Re: Plaintext inference

Aaron J. Ferguson writes:
> Wow! This is an interesting comment (see below). Until now, I was unaware that
> there were ways to infer the length of plaintext from the length of ciphertext.
> It is my understanding that the initialization and/or synchronization vector
> used in encryption would mitigate the potential for plaintext length inference.
> Can you
> give me some examples of algorithms that do this because this has me really
> curious.

The most commonly used ciphers like DES, Blowfish, IDEA and the new
AES all are block ciphers with a relatively small block size of 64 bits
for the first three and 128 bits for AES.  This means that they encrypt
data a block at a time.  Generally the plaintext will be padded up to
be a multiple of the block size, then encrypted.  This will make the
ciphertext be the size of the plaintext, rounded up to the next multiple
of 64 or 128 bits.

Other ciphers, like RC4, are stream ciphers, which don't do any padding
at all.  The ciphertext size in bytes will be the same as the plaintext
size.  The encryption program PGP uses block ciphers in a mode called
cipher feedback (CFB) which makes them work something like stream ciphers
in this regard.  In CFB mode the output will be the same number of bytes
as the input.

The initialize vector (IV) for block ciphers is the size of the encryption
block (64 or 128 bits).  If this is stored with the ciphertext it adds a
fixed, known size to that data which does not hide the plaintext size.
For stream ciphers the IV or synchronization vector may be larger,
but it is typically of known size in that case as well.

Hope this helps -

Hal Finney
PGP Security

Received on Monday, 13 November 2000 11:57:11 UTC