plain text size prediction

nano toster

7/5/24, 3:19 PM

In your opinion, is the correlation between the length of the ciphertext and the decrypted text (even if it is approximate) a cipher vulnerability? Or is there a solution to this problem outside of it? After all, if the attacker knows the approximate size of the message, he has some information about what type of information the victim transmitted.

2 + 0

cryptanalysis

protocol-design

Score:1

Crypto

Paul Uszak

7/5/24, 9:48 PM

Yes, there is a solution to this problem.

You simply transmit all of the time. Perfect if you have an unlimited ADSL/FTTP contract. You transmit dummy noise in the off periods, and send real messages as needed. Just set and stick to a transmission rate. Computational indistinguishability means that the man can't tell the difference between good pseudo random cipher gibberish and one time padded messages. It's a traffic analysis countermeasure.

I imagine this has spiked ECHELON. They know where I live.

+ 3

Paul Uszak

7/5/24, 9:50 PM

Oh, and hi......!

fgrieu

7/6/24, 6:34 AM

Good point. The proposed solution works well for communication across a fiber or other dedicated link, though with increased energy consumption. For almost everything else (networks, radio), there's the issue of occupancy of the medium. Tough problem.

Paul Uszak

7/6/24, 11:41 PM

@fgrieu-onstrike Isn't the major concern of traffic analysis that we preserve the illusion of communications normality? So the baud rate isn't important whilst it remains constant. So 1 kbs (out of 20 Mbs ADSL up) is fine unless you're sending 8K UHD porn films which isn't the best use of this protocol. 0.005% occupancy. Hi GCHQ...

Score:1

Crypto

poncho

7/5/24, 3:28 PM

In your opinion, is the correlation between the length of the ciphertext and the decrypted text (even if it is approximate) a cipher vulnerability? Or is there a solution to this problem outside of it?

It may be a weakness; however the solution is often too expensive to use, so we often live with this weakness.

The obvious way to address this is to pad all ciphertexts to a fixed length. Now, if we want to be able to encrypt 1 Megabyte random plaintexts, then obviously the ciphertext must be at least 1 Megabyte. Now, if we pad all ciphertexts to 1 Megabyte, that means that even a 1 byte plaintext encrypts to that 1 Megabyte.

This solution works; however in practice, it is often considered too costly (what "costly" means in this case depends on how we store or transport the ciphertext). What we can do which isn't nearly as costly is reduce the amount of size information the adversary gets (rather than eliminate it entirely). For example, if we always pad the ciphertext to the next multiple of 256 [1], then the adversary is able to deduce the approximate size of the plaintext, but not the exact value. This still leaks some information, but not as much (and is far cheaper to implement).

[1]: Alternatively, add a small random amount of padding.

+ 1

nano toster

7/5/24, 3:33 PM

well, that's pretty much what I was thinking, thanks for your opinion!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: plain text size prediction

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.