ietf-openpgp

Re: [openpgp] Disabling compression in OpenPGP

2014-03-19 12:19:42
On Wed, Mar 19, 2014 at 5:43 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:


In general, I see two patterns:
- Compression incidentally thwarts some attacks
- Compression fundamentally breaks privacy by leaking plaintext entropy
(see the Wikimedia Foundation case for a quite convincing example)


In general, compression does the opposite of your second bullet. It
*protects* privacy by taking things that are typically not pseudo-random
(what you're calling entropic) -- e.g. text -- into something that is
highly pseudo-random.


Just to clarify, I was talking in terms of the length side-channel entailed
by compression. If the attacker knows the uncompressed plaintext length,
and can measure the compressed ciphertext length, then some information
about the uncompressed plaintext content is leaked.

It may not be common, but it seems to me that this attacker model is well
within the scope of OpenPGP.



In specific cases, *flaws* in this conversion when combined with an
interactive protocol can lead to an attack that is, in general, not
applicable to a non-interactive protocol with large amounts of compressed
data.

But in general, this benefits the defender, as the attacker has no idea
what the *actual* plaintext is (the compressed data) unless they know what the
base plaintext is, and small inaccuracies in the attacker's guess lead to
large differences.

Of course, I could be wrong. I offered an outline for research where you
could come up with some results that would be impressive. Why not do some
work on it?

        Jon
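
The length side-channel described in the reply above, as an added example that is not part of the original thread: three constructed plaintexts of the same known length are compressed with DEFLATE and the resulting ciphertext lengths are compared. Encryption is modelled as length-preserving plus a constant; the record size, overhead constant, candidate names and contents are all assumptions made for illustration.

```python
import hashlib
import zlib

RECORD_LEN = 512   # assumption: fixed-size records, so the plaintext length is public
OVERHEAD = 22      # constructed constant standing in for packet framing

def make_record(body: bytes) -> bytes:
    """Truncate or space-pad body to the fixed record length."""
    return body[:RECORD_LEN].ljust(RECORD_LEN, b" ")

def low_redundancy_text(seed: bytes) -> bytes:
    """Deterministic hex text that DEFLATE can shrink only modestly."""
    out, block = b"", seed
    while len(out) < RECORD_LEN:
        block = hashlib.sha256(block).digest()
        out += block.hex().encode()
    return out

def observed_length(plaintext: bytes, compress: bool) -> int:
    """Ciphertext length an observer sees (length-preserving cipher model)."""
    data = zlib.compress(plaintext, 6) if compress else plaintext
    return len(data) + OVERHEAD

def consistent_candidates(candidates: dict, seen: int, compress: bool) -> list:
    """Names of candidate plaintexts whose ciphertext would have length `seen`."""
    return [name for name, pt in candidates.items()
            if observed_length(pt, compress) == seen]

# Constructed sample plaintexts, all exactly RECORD_LEN bytes long.
CANDIDATES = {
    "all-clear": make_record(b"status=ok;" * 60),
    "mixed": make_record(b"status=ok;" * 25 + low_redundancy_text(b"constructed-1")),
    "detailed": make_record(low_redundancy_text(b"constructed-2")),
}

def leak_report(sent: str) -> dict:
    """Which candidates remain plausible, with and without compression."""
    pt = CANDIDATES[sent]
    return {
        "compressed": consistent_candidates(CANDIDATES, observed_length(pt, True), True),
        "stored": consistent_candidates(CANDIDATES, observed_length(pt, False), False),
    }

if __name__ == "__main__":
    for name in CANDIDATES:
        print(name, observed_length(CANDIDATES[name], True), leak_report(name))
```

With compression, the ciphertext length alone narrows the candidates to the one that was sent; with the data stored uncompressed, all three remain equally plausible.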


