Compression and Information Leakage of Plaintext
Cryptosystems like AES and triple-DES are designed to encrypt a sequence of input bytes (the plaintext) into a sequence of output bytes (the ciphertext) in such a way that the output carries no information about that plaintext except its length. In recent years, concerns have been raised about “side-channel” attacks on various cryptosystems—attacks that make use of some kind of leaked information about the cryptographic operations (e.g., power consumption or timing) to defeat them. In this paper, we describe a somewhat different kind of side-channel provided by data compression algorithms, yielding information about their inputs by the size of their outputs. The existence of some information about a compressor’s input in the size of its output is obvious; here, we discuss ways to use this apparently very small leak of information in surprisingly powerful ways.
Keywords: Compression Ratio, Compression Algorithm, Side Channel, Stream Cipher, Information Leakage
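The leak described in the abstract can be measured directly. The following is an added example, not code from the paper: it compresses equal-length plaintexts before a length-preserving cipher, records the ciphertext lengths a passive observer would see, and shows that padding to a fixed bucket collapses them. The SHA-256 counter-mode keystream is a stand-in cipher, and the key, sample inputs and 512-byte bucket are constructed for the illustration.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in length-preserving stream cipher (SHA-256 in counter mode).
    Illustration only: it models a ciphertext that reveals nothing but length."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def pad_to_bucket(data: bytes, bucket: int) -> bytes:
    """Length-prefix the data and zero-pad to the next multiple of `bucket`."""
    framed = len(data).to_bytes(4, "big") + data
    return framed + b"\x00" * (-len(framed) % bucket)

def seal(key, plaintext, compress=True, bucket=None):
    """Optionally compress, optionally pad, then encrypt."""
    body = zlib.compress(plaintext) if compress else plaintext
    if bucket:
        body = pad_to_bucket(body, bucket)
    return keystream_xor(key, body)

def open_sealed(key, ciphertext, compress=True, bucket=None):
    """Inverse of seal(): decrypt, strip padding, decompress."""
    body = keystream_xor(key, ciphertext)
    if bucket:
        n = int.from_bytes(body[:4], "big")
        body = body[4:4 + n]
    return zlib.decompress(body) if compress else body

def observed_lengths(messages, **opts):
    """What a passive observer learns: ciphertext lengths only."""
    key = b"constructed demo key"
    return [len(seal(key, m, **opts)) for m in messages]

# Constructed sample inputs, all exactly 256 bytes long.
SAMPLES = [
    b"A" * 256,                                        # maximally redundant
    (b"user=alice;role=admin;" * 12)[:256],            # repetitive structure
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)),  # random-looking
]
```

Without compression the three ciphertexts have one common length; with compression they have three different lengths; with the bucket they are all 512 bytes. Bucket padding only hides differences below the bucket size, so inputs whose compressed sizes fall in different buckets remain distinguishable.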