Abstract Keywords: 1. Introduction

Transcription

1 Joint Encryption & Compression using Variable Model Arithmetic Coding Ranjan Bose and Saumitr Pathak Department of Electrical Engineering Indian Institute of Technology, Delhi, Hauz Khas, New Delhi Ph: , Fax: Abstract Past research in the field of cryptography has not given much consideration to arithmetic coding as a feasible encryption technique. Over the past few years, while arithmetic coding has still been the focus of a lot of intense research, studies have proven compression-specific arithmetic coding to be largely unsuitable for encryption. This is in spite of the large size of the model that arithmetic coding works with. Adaptive modelling, in particular, offers a huge model, variable in structure, and as completely as possible a function of the entire text that has been transmitted since the time the model was initialized. This serves as a huge key, which can make decryption arbitrarily difficult. But the scheme has been shown to be vulnerable to organized cryptanalysis. The focus of the work presented in this paper has been to incorporate the results of chaos theory into arithmetic coding, to device a convenient method to make the structure of the model unpredictable and variable in nature, and yet to retain, as far as is possible, statistical harmony, so that compression is possible. A chaosbased adaptive arithmetic coding-encryption technique has been designed, developed and tested and its implementation has been discussed. For typical text files, the proposed encoder gives compression between 67.5 and 70.5 % and is not susceptible to previously carried out attacks on arithmetic coding algorithms. Keywords: Symmetric key cryptography, variable model, arithmetic coding, chaos, compression, encryption. 1. Introduction The idea of combining data compression with encryption of data is a useful one since, in addition to an optimisation of storage space required and transmission times needed, compression leads to a decrease in the redundancy in the plaintext, which makes the data more resistant to statistical methods of cryptanalysis [18]. Nevertheless, incorporating cryptographic features in a compression algorithm is a difficult exercise and often leads to a compromise between the amount of compression achieved and the amount of security incorporated [18, 9]. Also, computational resources today allow the cryptanalyst to carry out organized attacks with much success, and the time-complexity of brute force attacks, too, has been greatly reduced. Robust algorithms, promising sufficient data security, are, therefore, an ever-recurring need. The mathematical notion of chaos has found applications in diverse real life situations, including secure communication and cryptography [7, 12]. Due to their unpredictable nature, chaotic variables provide a degree of randomness not achievable otherwise through simple mathematical functions. They are extremely sensitive to the initial value within the chaotic domain and processes that differ by values as small as lead to completely unrelated sequences after a finite number of iterations [5]. This implies that if a coding algorithm carries out encryption based on a particular value of the seed, then the cryptanalyst may not be able to generate the same sequence to break the code, even if his approximation of the seed has a high degree precision-closeness. Of late, a number of attempts, using different approaches, have been made to bring together chaos and cryptography; a few of them are [5,17,13,2,1,21]. Arithmetic coding [20,10,11,15], in its essence, assigns to each possible character a range, the width of which reflects the frequency of occurrence of the symbol. This conceptual space, consisting of all such ranges arranged cumulatively, is shrunk consecutively to uniquely represent the input symbols. Each consecutive symbol causes the current range boundaries to shrink to accurately represent its occurrence, using the range allotted to it, and after each revaluation of the current limits of the range, the entire symbol space, having been updated to account for the new symbol, is mapped into this new range. This is accompanied by an increase in the precision bits of the variables used to represent the boundaries. In practice, a window is used to represent the current range boundaries, to prevent computational overflow, while the most significant bits are continuously shifted out and filed. Accurate prediction of symbol probabilities is essential to the efficiency of compression. 1

