[Cryptography] Is there a good algorithm providing both compression and encryption at the same time?

Bill Frantz frantz at pwpconsult.com
Fri May 8 17:23:33 EDT 2015

On 5/7/15 at 5:15 PM, bear at sonic.net (Ray Dillinger) wrote:

>There is absolutely nothing wrong with the "compress then
>encrypt" construction. As folks have pointed out, you must
>never rely on imperfect compression to SERVE AS encryption,
>but encrypting compressed text using a good encryption
>primitive is not worse at hiding its contents than
>encrypting uncompressed text using the same good encryption
>We usually accept the opponent knowing approximately how long
>a message is because the encrypted message is that long plus
>the length of a known-length IV and rounded up to a block
>boundary.  So I'm not concerned that message length information
>may be only as well hidden as it is with any kind of encryption.

We do have the well known attacks when the attacker can insert 
data to be compressed in the stream. In this case, the attacker 
can infer the presence of sequences the compressor compresses if 
the compressor is adaptive, i.e. changes its compression 
dictionary based on the data to be compressed. (N.B. most 
general purpose compressors are adaptive.)

These attacks have been sufficient to recover security cookies 
from web traffic in repeated, iterated attacks.

Probably compression is safe if each source of data is 
compressed separately.

Cheers - Bill

Bill Frantz        | Re: Hardware Management Modes: | Periwinkle
(408)356-8506      | If there's a mode, there's a   | 16345 
Englewood Ave
www.pwpconsult.com | failure mode. - Jerry Leichter | Los Gatos, 
CA 95032

More information about the cryptography mailing list