[tahoe-dev] proposal: add padding

Daira Hopwood davidsarah at leastauthority.com
Mon Jul 22 23:37:54 UTC 2013


On 18/07/13 22:34, Nico Williams wrote:
> On Wed, Jul 17, 2013 at 9:27 PM, Pierre Abbat <phma at bezitopo.org> wrote:
>> On Friday, July 12, 2013 16:56:47 Zooko O'Whielacronx wrote:
>>> No, no, we rely on the correctness of our encryption to hide all
>>> information about the plaintext from an attacker who doesn't know the
>>> encryption key. Therefore, the pad bytes are all just zero bytes, and
>>> we believe that this pattern gives nothing useful to the cryptanalyst.
>>
>> Encrypting padding consisting of all zero bytes creates a known-plaintext
>> attack. The padding should be the output of a CSPRNG whose seed is determined
>> by the contents of the file.
> 
> No, because first of all the attacker doesn't know the plaintext (they
> can guess at how much padding there is, and then guess that much of
> the plaintext), and second because it's not chosen plaintext (not
> chosen by the attacker), and third because AES is supposed to leak
> nothing much about either the key or the rest of the plaintext of a
> given block just because you happen to know some of the plaintext (or
> even all).

It's CTR mode, so a chosen-plaintext attack provides no advantage over a
known-plaintext attack. (Either gets you the keystream, but does not allow
you to influence the input to the block cipher.)

-- 
Daira Hopwood ⚥

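The CTR-mode point made above, worked through concretely. This is an added example, not Tahoe-LAFS code and not from anyone in the thread; it uses HMAC-SHA256 truncated to one block as a constructed stand-in for the AES call E_k(nonce || counter), and the key, nonce and file contents are constructed sample values. It shows that a known stretch of plaintext (the zero padding) yields exactly that stretch of keystream, that letting the attacker choose the plaintext yields the same keystream and leaves the block-cipher input untouched, and that keystream recovered at one position says nothing about other positions.

```python
import hashlib
import hmac

BLOCK = 16  # keystream block size in bytes, as for AES


def block_cipher_input(nonce: bytes, counter: int) -> bytes:
    # In CTR mode the block cipher only ever sees nonce || counter.
    # The plaintext is not an input, so choosing it cannot steer the cipher.
    return nonce + counter.to_bytes(8, "big")


def prf_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Constructed stand-in for one AES call E_k(nonce || counter):
    # HMAC-SHA256 truncated to one block.  Only the keyed-PRF property
    # matters for the argument; Tahoe-LAFS itself uses AES-CTR.
    mac = hmac.new(key, block_cipher_input(nonce, counter), hashlib.sha256)
    return mac.digest()[:BLOCK]


def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    nblocks = (nbytes + BLOCK - 1) // BLOCK
    return b"".join(prf_block(key, nonce, i) for i in range(nblocks))[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def zero_pad(data: bytes, total: int) -> bytes:
    return data + b"\x00" * (total - len(data))


def keystream_from_known(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    # A known-plaintext stretch yields exactly that stretch of keystream.
    return xor(known_plaintext, ciphertext)


def analyse(key: bytes = bytes(range(32)), nonce: bytes = b"\x00" * 8) -> dict:
    # Constructed sample: a 51-byte "file" zero-padded to 64 bytes (4 blocks).
    secret = b"the secret part of the file that the attacker wants"
    padded_len = 4 * BLOCK
    pad_start = len(secret)
    ct = ctr_encrypt(key, nonce, zero_pad(secret, padded_len))

    # 1. Known plaintext (the zero padding) reveals keystream bytes 51..63.
    ks_pad = keystream_from_known(b"\x00" * (padded_len - pad_start), ct[pad_start:])
    known_pt_reveals_keystream = ks_pad == keystream(key, nonce, padded_len)[pad_start:]

    # 2. Chosen plaintext at the same positions reveals the same keystream;
    #    the block-cipher inputs are nonce||counter in both cases.
    chosen_tail = b"\xff" * (padded_len - pad_start)
    ct_chosen = ctr_encrypt(key, nonce, secret + chosen_tail)
    ks_chosen = keystream_from_known(chosen_tail, ct_chosen[pad_start:])
    chosen_pt_gives_nothing_more = ks_chosen == ks_pad

    # 3. Keystream bytes from the padding region do not decrypt other positions.
    misaligned = xor(ct[: len(ks_pad)], ks_pad)
    keystream_is_position_bound = misaligned != secret[: len(ks_pad)]

    # 4. Caveat: if (key, nonce) is reused for a second file, the recovered
    #    keystream decrypts the same positions of that file.
    other = zero_pad(b"a different file encrypted under the same key and nonce!!", padded_len)
    ct_other = ctr_encrypt(key, nonce, other)
    nonce_reuse_leaks = xor(ct_other[pad_start:], ks_pad) == other[pad_start:]

    return {
        "known_pt_reveals_keystream": known_pt_reveals_keystream,
        "chosen_pt_gives_nothing_more": chosen_pt_gives_nothing_more,
        "keystream_is_position_bound": keystream_is_position_bound,
        "nonce_reuse_leaks": nonce_reuse_leaks,
    }


if __name__ == "__main__":
    for name, ok in analyse().items():
        print(f"{name}: {ok}")
```

The first three checks are the message's argument: known and chosen plaintext both hand over the keystream for the positions they cover, and neither lets the attacker touch what the block cipher is fed, so zero padding is no worse than random padding under a secure cipher. The fourth check is the standard CTR caveat that a practitioner should keep in mind: the keystream recovered from the padding is harmless only as long as the same (key, nonce) pair is never used to encrypt anything else.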