Advertisement

Breaking the FF3 Format-Preserving Encryption Standard over Small Domains

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10402)

Abstract

The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel structure based schemes called FF1 and FF3. Particularly, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS 2016, Bellare et al. gave an attack to break FF3 (and FF1) with time and data complexity \(O(N^5\log (N))\), which is much larger than the code book (but using many tweaks), where \(N^2\) is domain size to the Feistel network. In this work, we give a new practical total break attack to the FF3 scheme (also known as BPS scheme). Our FF3 attack requires \(O(N^{\frac{11}{6}})\) chosen plaintexts with time complexity \(O(N^{5})\). Our attack was successfully tested with \(N\leqslant 2^9\). It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Due to this weakness, we reduced the FF3 attack to an attack on 4-round Feistel network. Biryukov et al. already gave a 4-round Feistel structure attack in SAC 2015. However, it works with chosen plaintexts and ciphertexts whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack to 4-round Feistel network that reconstructs the entire tables for all round functions. It works with \(N^{\frac{3}{2}} \left( \frac{N}{2} \right) ^{\frac{1}{6}}\) known plaintexts and time complexity \(O(N^{3})\). Our 4-round attack is simple to extend to five and more rounds with complexity \(N^{(r-5)N+o(N)}\). It shows that FF1 with \(N=7\) and FF3 with \(7\leqslant N\leqslant 10\) do not offer a 128-bit security. Finally, we provide an easy and intuitive fix to prevent the FF3 scheme from our \(O(N^{5})\) attack.

Keywords

Format-preserving Encryption (FPE) Tweakable Block Cipher (TBC) Feistel Network (FN) Round Function Slide Attacks 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Format-Preserving Encryption (FPE) provides a method to encrypt data in a specific format into a ciphertext of the same format. A format in FPE schemes refers to a finite set of characters such as the decimal (or binary) numerals or alpha-numerals along with the length of the sequence of the characters that form the plaintexts. FPE has been staging in applied cryptography community due to the desirable functionality. It secures data while keeping the database scheme intact. For instance, given a legacy database system, upgrading the database security requires a way for encrypting credit card numbers (CCN) or social security numbers (SSN) in a transparent way to its applications.

Brightwell and Smith [9] introduced a first known format-preserving encryption which was termed as data-type preserving encryption in 1997. They wanted to encrypt an existing database to let all the applications access encrypted data just as they access non-encrypted data. Their solution for this was reduced to preserve the particular datatype of entries in the databases. The term format-preserving encryption is due to Terence Spies from Voltage Security [21]. Though FPE dates back to late 90’s, the demand to make FPE based databases has created an active area of research during last few years. There have been many techniques proposed to build FPE schemes such as prefix cipher, cycle walking, Feistel network, Feistel modes [2, 4, 5, 7, 16, 20, 21]. The complete list of FPE schemes for small domain size along with their description and their security level can be found in a synopsis by Rogaway [18, pp. 6, 7]. In his list, Rogaway considers the schemes that are built with pseudorandom functions (that itself might be constructed from block ciphers).

Probably, it is natural to build FPE schemes based on a Feistel network (FN) since it can be used with already existing conventional block ciphers, such as AES. Indeed, the National Institute of Standards and Technology (NIST) published an FPE standard [1] (finalized in March 2016) that includes two-approved Feistel-based FPE schemes: FF1 [5] and FF3 [8]. Both are expected to offer a 128-bit security. In this work, we are particularly interested in the attacks for breaking the FN-based standard FF3 [1] and attacks against Feistel network. The former attack utilizes the latter that is designed as a generic round-function-recovery attack.

The FF3 construction is an 8-round FN that uses a tweak XORed with a round counter as an input to the block cipher. The XOR operation guarantees that round functions are pairwise different. This is usually called “domain separation”. The security of FF3 asserts that it achieves several cryptographic goals including chosen-plaintext security or even PRP-security against an adaptive chosen-ciphertext attack under the assumption that the underlying round function is a good pseudorandom function (PRF). Our work shows that its security goal has not met even when the round functions are replaced by secure PRFs and gives a round-function-recovery attack on FF3.

Our Contributions. Our work covers three significant contributions. (a). We give a total practical break to 8-round Feistel network based FF3 FPE standard over a small domain. Our attack exploits the “bad domain separation” in FF3. Namely, the specific design choice of FF3 allows us permuting the round functions by changing the tweak and it leads us to develop a slide attack (using only two tweaks). The attack works with chosen plaintexts and tweaks when the message domain is small. It requires \(O(N^{\frac{7}{4}+ \frac{1}{4L}})\) chosen plaintexts and two tweaks, with time complexity \(O(N^{5})\), where \(N^2\) is input domain size to the Feistel network and L is a parameter in our attack which is typically set to \(L=3\) in experimental results. Luckily, the fix to prevent FF3 against our attack is quick and easy to maintain without changing the main structure of the scheme. (b). While we form our slide attack to break FF3, we develop a new generic known-plaintext attack on 4-round Feistel networks and we insert it in our slide attack. Our techniques to develop a 4-round attack is novel and different than previously known attacks on Feistel networks. In our attack, we compute the full recovery of round functions with \(N^{\frac{3}{2}} \left( \frac{N}{2} \right) ^{\frac{1}{2L}}\) known plaintext and time complexity \(O(N^{2+\frac{3}{L}})\) for four rounds. (c). We utilize our 4-round FN attack to extend the round function recovery on more rounds. Due to the generic and known plaintext nature of our 4-round FN attack, we easily adapt it to a chosen-plaintext attack to apply it on 5 and more rounds Feistel structures. Our attack shows that neither FF1 with \(N=7\) nor FF3 with \(7\leqslant N\leqslant 10\) (even with our fix) offer a 128-bit security.

Overview Of Previous Works. A security for message recovery in FPE constructions along with many other notions for FPE was first defined by Bellare et al. [4]. A recent work by Bellare et al. [3] gives a practical message recovery attack on NIST standard Feistel-based FPE schemes (both FF1 and FF3) on small domain sizes. In their work, however, the security definition they consider is under the new message recovery security that they define in the same work. Briefly, consider two messages X and \(X'\) which share the same right (or left) half of the messages. In their attack, the adversary is given \(X'\) together with the encryption of X and \(X'\) under q tweaks. The adversary wins if it can fully recover X, in particular, its unknown half. The attack by Bellare et al. uses a data complexity that exceeds the message space size. Clearly stating, their work shows that Feistel-based FPE with the standardized number of rounds does not achieve good enough security on small domain sizes.

The attack by Bellare et al. works using \(O(N^{5} \log N )\) data and time complexity with many tweaks on eight rounds. This is quite interesting when the amount of data is limited for each tweak. It is a decryption attack. Our attack herein is more traditional. It uses only two tweaks, but \(O(N^{\frac{11}{6}})\) chosen plaintexts with \(O(N^5)\) time complexity. We recover the entire codebook (for both tweaks).

To apply the slide attack to recover the entire round functions of Feistel networks, we develop a generic known-plaintext attack on 4-rounds.

Since its invention, Feistel networks have created active research areas for cryptographers (both in theory and in practice) due to its applications and influence on the development of major constructions such as DES. The security for Feistel networks has been investigated for very long time and there already exist interesting results for cryptanalysis. The security of Feistel schemes aims either to distinguish a Feistel scheme from a random permutation or to recover the round functions. In their famous work [15], Luby and Rackoff proved the indistinguishability of 3-round Feistel network against chosen-plaintext attacks and 4-rounds against chosen-plaintext and ciphertext attacks for the number of queries \(q \ll \sqrt{N}\), where \(N^2\) is the size of the input domain. The directions derived from this result tried to improve the security bounds until \(q \ll N\) (that is called the “birthday bound”) which was a natural bound from information theory.1 A work by Patarin [17], using the mirror theory, showed improved proofs and stronger security bounds for four, five, and six rounds Feistel networks. Namely, for \(q \ll N\), four rounds are secure against known-plaintext attacks, five rounds are secure against chosen-plaintext attacks, and six rounds are secure against chosen-plaintext and ciphertext attacks.

From an information theory viewpoint, we could recover all functions in time \(N^{\mathcal {O}(N)}\) by exhaustive search. As far as we know, there is no efficient generic attack which is polynomial in N on the Feistel scheme with \(q\sim N\). Our attack uses \(q\sim N^{\frac{3}{2}}\) and is polynomial in N with known plaintexts up to four rounds.

