[Cryptography] Low grade randomness for padding.
Bill Frantz
frantz at pwpconsult.com
Wed Feb 10 10:23:13 EST 2021
On 2/9/21 at 3:40 PM, phill at hallambaker.com (Phillip
Hallam-Baker) wrote:
>Zeros: simple, minimizes opportunity for side channel games
>Random: minimizes known plaintext for attacker.
>
>If I do go with random, is there a cheap way to generate random padding I
>should be thinking of? I don't need this to be particularly random.
>
>One possibility is to put the zeros through GCM with a different key. Seems
>wasteful though.
I generally agree that zeroes are a good padding, but there is
one situation where they might not be the best choice. That is,
if the secret needs to be kept for a long time, long enough that
an exhaustive search attack on AES becomes feasible, then
searching for a key which gives zero (or any other known
plaintext) padding makes the attack easier.
The subliminal channel argument is a good one though. Which one
is the more likely threat?
Cheers - Bill
----------------------------------------------------
Bill Frantz | Art is how we decorate space,
408-348-7900 | music is how we decorate time.
www.pwpconsult.com | -Jean-Michel Basquiat
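As an added illustration (not code from the thread), a Python sketch of the three padding choices under discussion: zeros, fresh random bytes, and padding expanded from a separate padding key, with HMAC-SHA256 in counter mode standing in for the "zeros through GCM with a different key" idea. The derived variant has no fixed known plaintext in the last block, yet the receiver can recompute it, which is what closes the subliminal channel; the message length is assumed to be carried separately.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes


def pad_len(msg_len: int, block: int = BLOCK) -> int:
    """Bytes needed to bring msg_len up to a multiple of the block size."""
    return (-msg_len) % block


def zero_padding(n: int) -> bytes:
    """Option 1: all-zero padding (known plaintext in the final block)."""
    return bytes(n)


def random_padding(n: int) -> bytes:
    """Option 2: fresh random padding; the receiver cannot check it,
    so the sender can hide data in it."""
    return os.urandom(n)


def keyed_padding(pad_key: bytes, nonce: bytes, n: int) -> bytes:
    """Option 3: padding expanded from a separate pad_key and the message nonce.

    HMAC-SHA256 in counter mode is the PRF here (assumed, not from the thread);
    the output looks random to anyone without pad_key but is reproducible.
    """
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(pad_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def pad(msg: bytes, pad_key: bytes, nonce: bytes) -> bytes:
    """Sender side: append keyed padding up to the block boundary."""
    return msg + keyed_padding(pad_key, nonce, pad_len(len(msg)))


def padding_is_honest(padded: bytes, msg_len: int,
                      pad_key: bytes, nonce: bytes) -> bool:
    """Receiver side: the padding must equal the recomputed PRF output,
    so any bytes smuggled into it are detected."""
    expected = keyed_padding(pad_key, nonce, len(padded) - msg_len)
    return hmac.compare_digest(padded[msg_len:], expected)
```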