[Cryptography] Low grade randomness for padding.

Donald Eastlake d3e3e3 at gmail.com
Tue Feb 9 20:22:23 EST 2021


On Tue, Feb 9, 2021 at 4:15 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
...
> The ciphertext uses a more flexible tag-length-value encoding. The basic layout will be:
>
> <stream id>
> <stream sequence#>
> <resend count>
> <payload>
> <padding>
>
> The basic idea here being that we simply fill each packet out to the max. But should this be set to all zeros or should this be randomized?
>
> Zeros: simple, minimizes opportunity for side channel games
> Random: minimizes known plaintext for attacker.
>
> If I do go with random, is there a cheap way to generate random padding I should be thinking of? I don't need this to be particularly random.

I recommend deterministic padding to avoid a high bandwidth side
channel but not always the same padding to avoid making things easier
for an attacker. I suggest, if there are k bytes of padding, just
repeat the bottom byte of k. So three bytes of padding would be
0x030303.

Thanks,
Donald
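
The padding rule suggested in the reply above, as an added example that is not part of the original message: k bytes of padding, each equal to the bottom byte of k, plus a receiver-side check that rejects any packet whose padding differs from the expected bytes. The function names, the 64-byte packet size, and the assumption that the receiver already knows the body length from the tag-length-value fields are illustrative and do not come from the thread.

```python
import hmac

# Constructed value: the thread only says each packet is filled "out to the max".
PACKET_SIZE = 64


def make_padding(k: int) -> bytes:
    """Return k bytes of padding, each equal to the bottom byte of k."""
    if k < 0:
        raise ValueError("negative padding length")
    return bytes([k & 0xFF]) * k


def pad_packet(body: bytes, size: int = PACKET_SIZE) -> bytes:
    """Fill body (header fields plus payload) out to exactly `size` bytes."""
    if len(body) > size:
        raise ValueError("body larger than packet")
    return body + make_padding(size - len(body))


def check_padding(packet: bytes, body_len: int, size: int = PACKET_SIZE) -> bytes:
    """Return the body if the padding is exactly the expected bytes.

    body_len is assumed to come from the TLV length fields after
    decryption. Because the padding is fully determined by its length,
    any deviation means the bytes were altered or used to carry data,
    so the packet is rejected.
    """
    if len(packet) != size or not 0 <= body_len <= size:
        raise ValueError("bad packet or body length")
    expected = make_padding(size - body_len)
    # Compare without an early exit on the first mismatching byte.
    if not hmac.compare_digest(packet[body_len:], expected):
        raise ValueError("padding does not match deterministic pattern")
    return packet[:body_len]


if __name__ == "__main__":
    print(make_padding(3).hex())            # the 0x030303 case from the reply
    pkt = pad_packet(b"constructed body")   # sample input, constructed
    print(len(pkt), check_padding(pkt, 16))
```

For k above 255 the byte value wraps (258 bytes of padding are all 0x02), so the padding byte alone does not give the receiver the length; the check relies on the separately encoded body length.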

