[Cryptography] Low grade randomness for padding.
Tom Mitchell
mitch at niftyegg.com
Tue Feb 9 20:39:32 EST 2021
On Tue, Feb 9, 2021 at 4:00 PM Viktor Dukhovni <cryptography at dukhovni.org>
wrote:
> On Tue, Feb 09, 2021 at 03:40:21PM -0500, Phillip Hallam-Baker wrote:
>
> > If I do go with random, is there a cheap way to generate random padding I
> > should be thinking of? I don't need this to be particularly random.
> >
> > One possibility is to put the zeros through GCM with a different key.
> > Seems wasteful though.
>
> Perhaps something like Strobe:
>
> https://strobe.sourceforge.io/papers/strobe-latest.pdf
>
> might be a decent framework and may provide a natural way to do padding,
> by just sampling the key stream.
>
> As for padding with zeros or random, I'd go with zeros. I'd be more
> concerned about subliminal channels in random data than known plaintext
> attacks on AES.
>
The use of zeros will frame the portion of data that is important.
A PRN generator or data from the hardware RNG if available might obscure
what is and is not payload.
Benchmark a couple options including a block of zeros.
A limited block of RNs can be XORed with a cache-line-long RN, and the
limited block refreshed cache line by cache line in a lazy, async way, so the
initial block bits are only used a small N times. Tune N over time.
Some cache hardware will be fine without cache line concerns, benchmark.
--
T o m M i t c h e l l ( o n N i f t y E g g )
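As an added illustration (not code from the post or from any participant in the thread), here are the options the message suggests benchmarking, written in Python: a zero block, padding drawn straight from the OS RNG, and a sketch of the pool-XOR scheme described above, where a small pool of random lines is XORed with one fresh cache-line-long random value and pool lines are refreshed lazily after N uses. The 64-byte cache line, the 16-line pool and N = 8 are assumptions chosen for illustration; the `CountingRNG` wrapper is constructed only to measure how many RNG bytes the pool scheme consumes.

```python
# Added example (not from the post): three padding generators and a small
# benchmark harness. Cache-line size, pool size and the refresh count N are
# assumptions chosen for illustration, not values from the thread.
import os
import time

CACHE_LINE = 64    # assumed cache-line length in bytes
POOL_LINES = 16    # assumed pool size: 16 lines = 1 KiB of stored randomness
MAX_USES = 8       # assumed N: a pool line is replaced after N uses


def zero_padding(n: int) -> bytes:
    """Baseline: n zero bytes. Cheapest, but the padding clearly frames the payload."""
    return bytes(n)


def urandom_padding(n: int) -> bytes:
    """Reference: every padding byte drawn from the OS RNG."""
    return os.urandom(n)


class CountingRNG:
    """os.urandom wrapper that records how many bytes were drawn (constructed
    here only to measure RNG consumption)."""

    def __init__(self) -> None:
        self.bytes_drawn = 0

    def __call__(self, n: int) -> bytes:
        self.bytes_drawn += n
        return os.urandom(n)


class PoolPadder:
    """Sketch of the scheme from the post: a pool of random lines is XORed with
    one fresh cache-line of randomness per pass over the pool; each pool line is
    refreshed lazily, one line inspected per pass, once it has been used N times."""

    def __init__(self, rng=os.urandom, pool_lines: int = POOL_LINES,
                 max_uses: int = MAX_USES) -> None:
        self._rng = rng
        self._pool = [rng(CACHE_LINE) for _ in range(pool_lines)]
        self._uses = [0] * pool_lines
        self._max_uses = max_uses
        self._cursor = 0  # next pool line to inspect for refresh

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

    def padding(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            mask = self._rng(CACHE_LINE)  # 64 fresh bytes stretched over the whole pool
            for i, line in enumerate(self._pool):
                out += self._xor(line, mask)
                self._uses[i] += 1
                if len(out) >= n:
                    break
            self._refresh_lazily()
        return bytes(out[:n])

    def _refresh_lazily(self) -> None:
        # Inspect one line per pass; replace it only if it is worn out.
        i = self._cursor
        self._cursor = (i + 1) % len(self._pool)
        if self._uses[i] >= self._max_uses:
            self._pool[i] = self._rng(CACHE_LINE)
            self._uses[i] = 0


def rng_bytes_for(n: int) -> int:
    """RNG bytes a fresh PoolPadder consumes to produce n bytes of padding,
    including the initial pool fill."""
    rng = CountingRNG()
    PoolPadder(rng=rng).padding(n)
    return rng.bytes_drawn


def benchmark(fn, n: int = 4096, rounds: int = 2000) -> float:
    """Mean seconds per call of fn(n)."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        fn(n)
    return (time.perf_counter() - t0) / rounds


if __name__ == "__main__":
    pool = PoolPadder()
    for name, fn in (("zeros", zero_padding), ("urandom", urandom_padding),
                     ("pool-xor", pool.padding)):
        print(f"{name:9s} {benchmark(fn) * 1e6:8.1f} us per 4 KiB")
    print("RNG bytes for 4 KiB via pool-xor:", rng_bytes_for(4096),
          "vs 4096 for urandom")
```

Running the module prints per-call timings; the absolute numbers depend on the interpreter and the platform RNG, which is exactly why the post says to benchmark rather than guess. One property of this pool-XOR shape worth knowing before adopting it: within a single pass, two output lines XOR to the XOR of the corresponding pool lines, a value that stays fixed until one of those lines is refreshed, so the output is cheaper than the OS RNG but not indistinguishable from it. That is harmless if the padding only ever exists inside the AEAD envelope, and a problem if it is ever visible outside it.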