Breaking the FF3 Format-Preserving Encryption Standard over Small Domains
Abstract
The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel-structure-based schemes called FF1 and FF3. In particular, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS 2016, Bellare et al. gave an attack that breaks FF3 (and FF1) with time and data complexity \(O(N^5\log (N))\), which is much larger than the codebook (but uses many tweaks), where \(N^2\) is the domain size of the Feistel network. In this work, we give a new practical total break of the FF3 scheme (also known as the BPS scheme). Our FF3 attack requires \(O(N^{\frac{11}{6}})\) chosen plaintexts with time complexity \(O(N^{5})\). Our attack was successfully tested with \(N\leqslant 2^9\). It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Thanks to this weakness, we reduce the FF3 attack to an attack on a 4-round Feistel network. Biryukov et al. already gave a 4-round Feistel attack in SAC 2015; however, it works with chosen plaintexts and ciphertexts, whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack on 4-round Feistel networks that reconstructs the entire tables of all round functions. It works with \(N^{\frac{3}{2}} \left( \frac{N}{2} \right) ^{\frac{1}{6}}\) known plaintexts and time complexity \(O(N^{3})\). Our 4-round attack is simple to extend to five and more rounds with complexity \(N^{(r-5)N+o(N)}\). It shows that FF1 with \(N=7\) and FF3 with \(7\leqslant N\leqslant 10\) do not offer 128-bit security. Finally, we provide an easy and intuitive fix that protects the FF3 scheme from our \(O(N^{5})\) attack.
Keywords
Format-Preserving Encryption (FPE), Tweakable Block Cipher (TBC), Feistel Network (FN), Round Function, Slide Attacks
1 Introduction
Format-Preserving Encryption (FPE) provides a method to encrypt data in a specific format into a ciphertext of the same format. A format in FPE refers to a finite set of characters, such as decimal (or binary) numerals or alphanumerics, together with the length of the sequence of characters that forms a plaintext. FPE has attracted attention in the applied cryptography community because of this functionality: it secures data while keeping the database schema intact. For instance, in a legacy database system, upgrading the database security requires a way to encrypt credit card numbers (CCN) or social security numbers (SSN) transparently to its applications.
Brightwell and Smith [9] introduced the first known format-preserving encryption, which they termed datatype-preserving encryption, in 1997. They wanted to encrypt an existing database so that all applications could access encrypted data just as they access non-encrypted data. Their solution reduced to preserving the particular datatype of the entries in the database. The term format-preserving encryption is due to Terence Spies of Voltage Security [21]. Though FPE dates back to the late 90's, the demand for FPE-based databases has created an active area of research during the last few years. Many techniques have been proposed to build FPE schemes, such as prefix ciphers, cycle walking, Feistel networks, and Feistel modes [2, 4, 5, 7, 16, 20, 21]. The complete list of FPE schemes for small domain sizes, along with their description and security level, can be found in a synopsis by Rogaway [18, pp. 6, 7]. In his list, Rogaway considers schemes built from pseudorandom functions (which may themselves be constructed from block ciphers).
It is natural to build FPE schemes on a Feistel network (FN), since it can be used with existing conventional block ciphers such as AES. Indeed, the National Institute of Standards and Technology (NIST) published an FPE standard [1] (finalized in March 2016) that includes two approved Feistel-based FPE schemes: FF1 [5] and FF3 [8]. Both are expected to offer 128-bit security. In this work, we are particularly interested in attacks breaking the FN-based standard FF3 [1] and in attacks against Feistel networks. The former attack uses the latter, which is designed as a generic round-function-recovery attack.
The FF3 construction is an 8-round FN that uses a tweak XORed with a round counter as input to the block cipher. The XOR operation is meant to guarantee that the round functions are pairwise different; this is usually called “domain separation”. The security claim for FF3 is that it achieves several cryptographic goals, including chosen-plaintext security and even PRP security against adaptive chosen-ciphertext attacks, under the assumption that the underlying round function is a good pseudorandom function (PRF). Our work shows that this security goal is not met even when the round functions are replaced by secure PRFs, and gives a round-function-recovery attack on FF3.
Our Contributions. Our work covers three significant contributions. (a) We give a practical total break of the 8-round Feistel-network-based FF3 FPE standard over small domains. Our attack exploits the “bad domain separation” in FF3: the specific design choice of FF3 allows us to permute the round functions by changing the tweak, which leads to a slide attack (using only two tweaks). The attack works with chosen plaintexts and tweaks when the message domain is small. It requires \(O(N^{\frac{7}{4}+ \frac{1}{4L}})\) chosen plaintexts and two tweaks, with time complexity \(O(N^{5})\), where \(N^2\) is the input domain size of the Feistel network and L is a parameter of our attack (the cycle length in Sect. 4.2), typically set to \(L=3\) in our experiments. Luckily, the fix that protects FF3 against our attack is quick and easy to deploy without changing the main structure of the scheme. (b) While building our slide attack on FF3, we develop a new generic known-plaintext attack on 4-round Feistel networks and insert it into the slide attack. Our technique for the 4-round attack is novel and different from previously known attacks on Feistel networks. It fully recovers the round functions with \(N^{\frac{3}{2}} \left( \frac{N}{2} \right) ^{\frac{1}{2L}}\) known plaintexts and time complexity \(O(N^{2+\frac{3}{L}})\) for four rounds. (c) We use our 4-round FN attack to extend round-function recovery to more rounds. Due to the generic and known-plaintext nature of the 4-round attack, we easily adapt it into a chosen-plaintext attack on 5-round and longer Feistel structures. Our attack shows that neither FF1 with \(N=7\) nor FF3 with \(7\leqslant N\leqslant 10\) (even with our fix) offers 128-bit security.
Overview of Previous Work. Security against message recovery for FPE constructions, along with many other notions for FPE, was first defined by Bellare et al. [4]. A recent work by Bellare et al. [3] gives a practical message recovery attack on the NIST standard Feistel-based FPE schemes (both FF1 and FF3) for small domain sizes. In their work, however, the security definition considered is a new message recovery notion that they define in the same paper. Briefly, consider two messages X and \(X'\) that share the same right (or left) half. In their attack, the adversary is given \(X'\) together with the encryptions of X and \(X'\) under q tweaks. The adversary wins if it can fully recover X, in particular its unknown half. The attack by Bellare et al. uses a data complexity that exceeds the message space size. Clearly stated, their work shows that Feistel-based FPE with the standardized number of rounds does not achieve good enough security on small domains.
The attack by Bellare et al. uses \(O(N^{5} \log N )\) data and time with many tweaks on eight rounds. This is quite interesting when the amount of data per tweak is limited. It is a decryption attack. Our attack herein is more traditional: it uses only two tweaks, but \(O(N^{\frac{11}{6}})\) chosen plaintexts with \(O(N^5)\) time complexity, and it recovers the entire codebook (for both tweaks).
To apply the slide attack and recover the entire round functions of the Feistel network, we develop a generic known-plaintext attack on 4 rounds.
Since their invention, Feistel networks have been an active research area for cryptographers (both in theory and in practice) due to their applications and their influence on major constructions such as DES. The security of Feistel networks has been investigated for a very long time and there already exist interesting cryptanalytic results. Security for Feistel schemes is studied either as distinguishing a Feistel scheme from a random permutation or as recovering the round functions. In their famous work [15], Luby and Rackoff proved the indistinguishability of 3-round Feistel networks against chosen-plaintext attacks, and of 4-round Feistel networks against chosen-plaintext and ciphertext attacks, for a number of queries \(q \ll \sqrt{N}\), where \(N^2\) is the size of the input domain. Subsequent work improved the security bounds up to \(q \ll N\) (the “birthday bound”), which is a natural bound from information theory.^{1} Patarin [17], using the mirror theory, gave improved proofs and stronger security bounds for four-, five-, and six-round Feistel networks: for \(q \ll N\), four rounds are secure against known-plaintext attacks, five rounds are secure against chosen-plaintext attacks, and six rounds are secure against chosen-plaintext and ciphertext attacks.
From an information-theoretic viewpoint, we could recover all round functions in time \(N^{\mathcal {O}(N)}\) by exhaustive search. As far as we know, there is no efficient generic attack, polynomial in N, on Feistel schemes with \(q\sim N\). Our attack uses \(q\sim N^{\frac{3}{2}}\) known plaintexts and is polynomial in N for up to four rounds.
Round-function-recovery attacks against balanced Feistel schemes with two branches of \(\log _2N\) bits and any addition rule (polynomial terms in \(\log N\) are omitted)
# rounds | Mode | Time | Data | Ref
3 | Known-plaintext | \(N\) | \(N\) | Section 4.1
4 | Chosen-plaintext and ciphertext | \(N^{\frac{3}{2}}\) | \(N^{\frac{3}{2}}\) | [6]
4 | Known-plaintext (tested for \(L=3\)) | \(N^{2+\frac{3}{L}}\) | \(N^{\frac{3}{2} + \frac{1}{2L}}\) | Section 4.2
5 | Chosen-plaintext and ciphertext | \(N^{N^{\frac{3}{4}}}\) | \(N^2\) | [6]
5 | Chosen-plaintext | \(N^{O(N^{\frac{1}{2}})}\) | \(N^{\frac{3}{2}+\frac{1}{2L}}\) | Section 4.3
\(r\geqslant 6\) | Chosen-plaintext | \(N^{(r-5)N}\) | \(N^{\frac{3}{2}+\frac{1}{2L}}\) | Section 4.3
Structure of the Paper. In Sects. 2 and 3, we give the details of the FF3 construction and of tweakable encryption, respectively. In Sect. 4, we develop our new generic attack on Feistel structures, specifically on 4 rounds, and extend it to 5 and more rounds. In Sect. 5, we give our complete slide attack on the NIST standard FF3 scheme.
2 The FF3 Scheme
We use the following notations for the rest of the paper. The domain \(\mathcal {X}\) consists of strings of characters; s represents the cardinality of the set S of characters and b represents the length of the messages in the domain \(\mathcal {X}\). For example, credit card numbers (CCNs) consist of 16 decimal digits with \(S= \{0,1, \ldots , 9\}\), \(s=10\) and \(b=16\), giving \(10^{16} \approx 2^{53.2}\) possible distinct numeral strings. We set the minimum message length to \(minlen=2\) and the maximum message length to \(maxlen=\lfloor \log _{s}(2^{f-32})\rfloor \), where \( f \) is the input/output size of the round function used in the Feistel scheme of FF3.^{2} We denote the number of rounds in the scheme by \( w \).
Unlike standard Feistel schemes, which use the exclusive or (XOR, denoted by \(\oplus \)), FF3 uses modular addition, denoted by \(\boxplus \).
We define the following notations for three functions:
\({\mathbf{{STR^{b}_s:}}}\) a function that maps an integer x with \(0 \leqslant x < s^b\) to a string of length b in base s, most significant character first, e.g. \(STR^{4}_{12}(554)= 03A2\).
\({\mathbf{{NUM_{s}:}}}\) a function that maps a string X to the integer x such that \(STR^{b}_{s}(x)=X\). For instance, \(NUM_{2}(00011010)=26\).
\({\mathbf{{REV(X):}}}\) a function that reverses the order of the characters of the string X.
The length of a string X is denoted by \(|X|\). The concatenation of strings is denoted by \(\Vert \). The first (leftmost) character of the string X is X[0]; the \(i^{th}\) one is \(X[i-1]\). We denote by \(X[a \cdots b]\) the substring of X formed by \(X[a]X[a+1] \cdots X[b]\).
In lines 1–2, the encryption algorithm splits the input X into two substrings \(L_0\) and \(R_0\). In lines 5–8 (respectively lines 10–12), the algorithm first feeds the tweak \(T_{R}\) (respectively \(T_L\)) XORed with the encoded round index \( i \), together with \(R_i\) (respectively \(L_i\)), into the tweakable PRF \(F_{K}\). Second, it adds the output of \(F_{K}\) to \(L_i\) (respectively \(R_i\)) with modular addition.
For simplicity, and by abuse of notation, we say that FF3 encrypts the plaintext \((L_{0}, R_{0})\) into the ciphertext \((L_{ w }, R_{ w })\) with tweak \((T_{L}, T_{R})\), so that we only concentrate on lines 4–14. We illustrate the 4-round FF3 scheme in Fig. 1(b).
3 Tweakable Encryption
A tweakable block cipher (TBC) is a tuple \((\mathcal {K}, \mathcal {E}_{K}(\cdot , \cdot ), \mathcal {D}_{K}(\cdot , \cdot ))\) of three efficiently computable algorithms for key generation, encryption, and decryption under a key K. We follow the security notion of [13]: a chosen-plaintext-secure (CPA) tweakable block cipher.
Definition 1
In the standard model, tweakable block ciphers [4, 14] are used to construct tweakable format-preserving encryption schemes, since tweakable encryption provides better security bounds for tweakable FPE in terms of the number of chosen plaintexts/ciphertexts needed to attack the system [4].

\(\circ \) Encrypt \((L_{0},R_{0})\) with the tweak T to get \((L_{ w }, R_{ w })\).

\(\circ \) Encrypt \((R_{ w }, L_{ w })\) with the tweak \(T'\) to get \((L', R')\).

\(\circ \) If \(L'=R_{0}\) and \(R'=L_{0}\), output 1. Otherwise, output 0.
The adversary always outputs 1 when interacting with \(\mathcal {E}_{K}\). When interacting with \(\Pi (\cdot , \cdot )\), it outputs 1 with probability \(\frac{1}{s^b}\). Therefore, the advantage is \(1-\frac{1}{s^b}\).
4 Known-Plaintext Round-Function-Recovery Attack on Feistel Schemes
In this section, we define the Feistel network over a group of order \(\mathsf {N}\). Typically, this group is \(\mathbb {Z}_{\mathsf {N}}\). Later, in Sect. 5, we assume that \(\mathsf {b}\) is even and \(\mathsf {N}=s^{\frac{b}{2}}\).
The rest of the section is organized as follows. In Sect. 4.1, we give a heuristic attack on the 3-round FN and analyze its time complexity; we report the recovery success ratio in Fig. 3 together with the parameters of the attack. In Sect. 4.2, we give an attack on the 4-round FN that leverages our 3-round attack; its correctness and further analysis are presented with formally stated lemmas. In Sect. 4.3, we extend our attack to five rounds and more and derive the time complexities.
4.1 Round-Function Recovery on the 3-Round Feistel Scheme
We model our set S as a bipartite graph with two parts of N vertices each (one for the y's and the other for the t's) and an edge for each (y, t) pair appearing in a tuple of S. Our algorithm simply explores the connected component of a random starting point y, with complexity \(O(\theta N)\). Following the theory of random graphs [19], with \(\theta N\) random edges the graph is likely to be fully connected when \(\theta \approx \ln (N)\), and for a constant \(\theta \geqslant 1\) it is likely to have a giant connected component. This component corresponds to a constant fraction of the tables of \(F_0\) and \(F_2\). Therefore, after \(\log _{\theta }N\) iterations, we can reconstruct \(F_0\) and \(F_2\), which allow us to reconstruct \(F_1\). For any y, the probability that it does not appear in S is \(\left( 1- \frac{1}{N} \right) ^{\theta N} \approx e^{-\theta }\). Thus, we can only hope to recover a fraction \(1- e^{- \theta }\) of the table of \(F_0\). The same holds for \(F_1\) and \(F_2\). Therefore, with data and time complexity N, we recover a good fraction of all tables; with data and time complexity \(N\ln N\), we recover the full tables with good probability.
4.2 Round-Function Recovery on the 4-Round Feistel Scheme
In this section, we give an attack that fully recovers the round functions of a 4-round Feistel scheme.
We form a directed graph \(G=(V,E)\) with the vertex set V defined above. We put \(((x_1y_1,x'_1y'_1),(x_2y_2,x'_2y'_2)) \in E\) if \(y'_1=y_2\), i.e. the vertex \((x_1y_1,x'_1y'_1)\) is connected to the vertex \((x_2y_2,x'_2y'_2)\) when \(y'_1\), taken from the second message of the former, equals \(y_2\), taken from the first message of the latter. Furthermore, we let \(E_{good}=(V_{good} \times V_{good}) \cap E\) and define the subgraph \(G_{good}=(V_{good}, E_{good})\).
Then, we have the following Lemma with four properties:
Lemma 1
 1.
\(V_{good} \subseteq V\).
 2.
If \((xy,x'y') \in V\), then \(y \ne y'\).
 3.
If \((xy,x'y') \in V_{good}\), then \(F_{0}(y') - F_{0}(y) = Label(xy,x'y')\).
 4.
For all cycles \(v_{1}v_{2}\cdots v_{L}v_{1}\) of \(G_{good}\), \(\sum _{i=1}^{L}Label(v_{i})=0\).^{3}
Proof
 1.
Clearly, \(z'=z\) and \(c'=c\) imply \(t'-y'=t-y\); hence \(V_{good} \subseteq V\).
 2.
If \(t'-y'=t-y\) and \(y'=y\), then \(t'=t\). If we further have \(z'=z\), then we deduce \(c'=c\). If \(c'=c\), then \(x'=x\), thus \(xy=x'y'\). Hence, we cannot have \((xy,x'y') \in V\).
 3.
If \(c'=c\), then \(F_0(y')-F_0(y)=x-x'=Label(xy,x'y')\).
 4.
Let \(v_i=(x_iy_i,x'_iy'_i)\). If \(v_i \in V_{good}\), then \(F_0(y'_i)-F_0(y_i)=Label(v_i)\). If we have a cycle, then \(y'_i=y_{i+1}\) with \(y_{L+1}=y_1\). Hence, the sum telescopes and \(\sum _i Label(v_i)=0\). \(\square \)
The principle of our attack is as follows: if we get vertices in \(V_{good}\), property 3 of Lemma 1 gives equations that characterize \(F_{0}\). One problem is that we can identify vertices in V, but we cannot tell good vertices apart from non-good (bad) ones. One way to recognize good vertices is to use property 4 of Lemma 1: look for cycles with zero sum of labels. We will show in Lemma 4 (for \(L=2\)) that this is characteristic of good cycles, meaning that all the vertices on such a cycle are good. First, we estimate the number of vertices and edges with the following two lemmas.
Lemma 2
Proof
Lemma 3
The expected number of elements in \(V_{good}\) is \(\frac{M(M-1)\left( 1- \frac{1}{N} \right) }{N^{2}} \approx \frac{M^{2}}{N^{2}}\).
Proof
We have \(M(M-1)\) possible pairs of tuples \(xy,x'y'\) with \(xy\ne x'y'\) from which to construct \(V_{good}\). From Eq. (2), the probability that each such pair is in \(V_{good}\) is \(\frac{1}{N^{2}} \left( 1 - \frac{1}{N} \right) \). Thus, we expect \(\frac{M(M-1)\left( 1- \frac{1}{N} \right) }{N^{2}} \approx \frac{M^{2}}{N^{2}}\) elements in \(V_{good}\). \(\square \)
For each cycle \(v_{1}v_{2} \cdots v_{L}v_{1}\) in G, if \(v_{1}, \ldots ,v_{L}\) are all in \(V_{good}\), then the sum of the \(Label(v_{i})\) is zero by property 4 of Lemma 1. If one vertex is not good, the sum is essentially random. This suggests a way to find good vertices in V: look for long cycles in G with a zero sum of labels.
Lemma 4
(\(L=2\) case). If \(v_1=(x_1y_1,x'_1y'_1)\), we say that \(v_1\) and \(v_2\) are permuting if \(v_2=(x'_1y'_1,x_1y_1)\). If \(v_{1}v_{2}v_{1}\) is a cycle in G with zero sum of labels and \(v_{1}, v_{2}\) are not permuting, then \(v_{1}\) and \(v_{2}\) are likely to be good. More precisely, for random \(v_{1}=(x_{1}y_{1},x'_{1}y'_{1})\) and \(v_{2}=(x_{2}y_{2},x'_{2}y'_{2})\), we have \(\Pr [v_{1},v_{2} \in V_{good} \mid v_{1}v_{2}v_{1} ~ \text {is a cycle}, ~v_{1}, v_{2} ~\text {not permuting}, ~\sum _{i=1}^{2}Label(v_{i}) = 0] \geqslant \frac{1}{1+\frac{10}{N-5}}\).
The proof of Lemma 4 is in Appendix A.1. We believe that Lemma 4 remains true for valid cycles of small length, except in trivial cases. In Appendix A.2, we extend it to \(L>2\) for cycles satisfying a special non-repeating condition \([\lnot \mathsf {repeat}]\) on the c and d values, which rules out many trivial cases. However, the adversary cannot check this condition. Instead, we can simply avoid repetitions of any message throughout the cycle (as repeating messages induce repeating c's or d's). We use the following conjecture, which is supported by experiments for \(L=3\).
Conjecture 1
If \(v_1v_2 \cdots v_Lv_1\) is a cycle of length L in G with zero sum of labels and the vertices use no message in common, then \(v_1, \ldots, v_L \) are all good with probability close to 1.
For M known plaintexts, the expected number of valid cycles of a given length L in \(G_{good}\) is \(\frac{M^{2L}}{N^{3L}}\).
The aim of our attack is to collect as many outputs of \(F_0\) as possible in order to reconstruct the table of this function. Thus, we are interested in the vertices \(v_i\), \(i \in \{1, \ldots , |V|\}\), whose labels satisfy \(Label(v_i)=F_0(y'_i)-F_0(y_i)\) when \(v_i\) is good, and we build another graph \(G'\), whose vertices are the N possible values of y and whose edges are these equations, to collect many independent equations on \(F_0\).
When we model \(G'\) as a random graph, we can adjust M so that \(G'\) has a large connected component. With vertex set size \(|V'|=N\) and edge set size \(|E'|=m\), we have \(m= \frac{N(N-1)}{2}p\), where p is the probability that \(G'\) has an edge between two given vertices. From the Erdős-Rényi model [12] of random graphs, we want \(Np \geqslant 1\). Since \(Np \sim 2\frac{m}{N}\), we want \(m \geqslant \frac{N}{2}\). We have \(\frac{M^{2L}}{L\cdot N^{3L}}\) expected good cycles of length L (counted without repetition of their L circular rotations), each contributing L edges, thus \(m \sim \frac{M^{2L}}{N^{3L}}\). Therefore, we need to set \(M = \lambda N^{ \frac{3}{2}} \left( \frac{N}{2}\right) ^{\frac{1}{2L}}\) for a constant \(\lambda \geqslant 1\) to have a large connected component in \(G'\). Our attack works with \(M= N^{\frac{3}{2} + \epsilon }\) for small \(\epsilon > 0\), with complexity \(O(2^{L}N^{(1+2\epsilon )L})\) and a constant probability of success. If our attack recovers at least \(\sqrt{N}\) points of \(F_0\) correctly (which is the case when \(G'\) has a large connected component), we obtain \(M\times \frac{\sqrt{N}}{N} \gg N\) samples on which the 3-round attack applies, so that it recovers a good fraction of \(F_1\), \(F_2\), \(F_3\). This is enough to bootstrap a yoyo attack (Steps 9–18 of Algorithm 3), and our attack succeeds.
Experimentally, we noticed that \(\lambda =0.8\) is too small to obtain a large enough connected component for \(L=3\). Conversely, for \(\lambda =2\), \(G'\) is more connected, but the giant component contains many bad edges that we want to avoid.
Let \(E_{j}\) be the event that the sizes of the \(\mathsf {j}\) largest connected components of \(G'\) sum to more than \(\sqrt{N}\) and that they contain no bad edge. Let \(E_{\leqslant j}\) be the event that at least one of \(E_1, E_2, \ldots ,E_j\) occurs. We simulated the attack for various N and \(\lambda \) and report \(\Pr [E_{\leqslant 1}]\), \(\Pr [E_{\leqslant 2}]\), \(\Pr [E_{\leqslant 3}]\) in Table 2. Reading the table with \(\lambda =1\) and \(\mathsf {j}=3\), our attack recovers \(\sqrt{N}\) points of \(F_0\) with probability at least \(23~\%\). If we use \(\mathsf {j}\) connected components, the complexity must be multiplied by \(N^{j-1}\): we can fix \(F_0\) on one point for free, after which all values in its connected component are inferred, but for each additional connected component we must guess one value of \(F_{0}\). It is likely that this \(N^{j-1}\) factor can be mitigated by an early abort in the 3-round attack.
In our experiments, we observe the best success probability with \(\lambda =1\). With larger \(\lambda \), the attack hardly ever succeeds. It may look paradoxical that the attack fails when \(\lambda \) is too large, but this is due to the higher chance of collecting bad edges. However, when \(G'\) is heavily connected, one could design algorithms that eliminate inconsistencies in the labels and get rid of bad edges; this would give a successful attack for any \(\lambda \geqslant 2\). We leave it as future work.
Therefore, we have a double phase transition. The first phase transition occurs when we have enough data to build the graph and find cycles; our attack succeeds soon after it. The second phase transition occurs when bad edges start to appear in the collected cycles; beyond it, our attack would have to be enriched to keep working. We did not do so on purpose, as we noticed that the window between these two phase transitions is wide enough to break the scheme with good probability of success without caring about possible bad edges.
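As an added illustration of the cycle filter and of the reconstruction of \(F_0\) through \(G'\) (example code written for this page, not the authors' implementation): the page does not reproduce the definition of the vertex set V from Lemma 2, so the vertices below are synthesised directly from a constructed secret table \(F_0\) on \(\mathbb {Z}_{16}\). Good vertices get \(Label = F_0(y')-F_0(y)\), bad vertices get a random label, and one good 3-cycle is planted at indices 0, 1, 2. The code then finds the zero-sum cycles of length \(L=3\) whose vertices share no message (the condition of Conjecture 1), turns every vertex on such a cycle into an equation \(F_0(y')-F_0(y)=Label\) (property 3 of Lemma 1), and solves the equations on each connected component of \(G'\) by fixing \(F_0=0\) at one vertex, flagging any inconsistent edge. All parameters and the secret table are constructed for the example.

```python
import random
from collections import defaultdict, deque

N = 16  # branch size of the toy Feistel network (constructed parameter)
F0_SECRET = [3, 14, 7, 0, 9, 12, 1, 5, 10, 15, 2, 11, 6, 8, 13, 4]  # constructed secret table


def vertex(x, y, xp, yp):
    """Vertex (xy, x'y') of G with Label = x - x' (mod N), as in Lemma 1."""
    return {"y": y, "yp": yp, "label": (x - xp) % N, "msgs": frozenset({(x, y), (xp, yp)})}


def good_vertex(x, y, yp):
    """Plant a good vertex: choose x' so that Label = F0(y') - F0(y) holds."""
    return vertex(x, y, (x - (F0_SECRET[yp] - F0_SECRET[y])) % N, yp)


def build_vertices(n_good=60, n_bad=30, seed=7):
    """Synthesised V: a planted good 3-cycle (indices 0, 1, 2), random good vertices and random
    bad ones. Vertices are planted rather than derived from 4-round ciphertexts because the
    membership condition of V is not reproduced on this page. Returns (V, is_good)."""
    rng = random.Random(seed)
    V = [good_vertex(5, 0, 1), good_vertex(9, 1, 2), good_vertex(3, 2, 0)]
    flags = [True, True, True]
    while len(V) < 3 + n_good:
        x, y, yp = rng.randrange(N), rng.randrange(N), rng.randrange(N)
        if y != yp:                                  # property 2 of Lemma 1
            V.append(good_vertex(x, y, yp)); flags.append(True)
    while len(V) < 3 + n_good + n_bad:
        x, y, xp, yp = (rng.randrange(N) for _ in range(4))
        if y != yp:
            V.append(vertex(x, y, xp, yp)); flags.append(False)
    return V, flags


def zero_sum_cycles(V, L=3):
    """Vertex sets of directed cycles v1 -> ... -> vL -> v1 of G (edge iff y'_1 == y_2) whose
    labels sum to 0 mod N and whose vertices share no message (Conjecture 1)."""
    by_y = defaultdict(list)
    for i, v in enumerate(V):
        by_y[v["y"]].append(i)
    found = set()

    def walk(path, used, total):
        last = V[path[-1]]
        if len(path) == L:
            if last["yp"] == V[path[0]]["y"] and total % N == 0:
                found.add(frozenset(path))
            return
        for j in by_y[last["yp"]]:
            if j not in path and not (V[j]["msgs"] & used):
                walk(path + [j], used | V[j]["msgs"], total + V[j]["label"])

    for i in range(len(V)):
        walk([i], V[i]["msgs"], V[i]["label"])
    return found


def equations(V, cycles):
    """Every vertex on a zero-sum cycle is taken as good: F0(y') - F0(y) = Label."""
    return [(V[i]["y"], V[i]["yp"], V[i]["label"]) for c in cycles for i in c]


def recover_F0(eqs):
    """G' has the N values of y as vertices and the equations as edges. Fix F0 = 0 on one
    vertex per connected component (the free choice from the text), propagate by BFS and
    report edges whose label disagrees with the propagated values (bad edges)."""
    adj = defaultdict(list)
    for y, yp, d in eqs:
        adj[y].append((yp, d)); adj[yp].append((y, (-d) % N))
    F0, comps, bad = {}, [], []
    for root in list(adj):
        if root in F0:
            continue
        F0[root], comp, q = 0, [root], deque([root])
        while q:
            u = q.popleft()
            for v, d in adj[u]:
                if v not in F0:
                    F0[v] = (F0[u] + d) % N; comp.append(v); q.append(v)
                elif (F0[v] - F0[u]) % N != d:
                    bad.append((u, v))
        comps.append(comp)
    return F0, comps, bad


def matches_secret(F0, comps):
    """True iff, on each component, the recovered table equals F0_SECRET up to one constant."""
    return all(len({(F0[y] - F0_SECRET[y]) % N for y in comp}) == 1 for comp in comps)
```

With bad vertices present, some zero-sum cycles contain a bad vertex by chance (probability about \(1/N\) per such cycle), and `recover_F0` reports the resulting conflicts in its `bad` list; that list is the starting point for the inconsistency-elimination step mentioned above for larger \(\lambda \).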
Experimental \(\Pr [E_{\leqslant j}]\) over several trials for various N, \(\lambda \), and \(\mathsf {j}\); the number of trials corresponds to the successful runs of the first step of the whole attack on FF3 out of \(10\,000\), using \(L=3\).
N | \(M(\lambda )\) | \(\#\mathsf {trials}\) | \(\Pr [E_{\leqslant 1}]\) | \(\Pr [E_{\leqslant 2}]\) | \(\Pr [E_{\leqslant 3}]\)
2 | 2 (0.71) | 5022 | 0.00 % | 0.00 % | 0.00 %
4 | 5 (0.56) | 7098 | 1.51 % | 1.51 % | 1.51 %
8 | 15 (0.53) | 7010 | 0.36 % | 4.07 % | 4.07 %
16 | 46 (0.51) | 6665 | 0.05 % | 1.23 % | 1.23 %
32 | 144 (0.50) | 6103 | 0.02 % | 0.03 % | 0.16 %
64 | 457 (0.50) | 7986 | 0.00 % | 0.00 % | 0.01 %
128 | 1449 (0.50) | 7460 | 0.00 % | 0.00 % | 0.00 %
256 | 4598 (0.50) | 6879 | 0.00 % | 0.00 % | 0.00 %
512 | 14597 (0.50) | 4816 | 0.00 % | 0.00 % | 0.00 %
2 | 3 (1.06) | 4316 | 0.00 % | 0.00 % | 0.00 %
4 | 8 (0.89) | 4153 | 15.19 % | 15.19 % | 15.19 %
8 | 23 (0.81) | 6703 | 5.83 % | 18.54 % | 18.54 %
16 | 73 (0.81) | 6886 | 4.57 % | 13.87 % | 13.87 %
32 | 230 (0.80) | 6952 | 2.52 % | 7.12 % | 10.98 %
64 | 730 (0.80) | 6568 | 1.40 % | 5.65 % | 9.18 %
128 | 2318 (0.80) | 6189 | 0.29 % | 1.13 % | 2.83 %
256 | 7357 (0.80) | 7338 | 0.03 % | 0.31 % | 0.89 %
512 | 23355 (0.80) | 469 | 0.00 % | 0.00 % | 0.00 %
2 | 3 (1.06) | 4352 | 0.00 % | 0.00 % | 0.00 %
4 | 9 (1.00) | 3864 | 23.08 % | 23.08 % | 23.08 %
8 | 29 (1.02) | 5791 | 15.59 % | 35.02 % | 35.02 %
16 | 91 (1.01) | 6585 | 16.20 % | 29.90 % | 29.90 %
32 | 288 (1.00) | 6814 | 14.66 % | 27.09 % | 31.67 %
64 | 913 (1.00) | 6981 | 18.16 % | 34.69 % | 40.87 %
128 | 2897 (1.00) | 6609 | 16.31 % | 33.53 % | 40.73 %
256 | 9196 (1.00) | 6154 | 16.27 % | 36.90 % | 46.51 %
512 | 29193 (1.00) | 409 | 11.25 % | 32.52 % | 43.77 %
8 | 58 (2.03) | 988 | 22.77 % | 23.99 % | 23.99 %
16 | 182 (2.01) | 2504 | 6.71 % | 6.79 % | 6.79 %
32 | 575 (2.00) | 3425 | 0.53 % | 0.55 % | 0.55 %
64 | 1825 (2.00) | 5727 | 0.02 % | 0.02 % | 0.02 %
128 | 5793 (2.00) | 1634 | 0.00 % | 0.00 % | 0.00 %
256 | 18391 (2.00) | 107 | 0.00 % | 0.00 % | 0.00 %
512 | 58386 (2.00) | 6 | 0.00 % | 0.00 % | 0.00 %
32 | 863 (3.00) | 1389 | 0.00 % | 0.00 % | 0.00 %
64 | 2737 (3.00) | 2250 | 0.00 % | 0.00 % | 0.00 %
128 | 8689 (3.00) | 139 | 0.00 % | 0.00 % | 0.00 %
256 | 27586 (3.00) | 7 | 0.00 % | 0.00 % | 0.00 %
Experimental \(\Pr [S_j]\) and success probability over many trials for various N and j using \(L=3\).
The data complexity of our attack in Algorithm 3 is \(M=O(N^{\frac{3}{2}+\frac{1}{2L}})\). We compute the time complexity from steps 2, 3, 4, and 5, since the other steps are much cheaper. In step 2, building the graph G amounts to forming its vertices, which can be done in \(M \log (M)\) time by collision detection over the M known plaintext/ciphertext pairs. In step 3, we look for the cycles of length L. They can be found by multiplications of the (sparse) adjacency matrix. One multiplication costs \(O(|V|^2d)\), where \(d=\frac{|E|}{|V|}\) is the average degree of a vertex, i.e. \(O(|V||E|)\). Following Floyd-Warshall, we need \((L-1)\) multiplications by the adjacency matrix in the max-plus algebra, which gives a complexity of \(O(L|V||E|)\). With \(|E| \sim \frac{|V|^2}{N}\), \(|V|=2\frac{M^2}{N^2}=O(N^{1+\frac{1}{L}})\) and L constant, we obtain \(O(\frac{|V|^3}{N})=O(N^{2+\frac{3}{L}})\). Another method is to enumerate all L-tuples of vertices in \(O(|V|^L)=O(N^{L+1})\). Taking the cheaper of the two methods gives at most \(O(N^3)\) for any L, and this is the complexity of step 3 (it is even lower for \(L>3\)). Step 4 takes N time and step 5 takes \(\frac{M^{2L}}{N^{3L}}=\frac{N}{2}\). Since step 3 dominates, the time complexity of our algorithm is \(O(N^3)\) for \(L=3\) and a smaller \(O(N^{2+\frac{3}{L}})\) for \(L>3\). Instead of \(L-1\) multiplications of a sparse matrix in the max-plus algebra, we could also use \(O(\log L)\) general-purpose matrix multiplications over the integers with the Coppersmith-Winograd algorithm [10]; this would give a complexity of \(O(|V|^{2.38}\log L)\), which is not better.
4.3 Round-Function Recovery on 5-Round Feistel Schemes and More
Given the 4-round full recovery attack of Sect. 4.2, we can extend it to attack 5-round Feistel networks. The extension is straightforward; it uses chosen plaintexts and a guessing strategy. Consider our 4-round attack and the known plaintexts it consumes. We choose the plaintexts for the 5-round attack so that the right halves of the messages take as few distinct values as possible, then guess the images of these right halves through \(F_0\). That is, we enumerate all possible partial tables of the first round function on these right values, and we keep the table that is consistent after running the attack on the remaining 4 rounds. The data complexity of our 4-round attack is \(\lambda N^{\frac{3}{2}+\epsilon }\), so only about \(\lambda N^{\frac{1}{2}+\epsilon }\) distinct right halves are needed, and the time complexity of the 5-round recovery with chosen plaintexts is \(O(N^{\lambda N^{\frac{1}{2}+\epsilon }+3})\). The data complexity is unchanged.
We can attack \(r\) rounds similarly, with complexity \(O(N^{(r-5)N+\sqrt{N}+3})\), by guessing the round functions of the last \((r-5)\) rounds. The data complexity is unchanged. We can apply this to FF1 (\(r=10\)) and FF3 (\(r=8\)). We obtain a complexity lower than \(2^{128}\) for FF1 with \(N=7\) and for FF3 with \(7\leqslant N\leqslant 10\). (For lower N, exhaustive search on either the codebook or the round functions reaches the same conclusion.) Hence, these instances of FF1 and FF3 do not offer 128-bit security.
5 Slide Attack on FF3
We developed an attack on 4-round Feistel networks in Sect. 4, and we now deploy it as a building block of our chosen-plaintext and chosen-tweak attack on the FF3 scheme. Our FF3 attack aims to reconstruct the entire codebook for a challenge tweak with a number of queries lower than what a brute-force codebook attack needs. The main idea of the attack is to take advantage of the freedom to change the tweak in order to permute the round functions.
We now formally prove useful results for the analysis and the success probability of the attack in Algorithm 4.
Let \(\Pi \) be a random permutation on \(\{0,\ldots ,N^2-1\}\). Let \(c_k\) be the number of cycles of length k in \(\Pi \). Since every element lies in exactly one cycle, \(\sum _{k=1}^{N^2}k\,c_{k}=N^2\). It is well known that the expected number of cycles of length k over a random \(\Pi \) is \(\mathbb {E}_{\Pi }(c_{k})=\frac{1}{k}\).^{4}
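To make the structure of Sect. 2 and the tweak-permutation property concrete, here is a toy implementation added for this page (not the authors' code and not the NIST reference implementation). It implements \(STR\), \(NUM\) and \(REV\) from Sect. 2, the rounds of lines 4–14 on \((L_{0},R_{0}) \in \mathbb {Z}_N^2\) with modular addition and tweak halves XORed with the round index (even rounds use \(T_R\), odd rounds use \(T_L\), as described in Sect. 2), and a check of the property the slide attack rests on: with \(T'=(T_L\oplus 4, T_R\oplus 4)\), round j of \(T'\) feeds the PRF exactly what round \(j\oplus 4\) of T feeds it, so the four last rounds under T become the four first rounds under \(T'\) and vice versa; the relation \(E_{T'}(A(x))=A(E_T(x))\) with A the first four rounds under T is what the code verifies. The tweak difference of 4 is chosen here because it is the one that aligns the round indices; the attack itself and its analysis are the subject of this section. Assumptions: the round function is a stand-in HMAC-SHA256 reduced modulo N instead of AES, and the key, tweak and plaintext values are constructed.

```python
import hashlib
import hmac

DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # character set S for bases up to 36


def STR(x, s, b):
    """STR^b_s: map 0 <= x < s^b to a length-b base-s string, most significant character first."""
    if not 0 <= x < s ** b:
        raise ValueError("x out of range for STR")
    chars = []
    for _ in range(b):
        chars.append(DIGITS[x % s])
        x //= s
    return "".join(reversed(chars))


def NUM(X, s):
    """NUM_s: the integer x such that STR^b_s(x) = X."""
    x = 0
    for ch in X:
        x = x * s + DIGITS.index(ch)
    return x


def REV(X):
    """REV: reverse the order of the characters of X."""
    return X[::-1]


def F(key, tweak_half, i, half, N):
    """Stand-in tweakable PRF F_K(T xor i, half) with output in Z_N.
    Assumption for this example: HMAC-SHA256 reduced mod N; the standard uses AES here."""
    msg = (tweak_half ^ i).to_bytes(4, "big") + half.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big") % N


def rounds(key, N, T, L, R, idx):
    """Apply the FF3 rounds with indices idx (lines 4-14) to (L, R).
    Even round i: L <- L + F(T_R xor i, R) mod N; odd round i: R <- R + F(T_L xor i, L) mod N."""
    TL, TR = T
    for i in idx:
        if i % 2 == 0:
            L = (L + F(key, TR, i, R, N)) % N
        else:
            R = (R + F(key, TL, i, L, N)) % N
    return L, R


def encrypt(key, N, T, L, R, w=8):
    """FF3-style encryption of (L_0, R_0) into (L_w, R_w) under tweak T = (T_L, T_R)."""
    return rounds(key, N, T, L, R, range(w))


def decrypt(key, N, T, L, R, w=8):
    """Undo the rounds in reverse order with modular subtraction."""
    TL, TR = T
    for i in reversed(range(w)):
        if i % 2 == 0:
            L = (L - F(key, TR, i, R, N)) % N
        else:
            R = (R - F(key, TL, i, L, N)) % N
    return L, R


def slide_relation_holds(key, N, T, L, R, delta=4):
    """Domain-separation check. Let A = rounds 0..3 and B = rounds 4..7 under T, so E_T = B o A.
    With T' = T xor (delta, delta) and delta = 4, round j of T' equals round j xor 4 of T, hence
    E_{T'} = A o B and E_{T'}(A(x)) = A(E_T(x)). Any other delta (e.g. 1) gives an unrelated
    permutation and the relation fails except by chance (probability about 1/N^2)."""
    Tp = (T[0] ^ delta, T[1] ^ delta)
    a = rounds(key, N, T, L, R, range(4))             # A(x)
    lhs = encrypt(key, N, Tp, a[0], a[1])             # E_{T'}(A(x))
    c = encrypt(key, N, T, L, R)                      # E_T(x)
    rhs = rounds(key, N, T, c[0], c[1], range(4))     # A(E_T(x))
    return lhs == rhs


if __name__ == "__main__":
    KEY = b"constructed example key"             # constructed, not a real key
    N, T = 1000, (0x00001234, 0x0000ABCD)       # N = s^(b/2) with s = 10, b = 6; 32-bit tweak halves
    print(encrypt(KEY, N, T, 123, 456), slide_relation_holds(KEY, N, T, 123, 456))
```

The check passes for every key, every tweak and every plaintext, because it depends only on how the round index enters the PRF input, not on the PRF itself; that is why replacing AES by a stand-in PRF does not change the outcome.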
In what follows we show two useful results.
Lemma 5
For a message \(xy^{i}\) picked at random, let \(length(xy^{i})\) be the length of the cycle that contains \(xy^{i}\). For two messages \(xy^{i}\) and \(\overline{xy}^{i'}\) picked at random, let \(E_0\) be the event that \(xy^{i}\) and \(\overline{xy}^{i'}\) lie in the same cycle. The expected value of \(length(xy^{i})\) is \(\mathbb {E}_{xy^{i},\Pi }[length(xy^{i})]=\frac{N^2 +1}{2} \), and its expected value given \(E_{0}\) is \(\mathbb {E} [length(xy^{i}) \mid E_0] = \frac{2N^2 +1}{3}\).
Proof
Table 4. Experimental probability of success in the FF3 attack for various parameters using strategy \(S_j\)

| N | M | \(\lambda \) | A | B | \(\#\mathsf {run}\) | \(\Pr [\mathsf {succ},S_1]\) | \(\Pr [\mathsf {succ},S_2]\) | \(\Pr [\mathsf {succ},S_3]\) | \(\Pr [\mathsf {succ},S_4]\) |
|---|---|---|---|---|---|---|---|---|---|
| 2 | 2 | 0.71 | 1 | 4 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 4 | 5 | 0.56 | 2 | 10 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 8 | 15 | 0.53 | 2 | 30 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 16 | 46 | 0.51 | 2 | 92 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 32 | 144 | 0.50 | 2 | 288 | 10000 | 0.03 % | 0.47 % | 1.38 % | 1.38 % |
| 64 | 457 | 0.50 | 3 | 914 | 10000 | 0.01 % | 1.61 % | 5.08 % | 5.12 % |
| 128 | 1449 | 0.50 | 3 | 2898 | 10000 | 0.00 % | 1.51 % | 5.25 % | 5.73 % |
| 256 | 4598 | 0.50 | 3 | 9196 | 10000 | 0.00 % | 0.52 % | 3.55 % | 4.59 % |
| 512 | 14597 | 0.50 | 3 | 29194 | 7977 | 0.00 % | 0.18 % | 1.82 % | 3.00 % |
| 2 | 3 | 1.06 | 1 | 6 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 4 | 8 | 0.89 | 1 | 16 | 10000 | 0.03 % | 0.03 % | 0.48 % | 0.48 % |
| 8 | 23 | 0.81 | 2 | 46 | 10000 | 2.64 % | 1.54 % | 3.29 % | 3.30 % |
| 16 | 73 | 0.81 | 2 | 146 | 10000 | 7.32 % | 15.34 % | 21.04 % | 21.05 % |
| 32 | 230 | 0.80 | 2 | 460 | 10000 | 7.38 % | 30.84 % | 41.19 % | 41.19 % |
| 64 | 730 | 0.80 | 2 | 1460 | 10000 | 5.90 % | 39.58 % | 50.78 % | 50.73 % |
| 128 | 2318 | 0.80 | 2 | 4636 | 10000 | 1.69 % | 41.36 % | 53.14 % | 53.16 % |
| 256 | 7357 | 0.80 | 3 | 14714 | 9114 | 0.70 % | 54.56 % | 71.78 % | 72.24 % |
| 512 | 23355 | 0.80 | 3 | 46710 | 618 | 0.00 % | 50.97 % | 69.74 % | 70.71 % |
| 2 | 3 | 1.06 | 1 | 6 | 10000 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 4 | 9 | 1.00 | 1 | 18 | 10000 | 1.18 % | 1.40 % | 2.84 % | 2.84 % |
| 8 | 29 | 1.02 | 2 | 58 | 10000 | 17.24 % | 17.99 % | 21.46 % | 21.46 % |
| 16 | 91 | 1.01 | 2 | 182 | 10000 | 20.15 % | 35.35 % | 38.85 % | 38.85 % |
| 32 | 288 | 1.00 | 2 | 576 | 10000 | 22.01 % | 45.89 % | 48.29 % | 48.24 % |
| 64 | 913 | 1.00 | 2 | 1826 | 10000 | 28.20 % | 54.14 % | 54.41 % | 54.15 % |
| 128 | 2897 | 1.00 | 2 | 5794 | 10000 | 26.24 % | 56.85 % | 55.14 % | 54.65 % |
| 256 | 9196 | 1.00 | 2 | 18392 | 9961 | 28.10 % | 55.90 % | 54.65 % | 54.15 % |
| 512 | 29193 | 1.00 | 3 | 58386 | 500 | 35.00 % | 77.40 % | 76.20 % | 75.40 % |
| 2 | 6 | 2.12 | 1 | 12 | 10000 | 12.20 % | 12.20 % | 12.20 % | 12.20 % |
| 4 | 18 | 2.00 | 1 | 36 | 10000 | 14.15 % | 15.62 % | 16.48 % | 16.48 % |
| 8 | 58 | 2.03 | 1 | 116 | 10000 | 12.96 % | 13.92 % | 14.40 % | 14.40 % |
| 16 | 182 | 2.01 | 1 | 364 | 10000 | 6.10 % | 7.37 % | 7.65 % | 7.65 % |
| 32 | 575 | 2.00 | 1 | 1150 | 10000 | 2.20 % | 3.62 % | 3.80 % | 3.80 % |
| 64 | 1825 | 2.00 | 2 | 3650 | 10000 | 2.80 % | 5.59 % | 6.34 % | 6.32 % |
| 128 | 5793 | 2.00 | 2 | 11586 | 2512 | 2.43 % | 4.34 % | 4.70 % | 4.66 % |
| 256 | 18391 | 2.00 | 2 | 36782 | 162 | 1.23 % | 3.70 % | 3.70 % | 3.70 % |
| 512 | 58386 | 2.00 | 2 | 116772 | 10 | 10.00 % | 10.00 % | 10.00 % | 10.00 % |
| 2 | 9 | 3.18 | 1 | 18 | 10000 | 12.38 % | 12.38 % | 12.38 % | 12.38 % |
| 4 | 27 | 3.01 | 1 | 54 | 10000 | 13.92 % | 15.62 % | 16.46 % | 16.46 % |
| 8 | 86 | 3.02 | 1 | 172 | 10000 | 12.79 % | 13.95 % | 14.31 % | 14.31 % |
| 16 | 272 | 3.01 | 1 | 544 | 10000 | 5.13 % | 6.56 % | 6.91 % | 6.91 % |
| 32 | 863 | 3.00 | 1 | 1726 | 10000 | 2.04 % | 3.25 % | 3.47 % | 3.46 % |
| 64 | 2737 | 3.00 | 1 | 5474 | 8051 | 1.25 % | 2.22 % | 2.50 % | 2.51 % |
| 128 | 8689 | 3.00 | 1 | 17378 | 380 | 0.26 % | 0.79 % | 1.05 % | 1.05 % |
| 256 | 27586 | 3.00 | 2 | 55172 | 9 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
| 512 | 87579 | 3.00 | 2 | 175158 | 2 | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
This means that if we pick \(xy^{i}\) and \(\overline{xy}^{i'}\) at random and let \(xy^{j}=G^{-1}(\overline{xy}^{i'})\), then \(xy^{i}\) and \(\overline{xy}^{i'}\) are in the same cycle with probability close to \(\frac{1}{2}\), and we observe the situation of Fig. 6. One problem is that the cycle is typically long, i.e. about \(\frac{2N^2}{3}\) as shown in Lemma 5, whereas we want two segments of length B starting from \(xy^{i}\) and \(\overline{xy}^{i'}\) to intersect on at least M points. Therefore, we need the probability that two segments overlap in a cycle of length k on at least M points.
Lemma 6
Let \(E_1^{k}\) be the event that the two segments \(xy^{i}\rightarrow \Pi (xy^{i})\rightarrow \Pi ^2(xy^{i}) \rightarrow \cdots \rightarrow \Pi ^{B}(xy^{i})\) and \(\overline{xy}^{i'}\rightarrow \Pi (\overline{xy}^{i'})\rightarrow \Pi ^2(\overline{xy}^{i'}) \rightarrow \cdots \rightarrow \Pi ^{B}(\overline{xy}^{i'})\) overlap on at least M points within a given cycle of length k. Let \(E_1\) be the union of the \(E_1^{k}\) over every possible cycle length k. The probability that \(E_{1}\) occurs is equivalent to \(\frac{2(B-M)}{N^2}\) for \(M=o(N^2)\).
Proof
Our attack has data complexity 2AB. The time complexity is \(A^{2}B\) times the complexity of the 4-round recovery attack on the Feistel network. To minimize the data complexity 2AB subject to \(A^{2}(B-M) = N^{2}\) and \(B \geqslant M\), we set \(B=2M\), which gives \(A=\frac{N}{\sqrt{M}}\). Therefore, the FF3 attack has data complexity \(4N\sqrt{M}\) and time complexity \(2N^2\) times that of the 4-round recovery attack on the Feistel network, with \(p_{success} \approx 1 - e^{-p_{success}^{Feistel}}\).
We fully implemented the attack, but to measure its success probability we skipped the parts of the execution in which we already knew the attack would fail. Namely, in Algorithm 4 we can identify directly (using the key) which segments overlap and proceed straight to the 4-round Feistel attack on the right pair of segments. Table 4 reports the experimental probability of success of the whole attack following the strategies \(S_j\), \(j=1,\ldots ,4\). The probability was computed over 10,000 executions.^{5} We also counted the executions collecting fewer than M samples, as long as they succeeded in recovering all tables. Curiously, in the \(N\leqslant 4\) and \(\lambda =1\) cases M seems too low to find cycles at all. As we can see, the success probability is fairly good (\(18\%\)–\(77\%\) for \(8\leqslant N\leqslant 512\)) for \(\lambda =1\) and strategy \(S_2\), which collects the largest connected components in \(G'\).
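A Monte Carlo check of the random-permutation facts used in the analysis above (footnote 4, Lemma 5 and Lemma 6), added here as an illustration and not the paper's own code; the choices N=32, B=2M=32 and the trial count are ours, and the estimates are expected to match the closed forms only up to sampling error and the \(M=o(N^2)\) approximation of Lemma 6.

```python
"""Monte Carlo check of the random-permutation facts behind the analysis of
Algorithm 4 (footnote 4, Lemma 5, Lemma 6). Added illustration, not the
paper's code; N, B, M and the trial count below are our own choices."""
import random


def cycle_of(perm, x):
    """All points on the cycle of ``perm`` that contains ``x``."""
    cyc = [x]
    y = perm[x]
    while y != x:
        cyc.append(y)
        y = perm[y]
    return cyc


def segment(perm, x, B):
    """The B+1 points x, Pi(x), ..., Pi^B(x) of one slide-attack segment."""
    pts = [x]
    for _ in range(B):
        pts.append(perm[pts[-1]])
    return set(pts)


def predicted(N, B, M):
    """Closed forms stated in the paper: E[c_1], E[c_2], Lemma 5, Lemma 6."""
    n2 = N * N
    return {"c1": 1.0, "c2": 0.5, "len": (n2 + 1) / 2,
            "len_same": (2 * n2 + 1) / 3, "overlap": 2 * (B - M) / n2}


def simulate(N, B, M, trials, seed=1):
    """Estimate the same quantities over random permutations of {0..N^2-1}."""
    rng, n2 = random.Random(seed), N * N
    c1 = c2 = overlaps = 0
    lens, lens_same = [], []
    for _ in range(trials):
        perm = list(range(n2))
        rng.shuffle(perm)                              # uniformly random Pi
        x, xb = rng.randrange(n2), rng.randrange(n2)   # xy^i and xy-bar^i'
        cyc = cycle_of(perm, x)
        lens.append(len(cyc))
        if xb in cyc:                                  # event E_0 (Lemma 5)
            lens_same.append(len(cyc))
        c1 += sum(1 for i in range(n2) if perm[i] == i)                   # fixed points
        c2 += sum(1 for i in range(n2) if i < perm[i] and perm[perm[i]] == i)  # 2-cycles
        if len(segment(perm, x, B) & segment(perm, xb, B)) >= M:
            overlaps += 1                              # event E_1 (Lemma 6)
    return {"c1": c1 / trials, "c2": c2 / trials, "len": sum(lens) / trials,
            "len_same": sum(lens_same) / len(lens_same), "overlap": overlaps / trials}
```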
We conclude that the full attack succeeds with good probability.
6 Repairing FF3
As a quick fix, we propose to change the length of the tweak in FF3 so that the adversary no longer controls what is XORed with the round index. The same should hold if some other part of the tweak is XORed with a counter in a CBC mode, as proposed by the authors of the construction [8]. We obtain a scheme with a shorter tweak, to which we concatenate the round index instead of XORing it.
The original Luby-Rackoff result [15] was extended along this line by Black and Rogaway [7], but the security result obtained is quite weak: we can only prove that for a number of queries \(q\ll \sqrt{N}\), the cipher resists chosen-plaintext attacks, even with only three rounds. By similarly extending the results of Patarin [17], we obtain that for \(q\ll N\), the cipher resists chosen-plaintext and chosen-ciphertext attacks, even with only six rounds. However, this says nothing about the case \(q\sim N^{\frac{3}{2}}\), which is the regime of our 4-round attack.^{6}
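A designer's check of the domain-separation property behind this fix, added as an illustration and not code from the paper or the NIST specification. It uses a simplified model (an assumption, not FF3's exact tweak layout): one tweak word T and 8 rounds, with the FF3-style schedule XORing the round index into T and the repaired schedule carrying the index in its own field.

```python
"""Domain-separation check for a per-round tweak schedule (Sect. 6).
Simplified model, stated as an assumption: a single tweak word T and
ROUNDS rounds; the FF3-style schedule XORs the round index i into T, the
repaired schedule uses a shorter word and appends i as a separate field."""
ROUNDS = 8        # FF3 has an 8-round Feistel network
IDX_BITS = 4      # index field wide enough for rounds 0..7 (assumption)


def xor_schedule(T, i):
    """FF3-style: value fed to the round function in round i under tweak T."""
    return T ^ i


def concat_schedule(T, i):
    """Repaired: concatenate the round index instead of XORing it."""
    return (T << IDX_BITS) | i


def round_map(schedule, T, T2):
    """Map i -> j whenever round i under T and round j under T2 feed the same
    value to the round function, so that F_i^T and F_j^{T2} coincide."""
    return {i: j for i in range(ROUNDS) for j in range(ROUNDS)
            if schedule(T, i) == schedule(T2, j)}


def permutes_rounds(schedule, T, T2):
    """True iff T2 reuses all round functions of T in a different order,
    which is exactly the property the slide attack relies on."""
    m = round_map(schedule, T, T2)
    identity = {i: i for i in range(ROUNDS)}
    return len(m) == ROUNDS and sorted(m.values()) == list(range(ROUNDS)) and m != identity


def round_index(value):
    """Under the concatenating schedule the round index is always recoverable
    from the derived value, so no two rounds can share one."""
    return value & ((1 << IDX_BITS) - 1)


def well_separated(schedule, T, candidates):
    """Defender's check: no candidate tweak permutes the rounds of T."""
    return not any(permutes_rounds(schedule, T, T2) for T2 in candidates)
```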
7 Conclusion
We took the NIST standard FF3 and investigated its security on small domain sizes. We started by exploiting that we can permute the round functions thanks to a bad domain separation in the tweak schedule, which XORs the tweak with the round index. This permutation led us to develop a slide attack on FF3 based on our own attack on 4-round Feistel schemes, which works with known plaintexts/ciphertexts. Our FF3 attack works with chosen plaintexts and two tweaks. It improves the recent results of Bellare et al. [3] on the data and time complexity needed to break FF3. Our 4-round Feistel network attack is a full round-function-recovery attack that works with known plaintexts instead of chosen plaintexts and ciphertexts, unlike the recent results of Biryukov et al. [6].
Footnotes
 1.
In an r-round FN, q samples give \(2q\log _2N\) bits of information, but the round functions are defined by tables of \(rN\log _2N\) bits in total. Thus, \(q=\frac{r}{2}N\) queries are enough to reconstruct the round functions, in theory.
 2.
We consider here the FF3 block cipher. However, there is a mode of operation for FF3 allowing variable-length messages in the original paper [8].
 3.
Note that the cycle length notation L should not be confused with the subscript L indicating the left part of a plaintext or a ciphertext.
 4.
The probability that a given point is in a cycle of length exactly k is \(\frac{(N^2-1)\cdots (N^2-k+1)}{N^2(N^2-1) \cdots (N^2-k+1)}=\frac{1}{N^2}\). Hence, the expected number of points in cycles of length k is \(1=\mathbb {E}_{\Pi }(kc_k)\).
 5.
Executions of the attack on the 4-round Feistel scheme which we used to fill our previous tables are precisely those that obtain the M samples in this experiment. For some rows with M too large, no execution collected M pairwise different messages, so they are not reported in the previous table. Nevertheless, our attack may still work even when we collect fewer than M samples. This is why they appear in Table 4.
 6.
In reaction to this attack, NIST released the following announcement:
https://beta.csrc.nist.gov/News/2017/Recent-Cryptanalysis-of-FF3.
Notes
Acknowledgments
The work was done while the first author was visiting EPFL. It was supported by NSF grant CNS-1453132. This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific) under contract No. N66001-15-C-4070.
We thank Adi Shamir for the useful comments and Stefano Tessaro for the discussions.