A recent work by Dinur et al. [11] gives a new attack on Feistel structures for more than four rounds to recover the round keys with a few known plaintext/ciphertext pairs when the \(i^{th}\) round uses \(\mathsf {x} \mapsto F_{i}(x \oplus k_i)\), where \(F_i\) is public whereas \(k_i\) is being kept secret. Here, we focus on the case where each round function is secret in a balanced 2-branch Feistel scheme. Furthermore, we do not restrict to the XOR addition. Our results also apply to Feistel schemes with modular addition. The new cryptanalysis results against Feistel networks with modular addition for four and five rounds are presented in a recent work by Biryukov et al. [6]. For four rounds, they achieve the full recovery of round functions with data complexity \(O(N^{\frac{3}{2}})\) with a guess and determine technique. However, their attack uses chosen plaintexts and ciphertexts. We summarize their results and ours on Table 1.
Table 1.

Round-function-recovery attacks against balanced Feistel schemes with two branches of \(\log _2N\) bits and any addition rule (we omitted polynomial terms in \(\log N\))

# rounds

Mode

Time

Data

Ref

3

Known-plaintext

N

N

Section 4.1

4

Chosen-plaintext and ciphertext

\(N^{\frac{3}{2}}\)

\(N^{\frac{3}{2}}\)

[6]

4

Known-plaintext (tested for \(L=3\))

\(N^{2+\frac{3}{L}}\)

\(N^{ \frac{3}{2} + \frac{1}{2}L }\)

Section 4.2

5

Chosen-plaintext and ciphertext

\(N^{N^{\frac{3}{4}}}\)

\(N^2\)

[6]

5

Chosen-plaintext

\(N^{O(N^{\frac{1}{2}})}\)

\(N^{\frac{3}{2}+\frac{1}{2}L}\)

Section 4.3

\(r\geqslant 6\)

Chosen-plaintext

\(N^{(r-5)N}\)

\(N^{\frac{3}{2}+\frac{1}{2}L}\)

Section 4.3

Structure of the Paper. In Sects. 2 and 3, we give the details of FF3 construction and Tweakable Encryption, respectively. In Sect. 4, we develop our new generic attack for Feistel structure on specifically 4-rounds and extend it on 5 and more rounds. In Sect. 5, we give our complete slide attack to a NIST standard FF3 scheme.

2 The FF3 Scheme

A Tweakable Format-Preserving Encryption (TFPE) scheme is a block cipher that preserves the format of the domain in the output. A TFPE function \(E: \mathcal {K} \times \mathcal {T} \times \mathcal {X} \mapsto \mathcal {X}\) is defined from a key space \(\mathcal {K}\), a tweak space \(\mathcal {T}\), and a domain \(\mathcal {X}\) to the same domain \(\mathcal {X}\). We are particularly interested in a TFPE scheme by Brier, Peyrin, and Stern (depicted in Fig. 1(b)) [8] whose design is based on Feistel network depicted in Fig. 1(a). It is named as FF3 in the NIST standards.
Fig. 1.

4-round Feistel network and FF3 encryption

We use the following notations for the rest of the paper. The domain \(\mathcal {X}\) consists of strings of characters; s represents the cardinality of the set S of characters and b represents the length of the messages in the domain \(\mathcal {X}\). For example, the credit card numbers (CCNs) consists of 16 digits of decimal numerals with \(S= \{0,1, \ldots , 9\}\), \(s=10\) and \(b=16\) where we have \(10^{16} \cong 2^{54}\) possible distinct numeral strings. We set the minimum length of the message block \(minlen=2\) and the maximum length of the message block to \(maxlen=\lfloor \log _{s}(2^{f-32})\rfloor \), where \( f \) is the input/output size of the round function used in Feistel scheme in FF3.2 We represent the number of rounds in the scheme with \( w \).

Unlike standard Feistel schemes which use the exclusive or (XOR) (denoted by \(\oplus \)), FF3 uses the modular addition that is denoted by \(\boxplus \).

We define the following notations for three functions:

\({\mathbf{{STR^{b}_s:}}}\) a function that maps an integer x where \(0 \leqslant x < s^b\) to a string of length b in base s with most significant character first, e.g. \(STR^{4}_{12}(554)= 03A2\).

\({\mathbf{{NUM_{s}:}}}\) a function that maps a string X to an integer x such that \(STR^{b}_{s}(x)=X\). For instance, \(NUM_{2}(00011010)=26\).

\({\mathbf{{REV(X):}}}\) a function that reverses the order of the characters of string X.

The length of string X is denoted by |X|. The concatenation of strings is denoted by ||. The first (left-most) character of string X is X[0]. The \(i^{th}\) one is \(X[i-1]\). We denote \(X[a \cdots b]\) the substring of X formed with \(X[a]X[a+1] \cdots X[b]\).

The FF3 uses a tweakable block cipher as a round function, \(F_{K}(T,X)=Y\) with \(X,Y \in \{0,1,\ldots ,2^{ f }-1\}\) and \(T \in \{0,1\}^{32}\), where K is a key and T is one half of the FF3 tweak with an offset.

In lines 1–2, the encryption algorithm splits the input X into two substrings \(L_0\) and \(R_0\). In lines 5–8 (respectively in lines 10–12), the algorithm first takes the tweak \(T_{R}\) (respectively \(T_L\)) XORed with the encoded round index \( i \) and \(R_i\) (respectively \(L_i\)) to input tweakable PRF \(F_{K}\). Second, it applies modular addition of the output of \(F_{K}\) to \(L_i\) (respectively \(R_i\)).

For simplicity and by abuse of notations, we say that FF3 encrypts the plaintext \((L_{0}, R_{0})\) into the ciphertext \((L_{ w }, R_{ w })\) with tweak \((T_{L}, T_{R})\), so that we only concentrate on lines 4–14. We illustrate the 4-round FF3 scheme in Fig. 1(b).

In concrete proposal, \( w =8\), \( f =128\) and
$$\begin{aligned} F_{K}(T,X)= NUM_{2}(AES_{K}(T~||~STR_{2}^{ f -32}(X))) \end{aligned}$$
where AES maps an \( f \)-bit bitstring to an \( f \)-bit bitstring [1].

3 Tweakable Encryption

A tweakable block cipher (TBC) is a tuple \((\mathcal {K}, \mathcal {E}_{K}(\cdot , \cdot ), \mathcal {D}_{K}(\cdot , \cdot ))\) formed of three algorithms for key generation, encryption, and decryption with a key K; all efficiently computable algorithms. We follow the notion of security from [13] as chosen-plaintext-secure (CPA) tweakable block cipher.

Definition 1

A TBC is a \((q,t,\epsilon )\)-CPA-secure cipher if for any probabilistic time adversary \(\mathcal {A}\) limited to t steps and q oracle queries, the advantage of distinguishing TBC from \(\Pi \) is bounded by \(\epsilon \):
$$\begin{aligned} Adv^{TBC}(\mathcal {A})=\left| \Pr \left[ \mathcal {A}^{\mathcal {E}_{K}(\cdot , \cdot )}=1 \right] - \Pr \left[ \mathcal {A}^{\Pi (\cdot , \cdot )}=1 \right] \right| \leqslant \epsilon \end{aligned}$$
where \(K \in \mathcal {K}\) is selected at random and \(\Pi (T, \cdot )\) is defined as a random permutation for every T.

In the standard model, the tweakable block ciphers [4, 14] are used to construct tweakable format-preserving encryption schemes since tweakable encryptions provide better security bounds for tweakable FPE in terms of the number of chosen plaintext/ciphertext to attack the system [4].

It is underlined in [8] that using the same round function F twice during an encryption process can introduce some security vulnerability to the system. So, the domain of the tweaks in different rounds must be separated. For this, the scheme in [8] XORs tweaks with a round counters. However, this way to separate domains is not fully effective. Indeed, the tweaks are known to the adversary and are under adversary’s control in chosen-tweak attacks. Consider two 4-round Feistel networks with tweaks \(T_{R}\) and \(T_{L}= T_{R} \oplus STR_{2}^{32}(1)\). For the first round, we have the tweak \(T_{R} \oplus STR_{2}^{32}(0) = T_{R}\) and the second round we have \(T_{L} \oplus STR_{2}^{32}(1)=T_{R}\). Then, for the third round \(T_{R} \oplus STR_{2}^{32}(2)\) and fourth round \(T_{L} \oplus STR_{2}^{32}(3)=T_{R} \oplus STR_{2}^{32}(2)\). We observe the following behavior: round \(2 i \) and \(2 i +1\) uses the same function \(F_i=F_K(T_R \oplus STR_{2}^{32}(2 i ), \cdot )\).
Fig. 2.

Trivial attack on 8-round FF3 encryption with \(\oplus \) instead of modular addition \(\boxplus \).