2 Past research in the field of cryptography has not given much consideration to arithmetic coding as a feasible encryption technique and, while arithmetic coding has still been the focus of a lot of intense research, studies by [3] and [4] have proven compression-specific arithmetic coding, both adaptive and fixed-model, to be largely unsuitable for encryption. This is in spite of the large size of the model that arithmetic coding works with. Adaptive modelling, in particular, offers a huge model, variable in structure, and as completely as possible a function of the entire text that has been transmitted since the time the model was initialized. This serves as a huge key which can make decryption arbitrarily difficult [19]. But the scheme has been shown to be vulnerable to organized cryptanalysis [4]. Nevertheless, the difficulty in resynchronising arithmetic codes [16, 22] offers motivation for using arithmetic codes for encryption. In particular, joint compression and encryption, sharing the computation cost, has been proposed in [16]. The focus of the work presented in this paper has been to incorporate the results of chaos theory into arithmetic coding, to device a convenient method to make the structure of the model unpredictable and variable in nature, and yet to retain, as far as is possible, statistical harmony, so that compression is possible. This paper is organized as follows. The system model has been introduced in section 2. The proposed idea has been put forward and briefly discussed in section 3. Algorithms being used in the implementation have been described in section 4. Results and further discussions have been carried out in section Variable Model Arithmetic Coding for Compression and Encryption The methodology being proposed in this paper seeks to effectively combine the unpredictable behaviour of the logistic function with a variablemodel adaptive arithmetic coder. We consider a model for carrying out zero-order adaptive arithmetic coding. The encoder block (figure 1) consists of the modified arithmetic coder, which uses the secret information (the seed for the logistic function) to process the input plaintext file, giving compressed and encrypted output. The information from the encoder block uses the insecure public channel to transmit the coded data to the decoder block, while a private, secure channel is used to transfer the seed for the logistic function. The modified arithmetic decoder recreates the encoder model using the encoded data and the seed value and carries out decoding in a similar fashion. The logistic function being used in the above blocks can be represented as, x k = αx k-1 (1 - x k-1 ) (1) where x n and α are the initial condition and system parameter, respectively. This equation shows period doubling route to chaos in the system parameter range 1 to 4, and for the value of α > 3.57, the point of accumulation, the periodicity gives way to complete chaos [5,14]. We carry out two basic operations to make the arithmetic coding secure and the decoding completely key-dependent. Before the actual coding and transmission of encoded-encrypted bits, we break up the conceptual symbol space (which is the statistical model used by arithmetic coding), between the different symbols, using an algorithm based on the logistic map's unpredictable course. The logistic function is iterated, 100 times each, for each symbol until it lands in an empty slot. The slot is then assigned to the current symbol and the process repeated for each remaining symbol in the ascii table. It can be proved that, for a uniformly random function, the number of iterations to fill the complete symbol space is finite. Considering a random function, uniform over its entire range, the first slot may be filled in the first attempt itself, with expectation of number of attempts 1 and no more. All other slots may be filled in any number of attempts, the probability of which can be summed as an infinite progression. For an n symbol alphabet, if we consider expectation of the number of attempts as: E = (# of attempts) (probability of # of attempts) Then, E(1) is 1. E(2) comes out to n 1 n 1 1 n ( ) + 2 ( )( n n n ) + 3 ( )( n n )2 +.. In general, for the (i+1)th case, the expression for E(I+1) looks like, 1 ( n i ) + 2 ( n i i )( n n n ) + 3 ( n i i )( n n )2 +.. Summing this series and considering for the ith case, the number of attempts is, n n i + 1 Total number of attempts for all n slots is, n n (2) i = 1 n i + 1 For a 256 symbol alphabet, the number of iterations come out to around In the case of the logistic equation, if used without a proper randomiser to make its distribution uniform, the number of iterations range from 1800 to 2200 as the seed and the coefficient are varied. Therefore the algorithm is implementable in real time, as is. We found that for values of coefficient α below 3.997, initially 1 and then progressively higher number of slots remain unfilled and the algorithm loops 2

