[Cryptography] Low grade randomness for padding.

Bill Frantz frantz at pwpconsult.com
Wed Feb 10 10:23:13 EST 2021

On 2/9/21 at 3:40 PM, phill at hallambaker.com (Phillip Hallam-Baker) wrote:

>Zeros: simple, minimizes opportunity for side channel games
>Random: minimizes known plaintext for attacker.
>If I do go with random, is there a cheap way to generate random padding I
>should be thinking of? I don't need this to be particularly random.
>One possibility is to put the zeros through GCM with a different key. Seems
>wasteful though.

I generally agree that zeroes are a good padding, but there is one situation where they might not be the best choice. That is, if the secret needs to be kept for a long time, long enough that an exhaustive search attack on AES becomes feasible, then searching for a key which gives zero (or any other known plaintext) padding makes the attack easier.

The subliminal channel argument is a good one though. Which one 
is the more likely threat?

Cheers - Bill

Bill Frantz        | Art is how we decorate space,
408-348-7900       | music is how we decorate time.
www.pwpconsult.com |          -Jean-Michel Basquiat
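The known-plaintext argument above, worked through as an added example (this is editorial code, not from either poster). It models the exhaustive key search Bill describes: the attacker's only check on a candidate key is "does the decryption end in zero bytes?". With zero padding that filter picks out the true key; with padding taken from AES-CTR keystream under an independent padding key (the "zeros through a different key" idea from the quoted message, minus GCM's tag) the filter accepts nothing, because there is no known plaintext left to test against. Everything here is constructed for the demo: the message, the keys, the nonce, and the key space, which is shrunk to the last two key bytes (65536 candidates) so it runs in a moment.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Constructed demo inputs (not from the thread). The true message key shares its
// first 14 bytes with every candidate, so the search only has to cover 2^16 keys.
var (
	keyPrefix = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13}
	trueTail  = []byte{0xBE, 0xEF}
	padKey    = []byte("pad-key-not-msg!") // 16 bytes, independent of the message key
	padNonce  = []byte("nonce-for-demo00") // 16 bytes, one CTR counter block
	message   = []byte("hello")            // 5 bytes, so 11 bytes of padding
)

// TrueKey returns the 16-byte message key the search is trying to recover.
func TrueKey() []byte {
	return append(append([]byte(nil), keyPrefix...), trueTail...)
}

// padZeros pads the message to one AES block with zero bytes.
func padZeros(msg []byte) []byte {
	out := make([]byte, aes.BlockSize)
	copy(out, msg)
	return out
}

// padKeystream pads with AES-CTR keystream under the independent padding key:
// one AES encryption of the counter block, keystream bytes in the pad positions.
func padKeystream(msg []byte) []byte {
	blk, err := aes.NewCipher(padKey)
	if err != nil {
		panic(err)
	}
	ks := make([]byte, aes.BlockSize)
	blk.Encrypt(ks, padNonce)
	out := make([]byte, aes.BlockSize)
	copy(out, msg)
	copy(out[len(msg):], ks[len(msg):])
	return out
}

// encryptBlock encrypts one padded block under the message key (raw AES is enough here).
func encryptBlock(key, block []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	blk.Encrypt(out, block)
	return out
}

// bruteForce is the attacker: it tries every key keyPrefix||i and keeps those whose
// decryption ends in padLen zero bytes, the only "known plaintext" it has.
func bruteForce(ct []byte, padLen int) [][]byte {
	var hits [][]byte
	cand := make([]byte, aes.BlockSize)
	copy(cand, keyPrefix)
	pt := make([]byte, aes.BlockSize)
	zeros := make([]byte, padLen)
	for i := 0; i < 1<<16; i++ {
		binary.BigEndian.PutUint16(cand[14:], uint16(i))
		blk, _ := aes.NewCipher(cand)
		blk.Decrypt(pt, ct)
		if bytes.Equal(pt[aes.BlockSize-padLen:], zeros) {
			hits = append(hits, append([]byte(nil), cand...))
		}
	}
	return hits
}

// RunSearch encrypts the message under both padding schemes and returns the keys the
// zero-padding filter accepts for each ciphertext.
func RunSearch() (zeroHits, ksHits [][]byte) {
	key := TrueKey()
	padLen := aes.BlockSize - len(message)
	zeroHits = bruteForce(encryptBlock(key, padZeros(message)), padLen)
	ksHits = bruteForce(encryptBlock(key, padKeystream(message)), padLen)
	return zeroHits, ksHits
}

func main() {
	zeroHits, ksHits := RunSearch()
	fmt.Printf("zero padding:      filter accepts %d key(s): %x\n", len(zeroHits), zeroHits)
	fmt.Printf("keystream padding: filter accepts %d key(s)\n", len(ksHits))
}
```

Two design points the demo depends on. The padding key must be independent of the message key: if it were derived from it, each candidate key would also give the attacker a candidate pad to compare against, and the filter would work again. And the receiver must strip the padding by an authenticated length field, never by checking the pad bytes, since with keystream padding there is nothing to check. The real AES-128 key space is of course 2^112 times larger than the one searched here, which is why Bill frames this as a concern for secrets that must survive for a very long time.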