For a variant of FF3 with \(\oplus \) instead of \(\boxplus \), we present a trivial attack: Consider an FF3 encryption with a key \(K \in \mathcal {K}\), a tweak \(T=T_{L}||T_{R} \in \mathcal {T}\) and domain \(\mathcal {X}\). Each round \( i \) defines a random function \(F_{ i }=F_{K}(T_{R} \oplus STR_{2}^{32}( i ), \cdot )\) for \( i \) even (\(F_{ i }=F_{K}(T_{L} \oplus STR_{2}^{32}( i ), \cdot )\) for \( i \) odd). We use the encryption with an input message \(X=(L_{0}, R_{0})\) and output ciphertext \(Y=(L_{ w }, R_{ w })\) with output \(X_ i \) from each round in Fig. 2(a). We assume that \( b \) is even so that \(\ell = r \). Now, we take the ciphertext Y from Fig. 2(a) and reverse it into \((L'_{0},R'_0)= (R_{ w }, L_{ w })\) to encrypt it with a new tweak \(T'=T_{R} \oplus STR_{2}^{32}( w -1) || T_{L} \oplus STR_{2}^{32}( w -1) \in \mathcal {T}\). We show this encryption in Fig. 2(b). We assume that \( w \) is a power of two (Fig. 2 uses \( w =8\)). With given encryption, we obtain the round functions \(F'_{ i }=F_{ w -1- i }\) as shown on Fig. 2(a). More precisely, the attack works as follows:
  • \(\circ \) Encrypt \((L_{0},R_{0})\) with the tweak T to get \((L_{ w }, R_{ w })\).

  • \(\circ \) Encrypt \((R_{ w }, L_{ w })\) with the tweak \(T'\) to get \((L', R')\).

  • \(\circ \) If \(L'=R_{0}\) and \(R'=L_{0}\), output 1. Otherwise, output 0.

The adversary always outputs 1 with \(\mathcal {E}_{K}\). It outputs 1 with \(\Pi (\cdot , \cdot )\) with probability \(\frac{1}{s^b}\). Therefore, the advantage is \(1-\frac{1}{s^b}\).

4 Known-Plaintext Round-Function-Recovery Attack on Feistel Scheme

In this section, we define the Feistel network over a group of order \(\mathsf {N}\). Typically, this group is \(\mathbb {Z}_{\mathsf {N}}\). Later in Sect. 5, we assume \(\mathsf {b}\) is even and \(\mathsf {N}=s^{\frac{b}{2}}\).

First of all, we observe that the round functions are not uniquely defined by the codebook. Namely, if \((F_0,\ldots ,F_{r-1})\) is a solution to map given sample plaintexts to the corresponding ciphertexts, then we can construct many other solutions. Indeed, for any set of values \(\alpha _0,\ldots ,\alpha _{r-1}\) such that \(\alpha _1+\alpha _3+\alpha _5+\cdots =\alpha _0+\alpha _2+\alpha _4+\cdots =0\), we can define
$$\begin{aligned} F'_j(u)=F_j(u-\alpha _{j-1}-\alpha _{j-3}-\alpha _{j-5}-\cdots )+\alpha _j \end{aligned}$$
for all j and u to obtain another solution. Therefore, we can fix one point arbitrarily in \(F_0,\ldots ,F_{r-3}\) when looking for a solution. All the other solutions are obtained by the above transformation of the round functions.

The rest of the section is organized as follows: in Sect. 4.1, we give a heuristic attack for 3-round FN and analyze its time complexity. We report the ratio of success recovery in Fig. 3 with the parameters the attack takes. In Sect. 4.2, we give an attack for 4-round FN that leverage our 3-round attack. The correctness and further analysis is presented with formally stated lemmas. In Sect. 4.3, we expand our attack for five rounds and more and derived the time complexities.

4.1 Round-Function-Recovery on 3-Round Feistel Scheme

Consider a 3-round Feistel Scheme with three round functions \(F_0, F_1, F_2\) and modular addition. Given x and y in \(\mathcal {X}\), we define:
$$\begin{aligned} \begin{aligned} c&= x+F_0(y),\\ t&= y+F_1(c),\\ z&= c+F_2(t). \\ \end{aligned} \end{aligned}$$
(1)
Due to the symmetry of the set of solutions \((F_0,F_1,F_2)\) (as already observed), we can fix \(F_0\) on one point arbitrarily. The idea of our attack is to concentrate on data for which we know how to evaluate \(F_0\) so that we can deduce the output for the round function \(F_2\). Then, we concentrate on data for which we know how to evaluate \(F_2\) and we deduce more points in \(F_0\). We continue by alternating the deduction between \(F_0\) and \(F_2\) until we recover them all. When we continue iterating as described, we can fully recover the tables for all three round functions \((F_0, F_1, F_2)\). Our attack is presented in Algorithm 2 in more detail.

We model our set S as a bipartite graph with two parties of N vertices (one for the y’s and the other for the t’s) and edges for each (yt) pair represented by tuples from S. What our algorithm does is just to look for a connected component of a random starting point y with complexity \(O(\theta N)\). Following the theory of random graphs [19], we have \(\theta N\) random edges so that the graph is likely to be fully connected when \(\theta \approx \ln (N)\). For a constant \(\theta \geqslant 1\), it is likely to have a giant connected component. This component corresponds to a constant fraction of the tables of \(F_0\) and \(F_2\). Therefore, after \(\log _{\theta }N\) iterations, we can reconstruct \(F_0\) and \(F_2\) which allow us to reconstruct \(F_1\). For any y, we can see that it does not appear in S with probability \(\left( 1- \frac{1}{N} \right) ^{\theta N} \approx 1 - e^{-\theta }\). Thus, we can only hope to recover a fraction \(1- e^{- \theta }\) of the table of \(F_0\). The same holds for \(F_1\) and \(F_2\). Therefore, with data and time complexity N, we recover a good fraction of all tables. With data and time complexity \(N\ln N\), we recover the full tables with good probability.

We implemented our attack. On Fig. 3, we plot the average fraction of recovered \(F_0\) values depending on \(\theta \) for several values of N. For this, we computed an average over 10,000 independent runs. For \(\theta =1\), the fraction is about \(40\%\). We also plot the fraction of the trials which fully recovered all functions. These two values can be taken as an approximation of the expected fraction of recovered table for \(F_0\) and the probability to fully recover all functions, respectively. As we can see, the first value does not depend so much on N (we have a giant connected component for \(\theta \) around 1), but the second one jumps for \(\theta \) proportional to \(\ln N\) (the graph becomes fully connected). For \(\theta =\ln N\), the probability is roughly \(\frac{1}{3}\).
Fig. 3.

Fraction of recovered \(F_0\) depending on \(\theta \) in the 3-round attack (in thin) and fraction of experiments which fully recovered all functions (in bold) over 10,000 trials.

4.2 Round-Function-Recovery on 4-Round Feistel Scheme

In this section, we give an attack to fully recover the round functions of a 4-round Feistel scheme.

Consider a 4-round Feistel scheme with round functions \(F_{0}, F_{1}, F_{2}, F_{3}\). Given x and y in \(\mathcal {X}\), we define the following equations (see Fig. 4(a)):
$$\begin{aligned} c= & {} x+F_0(y),\\ d= & {} y+F_1(c),\\ z= & {} c+F_2(d), \\ t= & {} d+F_3(z). \end{aligned}$$
Assume that we collected M random pairwise different plaintext messages (xy). We collect the pairs:
$$\begin{aligned} V=\{(xy , x'y')~ |~ z'=z, t'-y'=t-y, xy \ne x'y'\} \end{aligned}$$
 and,
$$\begin{aligned} V_{good}=\{(xy , x'y') ~ | ~ z'=z, c'=c, xy \ne x'y' \} \end{aligned}$$
where cdzt (respectively \(c',d',z',t'\)) are defined from (xy) (respectively form \((x'y')\)) as above. We define \(Label(xy, x'y')=x-x'\).
Fig. 4.

4-round Feistel scheme attack

We form a directed graph \(G=(V,E)\) with the vertex set V as defined above. We take \((x_1y_1x'_1y'_1,x_2y_2 x'_2y'_2) \in E\) if \(y'_1=y_2\) (i.e. a pair of tuples \(x_{1}y_{1}x'_1y'_1\) is connected to a pair \(x_2y_2x'_2y'_2\) if the \(y_2\) in the second message in former tuple is same as in the first message in latter tuple). Furthermore, we let \(E_{good}=(V_{good} \times V_{good}) \cap E\) and define the sub-graph \(G_{good}=(V_{good}, E_{good})\).

Then, we have the following Lemma with four properties:

Lemma 1

Given a graph G with a vertex set V defined as above:
  1. 1.

