Possible security weaknesses incurred by compression before encryption

gnupg+Steven.Murdoch at cl.cam.ac.uk
Tue Feb 25 13:02:02 CET 2003


It is commonly thought that compressing data before encrypting it is a good
idea since it increases the unicity distance; however, a paper by John Kelsey
presented at FSE 2002 shows that in the vast majority of circumstances
compression adds no security and that in some circumstances it substantially
decreases security.

The paper is online at:
http://link.springer.de/link/service/series/0558/bibs/2365/23650263.htm

I cannot see any obvious ways in which this attack can be used against GnuPG
in the general case, however has there been any discussion about the
repercussions of this paper since there may be cases where the attacks against
a system using GnuPG are feasible?

In particular, cases where the size of the original data, before compression,
can be found or estimated lead to many of the weaknesses - is there any way of
doing this for a general GnuPG message? Of course there will be some
applications where this information can be obtained without GnuPG divulging
it, and some attacks do not require this information.

Also, this attack is particularly powerful in situations where an attacker can
append/prepend arbitrary plaintext to a secret. While not feasible in the
general case, this could be a valid attack in some circumstances.

Maybe it would be a good idea to make people aware of the potential problems
in encrypting, or perhaps even change the default mode of GnuPG to not
compress. Also it might be worthwhile to consider some of the defenses
suggested for inclusion in GnuPG and/or a future OpenPGP standard.

Thank you,
Steven Murdoch.
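The append/prepend case above can be measured directly: with a length-preserving cipher, whatever the compressor produces is the length an observer of the ciphertext sees. The following is an added illustration, not code from this post or from GnuPG; it uses zlib on constructed values and compares the observable length under compression, compression followed by padding to a hypothetical 64-byte quantum, and no compression at all.

```python
import zlib

# Constructed example values; nothing here comes from a real system.
SECRET = "Authorization: Bearer 7f3a9c2e5b1d"   # the part that must stay confidential
PAD_QUANTUM = 64                               # hypothetical padding granularity


def ciphertext_length(secret: str, chosen: str, mode: str = "compress") -> int:
    """Length of what gets encrypted when `chosen` text is appended to `secret`.

    A length-preserving cipher (stream cipher, CFB as in OpenPGP) makes the
    ciphertext exactly as long as the (possibly compressed) plaintext, so this
    is what an eavesdropper can observe.
    mode: "none"         - no compression, length depends only on input size
          "compress"     - zlib level 9
          "compress+pad" - zlib, then round up to a multiple of PAD_QUANTUM
    """
    data = (secret + chosen).encode()
    if mode == "none":
        return len(data)
    packed = zlib.compress(data, 9)
    if mode == "compress":
        return len(packed)
    if mode == "compress+pad":
        # Ceiling division: coarse padding hides small differences but does
        # not remove them when two sizes straddle a quantum boundary.
        return -(-len(packed) // PAD_QUANTUM) * PAD_QUANTUM
    raise ValueError(f"unknown mode {mode!r}")


def length_leaks(secret: str, a: str, b: str, mode: str = "compress") -> bool:
    """True if two equal-length chosen texts yield different observable lengths.

    When this is True, the observable length depends on how much the chosen
    text overlaps the secret, which is exactly what the attacks discussed
    in the Kelsey paper rely on.
    """
    assert len(a) == len(b), "compare chosen texts of equal length"
    return ciphertext_length(secret, a, mode) != ciphertext_length(secret, b, mode)


if __name__ == "__main__":
    overlapping = "Authorization: Bearer 7f3a"   # long overlap with SECRET
    unrelated = "Authorization: Bearer zzzz"     # same length, shorter overlap
    for mode in ("compress", "compress+pad", "none"):
        sizes = (ciphertext_length(SECRET, overlapping, mode),
                 ciphertext_length(SECRET, unrelated, mode))
        print(f"{mode:13s} sizes={sizes} "
              f"leaks={length_leaks(SECRET, overlapping, unrelated, mode)}")
```

Only the "none" mode removes the dependency entirely, which is the effect of the no-compression default suggested above; padding merely coarsens what the length reveals.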


More information about the Gnupg-devel mailing list