[Cryptography] Low grade randomness for padding.
mitch at niftyegg.com
Tue Feb 9 20:39:32 EST 2021
On Tue, Feb 9, 2021 at 4:00 PM Viktor Dukhovni <cryptography at dukhovni.org>
> On Tue, Feb 09, 2021 at 03:40:21PM -0500, Phillip Hallam-Baker wrote:
> > If I do go with random, is there a cheap way to generate random padding I
> > should be thinking of? I don't need this to be particularly random.
> > One possibility is to put the zeros through GCM with a different key.
> > wasteful though.
> Perhaps something like Strobe:
> might be a decent framework and may provide a natural way to do padding,
> by just sampling the key stream.
> As for padding with zeros or random, I'd go with zeros. I'd be more
> concerned about subliminal channels in random data than known plaintext
> attacks on AES.
The use of zeros will frame the portion of data that is important.
A PRN generator or data from the hardware RNG if available might obscure
what is and is not payload.
Benchmark a couple options including a block of zeros.
A limited block of RNs can be XORed with a cache line long RN and the
limited block refreshed cache line by cache line in a lazy async way so the
block bits are only used a small N times. Tune N over time.
Some cache hardware will be fine without cache line concerns, benchmark.
Tom Mitchell (on NiftyEgg)
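As an added illustration, not code from the thread, here is a Python sketch of the pool-plus-mask scheme described in the post above: a pool of random bytes is XORed with a cache-line-sized mask, and the mask plus one pool line is refreshed lazily once the pool has been consumed N times. The 64-byte line size, pool size and N are assumed values, and os.urandom stands in for the hardware RNG.

```python
import os


class LazyPaddingPool:
    """Hypothetical implementation of the pool-plus-mask padding scheme:
    pool bytes are only ever emitted XORed with a mask, and the mask (plus
    one line of the pool) is replaced after the pool has been used
    max_uses times, so each pool byte is reused under a given mask a
    bounded number of times."""

    LINE = 64  # assumed cache-line size in bytes

    def __init__(self, pool_size=4096, max_uses=8, rng=os.urandom):
        if pool_size < self.LINE or pool_size % self.LINE:
            raise ValueError("pool_size must be a positive multiple of LINE")
        self.rng = rng            # source of the (expensive) random bytes
        self.max_uses = max_uses  # N: full passes over the pool per mask
        self.pool = bytearray(rng(pool_size))
        self.mask = rng(self.LINE)
        self.pos = 0              # next pool byte to emit
        self.budget = pool_size * max_uses  # bytes left before a refresh
        self.refreshes = 0

    def _refresh(self):
        """Draw a new mask and replace one pool line; this is cheap compared
        with regenerating the whole pool, which is the point of the scheme."""
        self.mask = self.rng(self.LINE)
        line = self.refreshes % (len(self.pool) // self.LINE)
        self.pool[line * self.LINE:(line + 1) * self.LINE] = self.rng(self.LINE)
        self.refreshes += 1
        self.budget = len(self.pool) * self.max_uses

    def padding(self, n):
        """Return n bytes of low-grade padding."""
        out = bytearray(n)
        for i in range(n):
            if self.budget == 0:
                self._refresh()
            out[i] = self.pool[self.pos] ^ self.mask[self.pos % self.LINE]
            self.pos = (self.pos + 1) % len(self.pool)
            self.budget -= 1
        return bytes(out)
```

The output is only meant to look unstructured, as the post says; it is not a CSPRNG and is unsuitable for keys, nonces or anything else that must be unpredictable.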