IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



>> Perhaps.  As a cryptographer I'm strictly a dilettante, but even I
>> know that the lower the entropy of the plaintext, the easier it is
>> to attack an encryption algorithm.
> Lossless compression does not alter the amount of entropy in a
> message.

True, but it does alter the entropy density (entropy per encryption
block, per byte, per whatever), and that's what results in the effect I
mentioned.

> Therefore deterministic use/non-use of compression ought to have no
> impact on known-plaintext attacks.

This isn't quite what I understand "known-plaintext" to refer to.  This
is partial and statistical knowledge of the plaintext, whereas
known-plaintext as I understand the term refers to complete knowledge.
Known-plaintext in the sense I understand it, you're right: if you know
the input bits, it doesn't matter whether they come directly from the
protocol engine or from a compression engine.  (Some particular sets of
cleartext bits may make some attacks easier than others, but then we're
heading towards the realm of chosen plaintext.)  But in the partial
sense we have here, it does matter: in the extreme, consider, say, a
block cipher with block size 64, and consider feeding it a stream of 64
uint32s each of which is 0 or 1, versus feeding it a single blob of 64
bits carrying the same information.  In the former case, if you think
maybe you know the key, it's fairly easy to check reliably, even
knowing nothing about the data bits; in the latter, it's theoretically
impossible to tell whether you have the right key if you don't know
anything about the cleartext.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
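The "64 uint32s each 0 or 1" versus "one 64-bit blob" thought experiment from the message above, carried out on a real 64-bit block cipher so the difference in key-confirmation can be counted. This is an added example, not code from the original thread or from the SSH working group. It assumes XTEA as the 64-bit block cipher (the message names none), shrinks the key space to 14 bits (a toy assumption, so that exhaustive search finishes in a few seconds), and uses a constructed 64-bit pattern and a constructed secret key. For each candidate key it decrypts the ciphertext and keeps the key only if every decrypted block is consistent with what the attacker knows about the cleartext: "every word is 0 or 1" for the word stream, and nothing at all for the blob.

```python
"""
Same 64 bits of information, encrypted once as 64 separate uint32 words
(each 0 or 1) and once as a single 64-bit block, then an exhaustive key
search that keeps every candidate key consistent with the attacker's
partial knowledge of the plaintext.

Added example; XTEA and the 14-bit toy key space are assumptions.
"""

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32
KEY_BITS = 14            # toy key space: 2**14 candidate keys (assumption)


def _expand(k):
    """Derive XTEA's four 32-bit key words from a small toy key (assumption)."""
    k &= MASK32
    return [k, k ^ 0x5A5A5A5A, k ^ 0xA5A5A5A5, k ^ 0xFFFF0000]


def xtea_encrypt_block(v0, v1, key):
    """Standard XTEA encryption of one 64-bit block given as two uint32s."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0, v1, key):
    """Standard XTEA decryption, the inverse of xtea_encrypt_block."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return v0, v1


def encrypt_blocks(blocks, k):
    """ECB-encrypt a list of (uint32, uint32) blocks under toy key k."""
    key = _expand(k)
    return [xtea_encrypt_block(a, b, key) for a, b in blocks]


def keys_consistent_with(ciphertext, plausible):
    """
    Exhaustive search over the toy key space.  Returns every candidate key
    under which *every* decrypted block satisfies `plausible`, i.e. every key
    the attacker cannot rule out given only partial knowledge of the cleartext.
    """
    survivors = []
    for k in range(1 << KEY_BITS):
        key = _expand(k)
        if all(plausible(*xtea_decrypt_block(a, b, key)) for a, b in ciphertext):
            survivors.append(k)
    return survivors


# 64 bits of information, constructed for this example.
BITS = [(0x9D3A5F2B6C81E407 >> i) & 1 for i in range(64)]

# Encoding 1: 64 uint32 words, each 0 or 1 -> 32 cipher blocks of two words each.
WORDS_AS_BLOCKS = [(BITS[i], BITS[i + 1]) for i in range(0, 64, 2)]

# Encoding 2: the same 64 bits packed into one 64-bit block.
_packed = sum(b << i for i, b in enumerate(BITS))
BLOB_AS_BLOCK = [(_packed & MASK32, _packed >> 32)]

SECRET_KEY = 0x2A5C                     # constructed; fits in KEY_BITS


def run_experiment(secret=SECRET_KEY):
    """Return (keys surviving for the word stream, keys surviving for the blob)."""
    ct_words = encrypt_blocks(WORDS_AS_BLOCKS, secret)
    ct_blob = encrypt_blocks(BLOB_AS_BLOCK, secret)
    # Word stream: the attacker knows only that every uint32 is 0 or 1.
    by_words = keys_consistent_with(ct_words, lambda a, b: a <= 1 and b <= 1)
    # Blob: the attacker knows nothing about the 64 bits, so any value is plausible.
    by_blob = keys_consistent_with(ct_blob, lambda a, b: True)
    return by_words, by_blob


if __name__ == "__main__":
    words, blob = run_experiment()
    print("word stream: %d of %d keys consistent: %s" % (len(words), 1 << KEY_BITS, words))
    print("single blob: %d of %d keys consistent" % (len(blob), 1 << KEY_BITS))
```

With the word stream, only the true key survives the check (a wrong key turns each block into an effectively random 64-bit value, and the chance that both halves of it are 0 or 1 is 4 in 2^64 per block); with the blob, every key in the space survives, because with no knowledge of the cleartext there is nothing to check a candidate decryption against. Shrinking the key space is only what makes the search finish; the ratio of surviving keys is the point, and it does not depend on the key size.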