    \(V_{good} \subseteq V\).

     
  2. 2.

    If \((xy,x'y') \in V\), then \(y \ne y'\).

     
  3. 3.

    If \((xy,x'y') \in V_{good}\), then \(F_{0}(y') - F_{0}(y) = Label(xy,x'y')\).

     
  4. 4.

    For all cycles \(v_{1}v_{2}\cdots v_{L}v_{1}\) of \(G_{good}\), \(\sum _{i=1}^{L}Label(v_{i})=0\).3

     

Proof

The proofs are straightforward:
  1. 1.

    Clearly, \(z'=z\) and \(c'=c\) imply that \(t'-y'=t-y\), hence \(V_{good} \subseteq V\).

     
  2. 2.

    If \(t'-y'=t-y\) and \(y'=y\), then \(t'=t\). If we further have \(z'=z\), then we deduce \(c'=c\). If \(c'=c\), then \(x'=x\), thus \(xy=x'y'\). Hence, we cannot have \((xy,x'y') \in V\).

     
  3. 3.

    If \(c'=c\) then \(F_0(y')-F_0(y)=x-x'=Label(xy,x'y')\).

     
  4. 4.

    Let \(v_i=(x_iy_i,x'_iy'_i)\). If \(v_i \in V_{good}\) then \(F_0(y'_i)-F_0(y_i)=Label(v_i)\). If we have a cycle then \(y'_i=y_{i+1}\) with \(y_{L+1}=y_1\). Hence, \(\sum _i Label(v_i)=0\).   \(\square \)

     

The principle of our attack is as follows: if we get vertices in \(V_{good}\), the property 3 from Lemma 1 gives equations to characterize \(F_{0}\). One problem is that we can identify vertices in V, but we cannot tell apart good and non-good (bad) ones. One way to recognize good vertices is to use property 4 in Lemma 1: to find cycles with zero sum of labels. For this, we will prove in Lemma 4 that this is a characteristic property of good cycles, meaning that all the vertices in these cycles are good vertices. First, we estimate the number of vertices and edges with the following two Lemma.

Lemma 2

For \(x,y,x',y'\) random and \(F_{0}, F_{1}, F_{2}, F_{3}\) random,
$$\begin{aligned} \Pr [(xy,x'y') \in V_{good}~ |~ (xy,x'y') \in V]= \frac{1}{2 - \frac{1}{N}} \approx \frac{1}{2}. \end{aligned}$$

Proof

We compute the following probabilities:
$$\begin{aligned} \Pr [xy,x'y' \in V_{good}]= & {} \Pr [z'=z, c'=c, x'y' \ne xy] \nonumber \\= & {} \Pr [z'=z, c'=c, y' \ne y] \nonumber \\= & {} \Pr [y'\ne y] \Pr [c'=c ~|~y' \ne y] \Pr [z' = z ~|~ c'=c, y' \ne y] \nonumber \\= & {} \left( 1- \frac{1}{N} \right) \frac{1}{N^2}. \end{aligned}$$
(2)
$$\begin{aligned} \Pr [xy,x'y' \in V \setminus V_{good}]= & {} \Pr [z'=z, t'-y'=t-y, c' \ne c, xy \ne x'y'] \\= & {} \Pr [z'=z, d'-y'=d-y, c' \ne c, y' \ne y] \\= & {} \Pr [y' \ne y] \Pr [c' \ne c~|~y' \ne y] \\&\Pr [d'-y'=d-y~|~y' \ne y, c' \ne c] \\&\Pr [z'=z~|~d'-y'=d-y, y' \ne y, c' \ne c] \\= & {} \left( 1- \frac{1}{N}\right) \left( 1- \frac{1}{N}\right) \left( \frac{1}{N} \right) \left( \frac{1}{N} \right) . \end{aligned}$$
Hence,
$$\begin{aligned} \Pr [xy,x'y' \in V_{good}~|~xyx'y' \in V]= & {} \frac{\Pr [xy,x'y' \in V_{good}]}{\Pr [xy,x'y' \in V]} \\= & {} \frac{1}{1 + \frac{\Pr [xy,x'y' \in V \setminus V_{good}]}{\Pr [xy,x'y' \in V_{good}]}} \\= & {} \frac{1}{2- \frac{1}{N}}\approx \frac{1}{2}. \end{aligned}$$
   \(\square \)

Lemma 3

The expected number of elements in \(V_{good}\) is \(\frac{M(M-1)\left( 1- \frac{1}{N} \right) }{N^{2}} \approx \frac{M^{2}}{N^{2}}\).

Proof

We have \(M(M-1)\) possible pair of tuples \(xy,x'y'\) with \(xy\ne x'y'\) to construct \(V_{good}\). From Eq. (2), the probability of each vertex in \(V_{good}\) is \(\frac{1}{N^{2}} \left( 1 - \frac{1}{N} \right) \). Thus, we expect to have \(\frac{M(M-1)\left( 1- \frac{1}{N} \right) }{N^{2}} \approx \frac{M^{2}}{N^{2}}\) elements in \(V_{good}\).   \(\square \)

We have the property that for each cycle \(v_{1}v_{2} \cdots v_{L}v_{1} \in G\), if \(v_{1}, \ldots ,v_{L}\) are all in \(V_{good}\), then the sum of \(Label(v_{i})\) is zero due to Lemma 1, property 4. If one vertex is not good, the sum may be random. This suggests a way to find good vertices in V that is to look for long cycles in G with a zero sum of labels.

Lemma 4

(\(L=2\) case). If \(v_1=(x_1y_1,x'_1y'_1)\) we say that \(v_1\) and \(v_2\) are permuting if \(v_2=(x'_1y'_1,x_1y_1)\). If \(v_{1}v_{2}v_{1}\) is a cycle in G with zero sum of labels, and \(v_{1}, v_{2}\) are not permuting, then \(v_{1}\) and \(v_{2}\) are likely to be good. More precisely, for \(v_{1}=(x_{1}y_{1}x'_{1}y'_{1})\) and \(v_{2}=(x_{2}y_{2}x'_{2}y'_{2})\) random, we have \(\Pr [v_{1},v_{2} \in V_{good} ~|~ v_{1}v_{2}v_{1} ~ \text {is a cycle}, v_{1}, v_{2} ~\text {not permuting}, \sum _{i=1}^{2}Label(v_{i}) = 0] \geqslant \frac{1}{1+\frac{10}{N-5}}\).

The proof for Lemma 4 is in Appendix A.1. We believe that Lemma 4 remains true for valid cycles of small length except in trivial cases. In Appendix A.2, we extend to \(L>2\) for cycles satisfying some special non-repeating condition \([\lnot \mathsf {repeat}]\) on the c and d values to rule out many trivial cases. However, this condition \([\lnot \mathsf {repeat}]\) cannot be checked by the adversary. Instead, we could just avoid repetitions of any message throughout the cycle (as repeating messages induce repeating c’s or d’s). We use the following conjecture (which is supported by experiment for \(L=3\)).

Conjecture 1

If \(v_1v_2 \cdots v_Lv_1\) is a cycle of length L in G with zero sum of labels and the vertices use no messages in common, then \(v_1 \cdots v_L \)are all good with probability close to 1.

For M known plaintexts, the expected number of valid cycles in \(G_{good}\) of a given length L is \(\frac{M^{2L}}{N^{3L}}\).

The aim of our attack is to collect as many \(F_0\) outputs as possible to reconstruct a table of this function. Thus, we are interested in vertices whose labels are defined as \(Label(v_i)=F_0(y)-F_0(y'), \forall i \in \{0,1, \ldots , |V|\} \) and we generate another graph to represent the collection of many independent equations for \(F_0\).

We have a valid cycle \(v_1v_2 \cdots v_Lv_1\) of length L in G when \(v_i \in V\),
$$\begin{aligned} \sum _{i=1}^{L} Label(v_i)=0 \end{aligned}$$
and vertices use no messages in common. Now, let us define an undirected graph \(G'=(V', E')\), where \(V'=\{0,1, \ldots , N-1\}\) and \(E'\) is defined as follows: for each vertex \(v_i=(xy,x'y')\) in a valid cycle \(v_1v_2 \cdots v_Lv_1\) of length L, add \(\{ y_i,y'_i \}\) as an edge in \(E'\) with label set to \(Label(v_i)\). The purpose of such a graph \(G'\) is to put y values which are dependent on each other in a single connected component and put apart with independent y values in separate connected components.

