Compress before encrypting? (Was Re: NSA Helped Yeltsin...)

Jay Prime Positive jpp at jpplap.markv.com
Mon May 30 07:17:05 PDT 1994


   From: Martin Janzen <janzen at idacom.hp.com>
   Date: Fri, 27 May 94 14:43:02 MDT

   Most compression programs add a characteristic signature to the beginning
   of the compressed output file.  If a cryptanalyst guesses that you may
   be compressing before encrypting, wouldn't this make his job easier?
   To me, this sounds as though you're adding a known bit of "plaintext" to
   the start of each message.

  In short, you are right, compression algorithms often _do_ include a
magic number at the beginning.

  However, compression algorithms intended for cryptographic
applications don't have to include a magic number.  This is especially
true if the crypto system is never used without the compression
algorithm.

  And if magic numbers are unavoidable, then they can be put at the
end, and the system run in CFB or CBC modes.  Alternatively, a random
block can be prepended to the plaintext, and then XORed with each of
the following plaintext blocks (thus creating a guaranteed flat
distribution for the first bytes of the plain text).

  Finally, the state of the art in cryptanalysis (as far as I know)
suggests that modern crypto systems aren't as vulnerable to known
plaintext as past systems.  The best attacks I know of (differential
and linear cryptanalysis) require massive (about 2^30 blocks for DES)
amounts of known, or chosen, plaintext -- though minuscule relative to
the key size (2^56 again for DES).

j'
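
The random-block masking described in the message above, as an added example that is not part of the original post. It covers only the step before encryption; the 8-byte block size, the use of zlib as the compressor, and all function names are assumptions made for illustration.

```python
import os
import zlib

BLOCK = 8  # bytes; DES block size, the cipher the post uses as its example

def whiten(plaintext: bytes, block_size: int = BLOCK) -> bytes:
    """Prepend a random block R and XOR R into every following block."""
    r = os.urandom(block_size)
    masked = bytes(b ^ r[i % block_size] for i, b in enumerate(plaintext))
    return r + masked

def unwhiten(data: bytes, block_size: int = BLOCK) -> bytes:
    """Read R back from the first block and remove the mask."""
    if len(data) < block_size:
        raise ValueError("input is shorter than one block")
    r, masked = data[:block_size], data[block_size:]
    return bytes(b ^ r[i % block_size] for i, b in enumerate(masked))

def roundtrip(message: bytes) -> bytes:
    """compress -> whiten -> (cipher would go here) -> unwhiten -> decompress"""
    return zlib.decompress(unwhiten(whiten(zlib.compress(message))))

def leading_bytes(messages, n: int = 2):
    """Distinct n-byte prefixes of the cipher input, without and with masking."""
    raw, masked = set(), set()
    for m in messages:
        c = zlib.compress(m)
        raw.add(c[:n])                           # compressor's fixed header
        masked.add(whiten(c)[BLOCK:BLOCK + n])   # same bytes after masking, R skipped
    return raw, masked

# Constructed sample messages.
SAMPLES = [f"constructed message number {i}".encode() for i in range(200)]

if __name__ == "__main__":
    raw, masked = leading_bytes(SAMPLES)
    print("zlib prefixes without masking:", {p.hex() for p in raw})
    print("distinct prefixes with masking:", len(masked))
    assert roundtrip(SAMPLES[0]) == SAMPLES[0]
```

The masked output still has to be encrypted: R is only unknown to an observer because it travels inside the ciphertext.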





