shift operations to conventional AC. For a block size of 128
and a source with binary alphabets, our proposed method
adds as much as 128 × 2 × 2 operations to conventional
arithmetic coding operations. This number is much smaller
than the number of operations added to the AC with disjoint
coders. Figure 5 compares time duration required by binary
arithmetic coding for p(a) = 1/3 followed by AES with a
block size of N = 128 and 1/2 feedforward convolutional
encoder with our proposed method. We can see that our
system takes much shorter time than a cascaded system.
Our proposed technique can be implemented utilizing
techniques similar to those used in traditional arithmetic
coding and can benefit from the same optimizations for
speed, finite precision, and so forth. Inserting the forbidden
symbol to the probability table adds no complexity to
arithmetic coder; only establishing the probability table and
searching the look up table increase the amount of memory
needed to store the look up table and the probability of
forbidden symbols. In addition, division of the forbidden
symbol and updating the probability of symbols by factor
(1 − γ) in each recursion introduce an additional multipli-
cation though, as with traditional arithmetic coding, faster
EURASIP Journal on Information Security
algorithms that replace the multiplications with simpler
operations can be introduced [20].
4.3. Security Analysis. A good encryption procedure should
be robust against all kinds of cryptanalytic, statistical, and
brute-force attacks. In this section, we discuss the security
analyses of the proposed encryption scheme. This includes
statistical analysis, key space analysis, and sensitivity analysis
of the proposed encryption scheme with respect to the key
and plaintext, and so forth. to prove that the proposed
cryptosystem is secure against the most common attacks.
4.3.1. Key Space. For a secure encryption algorithm, the key
space should be large enough to make the brute force attack
infeasible. The main private information in our proposed
scheme is the key used in the PRNGs; each of them is as long
as 128 bits. These PRNGs generate random sequences which
are used by the proposed technique as a secret key in each
recursion.
The proposed cipher has 2128×3 different combinations of
the secret key, and key space of our proposed method is larger
than that of the methods introduced in [1, 12]. A cipher with
such a long key space is sufficient for reliable practical use in
multimedia communications.
As mentioned above, the proposed encoder uses gener-
ated random sequences as its secret key in each recursion.
In [13] there are only two possible choices in one recursion:
at the beginning of the probability table or at the end.
Even though the swapping probability is also used as a key
parameter in this method, but there are other keys, γ1 and γ2 ,
and attacker must decode received sequence using all possible
seeds, S, or γ1 and γ2 for accessing correct data.
If precision of γ is set to 16 bits, one should try 232 trails
for estimating each forbidden symbol in one recursion and 23
trails for finding the situation of the probability table in each
recursion; therefore, the actual key space in each recursion
can be 234 times larger than the key space in [13]. In this
proposed method, if we suppose that the key S is known by
the attacker, he cannot find out what random value at which
positions is added, and as long as the attacker is not aware
of the value of the forbidden symbols he cannot access the
status of the probability table in each recursion.
4.3.2. NIST SP 800-22 Test for Cipher. In this study, NIST SP
800-22 [21] tests are used for testing the randomness of the
cipher. The NIST Test Suite is a statistical package consisting
of 16 tests that were developed to test the randomness
of binary sequences, with arbitrary lengths, produced by
either hardware or software-based cryptographic random or
Pseudorandom Number Generators. These tests focus on
a variety of different types of nonrandomness that could
exist in a sequence. Hence, in this test the cipher sequence,
whose length is 106 , is examined. The results of testing the
randomness of the cipher are shown in Table 4. We can
conclude from Table 4 that the cipher which was encrypted
from this encoder is stochastic and it has robustness against
known cipher-text attack.
7
4.3.3. Sensitivity Analysis. An ideal procedure of data encryp-
tion should be sensitive to both the secret key and the
plaintext. The change of a single bit in either the secret
key or the plaintext should produce a completely different
encrypted data. To prove the robustness of the proposed
scheme, we performed sensitivity analysis with respect to
both the secret key and the plaintext.