When we model \(G'\) as a random graph, we can adjust M so that we can have a large connected component in \(G'\). Given the vertex set size \(|V'|=N\) and the edge size \(|E'|=m\), \(m= \frac{N(N-1)}{2}p\), where p is the probability that \(G'\) has an edge between two vertices. From Erdős-R\(\acute{e}\)nyi model [12] on random graphs, we want \(Np \geqslant 1\). We know that \(Np \sim 2\frac{m}{N}\). So, we want \(m \geqslant \frac{N}{2}\). We have \(\frac{M^{2L}}{L\cdot N^{3L}}\) expected good cycles (counted without repetition of their L circular rotations) of length L, thus \(m \sim \frac{M^{2L}}{N^{3L}}\). Therefore, we need to set \(M = \lambda N^{ \frac{3}{2}} \left( \frac{N}{2}\right) ^{\frac{1}{2L}}\) for a constant \(\lambda \geqslant 1\) to have a large connected component in \(G'\). Our attack works with \(M= N^{\frac{3}{2} + \epsilon }\) for \(\epsilon > 0\) small, with complexity \(O(2^{L}N^{(1+2\epsilon )L})\) and a constant probability of success. If our attack recovers at least \(\sqrt{N}\) points in \(F_0\) correctly (which is the case when we have a large connected component in \(G'\)), we obtain \(M\times \frac{\sqrt{N}}{N} \gg N\) samples to apply the attack on 3-rounds so that it recovers a good fraction of \(F_1\), \(F_2\), \(F_3\). It is enough to bootstrap a yoyo attack (Steps 9–18 of Algorithm 3). And, our attack succeeds.

Now, we give the full algorithm of our attack to 4-round Feistel scheme.

Experimentally, we noticed that \(\lambda =0.8\) is too small to obtain a large enough connected component for \(L=3\). Conversely, for \(\lambda =2\), \(G'\) is more connected but the giant component contains many bad edges that we want to avoid.

Let \(E_{j}\) be the event that the sizes of the \(\mathsf {j}\) largest connected components sum to greater than \(\sqrt{N}\) with no bad edges in \(G'\). Let \(E_{\leqslant j}\) be the event that either of \(E_1, E_2, \ldots ,E_j\) occurs. We simulated the attack for various N values and \(\lambda =1,2,3\) and report the numbers for \(E_{\leqslant 1}, E_{\leqslant 2}, E_{\leqslant 3}\) on Table 2. When we read the table, by taking \(\lambda =1\) and \(\mathsf {j}=3\), our attack recovers \(\sqrt{N}\) points of \(F_0\) with probability at least \(23~\%\). In our attack, if we look at \(\mathsf {j}\) connected components, we need to multiply the complexity by \(N^{j-1}\) (We can fix \(F_0\) on one point for free, then all values in its connected components are inferred, but for each additional connected component, we must guess one value of \(F_{0}\)). It is likely that we can mitigate this \(N^{j-1}\) factor by early abort during the attack on 3-rounds.

In our experiments, we observe better success probability of our attack with \(\lambda =1\). With \(\lambda \) larger, the attack hardly ever succeeds. It may look paradoxical to say that if \(\lambda \) is too large, then the attack fails, but this is due to higher chances to collect bad edges. However, when \(G'\) is heavily connected, we could propose algorithms to eliminate inconsistencies in labels and get rid of bad edges. It means that we would have a successful attack for any \(\lambda \geqslant 2\). We let it as future work.

Therefore, we have a double phase transition. The first phase transition occurs when we have enough data to be able to make the graph and find cycles. Our attack quickly succeeds after this phase transition. The second phase transition occurs when we start having bad edges in the collected cycles. Then, our attack must be enriched to be able to work any longer. We did not do it on purpose as we noticed there is a sufficient window in between these two phase transitions to break the scheme with good probability of success and without caring about possible bad edges.

In Table 3, we show the experimental results of success probability of the entire attack for various strategies. Let \(S_j\) be an event with strategy j. In \(S_1\), we accumulate the three largest connected components and abort unless the accumulated size is at least \(\sqrt{N}\) and they have no bad edges. I.e., \(S_1\) is exactly \(E_{\leqslant 3}\). In \(S_2\), we just look at the largest connected component and fail unless it has no bad edges in \(G'\) (we remove the condition on size of the connected component that is greater than \(\sqrt{N}\)). In \(S_3\) (and \(S_4\) resp.), we look at the two largest (three largest resp.) connected components that have no bad edges. What we report in Table 3 includes the success probability \(\Pr _{succ}\) of \(S_i\) and we recover the entire tables for each round function. These various strategies considered for experimental purpose even though we have the theory results that suggests to condition on the size of the connected component.
Table 2.

Experimental \(\Pr [E_{\leqslant j}]\) over several trials for various N, \(\lambda \), and \(\mathsf {j}\); the number of trials correspond to the successful runs of the whole attack on FF3 in the first step out of \(10\,000\) using \(L=3\).

N

\(M(\lambda )\)

\(\#\mathsf {trials}\)

\(\Pr [E_{\leqslant 1}]\)

\(\Pr [E_{\leqslant 2}]\)

\(\Pr [E_{\leqslant 3}]\)

2

2(0.71)

5022

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

5(0.56)

7098

\(1.51~\%\)

\(1.51~\%\)

\(1.51~\%\)

8

15(0.53)

7010

\(0.36~\%\)

\(4.07~\%\)

\(4.07~\%\)

16

46(0.51)

6665

\(0.05~\%\)

\(1.23~\%\)

\(1.23~\%\)

32

144(0.50)

6103

\(0.02~\%\)

\(0.03~\%\)

\(0.16~\%\)

64

457(0.50)

7986

\(0.00~\%\)

\(0.00~\%\)

\(0.01~\%\)

128

1449(0.50)

7460

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

256

4598(0.50)

6879

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

512

14597(0.50)

4816

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

2

3(1.06)

4316

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

8(0.89)

4153

\(15.19~\%\)

\(15.19~\%\)

\(15.19~\%\)

8

23(0.81)

6703

\(5.83~\%\)

\(18.54~\%\)

\(18.54~\%\)

16

73(0.81)

6886

\(4.57~\%\)

\(13.87~\%\)

\(13.87~\%\)

32

230(0.80)

6952

\(2.52~\%\)

\(7.12~\%\)

\(10.98~\%\)

64

730(0.80)

6568

\(1.40~\%\)

\(5.65~\%\)

\(9.18~\%\)

128

2318(0.80)

6189

\(0.29~\%\)

\(1.13~\%\)

\(2.83~\%\)

256

7357(0.80)

7338

\(0.03~\%\)

\(0.31~\%\)

\(0.89~\%\)

512

23355(0.80)

469

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

2

3(1.06)

4352

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

9(1.00)

3864

\(23.08~\%\)

\(23.08~\%\)

\(23.08~\%\)

8

29(1.02)

5791

\(15.59~\%\)

\(35.02~\%\)

\(35.02~\%\)

16

91(1.01)

6585

\(16.20~\%\)

\(29.90~\%\)

\(29.90~\%\)

32

288(1.00)

6814

\(14.66~\%\)

\(27.09~\%\)

\(31.67~\%\)

64

913(1.00)

6981

\(18.16~\%\)

\(34.69~\%\)

\(40.87~\%\)

128

2897(1.00)

6609

\(16.31~\%\)

\(33.53~\%\)

\(40.73~\%\)

256

9196(1.00)

6154

\(16.27~\%\)

\(36.90~\%\)

\(46.51~\%\)

512

29193(1.00)

409

\(11.25~\%\)

\(32.52~\%\)

\(43.77~\%\)

8

58(2.03)

988

\(22.77~\%\)

\(23.99~\%\)

\(23.99~\%\)

16

182(2.01)

2504

\(6.71~\%\)

\(6.79~\%\)

\(6.79~\%\)

32

575(2.00)

3425

\(0.53~\%\)

\(0.55~\%\)

\(0.55~\%\)

64

1825(2.00)

5727

\(0.02~\%\)

\(0.02~\%\)

\(0.02~\%\)

128

5793(2.00)

1634

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

256

18391(2.00)

107

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

512

58386(2.00)

6

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

32

863(3.00)

1389

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

64

2737(3.00)

2250

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

128

8689(3.00)

139

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

256

27586(3.00)

7

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

Table 3.

Experimental \(\Pr [S_j]\) and success probability over many trials for various N and j using \(L=3\).

