Attacks only Get Better: How to Break FF3 on Large Domains

  • Conference paper
Advances in Cryptology – EUROCRYPT 2019 (EUROCRYPT 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11477)

Abstract

We improve the attack of Durak and Vaudenay (CRYPTO’17) on NIST Format-Preserving Encryption standard FF3, reducing the running time from \(O(N^5)\) to \(O(N^{17/6})\) for domain \(\mathbb {Z}_N \times \mathbb {Z}_N\). Concretely, DV’s attack needs about \(2^{50}\) operations to recover encrypted 6-digit PINs, whereas ours only spends about \(2^{30}\) operations. In realizing this goal, we provide a pedagogical example of how to use distinguishing attacks to speed up slide attacks. In addition, we improve the running time of DV’s known-plaintext attack on 4-round Feistel of domain \(\mathbb {Z}_N \times \mathbb {Z}_N\) from \(O(N^3)\) time to just \(O(N^{5/3})\) time. We also generalize our attacks to a general domain \(\mathbb {Z}_M \times \mathbb {Z}_N\), allowing one to recover encrypted SSNs using about \(2^{50}\) operations. Finally, we provide some proof-of-concept implementations to empirically validate our results.

Notes

  1. While Patarin’s attack is given for classic Feistel (meaning that \(N = 2^n\) and the underlying operator is xor), generalizing it to the FF3 setting is straightforward.

  2. While the notion of chosen-plaintext codebook-recovery attacks on blockciphers is folklore, one has to exercise some care in carrying this notion over to FPE, because FPE domains can be tiny. In the full version we give a formal definition of chosen-plaintext codebook-recovery attacks on FPE.

  3. In the NIST specification, the \(\boxplus\) operation is modular addition in \(\mathbb{Z}_N\) and \(\mathbb{Z}_M\), but here we consider a generic group operator. Moreover, FF3 uses a near-balanced Feistel network, so the values of M and N are very close: to encrypt m characters in radix d, \(M = d^{\lceil m/2 \rceil}\) and \(N = d^{\lfloor m/2 \rfloor}\).

  4. DV actually use different concrete choices of p and s to aggressively improve the recovery rate.

  5. To test whether, say, a \(\mathtt{U}\)-chain \((U_0, \ldots, U_{2p})\) contains at least p distinct elements, we only need to check that \(U_0 \not\in \{U_1, \ldots, U_{p-1}\}\), since \(|\{U_0, \ldots, U_{2p}\}| < p\) if and only if \(U_0\) lies on a cycle of length \(k < p\) in the functional graph of the permutation \(f(g(\cdot))\).

  6. While DV only consider balanced Feistel networks, their heuristic can easily be generalized to the general case. For completeness, in the proof of Lemma 1 we also describe this heuristic argument.

  7. Recall that our attack requires \(M \ge N \ge 64\). This ensures that \(m \le p\), so that we can select m right-matching messages from the p known messages.

  8. In fact, the dual version of Lemma 9 would yield the bound \(\frac{1}{1 + \epsilon^*}\), where \(\epsilon^* = \frac{M}{N - 9}\left( \frac{4}{N} + \frac{33 M}{(M - 2) N^2} + \frac{39}{N^2} \right)\). Concretely, for \(M = 100\) and \(N = 10\), the bound in our Lemma 9 is 0.9947, whereas its dual is much poorer, just 0.0089.

  9. We note that here \(\mu = 10\) means that the attack will iterate up to 10 times, each time with an independent choice of the initial node \(x^*\), until it succeeds in recovering the entire codebook. The expected number of iterations is often smaller than 10. For example, with \(M = 1000\) and \(N = 100\), empirically the attack succeeds at the first iteration, and thus it only performs a single iteration.

References

  1. Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_27

  2. Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018)

  3. Bellare, M., Hoang, V.T.: Identity-based format-preserving encryption. In: CCS 2017, pp. 1515–1532 (2017)

  4. Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 444–455. ACM Press, October 2016

  5. Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: CCS 2016 (2016)

  6. Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_19

  7. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

  8. Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial observations on Skipjack: cryptanalysis of Skipjack-3XOR (invited talk). In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–375. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_27

  9. Biryukov, A., Leurent, G., Perrin, L.: Cryptanalysis of Feistel networks with secret round functions. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 102–121. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_6

  10. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18

  11. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_41

  12. Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_9

  13. Brier, E., Peyrin, T., Stern, J.: BPS: a format-preserving encryption proposal. Submission to NIST (2010). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/bps/bps-spec.pdf

  14. Dara, S., Fluhrer, S.: FNR: arbitrary length small domain block cipher proposal. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 146–154. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12060-7_10

  15. Durak, F.B., Vaudenay, S.: Breaking the FF3 format-preserving encryption standard over small domains. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 679–707. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_23

  16. Durak, F.B., Vaudenay, S.: Generic round-function-recovery attacks for Feistel networks over small domains. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 440–458. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_23

  17. Durrett, R.: Random Graph Dynamics. Cambridge University Press, Cambridge (2008)

  18. Hoang, V.T., Morris, B., Rogaway, P.: An enciphering scheme based on a card shuffle. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 1–13. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_1

  19. Hoang, V.T., Rogaway, P.: On generalized feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33

  20. Hoang, V.T., Tessaro, S., Trieu, N.: The curse of small domains: new attacks on format-preserving encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 221–251. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_8

  21. Mattsson, U.: Format controlling encryption using datatype preserving encryption. Cryptology ePrint Archive, Report 2009/257 (2009). http://eprint.iacr.org/2009/257

  22. Morris, B., Rogaway, P.: Sometimes-recurse shuffle. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 311–326. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_18

  23. Motwani, R., Raghavan, P.: Randomized Algorithms. Cambridge University Press, Cambridge (1995)

  24. Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_25

  25. Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_14

  26. Ristenpart, T., Yilek, S.: The mix-and-cut shuffle: small-domain encryption secure against N queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 392–409. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_22

  27. Saltykov, A.: The number of components in a random bipartite graph. Discrete Math. Appl. 5(6), 515–524 (1995)

  28. Vance, J., Bellare, M.: Delegatable Feistel-based format preserving encryption mode. Submission to NIST, November 2015

Acknowledgments

We thank anonymous reviewers of EUROCRYPT 2019 for insightful feedback. Viet Tung Hoang was supported by NSF grants CICI-1738912 and CRII-1755539. Ni Trieu was supported by NSF award #1617197.

Author information

Corresponding author: Viet Tung Hoang

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Cite this paper

Hoang, V.T., Miller, D., Trieu, N. (2019). Attacks only Get Better: How to Break FF3 on Large Domains. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science, vol. 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17656-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3
