by heavenlyblue 2259 days ago
I also don’t understand how a padding oracle attack corresponds to this if all IDs are under 128 bits.

While AES(0||id) is subject to a padding oracle, it's not immediately obvious why this would be a useful capability to an attacker, since you can't tweak your input based on the oracle's output (unlike e.g. AES-CBC).
How is AES(0||id) subject to a padding oracle? Am I misunderstanding the notation?
Yeah, that's not a padding oracle, but it's similar in concept, because the prefix check after decryption will likely leak whether the app considers the ciphertext valid, à la:

    pk = decrypt(params.id)                 # raw single-block AES decrypt of the opaque token
    if pk[0:8] != EIGHT_ZEROS:              # prefix check: this branch is the "oracle"
        return Http404                      # caller learns "invalid" vs. "valid" from the status
    id = int.from_bytes(pk[8:16], "big")    # remaining 8 bytes carry the object id (big-endian assumed)
    object = db.query(id)
Also stuff like this isn't really specific to using this particular construction. Even if systems are designed to return "does not exist" instead of "forbidden", it's hard to make authorization checks constant time and I've never seen code to even try that.
Sure, but you can't adaptively choose a new ciphertext to iterate with. Which is the core of the concept.
Yeah, exactly. I don't think we disagree, I just abused the name a little bit - not a good idea in this field!
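The construction the thread is discussing, written out as an added example (not code from the original thread or from any project): `encodeID`/`decodeID` implement AES(0||id) as one raw block with the eight-zero-byte prefix check from the snippet, so the returned bool is exactly the "404 vs. valid" signal being debated. `cbcBitFlipDistance` is the contrast case from the first comment: under CBC a one-bit tweak of ciphertext block 0 flips exactly one bit of plaintext block 1, which is the malleability an adaptive padding-oracle attack iterates on, whereas a one-bit tweak of the raw block scrambles the whole decrypted block and is rejected. The key, the function names and the big-endian id encoding are constructed assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// demoKey is a constructed, fixed AES-256 key so the demo is reproducible.
// A real deployment keeps this secret server-side and never hard-codes it.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// prefixLen is the length of EIGHT_ZEROS in the snippet: 64 zero bits checked after decryption.
const prefixLen = 8

// encodeID builds the opaque token AES_k(0^64 || id) as one raw block: no IV, no padding, no chaining.
func encodeID(key []byte, id uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var pt [aes.BlockSize]byte             // bytes 0..7 stay zero (the prefix)
	binary.BigEndian.PutUint64(pt[8:], id) // bytes 8..15 carry the id (big-endian is an assumption)
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt[:])
	return ct, nil
}

// decryptBlock is the raw single-block decrypt behind decrypt(params.id) in the snippet.
func decryptBlock(key, token []byte) ([]byte, error) {
	if len(token) != aes.BlockSize {
		return nil, fmt.Errorf("token must be %d bytes, got %d", aes.BlockSize, len(token))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, token)
	return pt, nil
}

// decodeID is the server-side check from the snippet. The bool is what a "404 vs 200" response leaks.
func decodeID(key, token []byte) (uint64, bool) {
	pt, err := decryptBlock(key, token)
	if err != nil {
		return 0, false
	}
	if !bytes.Equal(pt[:prefixLen], make([]byte, prefixLen)) {
		return 0, false // the Http404 branch
	}
	return binary.BigEndian.Uint64(pt[prefixLen:]), true
}

// flipBit returns a copy of buf with one bit toggled: the basic tweak a CBC padding oracle iterates on.
func flipBit(buf []byte, bit int) []byte {
	out := append([]byte(nil), buf...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

// hammingDistance counts the bits that differ between two equal-length slices.
func hammingDistance(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// cbcBitFlipDistance encrypts two zero blocks under CBC, flips one bit (0..127) of ciphertext
// block 0, and returns how many bits of decrypted plaintext block 1 changed. Because
// P[1] = D(C[1]) XOR C[0], the answer is exactly 1: that is the relation an attacker can iterate on.
func cbcBitFlipDistance(key []byte, bit int) int {
	block, err := aes.NewCipher(key)
	if err != nil {
		return -1
	}
	iv := make([]byte, aes.BlockSize) // constructed zero IV; only acceptable for this malleability demo
	pt := make([]byte, 2*aes.BlockSize)
	ct := make([]byte, 2*aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	orig := make([]byte, 2*aes.BlockSize)
	mod := make([]byte, 2*aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(orig, ct)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(mod, flipBit(ct, bit))
	return hammingDistance(orig[aes.BlockSize:], mod[aes.BlockSize:])
}

func main() {
	tok, err := encodeID(demoKey, 42)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", hex.EncodeToString(tok))
	id, ok := decodeID(demoKey, tok)
	fmt.Println("decode:", id, ok)
	// A one-bit tweak of the raw block is rejected and the decrypted block changes in
	// roughly half its bits, so the oracle answer gives nothing to adapt the next guess to.
	tampered := flipBit(tok, 127)
	_, ok = decodeID(demoKey, tampered)
	a, _ := decryptBlock(demoKey, tok)
	b, _ := decryptBlock(demoKey, tampered)
	fmt.Println("tampered accepted:", ok, "bits changed after decrypt:", hammingDistance(a, b))
	fmt.Println("CBC: bits changed in next block after a one-bit flip:", cbcBitFlipDistance(demoKey, 5))
}
```

The oracle is real: with a 64-bit zero prefix a forged block is accepted with probability about 2^-64, and every accept/reject answer is visible to the caller. What is missing is a way to use the answer, since any change to the raw ciphertext block changes every plaintext bit unpredictably, while in CBC the same change moves exactly one known bit, which is why the padding-oracle loop works there.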