The data complexity of our attack in Algorithm 3 is \(M=O(N^{\frac{3}{2}+\frac{1}{2L}})\) . We compute the time complexity for the algorithm based on the step 2, 3, 4, and 5, since the other steps are much shorter. In step 2, creating our graph G is defined as forming the vertices in G. This can be done in \(M \log (M)\) time with collision detection for M known plaintext/ciphertext pairs. In step 3, we look for the cycles of length L. The cycles of length L in our graph can be found with multiplication on adjacency matrix (which is sparse). Matrix multiplication can be done in \(O(|V|^2d)\) where \(d=\frac{|E|}{|V|}\) is the average degree of a vertex. Therefore, the complexity is O(|V||E|). With the Floyd-Warshall algorithm, we need \((L-1)\) multiplications by the adjacency matrix in the max-plus algebra that leads us to a complexity O(L|V||E|). With \(|E| \sim \frac{|V|^2}{N}\), where \(|V|=2\frac{M^2}{N^2}=2^{3-\frac{1}{L}}N^{1+\frac{1}{L}}\) and L constant, we have \(O(\frac{|V|^3}{N})\) which is equal to \(O(N^{2+\frac{3}{L}})\). Another method to find cycles is to enumerate all L-tuples of vertices in \(O(|V|^L)\) which is \(O(N^{L+1})\). Therefore, we compute the minimum between the two methods which is \(O(N^3)\) for any L and it is the complexity of step 3. (It can even be lower for \(L>3\).) Step 4 takes N time and finally step 5 takes \(\frac{M^{2L}}{N^{3L}}=\frac{N}{2}\). Since the complexity is weighted by step 3, we have time complexity of our algorithm as \(O(N^3)\) for \(L=3\) and a smaller \(O(N^{2+\frac{3}{L}})\) for \(L>3\). Instead of \(L-1\) multiplications to a sparse matrix in the max-plus algebra, we could also use \(O(\log L)\) general purpose matrix multiplications over the integer with the Coppersmith-Winograd algorithm [10]. We would reach a complexity of \(O(|V|^{2.38}\log L)\) which is not better.

4.3 Round-Function-Recovery on 5-Round Feistel Scheme and More

Given the 4-round full recovery attack from Sect. 4.2, we can extend it to attack 5-round Feistel network. The attack for 5-round Feistel network is straightforward; it uses chosen plaintexts and guess strategies. First of all, consider our 4-round attack and the known plaintexts from this attack. We choose plaintexts for the 5-round so that the right half of the messages have as little different values as possible then guess the corresponding images through \(F_0\). It means that for the right halves of the messages, we generate all the possible partial tables of the first round function for these right values. Then, we guess which table is consistent after running the attack on the next 4-round. The data complexity of our 4-round attack is \(\lambda N^{\frac{3}{2}+\epsilon }\), hence our time complexity for 5-round recovery with chosen plaintexts is \(O(N^{\lambda N^{\frac{1}{2}+\epsilon +3}})\). The data complexity is unchanged.

We can attack \(r-\) rounds similarly with complexity \(O(N^{(r-5)N+\sqrt{N}+3})\) by guessing the round functions on the last \((r-5)\) rounds. The data complexity is unchanged. We can apply this to FF1 (\(r=10\)) and FF3 (\(r=8\)). We obtain a complexity lower than \(2^{128}\) for FF1 with \(N=7\) and for FF3 with \(7\leqslant N\leqslant 10\). (For lower N, exhaustive search on either the codebook or the round functions reaches the same conclusion.) Hence, these instances of FF1 and FF3 do not offer a 128-bit security.

5 Slide Attack on FF3

We develop an attack on 4-round Feistel network in Sect. 4 and we deploy it as a building block for our chosen-plaintext and chosen-tweak attack to FF3 scheme. Our FF3 attack aims to reconstruct the entire codebook for a challenge tweak for a number of queries which is lower than the size of the brute force codebook attack. The main idea of the designed FF3 attack takes advantage of the flexibility to change the tweak to permute the round functions.

Consider two functions G and H, where G is a 4-round Feistel scheme using tweakable block cipher F with tweaks \((T_R \oplus STR^{32}_2(0), T_L \oplus STR^{32}_2(1), T_R \oplus STR^{32}_2(2), T_L \oplus STR^{32}_2(3))\) and H is a 4-round Feistel scheme using tweakable block cipher F with tweaks \((T_R \oplus STR^{32}_2(4), T_L \oplus STR^{32}_2(5), T_R \oplus STR^{32}_2(6), T_L \oplus STR^{32}_2(7))\). In Fig. 5, we show two runs of FF3 encryption with tweak \(T=T_L || T_R\) in (a) and tweak \(T'= T_L \oplus STR^{32}_2(4) || T_R \oplus STR^{32}_2(4)\) in (b) on two distinct plaintext. We observe that \(FF3.E(K,T, \cdot )= H \circ G\) and \(FF3.E(K,T', \cdot )= G \circ H\). For simplicity, we do not explicitly write \(STR^{32}_{2}(\cdot )\) any longer. Given this permuting ability by setting the tweaks XORed with round functions, we desire to form a “cyclic” behavior of plaintext/ciphertext pairs under two FF3 encryption with sliding G and H.
Fig. 5.

FF3 encryption with sliding round functions

We pick at random two sets of messages \(X=\{xy_{0}^{1}, \ldots , xy_{0}^{i}, \ldots ,\) \(xy_{0}^{A}\}\) and \(\overline{X}=\{ \overline{xy}_{0}^{1}, \ldots , \overline{x}\overline{y}_{0}^{i}, \ldots , \overline{x}\overline{y}_{0}^{A}\}\) of size A. For each message \(xy_{0}^{i}\) in X, set \(xy_{j+1}^{i}= Enc(K,T, xy_{j}^{i})\) with a fixed tweak \(T \in \mathcal {T}\) and a fixed key \(K \in \mathcal {K}\). We repeat the chain encryption of outputs B times for each message in X. Let XC be the set of chain encryption of elements of X. It contains segments of length B of cycles of \(H \circ G\). Similarly, for each message \(\overline{xy}_{0}^{i}\) in \(\overline{X}\), set \(\overline{xy}_{j+1}^{i}= Enc(K,T', \overline{xy}_{j}^{i})\) with the fixed tweak \(T' \in \mathcal {T}\) under the same key K. Let \(\overline{XC}\) be the set of chain encryption of elements of \(\overline{X}\). Apparently, we have \(|XC|=AB\) and \(|\overline{XC}|=AB\). Given these 2 sets XC and \(\overline{XC}\), we attempt to find a collision between XC and \(\overline{XC}\) such that \(G(xy_{j}^{i})=\overline{xy}_{0}^{i'}\) or \(G(xy_{0}^{i})=\overline{xy}_{j'}^{i'}\) for \(1 \leqslant i,i' \leqslant A\) and \(1\leqslant j,j' \leqslant B\). (See Fig. 6.) Upon having a table with inputs to G and H, we can apply the known-plaintext recovery attack on 4-round Feistel networks. The concrete algorithm to collect plaintext/ciphertext pairs is given in Algorithm 4.
Fig. 6.

Circular behavior of plaintext/ciphertext pairs.

We, now, formally prove useful results for the analysis and success probability of the attack in Algorithm 4.

Let \(\Pi \) be a random permutation on \(\{0,\ldots ,N^2-1\}\). Let \(c_k\) be the number of cycles of length k in \(\Pi \). The total number of elements in a cycle of length k (for all k) is equal to \(N^2\), meaning that \(\sum _{k=1}^{N^2}(kc_{k})=N^2\). It is well-known that the expected number of cycles of length k over a random \(\Pi \) is \(\mathbb {E}_{\Pi }(c_{k})=\frac{1}{k}\).4

In what follows we show two useful results.

Lemma 5

For a message \(xy^{i}\) picked at random, let \(length(xy^{i})\) be the length of the cycle that contains \(xy^{i}\). For two messages \(xy^{i}\) and \(\overline{xy}^{i'}\) picked at random, let \(E_0\) be an event that \(xy^{i}\) and \(\overline{xy}^{i'}\) are in the same cycle. The expected value of \(length(xy^{i})\) is \(\mathbb {E}_{xy^{i},\Pi }[length(xy^{i})]=\frac{N^2 +1}{2} \) and the expected value of \(length(xy^{i})\) given \(E_{0}\) is \(\mathbb {E} [length(xy^{i})| E_0] = \frac{2N^2 +1}{3}\).

