Can we compress the main document contents?

[cyphar]

Compress-then-encrypt is known to be unsafe for interactive sessions such as web browsers since 2012 (thanks to CRIME and BREACH). However, since paperback does not operate as an interactive session system (and we have pretty strong density requirements since we need to fit QR codes on paper), maybe it would be safe to compress the main document contents?

It would be nice to get a cryptographer's opinion on this...

[Z3r0byte]

(CS student, not a cryptographer) In my opinion this seems totally fine. Crime abuses the fact that an attacker can add chosen data to unknown data and use the resulting size of the message to check if the unkown data contains the added part. In the use case of Paperback, this is not possible because to encrypt a document you need to feed Paperback all data (and thus there is no unknown data).

PS I really like the idea of this project, keep up the good work :)