compression & nulls in cryptosystems

John Denker jsd at
Thu May 31 21:42:57 EDT 2001

I wrote:
> >I always scratch my head when somebody says that XX attack on YY algorithm
> >requires a huge carefully-chosen plaintext, and ends the discussion there,
> >when by adding nulls you can guarantee that no chosen plaintext ever gets
> >processed as such.

In reply, at 02:16 PM 5/31/01 -0400, John Kelsey wrote:

[ a number of lucid and interesting points, leading up to ... ]

>But CBC-mode does the same thing much more cheaply.

Touché!  Good point.

But what if I had asked about a !known!-plaintext attack?

Note the contrast:
  -- Known plaintext + CBC   = equally-well-known plaintext.
  -- Known plaintext + nulls = not-completely-known plaintext

But let me try to answer my own question, by coming from another angle:  It 
seems like adding lots of random nulls is AT BEST equivalent to
  *) First: encoding with random session keys and really small sessions, then
  *) Second: sending those sessions (and their keys) through the 
aforementioned YY algorithm.

This would be an effective way, but hardly the best way, of defeating 
known-plaintext attacks.

What this really comes down to is how often you need to change session keys 
in order to defeat known-plaintext attacks.  There are standard methods for 
changing session keys, and I now see that teaching the compressor to throw 
in random nulls is not an improvement over the standard methods.

So I learned something.  Thanks!

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list