Proof

We use the same notation for \(c_k\) as above.
$$\begin{aligned} \mathbb {E}_{xy^{i},\Pi }[length(xy)] = \mathbb {E}_{xy^{i},\Pi } \left[ \sum _{k=1}^{N^2} k c_k \frac{k}{N^2} \right] = \sum _{k=1}^{N^2} \mathbb {E}[c_k] \frac{k^2}{N^2} =\sum _{k=1}^{N^2} \frac{k}{N^2} = \frac{N^2 +1}{2} \end{aligned}$$
We first, observe that for any messages \(xy^{i}\) and \(\overline{xy}^{i'}\), being in the same cycle of every possible length occurs with probability \(\frac{1}{2}\). Then,
$$\begin{aligned} \Pr [E_0] = \mathbb {E}_{\Pi } \left[ \sum _{k=1}^{N^2} c_k \left( \frac{k}{N^2} \right) ^{2} \right] = \sum _{k=1}^{N^2} \frac{k}{N^4} = \frac{1}{2} + \frac{1}{2N^2} \approx \frac{1}{2} \end{aligned}$$
$$\begin{aligned} \mathbb {E} [length(xy^{i})| E_0]= & {} \mathbb {E}_{\Pi } \left[ \sum _{k=1}^{N^2} k c_k \left( \frac{k^2}{N^4} \right) \frac{1}{\Pr (E_0)} \right] = \frac{\sum _{k=1}^{N^2} \frac{k^2}{N^4} }{ \Pr (E_0) } \\= & {} \frac{2N^2}{N^2+1} \times \frac{(N^2+1)(2N^2+1)}{6N^2} = \frac{2N^2 +1}{3} \\ \end{aligned}$$
   \(\square \)
Table 4.

Experimental probability of success in the FF3 attack for various parameters using strategy \(S_j\)

N

M

\(\lambda \)

A

B

\(\#\mathsf {run}\)

\(\Pr [\mathsf {succ},S_1]\)

\(\Pr [\mathsf {succ},S_2]\)

\(\Pr [\mathsf {succ},S_3]\)

\(\Pr [\mathsf {succ},S_4]\)

2

2

0.71

1

4

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

5

0.56

2

10

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

8

15

0.53

2

30

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

16

46

0.51

2

92

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

32

144

0.50

2

288

10000

\(0.03~\%\)

\(0.47~\%\)

\(1.38~\%\)

\(1.38~\%\)

64

457

0.50

3

914

10000

\(0.01~\%\)

\(1.61~\%\)

\(5.08~\%\)

\(5.12~\%\)

128

1449

0.50

3

2898

10000

\(0.00~\%\)

\(1.51~\%\)

\(5.25~\%\)

\(5.73~\%\)

256

4598

0.50

3

9196

10000

\(0.00~\%\)

\(0.52~\%\)

\(3.55~\%\)

\(4.59~\%\)

512

14597

0.50

3

29194

7977

\(0.00~\%\)

\(0.18~\%\)

\(1.82~\%\)

\(3.00~\%\)

2

3

1.06

1

6

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

8

0.89

1

16

10000

\(0.03~\%\)

\(0.03~\%\)

\(0.48~\%\)

\(0.48~\%\)

8

23

0.81

2

46

10000

\(2.64~\%\)

\(1.54~\%\)

\(3.29~\%\)

\(3.30~\%\)

16

73

0.81

2

146

10000

\(7.32~\%\)

\(15.34~\%\)

\(21.04~\%\)

\(21.05~\%\)

32

230

0.80

2

460

10000

\(7.38~\%\)

\(30.84~\%\)

\(41.19~\%\)

\(41.19~\%\)

64

730

0.80

2

1460

10000

\(5.90~\%\)

\(39.58~\%\)

\(50.78~\%\)

\(50.73~\%\)

128

2318

0.80

2

4636

10000

\(1.69~\%\)

\(41.36~\%\)

\(53.14~\%\)

\(53.16~\%\)

256

7357

0.80

3

14714

9114

\(0.70~\%\)

\(54.56~\%\)

\(71.78~\%\)

\(72.24~\%\)

512

23355

0.80

3

46710

618

\(0.00~\%\)

\(50.97~\%\)

\(69.74~\%\)

\(70.71~\%\)

2

3

1.06

1

6

10000

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

4

9

1.00

1

18

10000

\(1.18~\%\)

\(1.40~\%\)

\(2.84~\%\)

\(2.84~\%\)

8

29

1.02

2

58

10000

\(17.24~\%\)

\(17.99~\%\)

\(21.46~\%\)

\(21.46~\%\)

16

91

1.01

2

182

10000

\(20.15~\%\)

\(35.35~\%\)

\(38.85~\%\)

\(38.85~\%\)

32

288

1.00

2

576

10000

\(22.01~\%\)

\(45.89~\%\)

\(48.29~\%\)

\(48.24~\%\)

64

913

1.00

2

1826

10000

\(28.20~\%\)

\(54.14~\%\)

\(54.41~\%\)

\(54.15~\%\)

128

2897

1.00

2

5794

10000

\(26.24~\%\)

\(56.85~\%\)

\(55.14~\%\)

\(54.65~\%\)

256

9196

1.00

2

18392

9961

\(28.10~\%\)

\(55.90~\%\)

\(54.65~\%\)

\(54.15~\%\)

512

29193

1.00

3

58386

500

\(35.00~\%\)

\(77.40~\%\)

\(76.20~\%\)

\(75.40~\%\)

2

6

2.12

1

12

10000

\(12.20~\%\)

\(12.20~\%\)

\(12.20~\%\)

\(12.20~\%\)

4

18

2.00

1

36

10000

\(14.15~\%\)

\(15.62~\%\)

\(16.48~\%\)

\(16.48~\%\)

8

58

2.03

1

116

10000

\(12.96~\%\)

\(13.92~\%\)

\(14.40~\%\)

\(14.40~\%\)

16

182

2.01

1

364

10000

\(6.10~\%\)

\(7.37~\%\)

\(7.65~\%\)

\(7.65~\%\)

32

575

2.00

1

1150

10000

\(2.20~\%\)

\(3.62~\%\)

\(3.80~\%\)

\(3.80~\%\)

64

1825

2.00

2

3650

10000

\(2.80~\%\)

\(5.59~\%\)

\(6.34~\%\)

\(6.32~\%\)

128

5793

2.00

2

11586

2512

\(2.43~\%\)

\(4.34~\%\)

\(4.70~\%\)

\(4.66~\%\)

256

18391

2.00

2

36782

162

\(1.23~\%\)

\(3.70~\%\)

\(3.70~\%\)

\(3.70~\%\)

512

58386

2.00

2

116772

10

\(10.00~\%\)

\(10.00~\%\)

\(10.00~\%\)

\(10.00~\%\)

2

9

3.18

1

18

10000

\(12.38~\%\)

\(12.38~\%\)

\(12.38~\%\)

\(12.38~\%\)

4

27

3.01

1

54

10000

\(13.92~\%\)

\(15.62~\%\)

\(16.46~\%\)

\(16.46~\%\)

8

86

3.02

1

172

10000

\(12.79~\%\)

\(13.95~\%\)

\(14.31~\%\)

\(14.31~\%\)

16

272

3.01

1

544

10000

\(5.13~\%\)

\(6.56~\%\)

\(6.91~\%\)

\(6.91~\%\)

32

863

3.00

1

1726

10000

\(2.04~\%\)

\(3.25~\%\)

\(3.47~\%\)

\(3.46~\%\)

64

2737

3.00

1

5474

8051

\(1.25~\%\)

\(2.22~\%\)

\(2.50~\%\)

\(2.51~\%\)

128

8689

3.00

1

17378

380

\(0.26~\%\)

\(0.79~\%\)

\(1.05~\%\)

\(1.05~\%\)

256

27586

3.00

2

55172

9

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

512

87579

3.00

2

175158

2

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

\(0.00~\%\)

This means that if we pick \(xy^{i}\) and \(\overline{xy}^{i'}\) at random and let \(xy^{j}=G^{-1}(\overline{xy}^{i'})\) then \(xy^{i}\) and \(\overline{xy}^{i'}\) are in the same cycle with probability close to \(\frac{1}{2}\) and we will observe Fig. 6. One problem is that the cycle is typically long, i.e. \(\frac{2N^2}{3}\) as shown in Lemma 5, but we want that two segments of length B starting from \(xy^{i}\) and \(\overline{xy}^{i'}\) intersect on at least M points. Therefore, we need the probability of two segments overlapping in a cycle of length k on at least M points.

Lemma 6

Let two segments \(xy^{i}-\Pi (xy^{i})-\Pi ^2(xy^{i})- \cdots - \Pi ^{B}(xy^{i})\) and \(\overline{xy}^{i'}-\Pi (\overline{xy}^{i'})-\Pi ^2(\overline{xy}^{i'})- \cdots - \Pi ^{B}(\overline{xy}^{i'})\) overlap in a given cycle of length k on at least M points be the event \(E_1^{k}\). Let \(E_1\) be the union of all \(E_1^{k}\) for every possible length of k. The probability that \(E_{1}\) occurs is equivalent to \(\frac{2(B-M)}{N^2}\) for \(M=o(N^2)\).