3 indefinitely. This is because the equation has not reached complete chaos through the perioddoubling route and some areas of the domain, which increased progressively as the coefficient was decreased, are never stepped on by the logistic function. We have used the value of α to be 4 in our implementation. Next, we consider an alphabet of n different symbols, a 1, a 2, a 3, a n. This sequence of symbols is not arranged in ascii order, rather the ordering is obtained by the algorithm given above. The number of different symbols that have occurred in the input is l. Given a sequence of source symbols, from an i.i.d. source, s 1, s 2, s 3, s k, with s i a 1, a 2,... a l and a sequence of numbers x 1, { } x 2, x 3, x k, with 0 < x j < 1, generated through successive iterations of the logistic function as given in (1), we consider the occurrence and subsequent coding of the kth symbol. Conditional probability estimate for the symbol s k, when it occurs, is P(s k s k-1 ) where s k-1 denotes the set of past events corresponding to the occurrence of symbols s 1, s 2, s 3, s k-1 on which the probability of the current symbol is conditioned. If we take c 1, c 2, c 3, c l as the frequencies of occurrence for the symbols a 1, a 2, a 3, a l, then the probability j estimate for the kth symbol is c, where c j l i = 1 corresponds to the symbol s k. This information is sufficient to carry out arithmetic encoding for the symbol s k. Next, we consider a sorted sequence c o 1, c o 2, c o 3, c o n, with c o i c o i+1 for 1 i n, with each element corresponding to the sequence c 1, c 2, c 3, c n. a o 1, a o 2, a o 3, a o n is the sequence corresponding to a 1, a 2, a 3, a n, with each element of the sequence a o i having frequency count c o i for 1 i n. If c j corresponds to c o j' in the sorted sequence then we denote as N' the set { c o j'-t, c o j'-t+1,, c o j'-1, c o j'+1,, c o j'+t-1, c o j'+t} and as N the t eff elements of the set N' which are closest in index distance to c o j'. t eff is defined as min(l-1, t), where t, referred to as threshold, is a parameter which controls the security-compression tradeoff. Elements of the set N', as seen, belong to the sequence c o 1, c o 2, c o 3, c o l, while the sequence c o l+1, c o l+2, c o n, corresponds to symbols yet to occur. Partitioning the space between 0 and 1 into t eff spaces, we select the partition that contains x k. The corresponding element of the set N' is c o j',x k, hereafter written as c o x k for conciseness, and the corresponding symbol is a o x k. At this point, we exchange the two symbols a o j' and a o x k, in the sorted sequence a o 1, a o 2, a o 3, a o n, which causes a reversal in the frequency counts of the two c i symbols, with c o j' being the frequency count for symbol a o x k and c o x k being the count for a o j'. Since the statistical model for the arithmetic coding has now changed, for the next occurrence of the symbols a o x k and a o j', the probability estimate is more than the true value for one and less for the other, or the reverse, depending on whether c o x k c o j', or c o x k c o j'., which, in its turn, depends on x k. Subsequent occurrences of the symbol a o j' will result in a series of further exchanges, causing further increase or decrease in the value of c o j'. It should be seen here that the initial symbol distribution 3. Simulation Results on Compression and Security Issues For testing the proposed technique, we have used files from the Calgary Corpus (ftp.cpcs.ucalgary.ca/pub/projects/text.compression.corpus). The file paper5 is a normal English text file while the file obj1 consists of executable code and is comparatively more difficult to compress because of a flatter distribution of symbols. In order to see the correlation between compression and frequency deviation, we define f o = ( f i f' i ) 2 (3) Where f i is the actual frequency and f I is the deviated frequency for the ith symbol. In general, f may represent the variance between two frequency distributions. The nature of the encoding algorithm may indicate an inverse relation between the degree of compression achieved and f o. Figures 3 shows a plot of % compression vs. variance for typical text files. We have varied the seed for logistic map to plot the graph. No direct correlation can be seen. This is attributed to the fact that even though variance between the two variables has increased, it cannot be accurately predicted whether