Re: [openpgp] Deprecating compression support

Gregory Maxwell <gmaxwell@gmail.com> Thu, 21 March 2019 00:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/MSgpCuH3mfE5Y9BIYDMDFpDhUFA>

On Wed, Mar 20, 2019 at 8:57 PM Jon Callas
<joncallas=40icloud.com@dmarc.ietf.org> wrote:
> There are a number of attacks on interactive encryption protocols that use differences in different compressed plaintext to learn something about the internal structure of the plaintext. This is obviously bad.
> However, *static* encryption, like OpenPGP, doesn’t have this problem.
> Here’s a challenge I give.
> Create two plaintexts, P and P’ where P’ = compress(P). Pick any compression function and any plaintext. Now, encrypt them both, so we have E_1 = encrypt(P) and E_2 = encrypt(P’). Show that there is an advantage to an attacker for recovering P’ from E_2 over recovering P from E_1.
> I assert that if you can, then your cipher is flawed and you need to replace it. There is nothing magical about compressed plaintext that makes it easier to recover.

We've been here before:

https://mailarchive.ietf.org/arch/msg/openpgp/rG-X9rp2jlbyACoosnbxRXjCeys

I buy the combining encryption with compression being useful
argument... but at the same time, OpenPGP compression is increasingly
far from the state-of-the-widespread-art (e.g. xz) and there probably
isn't much interest in updating it to chase state-of-the-art
compression (and for short human texts, I think recent machine
learning progress looks like it's resulting in significantly higher
amounts of compression -- just no one has productionized that work
yet).
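
The effect that the compression attacks mentioned in the quoted text rely on, as an added example that is not part of the original message: once compression precedes encryption, ciphertext length depends on how redundant the plaintext is. `toy_stream_encrypt` is a hypothetical length-preserving stand-in for a real cipher, and the key, nonce and both sample messages are constructed.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"   # constructed value, not a real key
NONCE = b"constructed-nonce"    # constructed value

def toy_stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hypothetical length-preserving cipher stand-in (SHA-256 counter keystream).
    Applying it twice with the same key and nonce returns the input. Not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def make_samples(size: int = 640):
    """Two constructed plaintexts of identical length: one redundant, one high-entropy."""
    redundant = (b"status=OK;" * (size // 10 + 1))[:size]
    varied, seed = b"", b"constructed-seed"
    while len(varied) < size:
        seed = hashlib.sha256(seed).digest()
        varied += seed
    return redundant, varied[:size]

def ciphertext_len(plaintext: bytes, compress: bool) -> int:
    """Length an observer sees for encrypt(P) or encrypt(compress(P))."""
    body = zlib.compress(plaintext, 9) if compress else plaintext
    return len(toy_stream_encrypt(KEY, NONCE, body))

def observed_lengths():
    """Ciphertext lengths for both samples, with and without compression."""
    redundant, varied = make_samples()
    return {
        "plain": (ciphertext_len(redundant, False), ciphertext_len(varied, False)),
        "compressed": (ciphertext_len(redundant, True), ciphertext_len(varied, True)),
    }

if __name__ == "__main__":
    for mode, (r, v) in observed_lengths().items():
        print(f"{mode:>10}: redundant={r} bytes, varied={v} bytes")
```

Without compression the two ciphertexts are the same size; with it, the redundant message shrinks to a few dozen bytes while the high-entropy one does not shrink at all.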