MartinFrom the Ox XEP 373:
> The <signcrypt/> and <crypt/> elements SHOULD furthermore contain a 'rpad' element which text content is a random-length random-content padding.
Are there any best practices about the length range for rpads?
MartinMine is in the range of 20 to 49 chars, but as long as it is random I think I could just use a 0 to 10 chars rpad and don't add unnecessary bloat.
nephelehas left
norayrhas left
Alexhas left
marc0shas left
marc0shas joined
nephelehas joined
lovetoxhas left
lovetoxhas joined
nephelehas left
nephelehas joined
Alexhas joined
nephelehas left
marc0shas left
marc0shas joined
dezanthas joined
nephelehas joined
nephelehas left
nephelehas joined
nephelehas left
nephelehas joined
nephelehas left
nephelehas joined
dezanthas left
nephelehas left
nephelehas joined
nephelehas left
nephelehas joined
marc0shas left
marc0shas joined
nephelehas left
raghavgururajanhas joined
nephelehas joined
nephelehas left
pulkomandyhas joined
dezanthas joined
amee2khas joined
Samhas left
xeckshas joined
nephelehas joined
nephelehas left
Samhas joined
Samhas left
marc0shas left
marc0shas joined
nephelehas joined
nephelehas left
nephelehas joined
amee2khas left
emushas left
nephelehas left
lovetoxhas left
flowMartin, depends on your paranoia level
flowFor example, you could calculate the length of the pad so that a certain minimum total length is guranteed✎
flowFor example, you could calculate the length of the pad so that a certain minimum total length is guaranteed ✏
Zashbeware statistics!
lovetoxhas joined
Martin> For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed
Yes, but is 20 to 40 chars better than 0 to 20 chars? I don't think so, but I'm no cryptography expert.
ZashI feel like the thing is to pad up to the next multiple of X, but best ask some cryptogopher about how to safely use padding
adxhas left
dezanthas left
flowMartin, the idea is that you take the actualy payload length into account when calculating rpad's length
thomaslewishas joined
antranigvhas left
antranigvhas joined
adxhas joined
thomaslewishas left
flowThere are near endless possiblities how to determine rpad, and given that most cryptographic messaging systems don't even have a thing like rpad, it is potentially not super important, but still nice to have
flowespecially in IM communcation where the length of the reponse may provide some insights to an outside observer
ZashWhat's it for here?
ZashAIUI you can counteract padding meant to hide the length of a message using statistics
flowprimary to conceal the length of the plaintext
flowZash, I am happy about some pointers to reserach in that direction
Zash"yes".length+rand(10) > "no".length+rand(10) given enough samples, that kind of thing
ZashI've got no pointers, sorry. RFCs for TLS &c might have references
lovetoxhas left
lovetoxhas joined
thomaslewishas joined
marchas left
ZashWikipedia! 🙂
flowthe one true truth
flow:)
thomaslewisCouldn’t you randomize the argument to rand()? 🤔
thomaslewishas left
pep.Then one would "just" have to run stats with the same method? :p
lovetoxhas left
amee2khas joined
thomaslewishas joined
marc0shas left
marc0shas joined
larmahas joined
thomaslewisWell, if the padding is of random length and content, it would make statistical analysis near meaningless, no?
marc0shas left
marc0shas joined
thomaslewishas left
dezanthas joined
thomaslewishas joined
thomaslewishas left
jonas’incorrect
jonas’the point of statistics is to get signal out of noise :)
marc0shas left
marc0shas joined
marc0shas left
marc0shas joined
lovetoxhas joined
marc0shas left
marc0shas joined
MartinSo rpadlength=messagelength%100 would make sense?
MartinInstead of using random length.
ZashMartin, that's what I think is the sensible thing.
jonas’Martin, there is a `100-` missing in that, but yes.
jonas’`rpadlength = 100 - (messagelength%100)`
Zashthat reduces the available entropy, right?
MartinWhy? Using modulo 100 would make messagelength + rpadlength always a multiple of 100 or am I wrong?
Zashthrows some math and statistics words around
jonas’Martin, you're wrong
MartinOh yeah
jonas’len = 120, 120 % 100 = 20, 120 + 20 != 200
Zashif you pad or crop all messages to the same size, that would leak the least data, right?
antranigvhas left
jonas’yes
Dele Olajidehas joined
jonas’requires you to pad them all to the maximum stanza size though, otherwise you lose data, obviously :)
Zashindeed
Zashhence the pad to multiple of X
Dele Olajidehas left
jonas’I'm still trying to figure out how much entropy that gives you
antranigvhas joined
thomaslewishas joined
Zashdepends on ... distribution of message sizes, no?
jonas’another way to think about it: it conceals log_2(modulus) bits of the real message length
thomaslewishas left
jonas’(the logic of which is obvious, if you assume modulus = 2^n (i.e. a power of two); the message length L is a k-bit number. if you pad to a multiple of 2^n, the new message length is L' = m*2^n, with L+2^n >= L' >= L. multiplication by 2^n is identical to left shift by n bits, hence the lowest n bits of the message length are zero, hence the lowest n bits are concealed).