09:45:46 k​ayabanerve:matrix.org: binarybaron: Circling back on, Hermes was it? I recently implemented the encoding of a bitvec to a bytestream, and had the awkwardness I either had to:
09:45:47 k​ayabanerve:matrix.org: 1) Always encode an amount of bits a multiple of 8
09:45:49 k​ayabanerve:matrix.org: 2) Encode the amount of bits, and the encoded as the padded length
09:45:51 k​ayabanerve:matrix.org: But I forgot while doing so, to require the padding bits be encoded as 0.
09:47:13 k​ayabanerve:matrix.org: I was encoding into/from a bitvec, which has sound behavior for 'uninitialized' bits (which the padding would've been seen as), but it would've enabled two values with the same semantics to have different encodings and a bunch of oddities accordingly. It was also just a general footgun for anyone who tried to implement the same functionality without using the bitvec crate.
09:47:57 k​ayabanerve:matrix.org: That's why I suggested requiring the padding in your scheme be explicitly zero. Else it raises the question of 'what happens when they're not zero?'. It either means there's a non-standard encoder _or_ there was a decryption failure, as bytes which should've been zero weren't.
09:48:24 k​ayabanerve:matrix.org: Speaking of, have you considered a MAC instead of a magic to identify successfully decrypted plaintexts? ChachaPoly?