No. Without a message authentication code (MAC) or signature, your ciphertext is insecure. The compression function is not expected to offer any resistance to modification. There is no proof or argument that you cannot "jump in and modify bits".
I don't really see a practical use case for one-time pads. You have to assume that you can securely deliver the pad to someone in advance of any other communications. Then someone may force you to exhaust your pad bits by corrupting or dropping messages in transit.

Regardless, you could use a one-time MAC on the ciphertext. Here are some lecture notes on the topic: http://cs.nyu.edu/~dodis/randomness-in-crypto/lecture1.pdf

For each message, you will need to uniformly sample a pairwise-independent hash function to compute an authentication tag. That hash function will either limit the max size of your message to the domain of the function, or you will need to use a message digest function and uniformly map its output into the domain of the hash. If the whole premise of using one-time pads is "I don't trust NIST-approved crypto primitives", then you will need to find a non-standard message digest that people will trust to use. Good luck with that.

On Wed, Jul 31, 2013 at 10:08 AM, Karl Fogel <[email protected]> wrote:
> In practice, they'd have to know all or most of the plaintext, I think?
> Because under compression, the later parts of the (compressed) plaintext
> depend on earlier parts -- it's not like you can just jump in and modify
> bits in the middle of a compression stream.
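The two points made in this message, that a bare one-time pad is malleable and that a one-time MAC built from a pairwise-independent hash fixes that at the cost of a bounded message domain, as an added worked example (not code from the email or the linked lecture notes). It uses the textbook pairwise-independent family h_{a,b}(m) = (a*m + b) mod p with a fresh uniform (a, b) per message; the prime, the 15-byte domain cap and the function names are this example's own choices.

```python
import secrets

# Modulus for the hash family: the Mersenne prime 2**127 - 1 (assumption of this example).
P = (1 << 127) - 1
# Domain limit: any 15-byte message encodes to an integer < 2**120 < P, so it is
# a valid input; longer messages fall outside the family's domain and are rejected.
MAX_LEN = 15


def otp_xor(pad: bytes, data: bytes) -> bytes:
    """One-time pad encryption and decryption are the same XOR; each pad byte is used once."""
    if len(data) > len(pad):
        raise ValueError("pad exhausted")
    return bytes(p ^ d for p, d in zip(pad, data))


def mac_keygen() -> tuple[int, int]:
    """Uniformly sample one member (a, b) of the pairwise-independent family; use it for ONE message."""
    return secrets.randbelow(P), secrets.randbelow(P)


def mac_tag(key: tuple[int, int], data: bytes) -> int:
    """Tag = (a * m + b) mod P, where m is the message interpreted as a big-endian integer."""
    if len(data) > MAX_LEN:
        raise ValueError("message exceeds the hash domain")
    a, b = key
    return (a * int.from_bytes(data, "big") + b) % P


def mac_verify(key: tuple[int, int], data: bytes, tag: int) -> bool:
    """Recompute the tag and compare in constant time (16-byte encoding fits since P < 2**128)."""
    if len(data) > MAX_LEN:
        return False
    expected = mac_tag(key, data).to_bytes(16, "big")
    return secrets.compare_digest(expected, (tag % (1 << 128)).to_bytes(16, "big"))


def demo() -> dict:
    """Encrypt a constructed message, MAC the ciphertext, then flip one ciphertext bit in transit."""
    msg = b"attack at dawn"                      # constructed sample plaintext
    pad = secrets.token_bytes(len(msg))          # fresh pad bytes for this message
    key = mac_keygen()                           # fresh one-time MAC key for this message
    ct = otp_xor(pad, msg)
    tag = mac_tag(key, ct)
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]     # a single-bit modification of the ciphertext
    # Without the MAC, the pad decrypts the modified ciphertext to a silently altered plaintext;
    # with it, verification fails except with probability 1/P.
    return {"msg": msg, "tampered_pt": otp_xor(pad, flipped),
            "honest_ok": mac_verify(key, ct, tag), "flipped_ok": mac_verify(key, flipped, tag)}
```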
