[Cryptography] Low grade randomness for padding.

Jon Callas jon at callas.org
Tue Feb 9 17:22:06 EST 2021


> 
> Zeros: simple, minimizes opportunity for side channel games
> Random: minimizes known plaintext for attacker.
> 
> If I do go with random, is there a cheap way to generate random padding I should be thinking of? I don't need this to be particularly random. 
> 
> One possibility is to put the zeros through GCM with a different key. Seems wasteful though.

I would do zeros. It minimizes all sorts of issues, starting with side channels, going through covert channels etc. (remember when people stressed out over DSA covert channels?) as well as other things like the inevitable subtle error of the random stuff being interpreted and not being able to actually test the bizarre behavior after the fact.

If you wanted a quick way to do random numbers, run AES in counter mode or something like it, or iterate your favorite hash function.

However, zeros are also a form of low grade randomness, and minimize all sorts of issues, as stated above.

	Jon
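The following sketch is an added example, not part of either poster's message: it pads a record either with zeros or with filler made by iterating SHA-256, and shows that the receiver can verify zero padding with no shared state, while hash filler can only be checked by someone holding the seed. The frame layout (4-byte length prefix), the function names and the `seed` parameter are assumptions made for the illustration; padding is applied before encryption and checked after decryption.

```python
import hashlib
import hmac
from typing import Optional

def hash_pad(seed: bytes, n: int) -> bytes:
    """Return n filler bytes by iterating SHA-256: H(seed), H(H(seed)), ..."""
    # Any 32-byte output block predicts the rest of the chain, so this is
    # filler only and must never be reused as key material.
    out, state = bytearray(), seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])

def pad(msg: bytes, total: int, seed: Optional[bytes] = None) -> bytes:
    """Frame (assumed layout): 4-byte big-endian length || msg || filler."""
    if len(msg) + 4 > total:
        raise ValueError("message does not fit in frame")
    n = total - 4 - len(msg)
    # seed=None selects zero padding; otherwise filler comes from the hash chain.
    filler = bytes(n) if seed is None else hash_pad(seed, n)
    return len(msg).to_bytes(4, "big") + msg + filler

def unpad(frame: bytes, seed: Optional[bytes] = None) -> bytes:
    """Recover msg and reject any filler the sender should not have produced."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    n = int.from_bytes(frame[:4], "big")
    if n > len(frame) - 4:
        raise ValueError("length field exceeds frame")
    msg, filler = frame[4:4 + n], frame[4 + n:]
    # Zeros are checkable by anyone; hash filler only by a holder of the seed.
    # Filler that cannot be checked is where a covert channel can hide.
    expected = bytes(len(filler)) if seed is None else hash_pad(seed, len(filler))
    if not hmac.compare_digest(filler, expected):
        raise ValueError("unexpected padding contents")
    return msg
```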


