Ask or search…



The length of a ciphertext from a stream cipher is equal to the length of the plaintext. In most cases, this is not considered an issue. However, hiding the length of a message can be desirable, and ISO/IEC 7816-4 padding can be used to do this.
The amount of padding, determined by the block size, can either be deterministic or randomised. Both have their strengths and weaknesses.
Padding to a block size much smaller than the message length leaves the approximate unpadded length largely unprotected. PADMÉ can be used to limit leakage.
Padding should be applied to the plaintext before encryption and removed from the plaintext after decryption. The amount of padding does not need to be stored.



Fills a span with padding. This can then be manually concatenated with some data.
Padding.Fill(Span<byte> buffer)


buffer has a length of 0.


Returns the required buffer size for Pad() based on the unpadded length and a block size (e.g. 16 bytes).
Padding.GetPaddedLength(int unpaddedLength, int blockSize)


unpaddedLength is less than 0.
blockSize is less than or equal to 0.
The amount of padding is too large.


Fills a span with the data padded up to the specified block size (e.g. a multiple of 16 bytes).
Padding.Pad(Span<byte> buffer, ReadOnlySpan<byte> data, int blockSize)


buffer has a length not equal to GetPaddedLength(data.Length, blockSize).
blockSize is less than or equal to 0.


Returns the number of bytes to slice from the end of the padded data.
Padding.GetUnpaddedLength(ReadOnlySpan<byte> paddedData, int blockSize)


paddedData has a length of 0.
blockSize is less than or equal to 0.
Incorrect padding.


It is very difficult to hide that cryptography is being used. For example, even if padding is done appropriately and there are no plaintext headers, X25519 public keys are distinguishable from random.
Using padding to hide the length of a password is NOT recommended. Instead, the password can be prehashed using BLAKE2b or Argon2id on the client before being sent to the server for password hashing.
Last modified 4mo ago