On 18/07/13 22:34, Nico Williams wrote:
> On Wed, Jul 17, 2013 at 9:27 PM, Pierre Abbat <p...@bezitopo.org> wrote:
>> On Friday, July 12, 2013 16:56:47 Zooko O'Whielacronx wrote:
>>> No, no, we rely on the correctness of our encryption to hide all
>>> information about the plaintext from an attacker who doesn't know the
>>> encryption key. Therefore, the pad bytes are all just zero bytes, and
>>> we believe that this pattern gives nothing useful to the cryptanalyst.
>>
>> Encrypting padding consisting of all zero bytes creates a known-plaintext
>> attack. The padding should be the output of a CSPRNG whose seed is determined
>> by the contents of the file.
>
> No, because first of all the attacker doesn't know the plaintext (they
> can guess as to how much padding there is, and then guess that much of
> the plaintext), and second because it's not chosen plaintext (not
> chosen by the attacker), and third because AES is supposed to leak
> nothing much about either the key nor the rest of the plaintext of a
> given block just because you happen to know some of the plaintext (or
> even all).
It's CTR mode, so a chosen-plaintext attack provides no advantage over a
known-plaintext attack. (Either gets you the keystream, but does not allow
you to influence the input to the block cipher.)

-- 
Daira Hopwood ⚥
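A worked example of the CTR-mode point above, added here and not part of the thread or of Tahoe-LAFS's own code. It shows that XORing any known plaintext segment (the zero padding included) with the ciphertext yields exactly the keystream bytes for those positions, and that the keystream is the same whatever plaintext is encrypted, because the block cipher input in CTR mode is only nonce || counter. Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES as the block function so the example runs on the standard library; the key and nonce are constructed demo values, and the nonce is reused across calls only to make the plaintext-independence visible (which is also why a real deployment must never reuse a nonce under one key).

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

# Constructed demo values: a real key is random and a nonce is never reused.
KEY = bytes(range(32))
NONCE = b"\x00" * 8


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream block i = PRF(key, nonce || i).

    Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES. Note the
    input to the PRF depends only on key, nonce and counter, never on plaintext.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"),
                    hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: encryption and decryption are the same XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, i // BLOCK)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def pad_zero(msg: bytes) -> bytes:
    """Pad with zero bytes up to a block boundary, as the thread describes."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """What a known-plaintext segment gives an observer in CTR mode: keystream."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def keystream_from_padding(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Observer's view: assume the tail is zero padding and XOR it out.

    Returns the keystream bytes covering the padded positions only.
    """
    padded = pad_zero(msg)
    ct = ctr_xor(key, nonce, padded)
    pad_len = len(padded) - len(msg)
    if pad_len == 0:
        return b""
    return recover_keystream(b"\x00" * pad_len, ct[-pad_len:])


def keystream_via_known_plaintext(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Known or chosen plaintext: either way the result is the same keystream."""
    return recover_keystream(plaintext, ctr_xor(key, nonce, plaintext))


if __name__ == "__main__":
    msg = b"hello, tahoe"  # constructed 12-byte message, so 4 bytes of zero padding
    ks_pad = keystream_from_padding(KEY, NONCE, msg)
    ks_zero = keystream_via_known_plaintext(KEY, NONCE, b"\x00" * 32)
    ks_text = keystream_via_known_plaintext(KEY, NONCE, b"A" * 32)
    print("keystream bytes exposed by zero padding:", ks_pad.hex())
    print("same keystream from zero vs. chosen plaintext:", ks_zero == ks_text)
    print("round trip ok:", ctr_xor(KEY, NONCE, ctr_xor(KEY, NONCE, pad_zero(msg))) == pad_zero(msg))
```

The padding positions leak precisely the keystream bytes at those positions, which any other known plaintext at those positions would leak equally; what the padding does not do is let anyone choose the block cipher's input, which stays nonce || counter regardless of the data.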
_______________________________________________
tahoe-dev mailing list
tahoe-dev@tahoe-lafs.org
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev