From the Ox XEP 373:
> The <signcrypt/> and <crypt/> elements SHOULD furthermore contain a 'rpad' element which text content is a random-length random-content padding.
Are there any best practices about the length range for rpads?
Martin
Mine is in the range of 20 to 49 chars, but as long as it is random I think I could just use a 0 to 10 chars rpad and don't add unnecessary bloat.
flow
Martin, depends on your paranoia level
flow
For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed
Zash
beware statistics!
Martin
> For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed
Yes, but is 20 to 40 chars better than 0 to 20 chars? I don't think so, but I'm no cryptography expert.
Zash
I feel like the thing is to pad up to the next multiple of X, but best ask some cryptographer about how to safely use padding
flow
Martin, the idea is that you take the actual payload length into account when calculating rpad's length
flow
There are near endless possibilities how to determine rpad, and given that most cryptographic messaging systems don't even have a thing like rpad, it is potentially not super important, but still nice to have
flow
especially in IM communication where the length of the response may provide some insights to an outside observer
Zash
What's it for here?
Zash
AIUI you can counteract padding meant to hide the length of a message using statistics
flow
primarily to conceal the length of the plaintext
flow
Zash, I am happy about some pointers to research in that direction
Zash
"yes".length+rand(10) > "no".length+rand(10) given enough samples, that kind of thing
Zash
I've got no pointers, sorry. RFCs for TLS &c might have references
Zash
Wikipedia! 🙂
flow
the one true truth
flow
:)
thomaslewis
Couldn’t you randomize the argument to rand()? 🤔
pep.
Then one would "just" have to run stats with the same method? :p
thomaslewis
Well, if the padding is of random length and content, it would make statistical analysis near meaningless, no?
jonas’
incorrect
jonas’
the point of statistics is to get signal out of noise :)
Martin
So rpadlength=messagelength%100 would make sense?
Martin
Instead of using random length.
Zash
Martin, that's what I think is the sensible thing.
jonas’
Martin, there is a `100-` missing in that, but yes.
jonas’
`rpadlength = 100 - (messagelength%100)`
Zash
that reduces the available entropy, right?
Martin
Why? Using modulo 100 would make messagelength + rpadlength always a multiple of 100 or am I wrong?
Zash throws some math and statistics words around
jonas’
Martin, you're wrong
Martin
Oh yeah
jonas’
len = 120, 120 % 100 = 20, 120 + 20 != 200
Zash
if you pad or crop all messages to the same size, that would leak the least data, right?
jonas’
yes
jonas’
requires you to pad them all to the maximum stanza size though, otherwise you lose data, obviously :)
Zash
indeed
Zash
hence the pad to multiple of X
jonas’
I'm still trying to figure out how much entropy that gives you
another way to think about it: it conceals log_2(modulus) bits of the real message length
jonas’
(the logic of which is obvious, if you assume modulus = 2^n (i.e. a power of two); the message length L is a k-bit number. if you pad to a multiple of 2^n, the new message length is L' = m*2^n, with L+2^n >= L' >= L. multiplication by 2^n is identical to left shift by n bits, hence the lowest n bits of the message length are zero, hence the lowest n bits are concealed).