Reverse Cycle Walking and Its Applications

  • Sarah Miracle
  • Scott Yilek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


We study the problem of constructing a block-cipher on a “possibly-strange” set \(\mathcal{S}\) using a block-cipher on a larger set \(\mathcal{T}\). Such constructions are useful in format-preserving encryption, where for example the set \(\mathcal{S}\) might contain “valid 9-digit social security numbers” while \(\mathcal{T}\) might be the set of 30-bit strings. Previous work has solved this problem using a technique called cycle walking, first formally analyzed by Black and Rogaway. Assuming the size of \(\mathcal{S}\) is a constant fraction of the size of \(\mathcal{T}\), cycle walking allows one to encipher a point \(x \in \mathcal{S}\) by applying the block-cipher on \(\mathcal{T}\) a small expected number of times and \(O(N)\) times in the worst case, where \(N = |\mathcal{T}|\), without any degradation in security. We introduce an alternative to cycle walking that we call reverse cycle walking, which lowers the worst-case number of times we must apply the block-cipher on \(\mathcal{T}\) from \(O(N)\) to \(O(\log N)\). Additionally, when the underlying block-cipher on \(\mathcal{T}\) is secure against \(q = (1-\epsilon )N\) adversarial queries, we show that applying reverse cycle walking gives us a cipher on \(\mathcal{S}\) secure even if the adversary is allowed to query all of the domain points. Such fully secure ciphers have been the target of numerous recent papers.
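Classical cycle walking as the abstract describes it, for the 9-digit / 30-bit example. This is an added illustration, not code from the paper: the Feistel permutation `E_T`/`D_T` is a constructed stand-in for a block-cipher on \(\mathcal{T}\), \(\mathcal{S}\) is simplified to all integers below \(10^9\), and every function name is an assumption. It does not implement reverse cycle walking, whose details are not given on this page.

```python
import hashlib
import hmac

HALF = 15                    # T = 30-bit strings, split 15/15 for the Feistel network
MASK = (1 << HALF) - 1
S_SIZE = 10**9               # S = {0, ..., 999999999}: simplified stand-in for "valid SSNs"

def in_S(x):
    return 0 <= x < S_SIZE

def _f(key, rnd, half):
    # Round function: HMAC-SHA256 over (round index, half block), truncated to 15 bits.
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big") & MASK

def E_T(key, x, rounds=10):
    """Toy permutation on T (balanced Feistel); illustration only, not a vetted cipher."""
    left, right = x >> HALF, x & MASK
    for r in range(rounds):
        left, right = right, left ^ _f(key, r, right)
    return (left << HALF) | right

def D_T(key, y, rounds=10):
    """Inverse of E_T: undo the Feistel rounds in reverse order."""
    left, right = y >> HALF, y & MASK
    for r in reversed(range(rounds)):
        left, right = right ^ _f(key, r, left), left
    return (left << HALF) | right

def _walk(perm, key, x):
    # Apply the permutation on T until the result lands back in S. Because perm is a
    # permutation and x is in S, the cycle through x must return to S, so this terminates;
    # averaged over S it takes at most |T|/|S| (about 1.07) steps, but one unlucky point
    # can take O(N) steps, which is the worst case the abstract refers to.
    if not in_S(x):
        raise ValueError("point is outside S")
    steps = 0
    while True:
        x, steps = perm(key, x), steps + 1
        if in_S(x):
            return x, steps

def encrypt(key, x):
    return _walk(E_T, key, x)   # (ciphertext in S, number of calls to E_T)

def decrypt(key, y):
    return _walk(D_T, key, y)   # (plaintext in S, number of calls to D_T)
```

The step count returned alongside each result makes the data-dependent running time visible: decryption of a ciphertext takes exactly as many calls as the encryption that produced it.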


Format-preserving encryption · Small-domain block ciphers · Markov chains



We thank Tom Ristenpart for his very helpful comments on an earlier draft of this paper. We also thank the anonymous Asiacrypt reviewers for their detailed feedback.


  1. Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-05445-7_19
  2. Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption. Submission to NIST, February 2010
  3. Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). doi: 10.1007/3-540-45760-7_9
  4. Brightwell, M., Smith, H.: Using datatype-preserving encryption to enhance data warehouse security. In: National Information Systems Security Conference (NISSC) (1997)
  5. Bubley, R., Dyer, M.E.: Faster random generation of linear extensions. In: Karloff, H.J. (ed.) 9th SODA, January 1998, pp. 350–354. ACM-SIAM (1998)
  6. Czumaj, A.: Random permutations using switching networks. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, June 2015, pp. 703–712. ACM Press (2015)
  7. Czumaj, A., Kanarek, P., Kutylowski, M., Lorys, K.: Delayed path coupling and generating random permutations via distributed stochastic processes. In: Tarjan, R.E., Warnow, T. (eds.) 10th SODA, January 1999, pp. 271–280. ACM-SIAM (1999)
  8. Czumaj, A., Kanarek, P., Kutylowski, M., Lorys, K.: Fast generation of random permutations via networks simulation. In: European Symposium on Algorithms, pp. 246–260 (1996)
  9. Czumaj, A., Kutylowski, M.: Delayed path coupling and generating random permutations. Random Struct. Algorithms 17, 238–259 (2000)
  10. Granboulan, L., Pornin, T.: Perfect block ciphers with small blocks. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 452–465. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74619-5_28
  11. Hoang, V.T., Morris, B., Rogaway, P.: An enciphering scheme based on a card shuffle. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 1–13. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_1
  12. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_9
  13. Levin, D.A., Peres, Y., Wilmer, E.L.: Markov Chains and Mixing Times. American Mathematical Society (2006)
  14. Luchaup, D., Dyer, K.P., Jha, S., Ristenpart, T., Shrimpton, T.: LibFTE: a toolkit for constructing practical, format-abiding encryption schemes. In: Proceedings of the 23rd USENIX Security Symposium, pp. 877–891 (2014)
  15. Luchaup, D., Shrimpton, T., Ristenpart, T., Jha, S.: Formatted encryption beyond regular languages. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 14, November 2014, pp. 1292–1303. ACM Press (2014)
  16. Morris, B., Rogaway, P.: Sometimes-recurse shuffle. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 311–326. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_18
  17. Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_17
  18. Ristenpart, T., Yilek, S.: The mix-and-cut shuffle: small-domain encryption secure against N queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 392–409. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_22
  19. Sinclair, A.: Algorithms for Random Generation and Counting. Progress in Theoretical Computer Science. Birkhäuser, Boston (1993)

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. University of St. Thomas, St. Paul, USA
