Most encrypted data formats leak metadata via their plaintext headers, such as format version, encryption schemes used, number of recipients who can decrypt the data, and even the recipients’ identities. This leakage can pose security and privacy risks to users, e.g., by revealing the full membership of a group of collaborators from a single encrypted e-mail, or by enabling an eavesdropper to fingerprint the precise encryption software version and configuration the sender used.
We propose that future encrypted data formats improve security and privacy hygiene by producing Padded Uniform Random Blobs or PURBs: ciphertexts indistinguishable from random bit strings to anyone without a decryption key. A PURB’s content leaks nothing at all, not even the application that created it, and it is padded such that even its length leaks as little as possible.
Encoding and decoding ciphertexts with no cleartext markers presents efficiency challenges, however. We present cryptographically agile encodings enabling legitimate recipients to decrypt a PURB efficiently, even when encrypted for any number of recipients’ public keys and/or passwords, and when these public keys are from different cryptographic suites. PURBs employ Padmé, a novel padding scheme that limits information leakage via ciphertexts of maximum length M to a practical optimum of O(log log M) bits, comparable to padding to a power of two, but with lower overhead of at most 12% and decreasing with larger payloads.
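The Padmé rule named above is short enough to show in full. The following is an added example, not code from the PURBs authors or their implementation: it implements the published Padmé definition (E = floor(log2 L), S = floor(log2 E) + 1, round L up to a multiple of 2^(E − S)) with exact integer bit operations, places it beside padding to the next power of two, and measures the two figures the abstract quotes, the worst-case overhead and the number of distinct padded sizes up to a maximum length M (an observer learns at most log2 of that count bits about the true length). The function names `padme`, `next_power_of_two`, `max_overhead` and `count_distinct_lengths` are this example's own.

```python
"""Padmé padding as published in the PURBs paper, written here as an added
example (not the authors' code).  Integer bit tricks replace floor(log2) so the
result is exact for every positive length."""
import math


def padme(length: int) -> int:
    """Return the Padmé-padded size for a payload of `length` bytes.

    E = floor(log2 L)      -> index of the highest set bit of L
    S = floor(log2 E) + 1  -> number of bits needed to write E
    The low (E - S) bits of the padded size are forced to zero, i.e. L is
    rounded up to the next multiple of 2**(E - S).
    """
    if length < 1:
        raise ValueError("Padmé is defined for positive lengths only")
    E = length.bit_length() - 1      # floor(log2 L), exact for ints
    S = E.bit_length()               # floor(log2 E) + 1, and 0 when E == 0
    last_bits = E - S                # low-order bits of precision to discard
    bit_mask = (1 << last_bits) - 1
    return (length + bit_mask) & ~bit_mask


def next_power_of_two(length: int) -> int:
    """Baseline the paper compares against: pad to the next power of two."""
    if length < 1:
        raise ValueError("length must be positive")
    return 1 << (length - 1).bit_length()


def overhead(pad, length: int) -> float:
    """Fractional padding overhead (padded - L) / L for padding function `pad`."""
    return (pad(length) - length) / length


def max_overhead(pad, lo: int, hi: int):
    """Worst-case overhead of `pad` over payload lengths lo..hi inclusive.

    Returns (ratio, length) for the first length attaining the maximum.
    """
    worst, worst_len = 0.0, lo
    for L in range(lo, hi + 1):
        r = overhead(pad, L)
        if r > worst:
            worst, worst_len = r, L
    return worst, worst_len


def count_distinct_lengths(pad, max_len: int) -> int:
    """Number of distinct padded sizes produced for payloads 1..max_len.

    A ciphertext length reveals at most log2(this count) bits about the
    true payload length, which is the leakage measure used in the abstract.
    """
    return len({pad(L) for L in range(1, max_len + 1)})


if __name__ == "__main__":
    # Constructed sample lengths; 129 bytes is where Padmé's overhead peaks.
    for L in (1, 9, 100, 129, 1000, 1025):
        print(f"L={L:5d}  padme={padme(L):5d}  pow2={next_power_of_two(L):5d}")
    M = 1 << 20
    for name, pad in (("padme", padme), ("pow2", next_power_of_two)):
        n = count_distinct_lengths(pad, M)
        r, L = max_overhead(pad, 1, 1 << 16)
        print(f"{name}: {n} distinct sizes up to {M} "
              f"(~{math.log2(n):.1f} bits leaked), worst overhead {r:.1%} at L={L}")
```

Running the script shows the trade-off the abstract describes: power-of-two padding leaks only about 4.4 bits up to a megabyte but can nearly double a payload, whereas Padmé's worst case over all lengths is 15 extra bytes on a 129-byte payload (about 11.6%, under the 12% bound), falls to roughly 6% and lower in higher octaves, and still keeps the number of distinguishable sizes in the low hundreds, about 8 bits, up to 2^20.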