jdev - 2022-04-28

  1. Martin

    From the Ox XEP 373:

    > The <signcrypt/> and <crypt/> elements SHOULD furthermore contain a 'rpad' element which text content is a random-length random-content padding.

    Are there any best practices about the length range for rpads?

  2. Martin

    Mine is in the range of 20 to 49 chars, but as long as it is random I think I could just use a 0 to 10 chars rpad and not add unnecessary bloat.

  3. flow

    Martin, depends on your paranoia level

  4. flow

    For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed

  5. flow

    For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed

  6. Zash

    beware statistics!

  7. Martin

    > For example, you could calculate the length of the pad so that a certain minimum total length is guaranteed

    Yes, but is 20 to 40 chars better than 0 to 20 chars? I don't think so, but I'm no cryptography expert.

  8. Zash

    I feel like the thing is to pad up to the next multiple of X, but best ask some cryptographer about how to safely use padding

  9. flow

    Martin, the idea is that you take the actual payload length into account when calculating rpad's length

  10. flow

    There are near endless possibilities how to determine rpad, and given that most cryptographic messaging systems don't even have a thing like rpad, it is potentially not super important, but still nice to have

  11. flow

    especially in IM communication where the length of the response may provide some insights to an outside observer

  12. Zash

    What's it for here?

  13. Zash

    AIUI you can counteract padding meant to hide the length of a message using statistics

  14. flow

    primarily to conceal the length of the plaintext

  15. flow

    Zash, I am happy about some pointers to research in that direction

  16. Zash

    "yes".length+rand(10) > "no".length+rand(10) given enough samples, that kind of thing

  17. Zash

    I've got no pointers, sorry. RFCs for TLS &c might have references

  18. Zash

    Wikipedia! 🙂

  19. flow

    the one true truth

  20. flow


  21. thomaslewis

    Couldn’t you randomize the argument to rand()? 🤔

  22. pep.

    Then one would "just" have to run stats with the same method? :p

  23. thomaslewis

    Well, if the padding is of random length and content, it would make statistical analysis near meaningless, no?

  24. jonas’


  25. jonas’

    the point of statistics is to get signal out of noise :)

  26. Martin

    So rpadlength=messagelength%100 would make sense?

  27. Martin

    Instead of using random length.

  28. Zash

    Martin, that's what I think is the sensible thing.

  29. jonas’

    Martin, there is a `100-` missing in that, but yes.

  30. jonas’

    `rpadlength = 100 - (messagelength%100)`

  31. Zash

    that reduces the available entropy, right?

  32. Martin

    Why? Using modulo 100 would make messagelength + rpadlength always a multiple of 100 or am I wrong?

  33. Zash throws some math and statistics words around

  34. jonas’

    Martin, you're wrong

  35. Martin

    Oh yeah

  36. jonas’

    len = 120, 120 % 100 = 20, 120 + 20 != 200

  37. Zash

    if you pad or crop all messages to the same size, that would leak the least data, right?

  38. jonas’


  39. jonas’

    requires you to pad them all to the maximum stanza size though, otherwise you lose data, obviously :)

  40. Zash


  41. Zash

    hence the pad to multiple of X

  42. jonas’

    I'm still trying to figure out how much entropy that gives you

  43. Zash

    depends on ... distribution of message sizes, no?

  44. jonas’


  45. jonas’

    also possibly on the maximum message size

  46. jonas’

    also possibly on the maximum message size

  47. jonas’

    another way to think about it: it conceals log_2(modulus) bits of the real message length

  48. jonas’

    (the logic of which is obvious, if you assume modulus = 2^n (i.e. a power of two); the message length L is a k-bit number. if you pad to a multiple of 2^n, the new message length is L' = m*2^n, with L+2^n >= L' >= L. multiplication by 2^n is identical to left shift by n bits, hence the lowest n bits of the message length are zero, hence the lowest n bits are concealed).

  49. Martin