[Cryptography] Low grade randomness for padding.

Jerry Leichter leichter at lrw.com
Tue Feb 9 17:02:08 EST 2021


> The ciphertext uses a more flexible tag-length-value encoding. The basic layout will be:
> 
> <stream id>
> <stream sequence#>
> <resend count>
> <payload>
> <padding>
> 
> The basic idea here being that we simply fill each packet out to the max. But should this be set to all zeros or should this be randomized?
> 
> Zeros: simple, minimizes opportunity for side channel games
> Random: minimizes known plaintext for attacker.
> 
> If I do go with random, is there a cheap way to generate random padding I should be thinking of? I don't need this to be particularly random. 
> 
> One possibility is to put the zeros through GCM with a different key. Seems wasteful though.

Well ... any acceptable cipher today is supposed to be proof against known plaintext attacks.  But a belt and suspenders approach certainly can't hurt I suppose (though if you add any kind of random padding you're opening up things like subliminal channels, which might or might not be relevant here).

Since the goal is simply to make it hard for an attacker to know what's in these bytes, you don't need any real degree of randomness - just enough unpredictability that an attacker wouldn't gain any advantage by trying a "probable plaintext" attack using the known-plaintext assumed weakness.  I'd suggest generating a single key-size random value and then just repeating it through the filler.  Guessing the filler is as hard as guessing the key.  If your cipher/mode is weak against repeated patterns you have other problems....

                                                        -- Jerry
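
As an added illustration, not code from the thread or from either poster, here is a Python sketch of the padded plaintext layout the original question describes: the five fields as tag-length-value elements, filled out to a fixed packet size, with both fillers side by side: the all-zeros option and the reply's "one key-size random value, repeated through the filler" option. The tag numbers, the 128-byte packet size, the 32-byte random value, and the fixed-width integer encodings are assumptions made for the example. It stops at the plaintext; encrypting the packet is outside its scope.

```python
import secrets
import struct

# Constructed constants for this example; the original thread fixes none of them.
MAX_PACKET = 128   # every packet is filled out to this size
KEY_SIZE = 32      # size of the single random value repeated through the filler

# Tag values are assumptions; the post only names the five fields.
TAG_STREAM_ID, TAG_SEQ, TAG_RESEND, TAG_PAYLOAD, TAG_PADDING = 1, 2, 3, 4, 5
TLV_HEADER = struct.Struct(">BH")   # 1-byte tag, 2-byte big-endian length


def zero_filler(n: int) -> bytes:
    """The 'zeros' option: content-independent, no RNG involved, nothing to leak."""
    return bytes(n)


def repeated_random_filler(n: int, rng=secrets.token_bytes) -> bytes:
    """The option suggested in the reply: one key-size random value, repeated
    through the filler.  One RNG call per packet; guessing the filler means
    guessing KEY_SIZE random bytes.  `rng` is injectable so it can be tested."""
    if n <= 0:
        return b""
    seed = rng(KEY_SIZE)
    reps = -(-n // KEY_SIZE)          # ceiling division: enough copies to cover n
    return (seed * reps)[:n]


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one tag-length-value element."""
    if len(value) > 0xFFFF:
        raise ValueError("value does not fit a 2-byte length")
    return TLV_HEADER.pack(tag, len(value)) + value


def encode_packet(stream_id: int, seq: int, resend: int, payload: bytes,
                  filler=repeated_random_filler) -> bytes:
    """Build the plaintext packet and fill it out to MAX_PACKET with a padding TLV.
    This is the layout before encryption; the cipher/mode is out of scope here."""
    body = (tlv(TAG_STREAM_ID, struct.pack(">I", stream_id))
            + tlv(TAG_SEQ, struct.pack(">I", seq))
            + tlv(TAG_RESEND, struct.pack(">H", resend))
            + tlv(TAG_PAYLOAD, payload))
    room = MAX_PACKET - len(body) - TLV_HEADER.size   # bytes left for the padding value
    if room < 0:
        raise ValueError(f"payload of {len(payload)} bytes does not fit in {MAX_PACKET}")
    packet = body + tlv(TAG_PADDING, filler(room))
    assert len(packet) == MAX_PACKET
    return packet


def decode_packet(packet: bytes) -> dict:
    """Walk the TLVs, rejecting truncated or duplicated elements, and return the
    fields.  The padding value is returned so a receiver discards it explicitly."""
    if len(packet) != MAX_PACKET:
        raise ValueError("packet is not filled out to MAX_PACKET")
    fields = {}
    pos = 0
    while pos < len(packet):
        if len(packet) - pos < TLV_HEADER.size:
            raise ValueError("truncated TLV header")
        tag, length = TLV_HEADER.unpack_from(packet, pos)
        pos += TLV_HEADER.size
        value = packet[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if tag in fields:
            raise ValueError(f"duplicate tag {tag}")
        fields[tag] = value
        pos += length
    try:
        return {
            "stream_id": struct.unpack(">I", fields[TAG_STREAM_ID])[0],
            "seq": struct.unpack(">I", fields[TAG_SEQ])[0],
            "resend": struct.unpack(">H", fields[TAG_RESEND])[0],
            "payload": fields[TAG_PAYLOAD],
            "padding": fields.get(TAG_PADDING, b""),
        }
    except (KeyError, struct.error) as e:
        raise ValueError(f"missing or malformed field: {e!r}") from None


if __name__ == "__main__":
    for name, f in (("zeros", zero_filler), ("repeated random", repeated_random_filler)):
        pkt = encode_packet(7, 42, 0, b"hello", filler=f)
        print(name, len(pkt), decode_packet(pkt)["padding"][:8].hex())
```

The filler is passed in as a function, and its RNG is injectable, for the reason the reply gives: random padding is exactly where a subliminal channel would sit, so the code that produces the filler is the piece to pin down and review, and a receiver should drop the padding field rather than interpret it.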

