[Cryptography] Low grade randomness for padding.

Viktor Dukhovni cryptography at dukhovni.org
Tue Feb 9 17:29:43 EST 2021

On Tue, Feb 09, 2021 at 03:40:21PM -0500, Phillip Hallam-Baker wrote:

> If I do go with random, is there a cheap way to generate random padding I
> should be thinking of? I don't need this to be particularly random.
> One possibility is to put the zeros through GCM with a different key. Seems
> wasteful though.

Perhaps something like Strobe:


might be a decent framework and may provide a natural way to do padding,
by just sampling the key stream.

As for padding with zeros or random, I'd go with zeros.  I'd be more
concerned about subliminal channels in random data than known plaintext
attacks on AES.
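An added example, not part of the original message and not Strobe's API: it pads a plaintext to a fixed bucket before encryption, using either zeros or bytes sampled from a keyed stream, and has the receiver recompute and check the filler so that it cannot carry hidden data. The 64-byte bucket, the 4-byte length prefix, the function names and the use of SHAKE256 as a stand-in keystream are all assumptions made for illustration.

```python
import hashlib
import hmac

BUCKET = 64  # assumed bucket size: padded plaintexts are a multiple of this


def _pad_len(msg_len: int) -> int:
    # Bytes needed to round (4-byte length prefix + message) up to a bucket.
    return -(4 + msg_len) % BUCKET


def _stream(pad_key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (SHAKE256, not Strobe). The key length is prefixed
    # so that key||nonce cannot be split ambiguously.
    seed = len(pad_key).to_bytes(1, "big") + pad_key + nonce
    return hashlib.shake_256(seed).digest(n)


def _filler(mode: str, pad_key: bytes, nonce: bytes, n: int) -> bytes:
    if mode == "zero":
        return bytes(n)
    if mode == "stream":
        return _stream(pad_key, nonce, n)
    raise ValueError("unknown padding mode")


def pad(msg: bytes, mode: str, pad_key: bytes = b"", nonce: bytes = b"") -> bytes:
    n = _pad_len(len(msg))
    return len(msg).to_bytes(4, "big") + msg + _filler(mode, pad_key, nonce, n)


def unpad(block: bytes, mode: str, pad_key: bytes = b"", nonce: bytes = b"") -> bytes:
    if len(block) < 4 or len(block) % BUCKET:
        raise ValueError("bad padded length")
    msg_len = int.from_bytes(block[:4], "big")
    pad_n = len(block) - 4 - msg_len
    if pad_n < 0 or pad_n >= BUCKET:
        raise ValueError("bad length prefix")
    msg, filler = block[4:4 + msg_len], block[4 + msg_len:]
    # Both modes are deterministic, so the receiver can recompute the filler
    # and reject anything else. Truly random filler cannot be checked this way.
    expected = _filler(mode, pad_key, nonce, pad_n)
    if not hmac.compare_digest(filler, expected):
        raise ValueError("padding is not the expected value")
    return msg
```

The padded block is what would then be handed to the AEAD; the check in `unpad` runs on the decrypted plaintext.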

