[Cryptography] Compression before encryption?

grarpamp grarpamp at gmail.com
Mon Jan 12 02:11:29 EST 2015

On Fri, Jan 9, 2015 at 11:42 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Stephan Neuhaus <stephan.neuhaus at zhaw.ch> writes:
>>I have come across the recommendation to "compress before you encrypt", on
>>the grounds that this makes plaintext recognition through frequency analysis
>>much harder.
> This seems to be based on thinking dating back to hand ciphers and mechanical
> cipher machines, for which this was indeed the case.  Any decent cipher today
> has to be resistant not just to known-plaintext but to chosen-plaintext
> attacks, so hiding plaintext patterns doesn't really get you much.  OTOH it
> opens you up to a pile of oracle attacks based on compressability of
> plaintext, so the answer to "should I compress before encrypting?" is no-
> biased, it'll definitely hurt you but it's questionable whether it'll help
> you.

It might seem as a result of this thread, that if you own both endpoints
of the crypted stream, and have validated proper connection to yourself
such as through certs, that sending CTE bulk data isn't going to be
an issue. ex: A lot of people just want to save space/bandwidth for
their own personal backups or distribution... a one way push or pull
not subject to injection/iteration, even in that case if you don't own both.
It would also seem that to be injected, your hash+sign algo is broke, or
the attacker can already see you plaintext beyond the stream, or you're
involved in CSRF or some other three or more way communications ie:
including backend external database inclusions in your primary website
data. Overall, specific instances than general "compression bad."


More information about the cryptography mailing list