Editing Padding (cryptography) (section)

===Randomized padding===

A random number of additional padding bits or bytes may be appended to the end of a message, together with an indication at the end how much padding was added.  If the amount of padding is chosen as a uniform random number between 0 and some maximum M, for example, then an eavesdropper will be unable to determine the message's length precisely within that range.  If the maximum padding M is small compared to the message's total size, then this padding will not add much [[Overhead (computing)|overhead]], but the padding will obscure only the least-significant bits of the object's total length, leaving the approximate length of large objects readily observable and hence still potentially uniquely identifiable by their length.  If the maximum padding M is comparable to the size of the payload, in contrast, an eavesdropper's uncertainty about the message's true payload size is much larger, at the cost that padding may add up to 100% overhead ({{math|2×}} blow-up) to the message.

In addition, in common scenarios in which an eavesdropper has the opportunity to see ''many'' successive messages from the same sender, and those messages are similar in ways the attacker knows or can guess, then the eavesdropper can use statistical techniques to decrease and eventually even eliminate the benefit of randomized padding.  For example, suppose a user's application regularly sends messages of the same length, and the eavesdropper knows or can guess fact based on fingerprinting the user's application for example.  Alternatively,  an active attacker might be able to ''induce'' an endpoint to send messages regularly, such as if the victim is a public server.  In such cases, the eavesdropper can simply compute the average over many observations to determine the length of the regular message's payload.