Re: [TLS] Why is padding still actively being used?

Ilari Liusvaara <> Sun, 17 May 2015 05:29 UTC

Date: Sun, 17 May 2015 08:29:36 +0300
From: Ilari Liusvaara <>
To: Jeffrey Walton <>
Message-ID: <20150517052936.GA26393@LK-Perkele-VII>
Subject: Re: [TLS] Why is padding still actively being used?

On Sat, May 16, 2015 at 08:24:52PM -0400, Jeffrey Walton wrote:
> Integrated Encryption Schemes, like ECIES and DHAES, don't pad in the
> Data Encapsulation Mechanism (DEM) or Key Encapsulation Mechanism
> (KEM). In the case of a KEM, they fill the parameter to the size of
> the underlying field, and then use a derivation function to digest it.
> Removing the padding simplifies the proofs and removes the oracles
> related to the padding.
> When possible, why does TLS still pad and backfill with 0's rather
> than filling to the underlying field size and/or digesting?

Are you talking about leading zero stripping in Diffie-Hellman key

I think many bignum libs perform that kind of thing, which is a
good source of bugs (especially in big-endian).

However, if using dedicated arithmetic (generic bignums are not
safe) for fields available in TLS 1.3, that kind of stripping is
just extra complexity and source of bugs.

Thinking about padding, I think there should be some sort of
payload padding under AE, for those applications that want to hide
lengths of messages.

In TLS 1.2, it could easily be added as new "compression" mechanism,
but those are not supported in TLS 1.3.
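The two encoding points in the message above, leading-zero stripping of a Diffie-Hellman shared secret and zero padding of a record payload under the AEAD, as an added example. This is not code from the message, the TLS working group, or any TLS implementation. It uses a constructed toy DH group (the 64-bit prime 2^64 - 59) and a constructed salt so it runs instantly and offline; the fixed-width rule for Z and the content || ContentType || zeros layout are the ones TLS 1.3 later fixed in RFC 8446 (sections 7.4.1 and 5.4), the bucket size and sample requests are assumptions.

```python
"""Constructed toy for two fixed-length-encoding points raised in the thread.

Part 1: a DH shared secret Z encoded with leading zeros stripped versus
        left-padded to the field size.
Part 2: zero padding of a record payload under the AEAD, in the
        TLSInnerPlaintext layout of TLS 1.3 (RFC 8446, section 5.4).
"""
import hashlib
import hmac
from typing import Tuple

# ---- Part 1: leading-zero stripping of a DH shared secret -----------------
# Constructed toy group (2^64 - 59 is prime). Far too small for real use; it
# only keeps the example instant and deterministic.
P = 0xFFFFFFFFFFFFFFC5
G = 2
FIELD_LEN = (P.bit_length() + 7) // 8  # 8 bytes


def stripped_encoding(z: int) -> bytes:
    """Minimal big-endian encoding: leading zero bytes are dropped, which is
    what a generic bignum 'to bytes' routine typically does."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def fixed_width_encoding(z: int) -> bytes:
    """Left-pad to the size of the field, so every Z encodes to FIELD_LEN."""
    return z.to_bytes(FIELD_LEN, "big")


def derive_key(shared: bytes) -> bytes:
    """Stand-in for the extract step of a KDF: a keyed hash over the encoded
    secret. An encoding that differs by one leading zero byte yields an
    unrelated key. The salt is a constructed value, not a TLS constant."""
    return hmac.new(b"toy-salt", shared, hashlib.sha256).digest()


def toy_dh(priv_a: int, priv_b: int) -> int:
    """Both sides compute the same shared value Z = g^(ab) mod p."""
    pub_a, pub_b = pow(G, priv_a, P), pow(G, priv_b, P)
    z_a, z_b = pow(pub_b, priv_a, P), pow(pub_a, priv_b, P)
    assert z_a == z_b
    return z_a


def find_exchange_with_leading_zero(start: int = 1000) -> Tuple[int, int, int]:
    """Scan deterministic private values until Z's top byte is zero, which
    happens for roughly 1 in 256 exchanges. Returns (priv_a, priv_b, z)."""
    priv_b = 0x1234567
    for priv_a in range(start, start + 100000):
        z = toy_dh(priv_a, priv_b)
        if z >> (8 * (FIELD_LEN - 1)) == 0:
            return priv_a, priv_b, z
    raise RuntimeError("no short secret found")


def encodings_agree(z: int) -> bool:
    """True only when a stripping peer and a fixed-width peer derive the same
    key from the same Z; false whenever Z has a leading zero byte. The length
    of the stripped encoding also leaks the top bits of Z to anything that
    branches or times on it."""
    return derive_key(stripped_encoding(z)) == derive_key(fixed_width_encoding(z))


# ---- Part 2: payload padding under the AEAD (TLSInnerPlaintext) ------------
APPLICATION_DATA = 23  # TLS ContentType value for application_data


def pad_inner_plaintext(content: bytes, content_type: int, bucket: int = 64) -> bytes:
    """Build content || ContentType || zeros, padded up to the next multiple of
    `bucket` (assumed policy). Since the AEAD covers all of it, only the bucket
    size is visible on the wire, not the true payload length."""
    if not 1 <= content_type <= 255:
        raise ValueError("content type must be a non-zero byte")
    body = content + bytes([content_type])
    padded_len = -(-len(body) // bucket) * bucket  # ceil to a bucket boundary
    return body + b"\x00" * (padded_len - len(body))


def unpad_inner_plaintext(plaintext: bytes) -> Tuple[bytes, int]:
    """Receiver side, run only after AEAD verification succeeded: strip
    trailing zeros, then the last non-zero byte is the content type. Trailing
    zeros inside the content survive because the type byte sits after them.
    An all-zero record carries no content type and must be rejected."""
    end = len(plaintext)
    while end > 0 and plaintext[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("padded record with no content type")
    return plaintext[:end - 1], plaintext[end - 1]


def demo() -> dict:
    """Run both parts on constructed inputs and report the checks."""
    _, _, z = find_exchange_with_leading_zero()
    long_body = b"GET /account/statements/2015-05 HTTP/1.1\r\n"
    short_req = pad_inner_plaintext(b"GET / HTTP/1.1\r\n", APPLICATION_DATA)
    long_req = pad_inner_plaintext(long_body, APPLICATION_DATA)
    return {
        "stripped_len": len(stripped_encoding(z)),
        "fixed_len": len(fixed_width_encoding(z)),
        "keys_agree": encodings_agree(z),
        "same_wire_length": len(short_req) == len(long_req),
        "roundtrip": unpad_inner_plaintext(long_req) == (long_body, APPLICATION_DATA),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two halves make the same point from opposite directions: Part 1 shows that a variable-length encoding of Z both breaks interoperability with a fixed-width peer and exposes the secret's top bits through its length, while Part 2 shows that the padding has to live inside the AEAD boundary and be removed only after the tag verifies, so that neither the true length nor the padding bytes are exposed to an attacker.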