User experience of --hidden-recipient encryption

Andrey Utkin andrey.od.utkin at
Sun Jan 31 13:20:26 CET 2016

On 30.01.2016 14:36, Peter Lebbing wrote:
> On 29/01/16 19:32, Bjarni Runar Einarsson wrote:
>> Also, if I go with a), does that leak the fact that there were
>> hidden recipients? Does it leak how many?
> I'd say yes and yes. Every recipient has their own Public Key Encrypted
> Session Key (PKESK) packet with the (shared) session key encrypted to
> their key. The only difference between a regular recipient and a hidden
> one is that the regular ones identify which key the packet is meant for,
> whereas each hidden recipient has a packet without that identification.
> So the number of PKESK packets without identification is equal to the
> number of hidden recipients. It leaks that there were and how many there
> were, just like you can identify all non-hidden recipients by the
> remaining PKESK packets.

Leakage of exact number of hidden recipients can be mitigated by adding
random number of pseudo-recipients (e.g. generate some more keys on your
localhost and add them to recipients).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160131/d1be8df8/attachment.sig>

More information about the Gnupg-users mailing list