compression & nulls in cryptosystems
John Denker
jsd at research.att.com
Thu May 31 21:42:57 EDT 2001
I wrote:
> >I always scratch my head when somebody says that XX attack on YY algorithm
> >requires a huge carefully-chosen plaintext, and ends the discussion there,
> >when by adding nulls you can guarantee that no chosen plaintext ever gets
> >processed as such.
In reply, at 02:16 PM 5/31/01 -0400, John Kelsey wrote:
[ a number of lucid and interesting points, leading up to ... ]
>But CBC-mode does the same thing much more cheaply.
Touché! Good point.
But what if I had asked about a !known!-plaintext attack?
Note the contrast:
-- Known plaintext + CBC = equally-well-known plaintext.
-- Known plaintext + nulls = not-completely-known plaintext
But let me try to answer my own question, by coming from another angle: It
seems like adding lots of random nulls is AT BEST equivalent to
*) First: encoding with random session keys and really small sessions, then
*) Second: sending those sessions (and their keys) through the
aforementioned YY algorithm.
This would be an effective way, but hardly the best way, of defeating
known-plaintext attacks.
What this really comes down to is how often you need to change session keys
in order to defeat known-plaintext attacks. There are standard methods for
changing session keys, and I now see that teaching the compressor to throw
in random nulls is not an improvement over the standard methods.
So I learned something. Thanks!
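Added example, not part of the original message: a sketch of the contrast drawn above between chosen and known plaintext under CBC. The 4-round Feistel cipher built on SHA-256 is a constructed toy standing in for "YY algorithm", and all function names are hypothetical.

```python
import hashlib
import os

BLOCK = 8  # toy 64-bit block size (assumption for the demo)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network; a constructed stand-in for algorithm YY."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, blocks):
    """Return (ciphertext blocks, the inputs the block cipher actually saw)."""
    prev, out, seen = iv, [], []
    for p in blocks:
        x = xor(p, prev)          # CBC chaining: cipher input is P_i xor C_{i-1}
        seen.append(x)
        prev = toy_encrypt_block(key, x)
        out.append(prev)
    return out, seen

def observer_pairs(iv: bytes, known_plain, cipher):
    """Derive (cipher input, cipher output) pairs without the key,
    from the IV, the known plaintext and the ciphertext alone."""
    prevs = [iv] + cipher[:-1]
    return [(xor(p, c_prev), c) for p, c_prev, c in zip(known_plain, prevs, cipher)]

def demo(key=None, iv=None):
    key = key or os.urandom(16)
    iv = iv or os.urandom(BLOCK)
    chosen = [b"\x00" * BLOCK] * 4   # constructed "carefully chosen" plaintext
    cipher, seen = cbc_encrypt(key, iv, chosen)
    return key, chosen, seen, observer_pairs(iv, chosen, cipher)

if __name__ == "__main__":
    key, chosen, seen, pairs = demo()
    print("cipher saw the chosen blocks:", seen == chosen)
    print("observer recovered exact cipher inputs:", [x for x, _ in pairs] == seen)
```

The chosen blocks never reach the cipher as chosen, because each is XORed with a value fixed only at encryption time, yet anyone who knows the plaintext can still compute every exact input/output pair of the underlying cipher.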