Cryptology ePrint Archive: Report 2021/1027

On Fingerprinting Attacks and Length-Hiding Encryption

Kai Gellert and Tibor Jager and Lin Lyu and Tom Neuschulten

Abstract: It is well-known that already the length of encrypted messages may reveal sensitive information about encrypted data. Fingerprinting attacks enable an adversary to determine web pages visited by a user and even the language and phrases spoken in voice-over-IP conversations.

Prior research has established the general perspective that a length-hiding padding which is long enough to improve security significantly incurs an unfeasibly large bandwidth overhead. We argue that this perspective is a consequence of the choice of the security models considered in prior works, which are based on classical indistinguishability of two messages, and that this does not reflect the attacker model of typical fingerprinting attacks well. Furthermore, these models also consider a model where the attacker is restricted to choosing messages of bounded length difference, depending on a given length-hiding padding of the encryption scheme. This restriction seems difficult to enforce in practice, because application layer protocols are typically unaware of the concrete length-hiding padding applied by an underlying encryption protocol, such as TLS. We also do not want to make application-layer messages dependent on the underlying encryption scheme, but instead want to provide length hiding encryption that satisfies the requirements of the given application.

Therefore we propose a new perspective on length hiding encryption, which aims to capture security against fingerprinting attacks more accurately. This makes it possible to concretely quantify the security provided by length-hiding padding against fingerprinting attacks, depending on the real message distribution of an application. We find that for many real-world applications (such as webservers with static content, DNS requests, Google search terms, or Wikipedia page visits) and their specific message distributions, even length-hiding padding with relatively small bandwidth overhead of only 2-5% can already significantly improve security against fingerprinting attacks. This gives rise to a new perspective on length-hiding encryption, which helps understanding how and under what conditions length-hiding encryption can be used to improve security.

Category / Keywords: length-hiding, fingerprinting, compression, enryption

Original Publication (with major differences): CT-RSA 2022

Date: received 5 Aug 2021, last revised 3 Dec 2021

Contact author: kai gellert at uni-wuppertal de, tibor jager at uni-wuppertal de, lin lyu at uni-wuppertal de

Available format(s): PDF | BibTeX Citation

Note: A preliminary version of this paper is accepted by CT-RSA 2022. This is the full version.

Version: 20211203:115114 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]