a symbol is being represented by extra probability space or is being under-represented, i.e., whether the symbol is being coded using lesser number of bits or greater number of bits than the optimal. Therefore, a mixture of over-compression and undercompression occurs, causing greater than usual compression for certain symbols, while compression of other symbols suffers. The bargain is that overall, there is not left much direct relation between f o and compression achieved, while the strength of the encryption cannot be accounted for or measured through the above variables. The degree of compression undergone by a test file seems to have a relation with both the contents of the file and the initial seed value being used by the logistic map. Compression on a file varies as the seed value is varied, both in precision and in magnitude. In figure 4, a plot between % 3

4 compression and seed is depicted. Seed values equally placed on either side of.5 yield similar distribution and seeds after.5 have been omitted. It is found that for the file paper5, maximum compression of about 67.65% was achieved when the seed value was.33, while the file obj1 was compressed at most to 80.4% when the seed value was.07. In figure 5a and 5b, we have depicted the deviations in symbol frequencies. The results are for the file paper5. This is unfavourable for the cryptanalyst since statistical information does not help cryptanalysis anymore. In figure 6a, we have depicted the symbol slots among which symbol 32, the <space> character, is exchanged. Such slots are not more numerous than the ones shown since symbols are restricted to being exchanged only among their frequencyneighbours. In figure 6b, we have shown how the <space> character gets exchanged between the different slots. The first 200 exchanges have been shown. Both results are for the file paper5. The unpredictability which is evident from the graphs makes the variable nature of the model extremely difficult to track. This ensures that even known or chosen plain-text attacks can ascertain no useful information about the model, since no aspect of the statistical model is unchanging. In another test, with increase in the threshold parameter, t, the compression was found to suffer. When considering the strength of the encryption, it should be noted that, while the symbol sequence a o 1, a o 2, a o 3, a o n, corresponding to the sorted sequence c o 1, c o 2, c o 3, c o n, is used to carry out symbol exchange, which causes the symbols to depart from their real frequencies, the arithmetic code for a symbol is generated with the symbol space breakup as in the sequence a 1, a 2, a 3, a n. On the other hand, further statistical prediction for symbol exchanges is based on the sequence c o 1, c o 2, c o 3, c o n, which is, at every step, encouraging more chaotic exchanges between symbols and their frequency counts in the sequence a 1, a 2, a 3, a n. The most vulnerable moment, cryptographically, for the model is when it is initially started. A low value of l, combined with known plaintext, will help determine the relative ordering of some symbols, by comparing closely matched outputs of strings like bbbbb and bbbba, as described in [3]. As more characters are inserted into the encrypting engine, the symbols spaces get swapped, more and more chaotically, and no useful output which can help determine ordering can be obtained. Since the current symbol, s k, that is inserted into the engine is immediately swapped with one of the symbols in N', using the value x k to determine the character for exchange, known and chosen plaintext attacks cannot work with the system. Once the engine has been running for a long time, which is the way it is intended to be used, and the number of occurring symbols is closer to the number of symbols in the alphabet, swapping occurs all over the alphabet range and symbol ordering cannot be found out. Moreover, output from the engine is in the form of variable sized words, and individual bit output corresponding to inserted symbols cannot be determined. Statistical inferences cannot be correctly drawn from the output since swapped symbol spaces lead to unpredictable and incomputable errors/deviations in frequency. The model also defies attempts to steer it toward a favourable direction, as has been tried in [4]. We conclude our argument with a bitmap depicting the output of repeated strings of a symbol, as shown in figure 10, which contains no discernible repetitive pattern. The first layer is the original string, while the second layer, which appears shorter due to compression, is the encoded string. In this case only one symbol is occurring and no exchanges take place. 