Hiding the Lengths of Encrypted Messages via Gaussian Padding

ABSTRACT
Secure network protocols like TLS, QUIC, SSH and IPsec allow additional padding to be used during encryption in order to hide message lengths. While it is impossible to conceal message lengths completely without drastically degrading efficiency, such mechanisms aim at causing as much frustration as possible to the prospective attacker. However, none of the protocol specifications provide any guidance on how to select the length of this padding. Several works have highlighted how the leakage of message lengths can be exploited in attacks, but the converse problem of how best to defend against such attacks remains relatively understudied. We make this the focus of our work and present a formal treatment of length-hiding security in a general setting. Prior work by Tezcan and Vaudenay suggested that sampling the padding length uniformly at random already achieves the best possible security. However, we show that this is only true in the limited setting where a single ciphertext is available to the adversary. If multiple ciphertexts are available to the adversary, then sampling the padding length according to a Gaussian distribution yields quantifiably better security for the same overhead. In fact, in this setting, uniformly random padding turns out to be among the worst possible choices. We confirm experimentally the superior performance of Gaussian padding over uniform padding in the context of the CRIME/BREACH attack.
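The abstract contrasts uniform and Gaussian padding but does not spell out why the number of ciphertexts the adversary sees decides which one is better. The following added example is my own code, not the paper's construction or its CRIME/BREACH experiments, and it rests on a deliberately simplified model that I am assuming here: the adversary observes plaintext length plus a padding length sampled afresh for every message, the Gaussian scheme is a rounded Gaussian clipped at zero, and both schemes are tuned to the same expected overhead (100 bytes). All function and parameter names, the two candidate plaintext lengths and the 10-byte gap between them are constructed for the example. The single-ciphertext advantage is the statistical distance between the two observed-length distributions, computed exactly; the multi-ciphertext advantage is the success of the Neyman-Pearson likelihood-ratio test, in closed form for uniform padding and Monte Carlo-estimated for any other padding distribution, so the estimator can also be used to evaluate distributions beyond the two the paper compares.

```python
"""
Constructed example (not code from the paper): compare uniform and rounded-Gaussian
padding lengths under a simplified length-hiding model, measuring what an optimal
distinguisher learns from one ciphertext and from many.

Model (assumption of this example): the adversary observes plaintext_length + pad
for each message, with pad drawn fresh per message, and must decide whether the
sender's messages have length len0 or len1. Both padding schemes are tuned to the
same expected overhead so that the comparison is fair.
"""
import math
import random


def normal_cdf(x):
    """Standard normal CDF via erf (no third-party dependency)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def uniform_pad_pmf(max_pad):
    """Padding length uniform on {0, ..., max_pad}; expected overhead max_pad / 2."""
    p = 1.0 / (max_pad + 1)
    return {k: p for k in range(max_pad + 1)}


def gaussian_pad_pmf(mean, sigma):
    """Padding length max(0, round(X)) with X ~ N(mean, sigma^2): a rounded Gaussian
    clipped at zero, with the negligible upper tail beyond 8 sigma dropped."""
    kmax = int(round(mean + 8 * sigma))
    pmf = {0: normal_cdf((0.5 - mean) / sigma)}
    for k in range(1, kmax + 1):
        pmf[k] = normal_cdf((k + 0.5 - mean) / sigma) - normal_cdf((k - 0.5 - mean) / sigma)
    total = sum(pmf.values())
    return {k: v / total for k, v in pmf.items()}


def expected_overhead(pad_pmf):
    return sum(k * p for k, p in pad_pmf.items())


def observed_length_pmf(pad_pmf, plaintext_len):
    return {plaintext_len + k: p for k, p in pad_pmf.items()}


def single_ciphertext_advantage(pad_pmf, len0, len1):
    """Exact advantage after ONE ciphertext: the statistical (total variation)
    distance between the two observed-length distributions."""
    p0 = observed_length_pmf(pad_pmf, len0)
    p1 = observed_length_pmf(pad_pmf, len1)
    keys = set(p0) | set(p1)
    return 0.5 * sum(abs(p0.get(k, 0.0) - p1.get(k, 0.0)) for k in keys)


def uniform_multi_advantage(max_pad, delta, n):
    """Exact advantage after n ciphertexts for uniform padding. Lengths inside the
    overlap of the two supports are equally likely under both hypotheses, so the
    adversary learns nothing until one observation lands outside the overlap, and
    then it learns everything. That happens with probability 1 - (1 - delta/(max_pad+1))^n."""
    if delta > max_pad:
        return 1.0
    return 1.0 - ((max_pad + 1 - delta) / (max_pad + 1)) ** n


def multi_ciphertext_advantage(pad_pmf, len0, len1, n, trials=2000, seed=7):
    """Monte Carlo estimate of the advantage of the optimal distinguisher (the
    Neyman-Pearson likelihood-ratio test) given n padded lengths of messages that
    are all len0 or all len1. Works for any padding pmf."""
    rng = random.Random(seed)
    p0 = observed_length_pmf(pad_pmf, len0)
    p1 = observed_length_pmf(pad_pmf, len1)
    pads = list(pad_pmf)
    weights = [pad_pmf[k] for k in pads]

    def guesses_len1(observed):
        # Sum of log-likelihood ratios log(Pr[x|len1] / Pr[x|len0]); a length that
        # is impossible under one hypothesis settles the question outright.
        llr = 0.0
        for x in observed:
            a, b = p0.get(x, 0.0), p1.get(x, 0.0)
            if a == 0.0:
                return True
            if b == 0.0:
                return False
            llr += math.log(b / a)
        return llr > 0.0  # ties go to len0

    def sample(plaintext_len):
        return [plaintext_len + k for k in rng.choices(pads, weights, k=n)]

    hit = sum(guesses_len1(sample(len1)) for _ in range(trials)) / trials
    false_alarm = sum(guesses_len1(sample(len0)) for _ in range(trials)) / trials
    return hit - false_alarm


if __name__ == "__main__":
    LEN0, LEN1 = 1000, 1010           # two candidate plaintext lengths, 10 bytes apart
    uni = uniform_pad_pmf(200)        # expected overhead 100 bytes
    gau = gaussian_pad_pmf(100, 30)   # expected overhead about 100 bytes, sigma 30
    print("expected overhead  uniform=%.1f  gaussian=%.1f"
          % (expected_overhead(uni), expected_overhead(gau)))
    for n in (1, 10, 50, 100):
        print("n=%3d  uniform adv=%.3f  gaussian adv=%.3f" % (
            n, multi_ciphertext_advantage(uni, LEN0, LEN1, n),
            multi_ciphertext_advantage(gau, LEN0, LEN1, n)))
```

With these parameters a single ciphertext favours uniform padding (advantage about 0.05 against about 0.13 for the Gaussian), which is the Tezcan and Vaudenay setting, but after 50 ciphertexts the uniform scheme is nearly broken (roughly 0.9) while the Gaussian scheme still leaves the adversary well short of certainty (roughly 0.75). The reason is visible in `guesses_len1`: one uniform observation outside the shared support is decisive on its own, whereas no single Gaussian observation is ever impossible under either hypothesis, so the adversary's evidence only accumulates slowly through the likelihood ratio.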
References
- Martin R. Albrecht and Kenneth G. Paterson. 2016. Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS. In EUROCRYPT 2016, Part I (LNCS, Vol. 9665), Marc Fischlin and Jean-Sébastien Coron (Eds.). Springer, Heidelberg, 622–643. https://doi.org/10.1007/978-3-662-49890-3_24
- Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. 2009. Plaintext Recovery Attacks against SSH. In 2009 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 16–26. https://doi.org/10.1109/SP.2009.5
- Nadhem J. AlFardan and Kenneth G. Paterson. 2013. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In 2013 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 526–540. https://doi.org/10.1109/SP.2013.42
- Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda. 2014. How to Securely Release Unverified Plaintext in Authenticated Encryption. In ASIACRYPT 2014, Part I (LNCS, Vol. 8873), Palash Sarkar and Tetsu Iwata (Eds.). Springer, Heidelberg, 105–125. https://doi.org/10.1007/978-3-662-45611-8_6
- Gilles Barthe, Sonia Belaïd, Thomas Espitau, Pierre-Alain Fouque, Mélissa Rossi, and Mehdi Tibouchi. 2019. GALACTICS: Gaussian Sampling for Lattice-Based Constant-Time Implementation of Cryptographic Signatures, Revisited. In ACM CCS 2019, Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz (Eds.). ACM Press, 2147–2164. https://doi.org/10.1145/3319535.3363223
- Guy Barwell, Daniel Page, and Martijn Stam. 2015. Rogue Decryption Failures: Reconciling AE Robustness Notions. In 15th IMA International Conference on Cryptography and Coding (LNCS, Vol. 9496), Jens Groth (Ed.). Springer, Heidelberg, 94–111. https://doi.org/10.1007/978-3-319-27239-9_6
- Daniel Bleichenbacher. 1998. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In CRYPTO'98 (LNCS, Vol. 1462), Hugo Krawczyk (Ed.). Springer, Heidelberg, 1–12. https://doi.org/10.1007/BFb0055716
- Alexandra Boldyreva, Jean Paul Degabriele, Kenneth G. Paterson, and Martijn Stam. 2014. On Symmetric Encryption with Distinguishable Decryption Failures. In FSE 2013 (LNCS, Vol. 8424), Shiho Moriai (Ed.). Springer, Heidelberg, 367–390. https://doi.org/10.1007/978-3-662-43933-3_19
- G. E. P. Box and Mervin E. Muller. 1958. A Note on the Generation of Random Normal Deviates. The Annals of Mathematical Statistics 29, 2 (1958), 610–611. https://doi.org/10.1214/aoms/1177706645
- Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom. 2016. Flush, Gauss, and Reload - A Cache Attack on the BLISS Lattice-Based Signature Scheme. In CHES 2016 (LNCS, Vol. 9813), Benedikt Gierlichs and Axel Y. Poschmann (Eds.). Springer, Heidelberg, 323–345. https://doi.org/10.1007/978-3-662-53140-2_16
- Brice Canvel, Alain P. Hiltgen, Serge Vaudenay, and Martin Vuagnoux. 2003. Password Interception in a SSL/TLS Channel. In CRYPTO 2003 (LNCS, Vol. 2729), Dan Boneh (Ed.). Springer, Heidelberg, 583–599. https://doi.org/10.1007/978-3-540-45146-4_34
- Benny Chor and Eyal Kushilevitz. 1990. Secret Sharing Over Infinite Domains (Extended Abstract). In CRYPTO'89 (LNCS, Vol. 435), Gilles Brassard (Ed.). Springer, Heidelberg, 299–306. https://doi.org/10.1007/0-387-34805-0_27
- Wei Dai, Viet Tung Hoang, and Stefano Tessaro. 2017. Information-Theoretic Indistinguishability via the Chi-Squared Method. In CRYPTO 2017, Part III (LNCS, Vol. 10403), Jonathan Katz and Hovav Shacham (Eds.). Springer, Heidelberg, 497–523. https://doi.org/10.1007/978-3-319-63697-9_17
- Jean Paul Degabriele and Marc Fischlin. 2018. Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove. In ASIACRYPT 2018, Part III (LNCS, Vol. 11274), Thomas Peyrin and Steven Galbraith (Eds.). Springer, Heidelberg, 519–550. https://doi.org/10.1007/978-3-030-03332-3_19
- Jean Paul Degabriele and Kenneth G. Paterson. 2007. Attacking the IPsec Standards in Encryption-only Configurations. In 2007 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 335–349. https://doi.org/10.1109/SP.2007.8
- Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. 2006. Calibrating Noise to Sensitivity in Private Data Analysis. In TCC 2006 (LNCS, Vol. 3876), Shai Halevi and Tal Rabin (Eds.). Springer, Heidelberg, 265–284. https://doi.org/10.1007/11681878_14
- Cynthia Dwork and Aaron Roth. 2014. The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science 9, 3–4 (2014), 211–407.
- Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. 2012. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In 2012 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 332–346. https://doi.org/10.1109/SP.2012.28
- Kai Gellert, Tibor Jager, Lin Lyu, and Tom Neuschulten. 2021. On Fingerprinting Attacks and Length-Hiding Encryption. Cryptology ePrint Archive, Report 2020/824. https://eprint.iacr.org/2021/1027.
- Yoel Gluck, Neal Harris, and Angelo Prado. 2013. BREACH: Reviving the CRIME attack, Vol. 2013. Black Hat USA. http://breachattack.com
- Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, and Kenneth G. Paterson. 2018. Pump up the Volume: Practical Database Reconstruction from Volume Leakage on Range Queries. In ACM CCS 2018, David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang (Eds.). ACM Press, 315–331. https://doi.org/10.1145/3243734.3243864
- Andreas Hülsing, Tanja Lange, and Kit Smeets. 2018. Rounded Gaussians - Fast and Secure Constant-Time Sampling for Lattice-Based Crypto. In PKC 2018, Part II (LNCS, Vol. 10770), Michel Abdalla and Ricardo Dahab (Eds.). Springer, Heidelberg, 728–757. https://doi.org/10.1007/978-3-319-76581-5_25
- Svante Janson. 2006. Rounding of continuous random variables and oscillatory asymptotics. Ann. Probab. 34, 5 (09 2006), 1807–1826. https://doi.org/10.1214/009117906000000232
- Angshuman Karmakar, Sujoy Sinha Roy, Oscar Reparaz, Frederik Vercauteren, and Ingrid Verbauwhede. 2018. Constant-Time Discrete Gaussian Sampling. IEEE Trans. Comput. 67, 11 (2018), 1561–1571. https://doi.org/10.1109/TC.2018.2814587
- Georgios Kellaris, George Kollios, Kobbi Nissim, and Adam O'Neill. 2016. Generic Attacks on Secure Outsourced Databases. In ACM CCS 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM Press, 1329–1340. https://doi.org/10.1145/2976749.2978386
- John Kelsey. 2002. Compression and Information Leakage of Plaintext. In FSE 2002 (LNCS, Vol. 2365), Joan Daemen and Vincent Rijmen (Eds.). Springer, Heidelberg, 263–276. https://doi.org/10.1007/3-540-45661-9_21
- S. Kent. 2005. IP Encapsulating Security Payload (ESP). RFC 4303. IETF. http://tools.ietf.org/rfc/rfc4303.txt
- Solomon Kullback. 1959. Information Theory and Statistics. Wiley, New York.
- Marc Liberatore and Brian Neil Levine. 2006. Inferring the source of encrypted HTTP connections. In ACM CCS 2006, Ari Juels, Rebecca N. Wright, and Sabrina De Capitani di Vimercati (Eds.). ACM Press, 255–263. https://doi.org/10.1145/1180405.1180437
- David A. McGrew and John Viega. 2004. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In INDOCRYPT 2004 (LNCS, Vol. 3348), Anne Canteaut and Kapalee Viswanathan (Eds.). Springer, Heidelberg, 343–355.
- Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, and Erik Tews. 2014. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. In USENIX Security 2014, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 733–748.
- Daniele Micciancio and Michael Walter. 2017. Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time. In CRYPTO 2017, Part II (LNCS, Vol. 10402), Jonathan Katz and Hovav Shacham (Eds.). Springer, Heidelberg, 455–485. https://doi.org/10.1007/978-3-319-63715-0_16
- Jerzy Neyman and Egon Sharpe Pearson. 1933. IX. On the problem of the most efficient tests of statistical hypotheses. Philosophical Transactions of the Royal Society of London. Series A, Containing Papers of a Mathematical or Physical Character 231, 694–706 (1933), 289–337.
- Y. Nir and A. Langley. 2018. ChaCha20 and Poly1305 for IETF Protocols. RFC 8439. IETF. http://tools.ietf.org/rfc/rfc8439.txt
- Kenneth G. Paterson and Nadhem J. AlFardan. 2012. Plaintext-Recovery Attacks Against Datagram TLS. In NDSS 2012. The Internet Society.
- Kenneth G. Paterson, Thomas Ristenpart, and Thomas Shrimpton. 2011. Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol. In ASIACRYPT 2011 (LNCS, Vol. 7073), Dong Hoon Lee and Xiaoyun Wang (Eds.). Springer, Heidelberg, 372–389. https://doi.org/10.1007/978-3-642-25385-0_20
- Raphael C. W. Phan and Serge Vaudenay. 2009. On the Impossibility of Strong Encryption Over ℵ0. In Coding and Cryptology, Yeow Meng Chee, Chao Li, San Ling, Huaxiong Wang, and Chaoping Xing (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 202–218.
- Alfredo Pironti, Pierre-Yves Strub, and Karthikeyan Bhargavan. 2012. Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures. Research Report RR-8067. INRIA.
- Anup Rao and Amir Yehudayoff. 2020. Communication Complexity: and Applications. Cambridge University Press.
- Renato Renner. 2005. On the variational distance of independently repeated experiments. CoRR abs/cs/0509013 (2005). arXiv:cs/0509013 http://arxiv.org/abs/cs/0509013
- Leonid Reyzin. 2004. A note on the statistical difference of small direct products. Technical Report. Boston University Computer Science Department.
- Juliano Rizzo and Thai Duong. 2012. The CRIME attack. In ekoparty security conference, Vol. 2012.
- Phillip Rogaway. 2002. Authenticated-Encryption With Associated-Data. In ACM CCS 2002, Vijayalakshmi Atluri (Ed.). ACM Press, 98–107. https://doi.org/10.1145/586110.586125
- Amit Sahai and Salil P. Vadhan. 1997. Manipulating statistical difference. In Randomization Methods in Algorithm Design, Proceedings of a DIMACS Workshop, Princeton, New Jersey, USA, December 12–14, 1997 (DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Vol. 43), Panos M. Pardalos, Sanguthevar Rajasekaran, and José Rolim (Eds.). DIMACS/AMS, 251–270. http://dimacs.rutgers.edu/Volumes/Vol43.html
- Roei Schuster, Vitaly Shmatikov, and Eran Tromer. 2017. Beauty and the Burst: Remote Identification of Encrypted Video Streams. In USENIX Security 2017, Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 1357–1374.
- W. F. Sheppard. 1897. On the Calculation of the most Probable Values of Frequency-Constants, for Data arranged according to Equidistant Division of a Scale. Proceedings of the London Mathematical Society s1-29, 1 (11 1897), 353–380. https://doi.org/10.1112/plms/s1-29.1.353
- Cihangir Tezcan and Serge Vaudenay. 2011. On Hiding a Plaintext Length by Preencryption. In ACNS 11 (LNCS, Vol. 6715), Javier Lopez and Gene Tsudik (Eds.). Springer, Heidelberg, 345–358. https://doi.org/10.1007/978-3-642-21554-4_20
- M. Thomson. 2019. Example Handshake Traces for TLS 1.3. RFC 8448. IETF. http://tools.ietf.org/rfc/rfc8448.txt
- Martin Thomson and Sean Turner. 2021. Using TLS to Secure QUIC – draft-ietf-quic-tls-34. https://tools.ietf.org/html/draft-ietf-quic-tls-34.
- Serge Vaudenay. 2002. Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS.... In EUROCRYPT 2002 (LNCS, Vol. 2332), Lars R. Knudsen (Ed.). Springer, Heidelberg, 534–546. https://doi.org/10.1007/3-540-46035-7_35
- Andrew M. White, Austin R. Matthews, Kevin Z. Snow, and Fabian Monrose. 2011. Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks. In 2011 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 3–18. https://doi.org/10.1109/SP.2011.34
- T. Ylonen and C. Lonvick. 2006. The Secure Shell (SSH) Transport Layer Protocol. RFC 4253. IETF. http://tools.ietf.org/rfc/rfc4253.txt