Attacks only Get Better: How to Break FF3 on Large Domains

  • Viet Tung HoangEmail author
  • David Miller
  • Ni Trieu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)


We improve the attack of Durak and Vaudenay (CRYPTO’17) on NIST Format-Preserving Encryption standard FF3, reducing the running time from \(O(N^5)\) to \(O(N^{17/6})\) for domain \(\mathbb {Z}_N \times \mathbb {Z}_N\). Concretely, DV’s attack needs about \(2^{50}\) operations to recover encrypted 6-digit PINs, whereas ours only spends about \(2^{30}\) operations. In realizing this goal, we provide a pedagogical example of how to use distinguishing attacks to speed up slide attacks. In addition, we improve the running time of DV’s known-plaintext attack on 4-round Feistel of domain \(\mathbb {Z}_N \times \mathbb {Z}_N\) from \(O(N^3)\) time to just \(O(N^{5/3})\) time. We also generalize our attacks to a general domain \(\mathbb {Z}_M \times \mathbb {Z}_N\), allowing one to recover encrypted SSNs using about \(2^{50}\) operations. Finally, we provide some proof-of-concept implementations to empirically validate our results.


Format-Preserving Encryption Attacks 



We thank anonymous reviewers of EUROCRYPT 2019 for insightful feedback. Viet Tung Hoang was supported by NSF grants CICI-1738912 and CRII-1755539. Ni Trieu was supported by NSF award #1617197.


  1. 1.
    Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996). Scholar
  2. 2.
    Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2018)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Bellare, M., Hoang, V.T.: Identity-based format-preserving encryption. In: CCS 2017, pp. 1515–1532 (2017)Google Scholar
  4. 4.
    Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 444–455. ACM Press, October 2016Google Scholar
  5. 5.
    Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: CCS 2016 (2016)Google Scholar
  6. 6.
    Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). Scholar
  7. 7.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). Scholar
  8. 8.
    Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial observations on Skipjack: cryptanalysis of Skipjack-3XOR (invited talk). In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–375. Springer, Heidelberg (1999). Scholar
  9. 9.
    Biryukov, A., Leurent, G., Perrin, L.: Cryptanalysis of Feistel networks with secret round functions. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 102–121. Springer, Cham (2016). Scholar
  10. 10.
    Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). Scholar
  11. 11.
    Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). Scholar
  12. 12.
    Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). Scholar
  13. 13.
    Brier, E., Peyrin, T., Stern, J.: BPS: a format-preserving encryption proposal. Submission to NIST (2010).
  14. 14.
    Dara, S., Fluhrer, S.: FNR: arbitrary length small domain block cipher proposal. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 146–154. Springer, Cham (2014). Scholar
  15. 15.
    Durak, F.B., Vaudenay, S.: Breaking the FF3 format-preserving encryption standard over small domains. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 679–707. Springer, Cham (2017). Scholar
  16. 16.
    Durak, F.B., Vaudenay, S.: Generic round-function-recovery attacks for Feistel networks over small domains. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 440–458. Springer, Cham (2018). Scholar
  17. 17.
    Durrett, R.: Random Graph Dynamics. Cambridge University Press, Cambridge (2008)zbMATHGoogle Scholar
  18. 18.
    Hoang, V.T., Morris, B., Rogaway, P.: An enciphering scheme based on a card shuffle. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 1–13. Springer, Heidelberg (2012). Scholar
  19. 19.
    Hoang, V.T., Rogaway, P.: On generalized feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). Scholar
  20. 20.
    Hoang, V.T., Tessaro, S., Trieu, N.: The curse of small domains: new attacks on format-preserving encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 221–251. Springer, Cham (2018). Scholar
  21. 21.
    Mattsson, U.: Format controlling encryption using datatype preserving encryption. Cryptology ePrint Archive, Report 2009/257 (2009).
  22. 22.
    Morris, B., Rogaway, P.: Sometimes-recurse shuffle. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 311–326. Springer, Heidelberg (2014). Scholar
  23. 23.
    Motwani, R., Raghavan, P.: Randomized Algorithms. Cambridge University Press, Cambridge (1995)CrossRefGoogle Scholar
  24. 24.
    Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992). Scholar
  25. 25.
    Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001). Scholar
  26. 26.
    Ristenpart, T., Yilek, S.: The mix-and-cut shuffle: small-domain encryption secure against N queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 392–409. Springer, Heidelberg (2013). Scholar
  27. 27.
    Saltykov, A.: The number of components in a random bipartite graph. Discrete Math. Appl. 5(6), 515–524 (1995)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Vance, J., Bellare, M.: Delegatable Feistel-based format preserving encryption mode. Submission to NIST, November 2015Google Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceFlorida State UniversityTallahasseeUSA
  2. 2.Department of Computer ScienceOregon State UniversityCorvallisUSA

Personalised recommendations