Paper 2021/1027

On Fingerprinting Attacks and Length-Hiding Encryption

Kai Gellert, Tibor Jager, Lin Lyu, and Tom Neuschulten


It is well-known that already the length of encrypted messages may reveal sensitive information about encrypted data. Fingerprinting attacks enable an adversary to determine web pages visited by a user and even the language and phrases spoken in voice-over-IP conversations. Prior research has established the general perspective that a length-hiding padding which is long enough to improve security significantly incurs an unfeasibly large bandwidth overhead. We argue that this perspective is a consequence of the choice of the security models considered in prior works, which are based on classical indistinguishability of two messages, and that this does not reflect the attacker model of typical fingerprinting attacks well. Furthermore, these models also consider a model where the attacker is restricted to choosing messages of bounded length difference, depending on a given length-hiding padding of the encryption scheme. This restriction seems difficult to enforce in practice, because application layer protocols are typically unaware of the concrete length-hiding padding applied by an underlying encryption protocol, such as TLS. We also do not want to make application-layer messages dependent on the underlying encryption scheme, but instead want to provide length hiding encryption that satisfies the requirements of the given application. Therefore we propose a new perspective on length hiding encryption, which aims to capture security against fingerprinting attacks more accurately. This makes it possible to concretely quantify the security provided by length-hiding padding against fingerprinting attacks, depending on the real message distribution of an application. We find that for many real-world applications (such as webservers with static content, DNS requests, Google search terms, or Wikipedia page visits) and their specific message distributions, even length-hiding padding with relatively small bandwidth overhead of only 2-5% can already significantly improve security against fingerprinting attacks. This gives rise to a new perspective on length-hiding encryption, which helps understanding how and under what conditions length-hiding encryption can be used to improve security.

Note: A preliminary version of this paper is accepted by CT-RSA 2022. This is the full version.

Available format(s)
Publication info
Published elsewhere. Major revision. CT-RSA 2022
Contact author(s)
kai gellert @ uni-wuppertal de
tibor jager @ uni-wuppertal de
lin lyu @ uni-wuppertal de
2021-12-03: last of 3 revisions
2021-08-06: received
See all versions
Short URL
Creative Commons Attribution


      author = {Kai Gellert and Tibor Jager and Lin Lyu and Tom Neuschulten},
      title = {On Fingerprinting Attacks and Length-Hiding Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1027},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.