[cryptography] Isn't it odd that...

Nico Williams nico at cryptonector.com
Tue Jan 29 23:39:15 EST 2013

On Tue, Jan 29, 2013 at 9:40 PM, Thor Lancelot Simon <tls at panix.com> wrote:
> ...despite all the attacks we've seen on compression-before-encryption, and all the timing
> attacks we've seen on encryption, [...]
> ..we haven't really seen any known-plaintext key recovery attacks facilitated by timing
> analysis of compressors applied prior to encryption?

Yup!  It is.  But as you reason, compression must leak some data
through timing (and power) side channels.

BTW, it's not compression before encryption that's the problem -as if
we could compress after encryption instead :)- but compression without
discrimination, often because compression occurs at layers that don't
know what to compress.  Compression in SSH, TLS, IPsec -- all bad.
Compression at the app layer can be OK.  Sending compressed image
files is fine, say, but compressing everything is not.

FYI, in the HTTPbis WG they are considering using forms of stateful
compression (hop-by-hop) for HTTP/2.0 so that things that repeat
frequently in HTTP traffic can be compressed safely, like cookies and
URL prefixes.
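
An added illustration of the point about compression without discrimination (not part of the original message): it compares the on-the-wire size of a record when a secret header shares one compression context with other data against the size when only the non-secret body is compressed. The header and body values and the function names are constructed, and the cipher is assumed to preserve length, so the compressed length stands in for the ciphertext length.

```python
import zlib

# Constructed sample values; none of them come from the original message.
SECRET_A = "Cookie: session=5f2c9a71d04be83699c1a7e2b4d0f3aa\r\n"
SECRET_B = "Cookie: session=e1b87340a6c25d9f0b7a4c18d3926f5e\r\n"
# Body supplied by another party; it happens to repeat SECRET_A's value.
BODY = "note=session=5f2c9a71d04be83699c1a7e2b4d0f3aa&lang=en\r\n"


def wire_len_layer_compression(secret_header: str, body: str) -> int:
    """Transport-layer style: one compression context over the whole record."""
    return len(zlib.compress((secret_header + body).encode()))


def wire_len_selective(secret_header: str, body: str) -> int:
    """App-layer style: the secret header is sent as-is, only the body is compressed."""
    return len(secret_header.encode()) + len(zlib.compress(body.encode()))


def length_gap(wire_len) -> int:
    """Size difference visible on the wire when only the secret changes."""
    return wire_len(SECRET_B, BODY) - wire_len(SECRET_A, BODY)


if __name__ == "__main__":
    # Non-zero: the record size depends on whether the body repeats the secret.
    print("whole-record compression gap:", length_gap(wire_len_layer_compression))
    # Zero: the secret never enters the compressor, so the size is independent of it.
    print("selective compression gap:   ", length_gap(wire_len_selective))
```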


