jdev - 2022-04-28

From the Ox XEP 373: > The <signcrypt/> and <crypt/> elements SHOULD furthermore contain a 'rpad' element which text content is a random-length random-content padding. Are there any best practices about the length range for rpads?

Mine is in the range of 20 to 49 chars, but as long as it is random I think I could just use a 0 to 10 chars rpad and don't add unnecessary bloat.

Martin, depends on your paranoia level

For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed ✏

beware statistics!

> For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed Yes, but is 20 to 40 chars better than 0 to 20 chars? I don't think so, but I'm no cryptography expert.

I feel like the thing is to pad up to the next multiple of X, but best ask some cryptogopher about how to safely use padding

Martin, the idea is that you take the actualy payload length into account when calculating rpad's length

There are near endless possiblities how to determine rpad, and given that most cryptographic messaging systems don't even have a thing like rpad, it is potentially not super important, but still nice to have

especially in IM communcation where the length of the reponse may provide some insights to an outside observer

What's it for here?

AIUI you can counteract padding meant to hide the length of a message using statistics

primary to conceal the length of the plaintext

Zash, I am happy about some pointers to reserach in that direction

"yes".length+rand(10) > "no".length+rand(10) given enough samples, that kind of thing

I've got no pointers, sorry. RFCs for TLS &c might have references

Wikipedia! 🙂

the one true truth

:)

Couldn’t you randomize the argument to rand()? 🤔

Then one would "just" have to run stats with the same method? :p

Well, if the padding is of random length and content, it would make statistical analysis near meaningless, no?

incorrect

the point of statistics is to get signal out of noise :)

So rpadlength=messagelength%100 would make sense?

Instead of using random length.

Martin, that's what I think is the sensible thing.

Martin, there is a `100-` missing in that, but yes.

`rpadlength = 100 - (messagelength%100)`

that reduces the available entropy, right?

Why? Using modulo 100 would make messagelength + rpadlength always a multiple of 100 or am I wrong?

Martin, you're wrong

Oh yeah

len = 120, 120 % 100 = 20, 120 + 20 != 200

if you pad or crop all messages to the same size, that would leak the least data, right?

yes

requires you to pad them all to the maximum stanza size though, otherwise you lose data, obviously :)

indeed

hence the pad to multiple of X

I'm still trying to figure out how much entropy that gives you

depends on ... distribution of message sizes, no?

possibly

also possibly on the maximum message size ✏

another way to think about it: it conceals log_2(modulus) bits of the real message length

(the logic of which is obvious, if you assume modulus = 2^n (i.e. a power of two); the message length L is a k-bit number. if you pad to a multiple of 2^n, the new message length is L' = m*2^n, with L+2^n >= L' >= L. multiplication by 2^n is identical to left shift by n bits, hence the lowest n bits of the message length are zero, hence the lowest n bits are concealed).

😳