(A) Sensitivity Analysis of the Cipher to Key. For testing the
key sensitivity of the proposed coder, we performed the
following steps:
(a) changing one bit of S1 which determined the forbid-
den symbol length in each recursion,
(b) changing one bit of S2 which divided the forbidden
symbol into two different forbidden symbols in each
recursion,
(c) changing one bit of S3 which determined the proba-
bility table in each recursion,
(d) changing just one bit of the three main keys.
It is not easy to compare the encrypted outputs by simply
observing them. Thus, for the comparison, we calculated
the correlation between the corresponding bits of the four
encrypted data by (4) [22]:
Cr
N   N N
N j =1 xj × yj − j =1 x j × j =1 yj ,
= 
  2    2
N Nj=1 x2j − Nj=1 x j × N Nj=1 y 2j − Nj=1 y j
(4)
where, x j and y j are the values of corresponding bits in the
two encrypted outputs to be compared and N is the total
number of output bits.
We performed the above mentioned steps for several
different keys. Then, we calculated the correlation coefficient
for the encoded sequences by using (4). In all the cases, very
small correlation coefficients of the corresponding outputs
were obtained. For instance, Table 5 shows the correlation
coefficients between encoded sequences with S1, S2, and S3
keys for the outputs from the steps (a) to (d) based on
changing the first bits of the keys.
As the Table 5 shows, no correlation exists among
the three encrypted outputs even though these have been
produced by using only slightly different secret keys. Also,
based on the comparison of outputs of the proposed scheme
for a large number of inputs, it was found that changing one
symbol in the plaintext will result in a completely different
output by more than 99%. This shows that different inputs
even in one symbol will result in different outputs.
It can be also concluded from this table that all the
ambiguities of the proposed coder are independent from
each other. Therefore, even if the attacker finds access to one
of the keys, no information about the other keys is released
by that one.
8 EURASIP Journal on Information Security

Table 4: Sp 800-22 tests results of cipher. Table 5: Correlation coefficients of different outputs.

Statistical test P-value Results Output Correlation coefficient

Monobit 1.1 success Changing first bit of S1 0.0228
Block frequency (m = 128) .2251 success Changing first bit of S2 0.0170
runs .8513 success Changing first bit of S3 −0.0045
Rank .2335 success Changing first bit of S1, S2, S3 −0.0350
Spectral DFT .8513 success
Nonoverlapping templates
(M = 1032, .1799 success
Since the proposed coder is simulated for binary inputs
B = 110101010)
and the output is also binary, we can calculate the changing
Overlapping templates bit rates of the cipher instead of correlation coefficients.
(m = 9, M = 933, 1 success
Change of one bit in the plaintext should make theoretically
B = 110101010)
a 50% difference [22] in the bits of the cipher. We also
P-value 1 .9640 Success
Serial developed a test for the changing rate of the cipher bits. The
P-value 2 .8729 success changing rate was 49.41%. For all these reasons, the proposed
Forward .7573 Success scheme of this study proves to be sensitive to the changes in
Cumulative sums
reverse .6686 success the input, hence, an ideal coder.
X = −4 .9343 Success
X = −3 .8757 Success 4.3.4. Different Attacks. According to both the above analyses
X = −2 .9008 Success and the following reasons, the proposed algorithm is resis-
Random excursions (state X = −1 .8787 Success tant to the chosen plaintext attacks.
x) X =1 .2435 Success (i) The model dynamically reorders the frequency of the
X =2 .8922 Success input symbols according to the length of random
X =3 .6260 Success forbidden symbols in each recursion.
X =4 .8816 success (ii) The output from the engine is in the form of words
X = −9 .8319 Success with variable sizes so the individual bits of the output
X = −8 .9067 Success corresponding to the inserted symbols could not be
X = −7 .8503 Success determined.
