[Cryptography] Low grade randomness for padding.

Tom Mitchell mitch at niftyegg.com
Tue Feb 9 20:39:32 EST 2021

On Tue, Feb 9, 2021 at 4:00 PM Viktor Dukhovni <cryptography at dukhovni.org>

> On Tue, Feb 09, 2021 at 03:40:21PM -0500, Phillip Hallam-Baker wrote:
> > If I do go with random, is there a cheap way to generate random padding I
> > should be thinking of? I don't need this to be particularly random.
> >
> > One possibility is to put the zeros through GCM with a different key. Seems
> > wasteful though.
> Perhaps something like Strobe:
>     https://strobe.sourceforge.io/papers/strobe-latest.pdf
> might be a decent framework and may provide a natural way to do padding,
> by just sampling the key stream.
> As for padding with zeros or random, I'd go with zeros.  I'd be more
> concerned about subliminal channels in random data than known plaintext
> attacks on AES.

The use of zeros will frame the portion of data that is important.

A PRN generator or data from the hardware RNG if available might obscure
what is and is not payload.

Benchmark a couple options including a block of zeros.

A limited block of RNs can be XORed with a cache line long RN and the
limited block refreshed cache line by cache line in a lazy async way so the
block bits are only used a small N times. Tune N over time.

Some cache hardware will be fine without cache line concerns, benchmark.

          T o m    M i t c h e l l ( o n   N i f t y E g g )
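An added illustration of the two padding choices discussed above (zeros versus keystream-derived bytes); this is example code, not from anyone in the thread. It assumes a constructed 4-byte length-prefix framing so the receiver never has to inspect pad bytes, and uses SHAKE-256 as a stand-in for the sponge keystream Strobe would provide. Because the keystream pad is deterministic under the key, a recipient can recompute it and detect pad bytes that carry anything else, which is the subliminal-channel concern raised in the reply.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # pad the framed message up to a multiple of this many bytes


def padding_bytes(key: bytes, nonce: bytes, n: int, mode: str = "keystream") -> bytes:
    """Return n pad bytes: all zeros, or bytes sampled from a keyed XOF.

    SHAKE-256 over (domain label, key, nonce) stands in for a sponge keystream;
    a separate label keeps this stream distinct from the encryption keystream.
    """
    if mode == "zeros":
        return b"\x00" * n
    if mode == "keystream":
        return hashlib.shake_256(b"pad|" + key + b"|" + nonce).digest(n)
    raise ValueError(f"unknown padding mode: {mode}")


def pad(payload: bytes, key: bytes, nonce: bytes, mode: str = "keystream") -> bytes:
    """Frame the payload with its length, then fill to the block boundary."""
    body = struct.pack(">I", len(payload)) + payload
    n = (-len(body)) % BLOCK
    return body + padding_bytes(key, nonce, n, mode)


def unpad(padded: bytes) -> bytes:
    """Recover the payload from the length prefix; pad contents are ignored."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


def padding_is_verified(padded: bytes, key: bytes, nonce: bytes) -> bool:
    """Recompute the deterministic pad and check that the sender used it.

    A pad filled from an unverifiable random source cannot be checked this way,
    so any bytes smuggled into it would pass unnoticed.
    """
    (length,) = struct.unpack(">I", padded[:4])
    n = len(padded) - 4 - length
    expected = padding_bytes(key, nonce, n, "keystream")
    return hmac.compare_digest(padded[4 + length:], expected)
```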