4. Conlusion We have proposed a novel technique for (i) secure encryption and (ii) compression of data, which relies on a standard zero-order adaptive arithmetic coder for compression and makes the arithmetic coder's statistical model variable in nature using successive iterations of the logistic map. Chaosbased arithmetic coder and decoder have been designed and developed and the implementation details have been explained. Typical text files have been used to test our algorithm. It has been found that normal English text files are compressed to between 67.5% and 70.5%, the variations resulting from changing seeds values. Further, there was found no direct correlation between f o and the degree of compression. The threshold parameter, t, has been found to adversely affect the degree of compression achieved. In another test, repeated strings of a symbol yielded encoded data which showed no repetition or underlying pattern. The nature of symbol swapping algorithm is such that no information about symbol ordering can be found out. Moreover, output from the engine is in the form of variable sized words, and individual bit output corresponding to inserted symbols cannot be determined. Statistical inferences cannot be correctly drawn from the output since swapped symbol spaces lead to unpredictable and incomputable errors/deviations in frequency. The model also defies attempts to steer it toward a favourable direction. The model has, thus, been shown to be largely secure and is not vulnerable to previous attacks. References: [1] Alvarez, E., A. Fernández, P. García, J. Jiménez and A. Marcano, New approach to chaotic 4

5 encryption, Physics Letters A, Volume 263, Issues 4-6, 6 December 1999, pp [2] Baptista, M.S., Phys. Lett. A 240, (1998), pp. 50. [3] Bergen, Helen A., and James M. Hogan, Data Security in a fixed-model arithmetic coding compression algorithm, Computers and Security, 11, 1992, pp [4] Bergen, Helen A., and James M. Hogan, A Chosen Plaintext Attack on an Adaptive Arithmetic Coding Compression Algorithm, Computers and Security, 12, 1993, pp [5] Bose, Ranjan and Amitabha Banerjee, Implementing Symmetric Cryptography using Chaos Functions, 7 th International Conference on Advanced Computing and Communications, Roorkee, Dec [6] Cormen, T. H., Leiserson, C. E., and Rivest, R. L., Introduction to Algorithms, MIT Press, Cambridge, [7] Ditto, William, and Toshinori Munakata, Principles and Applications of Chaotic Systems, Comm. of the ACM, Vol. 38, No. 11, November, 1996, pp [8] Fenwick, P. M., A New Data Structure for Cumulative Frequency Tables, Softw. Pract. Exper. 24, 3, March 1994, pp [9] Finnila, C., Combining Data Compression and Encryption, WESCON/94. 'Idea/Microelectronics'. Conference Record, Sept. 1994, pp [10] Howard, Paul G., and J. S. Vitter, Analysis of Arithmetic Coding for Data Compression, Information Processing and Management, Nov. 1992, pp [11] Howard, Paul G., and J. S. Vitter, Practical Implementation of Arithmetic Coding, Image and Text Compression, 1992, pp [12] Kocarev, L., Chaos-based Cryptography: A Brief Overview, Circuits and Systems Magazine, IEEE, Volume: 1 Issue: 3, 2001, pp [13] Kocarev, L.; Jakimoski, G.; Stojanovski, T.; Parlitz, U., From Chaotic Maps to Encryption Schemes, Circuits and Systems, ISCAS '98. Proceedings of the 1998 IEEE International Symposium on, Volume: 4, 31 May-3 June 1998 pp vol.4. [14] May, R. M., Simple Mathematical Models with Very Complicated Dynamics, Nature, Vol. 261, 5560, pp. 459, 467. [15] Moffat, Alistair, Radford M. Neal and Ian H. Witten, Arithmetic Coding Revisited, ACM Transactions on Information Systems, July 1998, pp [16] Moo, P.W.; Wu, X., Resynchronization properties of arithmetic coding, Data Compression Conference, Proceedings. DCC '99, March 1999 pp [17] Rowlands, T., and Rowlands, D., A More Resilient Approach to Chaotic Encryption, ICITA 2002 Conference, [18] Schneier, B., Applied Cryptography, John Wiley & Sons, [19] Witten, I. H., and J. G. Cleary, On the Privacy afforded by Adaptive Text Compression, Computers and Security, 7, (1988), pp [20] Witten, I. H., R. M. Neal and J. G. Cleary, Arithmetic Coding for Data Compression, Commun. of the ACM, Vol. 30, No. 6, June 1987, pp [21] Wong, K. W., A fast chaotic cryptographic scheme with dynamic look-up table, Physics Letters A, Volume 298, Issue 4, 10 June 2002, pp [22] Xiaolin Wu and P. W. Moo, Joint image/video compression and encryption via high-order conditional entropy coding of wavelet coefficients, IEEE International Conference on Multimedia Computing and Systems, 1999, Vol. 2, 7-11, June 1999, pp vol.2. 5