[Cryptography] Low grade randomness for padding.

Donald Eastlake d3e3e3 at gmail.com
Tue Feb 9 20:22:23 EST 2021

On Tue, Feb 9, 2021 at 4:15 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> The ciphertext uses a more flexible tag-length-value encoding. The basic layout will be:
> <stream id>
> <stream sequence#>
> <resend count>
> <payload>
> <padding>
> The basic idea here being that we simply fill each packet out to the max. But should this be set to all zeros or should this be randomized.
> Zeros: simple, minimizes opportunity for side channel games
> Random: minimizes known plaintext for attacker.
> If I do go with random, is there a cheap way to generate random padding I should be thinking of? I don't need this to be particularly random.

I recommend deterministic padding to avoid a high bandwidth side
channel but not always the same padding to avoid making things easier
for an attacker. I suggest, if there are k bytes of padding, just
repeat the bottom byte of k. So three bytes of padding would be


More information about the cryptography mailing list