[tahoe-dev] proposal: add padding
Daira Hopwood
davidsarah at leastauthority.com
Thu Jul 18 19:06:28 UTC 2013
On 18/07/13 03:27, Pierre Abbat wrote:
> On Friday, July 12, 2013 16:56:47 Zooko O'Whielacronx wrote:
>> No, no, we rely on the correctness of our encryption to hide all
>> information about the plaintext from an attacker who doesn't know the
>> encryption key. Therefore, the pad bytes are all just zero bytes, and
>> we believe that this pattern gives nothing useful to the cryptanalyst.
>
> Encrypting padding consisting of all zero bytes creates a known-plaintext
> attack. The padding should be the output of a CSPRNG whose seed is determined
> by the contents of the file.
If, for the sake of argument, we're worried about known-plaintext attacks
against AES-CTR mode, a solution would be to use XSalsa+AES for all encryption
(https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1164). It wouldn't be necessary
to complicate the padding mechanism if we added padding.
--
Daira Hopwood ⚥
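To make the two padding variants under discussion concrete, here is an added Python sketch (not code from the thread or from Tahoe-LAFS). It uses SHA-256 in counter mode as a stand-in for both the CSPRNG and the AES-CTR keystream; the 64-byte padding granularity, the seed label and the sample file are constructed for the demo.

```python
import hashlib

BLOCK = 64  # constructed padding granularity for the demo, not Tahoe's actual value


def pad_len(size: int, block: int = BLOCK) -> int:
    """Bytes needed to round `size` up to the next multiple of `block`."""
    return (-size) % block


def zero_padding(data: bytes) -> bytes:
    """Zooko's variant from the thread: the pad bytes are all zero."""
    return bytes(pad_len(len(data)))


def prf_stream(seed: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; used below both as the CSPRNG and as a stand-in
    for the AES-CTR keystream so the example runs on the standard library alone."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def content_derived_padding(data: bytes) -> bytes:
    """Pierre's variant: CSPRNG output seeded from the file contents, so the pad is
    deterministic per file but unknown to anyone who does not hold the file."""
    return prf_stream(hashlib.sha256(b"pad-seed" + data).digest(), pad_len(len(data)))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy CTR mode: plaintext XOR PRF keystream (stand-in for AES-CTR)."""
    ks = prf_stream(key + nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def keystream_exposed(key: bytes, nonce: bytes, data: bytes, padding: bytes) -> int:
    """Count keystream bytes an observer learns by XORing the ciphertext of the pad
    region with the pad value they assume (all zero). With zero padding every pad
    byte yields a correct keystream byte; with content-derived padding the guess fails."""
    ct = ctr_encrypt(key, nonce, data + padding)
    ks = prf_stream(key + nonce, len(ct))
    guessed = bytes(len(padding))  # observer assumes the pad is all zeros
    recovered = bytes(c ^ g for c, g in zip(ct[len(data):], guessed))
    return sum(r == k for r, k in zip(recovered, ks[len(data):]))


if __name__ == "__main__":
    data, key, nonce = b"hello tahoe", b"k" * 16, b"n" * 8  # constructed sample values
    print("zero pad, keystream bytes exposed:", keystream_exposed(key, nonce, data, zero_padding(data)))
    print("content-derived pad, exposed:", keystream_exposed(key, nonce, data, content_derived_padding(data)))
```

Under a secure keystream the exposed bytes say nothing about the file's own positions unless the same key and nonce are reused, which is why the thread frames this as a question about the cipher rather than the padding.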