[tahoe-dev] proposal: add padding

Nico Williams nico at cryptonector.com
Thu Jul 18 21:34:06 UTC 2013


On Wed, Jul 17, 2013 at 9:27 PM, Pierre Abbat <phma at bezitopo.org> wrote:
> On Friday, July 12, 2013 16:56:47 Zooko O'Whielacronx wrote:
>> No, no, we rely on the correctness of our encryption to hide all
>> information about the plaintext from an attacker who doesn't know the
>> encryption key. Therefore, the pad bytes are all just zero bytes, and
>> we believe that this pattern gives nothing useful to the cryptanalyst.
>
> Encrypting padding consisting of all zero bytes creates a known-plaintext
> attack. The padding should be the output of a CSPRNG whose seed is determined
> by the contents of the file.

No, because first of all the attacker doesn't know the plaintext (they
can guess at how much padding there is, and then guess that much of
the plaintext), and second because it's not chosen plaintext (not
chosen by the attacker), and third because AES is supposed to leak
nothing much about either the key or the rest of the plaintext of a
given block just because you happen to know some of the plaintext (or
even all).

Nico
--