X = −6 .9922 Success
The entropy, H(S), of a message source, S, can be
X = −5 .6578 Success calculated by (5)
X = −4 .6592 Success
 1
X = −3 .9653 Success H(S) = P(si )log2 bits, (5)
X = −2 .7504 Success si P(si )
Random excursions variant
X = −1 .6973 Success
(state x) where P(si ) represents the probability of symbol si . The
X =1 .6269 success
entropy is expressed in bits. If the source emits 2 symbols
X =2 .7790 success
with equal probability, that is, S = {s1 , s2 }, then the entropy
X =3 .4957 success is H(S) = 1, corresponding to a true random sequence. The
X =4 .4850 success system test real entropy value is 0.9974. So the system can
X =5 .8543 success resist the entropy attacks.
X =6 .2173 success Another large class of attacks is based on the anal-
X =7 .6084 success ysis of statistical properties of the output bit stream B
=B1 B2 · · · BNc , where Nc is the output length. It is thus
X =8 .5193 success
important to investigate the statistics of B. Various simu-
X =9 .5294 success lations showed that the output of the proposed coder had
P(Bi = 0) = P(Bi = 1) = 1/2, for any i. Therefore, from the
first-order statistics, the attacker cannot find any information
regarding the secret key.
(B) Sensitivity Analysis of Cipher to Plaintext. Generally, Alternatively, the attacker may wish to recover the key
attacker may make a slight change in the plaintext. In order stream which is used in the proposed method. Suppose that
to test the influence of changing a single bit in the original the input symbol sequence length is N. The length of the key
data, the correlation coefficients between the corresponding stream used in the method is then LN = (2 × 16 × N) + 3 × N.
output sequences were calculated for the changes in the input Assume that the generated bit stream is of length N c . Then,
sequence. As expected, the correlation coefficients were very the total complexity of breaking the key stream is 2Nc +LN . In
small. the case that the input symbol sequence length is sufficiently
EURASIP Journal on Information Security
large which makes 2Nc +LN > 2128×3 , the attacker would rather
use the brute-force attack to break the secret key utilized in
the PRNGs.
A pseudorandom sequence is vulnerable to the known
plaintext attacks; since there is a given known input
sequence, the attacker can compare the joint source-channel
coder and the proposed coded sequences and attempt to find
the added subintervals and their locations. To increase the
security, an efficient key distribution protocol could be also
explored in our algorithm to provide a sufficient encryption.
5. Conclusion
In this paper, a scheme has been presented which combines
compression, error detection, and data encryption. The
proposed technique by adding a little complexity to CED
provides security. It adds two random subinterval μ1 and μ2
to the probability interval in each iterative coding step and
controls the locations of the forbidden symbol by a PRNG
with a seed, S, while the key is K = (S, γ1 , γ2 ) in each
recursion. Moreover, it easily switches to standard arithmetic
coding by setting γ1 and γ2 equal to zero when the data
do not need to be protected. This coder causes the added
redundancy to be almost halved without any special effect
on error detection capability. The proposed technique is less
complicated and faster than cascaded systems; therefore, they
are more suitable for real-time applications. The technique
can be also extended to selectively encrypting data and
images. This proposed method can be used in ARQ systems
for error detection and error correction.
Acknowledgment
The authors would like to thank ITRC (Iran Telecommu-
nication Research Center) for the invaluable assistance and
funding for this paper.
References
[1] E. Magli, M. Grangetto, and G. Olmo, “Joint source, channel
coding, and secrecy,” EURASIP Journal on Information Secu-
rity, vol. 2007, Article ID 79048, 7 pages, 2007.
[2] H. Kaneko and E. Fujiwara, “Joint source-cryptographic-
channel coding based on linear block codes,” in Applicable
Algebra in Engineering, Communication and Computing, vol.
4851 of Lecture Notes in Computer Science, pp. 158–167, 2007.
[3] R. Bose and S. Pathak, “A novel compression and encryption
scheme using variable model arithmetic coding and coupled
chaotic system,” IEEE Transactions on Circuits and Systems, vol.
53, no. 4, pp. 848–857, 2006.
