Format-Preserving Encryption

  • Mihir Bellare
  • Thomas Ristenpart
  • Phillip Rogaway
  • Till Stegers
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
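The rank-then-encipher and cycle-walking ideas named in the abstract, as an added Python example that is not code from the paper: it ranks 16-digit Luhn-valid strings onto the integers below 10^15, enciphers on 50 bits, and cycle-walks back into range. The balanced HMAC-SHA256 Feistel network, the round count and the card format are illustrative assumptions standing in for a real cipher; they are not the paper's unbalanced Feistel constructions.

```python
import hashlib
import hmac

N = 10**15                # size of the ranked set: 15 free digits + Luhn check digit
HALF = 25                 # Feistel enciphers 2*HALF = 50 bits, and 2**50 >= N
MASK = (1 << HALF) - 1
ROUNDS = 10               # illustrative assumption, not a parameter from the paper

def luhn_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return str(-total % 10)

def rank(card: str) -> int:
    """Map a valid string to its index in [0, N); reject anything off-format."""
    ok = len(card) == 16 and card.isascii() and card.isdigit()
    if not ok or luhn_digit(card[:15]) != card[15]:
        raise ValueError("not a 16-digit Luhn-valid string")
    return int(card[:15])

def unrank(n: int) -> str:
    body = f"{n:015d}"
    return body + luhn_digit(body)

def _round(key: bytes, i: int, x: int) -> int:
    msg = bytes([i]) + x.to_bytes(4, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & MASK

def _feistel(key: bytes, v: int, decrypt: bool) -> int:
    left, right = v >> HALF, v & MASK
    for i in (range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)):
        if decrypt:
            left, right = right ^ _round(key, i, left), left
        else:
            left, right = right, left ^ _round(key, i, right)
    return (left << HALF) | right

def _walk(key: bytes, n: int, decrypt: bool) -> int:
    n = _feistel(key, n, decrypt)
    while n >= N:         # outside the ranked set: encipher again (cycle walking)
        n = _feistel(key, n, decrypt)
    return n

def fpe_encrypt(key: bytes, card: str) -> str:
    return unrank(_walk(key, rank(card), False))

def fpe_decrypt(key: bytes, card: str) -> str:
    return unrank(_walk(key, rank(card), True))
```

Because 10^15 covers about 89% of the 2^50 points, the walk re-enciphers only rarely, which is the non-sparse setting the abstract refers to.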


Keywords (added by machine, not by the authors): Ranking Function; Block Cipher; Random Oracle; Regular Language; Social Security Number



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mihir Bellare (1)
  • Thomas Ristenpart (1)
  • Phillip Rogaway (2)
  • Till Stegers (2)
  1. Dept. of Computer Science & Engineering, UC San Diego, La Jolla, USA
  2. Dept. of Computer Science, UC Davis, Davis, USA
