[Cryptography] Low grade randomness for padding.

Christian Huitema huitema at huitema.net
Tue Feb 9 20:44:46 EST 2021


On 2/9/2021 2:29 PM, Viktor Dukhovni wrote:

> On Tue, Feb 09, 2021 at 03:40:21PM -0500, Phillip Hallam-Baker wrote:
>
>> If I do go with random, is there a cheap way to generate random padding I
>> should be thinking of? I don't need this to be particularly random.
>>
>> One possibility is to put the zeros through GCM with a different key. Seems
>> wasteful though.
> Perhaps something like Strobe:
>
>      https://strobe.sourceforge.io/papers/strobe-latest.pdf
>
> might be a decent framework and may provide a natural way to do padding,
> by just sampling the key stream.
>
> As for padding with zeros or random, I'd go with zeros.  I'd be more
> concerned about subliminal channels in random data than known plaintext
> attacks on AES.

That's pretty much the reason why QUIC uses zeros for padding. 
Otherwise, you are opening the gates for creative use of padding, and 
you can be pretty sure that you will not like the final result.

-- Christian Huitema
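The distinction drawn above, as an added example that is not from the list or from QUIC's own implementation: a constructed frame format (2-byte length prefix, payload, padding to a 32-byte multiple, all assumed here) whose receiver can reject any non-zero padding byte, whereas with random padding the receiver has nothing it can check.

```python
import os
import struct

# Constructed frame layout (not any real protocol's):
#   2-byte big-endian payload length || payload || padding
# Every frame is padded up to a multiple of BLOCK bytes.
BLOCK = 32


def pad_frame(payload: bytes, random_padding: bool = False) -> bytes:
    """Build a frame padded with zeros (default) or with random bytes."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for 2-byte length")
    body = struct.pack(">H", len(payload)) + payload
    pad_len = (-len(body)) % BLOCK
    padding = os.urandom(pad_len) if random_padding else bytes(pad_len)
    return body + padding


def unpad_frame(frame: bytes, enforce_zero: bool = True) -> bytes:
    """Recover the payload from a frame.

    With enforce_zero, any non-zero padding byte is a protocol violation
    (the rule that makes zero padding checkable). Without it, the padding
    is simply skipped and whatever it contains passes through unchecked.
    """
    if len(frame) < 2 or len(frame) % BLOCK:
        raise ValueError("malformed frame")
    (n,) = struct.unpack(">H", frame[:2])
    if 2 + n > len(frame):
        raise ValueError("length exceeds frame")
    padding = frame[2 + n:]
    if enforce_zero and any(padding):
        raise ValueError("non-zero padding")
    return frame[2:2 + n]


def padding_is_checkable(frame: bytes) -> bool:
    """True when the receiver can verify the padding (all zeros)."""
    try:
        unpad_frame(frame, enforce_zero=True)
        return True
    except ValueError:
        return False
```

A receiver that enforces zero padding rejects any frame whose padding carries data; a receiver that accepts random padding cannot tell honest random bytes from anything else placed there.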