Proof

We use the same notation for \(c_k\) as above.
$$\begin{aligned} \Pr [E_1]= & {} \mathbb {E}_{\Pi } \left[ \sum _{k=M}^{N^2} c_k \Pr [E_1^{k}] \right] = \mathbb {E}_{\Pi } \left[ \sum _{k=M}^{N^2} c_k \frac{k}{N^2} \frac{min \{k,2(B-M)+1\}}{N^2} \right] \\\sim & {} \frac{2(B-M)}{N^2} ~\text {for}~ M=o(N^2)\\ \end{aligned}$$
   \(\square \)
The probability of success of our FF3 attack depends on \(\Pr [E_1]\) and on the success probability of our 4-round recovery attack on Feistel network. More clearly,
$$p_{success}= \left( 1 -( 1- \Pr [E_1])^{A^{2}}\right) p_{success}^{Feistel}$$
which is equivalent to \(\left( 1- e^{\frac{-2(B-M)A^{2}}{N^2}}\right) p_{success}^{Feistel}\). Thus, we need \(A^2(B-M) \approx N^2\) to obtain a constant \(p_{success}\). We can neglect the cost of the attack on H as we have plenty of samples and we only run it once G is recovered.

Our attack has 2AB data complexity. The time complexity is \(A^{2}B\) times the complexity of 4-round recovery attack on Feistel network. To minimize the data complexity 2AB with \(A^{2}(B-M) = N^{2}\) and \(B \geqslant M\), we set \(B=2M\), then \(A=\frac{N}{\sqrt{M}}\). Therefore, we have data complexity of FF3 attack as \(4N\sqrt{M}\) and time complexity as \(2N^2\) times the complexity of 4-round recovery attack on Feistel network and \(p_{success} \approx 1 - e^{-p_{success}^{Feistel}}\).

We fully implemented the attack but to test its success probability we could skip some parts of the running time we knew the attack would fail. Namely, in Algorithm 4 we can identify directly which segments overlap (using the key) and proceed directly to the 4-round Feistel attack on the right pair of segments. We show on Table 4 the experimental probability of success of the whole attack following the strategies \(S_j\), \(j=1,\ldots ,4\). The probability was computed for 10,000 executions.5 We also took the executions collecting less than M samples, as long as they succeed to recover all tables. Curiously, the \(N\leqslant 4\) and \(\lambda =1\) cases seem to take M too low to be able to find cycles. As we can see, the success probability is pretty good (\(18\%\)\(77\%\) for \(8\leqslant N\leqslant 512\)) for \(\lambda =1\) and the strategy \(S_2\) collecting the largest connected components in \(G'\).

We conclude that the full attack succeeds with good probability.

6 Repairing FF3

As a quick fix, we can propose to change the length of the tweak in FF3 so that the adversary has no longer control on what is XORed to the round index. The same should hold if some other part of the tweak is XORed to a counter in a CBC mode, as proposed by the authors of the construction [8]. We obtain a scheme with a shorter tweak, to which we concatenate the round index instead of XORing it.

The original Luby-Rackoff results [15] was extended following this idea by Black and Rogaway [7], but the obtained security result is quite weak as we can only prove that for a number of queries \(q\ll \sqrt{N}\), the cipher resists to chosen-plaintext attacks, even with only three rounds. By similarly extending the results by Patarin [17], we can obtain that for \(q\ll N\), the cipher resists to chosen-plaintext and ciphertext attacks, even with only six rounds. However, this says nothing in the case \(q\sim N^{\frac{3}{2}}\) which is the case of our 4-round attack.6

7 Conclusion

We took the NIST standard FF3 and investigated its security on small domain sizes. We started exploiting that we can permute the round functions due to a bad domain separation in the tweak scheme which uses an XOR with the round index. This permutation leads us to develop a slide attack on FF3 based on our own design for 4-round Feistel schemes attack that works with known plaintexts/ciphertexts. Our FF3 attack works with chosen plaintexts and two tweaks. It improves the recent results from Bellare et al. [3] on data and time complexity to break FF3. Our 4-round Feistel network attack is a full round-function-recovery attack that works with known plaintexts instead of chosen plaintexts and ciphertexts unlike the recent results from Biryukov et al. [6].

Footnotes

  1. 1.

    In an r-round FN, q samples give \(2q\log _2N\) bits of information but functions are defined by a table of \(rN\log _2N\) bits. Thus, \(q=\frac{r}{2}N\) queries is enough to reconstruct the round functions, in theory.

  2. 2.

    We consider here the FF3 block cipher. However, there is a mode of operation for FF3 allowing variable-length messages in the original paper [8].

  3. 3.

    Note that the cycle length notation L should not be confused with the subscript L indicating the left part of a plaintext or a ciphertext.

  4. 4.

    The probability that a given point is in a cycle of length exactly \(\mathsf {k}\) is \(\frac{(N^2-1)\cdots (N^2-k+1)}{N^2(N^2-1) \cdots (N^2-k+1)}=\frac{1}{N^2}\). Hence, the expected number of points in a cycle of length \(\mathsf {k}\) is \(1=\mathbb {E}_{\Pi }(kc_k)\).

  5. 5.

    Executions of the attack on the 4-round Feistel scheme which we used to fill our previous tables are precisely those getting the M samples in this experiment. For some rows with M too large, no experiments collected M pairwise different messages so they are not reported in the previous table. Nevertheless, our attack may still work even though we collect less than M samples. This is why they appear on Table 4.

  6. 6.

    In reaction to this attack, NIST released the following announcement:

    https://beta.csrc.nist.gov/News/2017/Recent-Cryptanalysis-of-FF3.

Notes

Acknowledgments

The work was done while the first author was visiting EPFL. It was supported by NSF grant CNS-1453132. This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific) under contract No. N66001-15-C-4070.

We thank Adi Shamir for the useful comments and Stefano Tessaro for the discussions.

References

  1. 1.
    Recommendation for Block Cipher Modes of Operation: Methods for Format Preserving Encryption. National Institute of Standards and Technology (2016)Google Scholar
  2. 2.
    Anderson, R., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996). doi: 10.1007/3-540-60865-6_48 CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: 23th CCS Proceedings (2016)Google Scholar
  4. 4.
    Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-05445-7_19 CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption. Draft 1.1. Submission to NIST, Feburary 2010. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffx/ffx-spec.pdf
  6. 6.
    Biryukov, A., Leurent, G., Perrin, L.: Cryptanalysis of Feistel networks with secret round functions. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 102–121. Springer, Cham (2016). doi: 10.1007/978-3-319-31301-6_6 CrossRefGoogle Scholar
  7. 7.
    Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). doi: 10.1007/3-540-45760-7_9 CrossRefGoogle Scholar
  8. 8.
    Brier, E., Peyrin, T., Stern, J.: BPS: a format-preserving encryption proposal. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/bps/bps-spec.pdf
  9. 9.
    Brightwell, M., Smith, H.E.: Using datatype-preserving encryption to enchance data warehouse security (1997). http://csrc.nist.gov/nissc/1997/proceedings/141.pdf
  10. 10.
    Coppersmith, D., Winograd, S.: Matrix multiplication via arithmetic progressions. J. Symb. Comput. 9(3), 251–280 (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 433–454. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_21 CrossRefGoogle Scholar
  12. 12.
    Erdős, P., Renyi, A.: On random graphs I. Publicationes Mathematicae 6, 290–297 (1959)MathSciNetzbMATHGoogle Scholar
  13. 13.
    Goldenberg, D., Hohenberger, S., Liskov, M., Schwartz, E.C., Seyalioglu, H.: On tweaking Luby-Rackoff blockciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 342–356. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-76900-2_21 CrossRefGoogle Scholar
  14. 14.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996). doi: 10.1007/3-540-60865-6_53 CrossRefGoogle Scholar
  17. 17.
    Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities (2010). http://eprint.iacr.org/2010/293
  18. 18.
    Rogaway, P.: A synopsis of format preserving encryption. http://web.cs.ucdavis.edu/~rogaway/papers/synopsis.pdf
  19. 19.
    Saltykov, A.I.: The number of components in a random bipartite graph. Discrete Math. Appl. 5, 515–523 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996). doi: 10.1007/3-540-60865-6_49 CrossRefGoogle Scholar
  21. 21.
    Spies, T.: Format preserving encryption. Unpublished white paper (2008). https://www.voltage.com/wp-content/uploads/Voltage-Security-WhitePaper-Format-Preserving-Encryption.pdf

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Department of Computer ScienceRutgers UniversityNew BrunswickUSA
  2. 2.LASEC - Security and Cryptography LaboratoryEcole Polytechnique Fédérale de Lausanne (EPFL)LausanneSwitzerland

Personalised recommendations