[4] D. Xie and C.-C. J. Kuo, “Multimedia encryption with
joint randomized entropy coding and rotation in partitioned
bitstream,” EURASIP Journal on Information Security, vol.
2007, Article ID 35262, 12 pages, 2007.
[5] A. Moffat, R. M. Neal, and I. H. Witten, “Arithmetic coding
revisited,” ACM Transactions on Information Systems, vol. 16,
no. 3, pp. 256–294, 1998.
[6] T. Cover and J. Thomas, Elements of Information Theory, John
Wiley & Sons, New York, NY, USA, 1991.
9
[7] H. Kim, J. Wen, and J. D. Villasenor, “Secure arithmetic
coding,” IEEE Transactions on Signal Processing, vol. 55, no. 5,
pp. 2263–2272, 2007.
[8] C. Boyd, J. G. Cleary, S. A. Irvine, I. Rinsma-Melchert, and
I. H. Witten, “Integrating error detection into arithmetic
coding,” IEEE Transactions on Communications, vol. 45, no. 1,
pp. 1–3, 1997.
[9] J. Sayir, On Coding By Probability Transformation, Hartung-
Gorre, Konstanz, Germany, 1999.
[10] J. Sayir, “Arithmetic coding for noisy channels,” in Proceedings
of the Information Theory and Communication Workshop, pp.
69–71, IEEE, 1999.
[11] J. G. Wen, H. Kim, and J. D. Villasenor, “Binary arithmetic
coding with key-based interval splitting,” IEEE Signal Process-
ing Letters, vol. 13, no. 2, pp. 69–72, 2006.
[12] M. Grangetto, E. Magli, and G. Olmo, “Multimedia selective
encryption by means of randomized arithmetic coding,” IEEE
Transactions on Multimedia, vol. 8, no. 5, Article ID 1703505,
pp. 905–917, 2006.
[13] P. Teekaput and S. Chokchaitam, “Secure embedded error
detection arithmetic coding,” in Proceedings of the 3rd Interna-
tional Conference on Information Technology and Applications
(ICITA ’05), pp. 568–571, IEEE, July 2005.
[14] R. Anand, K. Ramchandran, and I. V. Kozintsev, “Continuous
error detection (CED) for reliable communication,” IEEE
Transactions on Communications, vol. 49, no. 9, pp. 1540–
1549, 2001.
[15] J. M. Wozencraft, and B. Reiffen, Sequential Decoding, MIT
Press, Cambridge, Mass, USA, 1961.
[16] R. M. Fano, “A heuristic discussion of probabilistic decoding,”
IEEE Transactions Information Theory, pp. 64–74, 1963.
[17] B. D. Pettijohn, K. Sayood, and M. W. Hoffman, “Joint
source/channel coding using arithmetic codes,” in Proceedings
of the Data Compression Conference (DDC ’00), pp. 73–82,
Snowbird, Utah, USA, March 2000.
[18] B. D. Pettijohn, M. W. Hoffman, and K. Sayood, “Joint
source/channel coding using arithmetic codes,” IEEE Transac-
tions on Communications, vol. 49, no. 5, pp. 826–835, 2001.
[19] A. Hodjat and I. Verbauwhede, “Area-throughput trade-offs
for fully pipelined 30 to 70 Gbits/s AES processors,” IEEE
Transactions on Computers, vol. 55, no. 4, pp. 366–372, 2006.
[20] M. Grangetto, E. Magli, and G. Olmo, “Multimedia selective
encryption by means of randomized arithmetic coding,” IEEE
Transactions on Multimedia, vol. 8, no. 5, pp. 905–917, 2006.
[21] A. Rukhin, J. Soto, J. Nechvatal et al., “A statistical test
suite for random and pseudorandom number generators for
cryptographic applications,” NIST Special Publication 800-22,
May 2001.
[22] X. Tong, M. Cui, and Z. Wang, “A new feedback image encryp-
tion scheme based on perturbation with dynamical compound
chaotic sequence cipher generator,” Optics Communications,
vol. 282, no. 14, pp. 2722–2728, 2009.