[Cryptography] Summary: compression before encryption

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Jan 17 22:27:49 EST 2015


ianG <iang at iang.org> writes:

>It occurs to me that what we need, and I may be talking out my posterior here,
>is keyed compression.

This doesn't work.  I looked at this in the early 1990s, the problem is that
any decent compressor adapts to the characteristics of the source that it's
processing, so you rapidly lose any unpredictability caused by the keying.
What I played with was creating a synthetic source based on a user-supplied
key and feeding that to the compressor so that the source model it built was
key-dependent.  Since the compressor adapts rapidly to changes in source
characteristics, after seeing data from the real rather than synthetic source
it had discarded all the synthetic-source information and was only using the
real source characteristics.  You can inject noise back into the source to
avoid this, but all you're doing there is screwing up the compression
performance.

In order to compress well, the compressor has to track the source as precisely
as possible.  What keyed compression does is mess up this capability, so that
the better the keying is, the worse the compression gets, until your ultimate
keyed compression is incompressible.  Redde Caesari quae sunt Caesaris, do
your compression with your compressor and your encryption with your encryptor,
don't try and mix the two.

Peter.
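
The adaptation effect described in the message above, as an added example that is not part of the original post and is not Gutmann's code. It assumes a simple order-0 adaptive frequency model with count halving as a stand-in for a real compressor; the SHAKE-256 key derivation, the parameters, the key names and the sample text are all constructed for illustration.

```python
import hashlib
import math

ALPHA = b"abcdefghijklmnopqrstuvwxyz "
LIMIT = 1024       # rescale threshold (constructed parameter)
PRIMER_LEN = 512   # bytes of synthetic source fed before the real data

class AdaptiveModel:
    """Order-0 adaptive frequency model with count halving (assumed stand-in)."""
    def __init__(self):
        self.counts = [1.0] * 256
        self.total = 256.0

    def cost(self, sym):
        # Ideal code length in bits an arithmetic coder would spend on sym.
        return -math.log2(self.counts[sym] / self.total)

    def update(self, sym):
        self.counts[sym] += 1.0
        self.total += 1.0
        if self.total > LIMIT:  # age old statistics so the model tracks the source
            self.counts = [c / 2 for c in self.counts]
            self.total /= 2

def synthetic_source(key):
    """Key-dependent skewed source: 8 favoured letters picked via SHAKE-256(key)."""
    d = hashlib.shake_256(key).digest(8 + PRIMER_LEN)
    fav = [ALPHA[b % len(ALPHA)] for b in d[:8]]
    return bytes(fav[b & 7] for b in d[8:])

def keyed_model(key):
    """Build a model whose initial state depends on the key."""
    m = AdaptiveModel()
    for s in synthetic_source(key):
        m.update(s)
    return m

def keying_gap(key_a, key_b, data, window=88):
    """Mean |cost_a - cost_b| in bits/symbol over the first and last window."""
    a, b = keyed_model(key_a), keyed_model(key_b)
    gaps = []
    for s in data:
        gaps.append(abs(a.cost(s) - b.cost(s)))
        a.update(s)
        b.update(s)
    return sum(gaps[:window]) / window, sum(gaps[-window:]) / window

# Constructed sample "real source": a repeated pangram.
REAL = b"the quick brown fox jumps over the lazy dog " * 400

if __name__ == "__main__":
    early, late = keying_gap(b"key-one", b"key-two", REAL)
    print(f"first symbols: {early:.3f} bits/symbol, last symbols: {late:.2e}")
```

The first value is the per-symbol difference between the two keyed models while the synthetic source still dominates; the second shows that the models have become effectively identical once they have adapted to the real data.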

