On Hiding a Plaintext Length by Preencryption

Creative Commons License

Tezcan C., Vaudenay S.

9th International Conference on Applied Cryptography and Network Security (ACNS), Spain, 7 - 10 June 2011, vol.6715, pp.345-358

  • Publication Type: Conference Paper / Full Text
  • Volume: 6715
  • Doi Number: 10.1007/978-3-642-21554-4_20
  • Country: Spain
  • Page Numbers: pp.345-358
  • Middle East Technical University Affiliated: No


It is a well-known fact that encryption schemes cannot hide a plaintext length when it is unbounded. We thus admit that an approximation of it may leak and we focus on hiding its precise value. Some standards such as TLS or SSH offer to do it by applying some pad-then-encrypt techniques. In this study, we investigate the information leakage when these techniques are used. We define the notion of padding scheme and its associated security. We show that when a padding length is uniformly distributed, the scheme is nearly optimal. We also show that the insecurity degrades linearly with the padding length.