Three Third Generation Attacks on the Format Preserving Encryption Scheme FF3

Format-Preserving Encryption (FPE) schemes accept plaintexts from any finite set of values (such as social security numbers or birth dates) and produce ciphertexts that belong to the same set. They are extremely useful in practice since they make it possible to encrypt existing databases or communication packets without changing their format. Due to industry demand, NIST standardized two such encryption schemes, FF1 and FF3, in 2016. They immediately attracted considerable cryptanalytic attention, with decreasing attack complexities. The best currently known attack on the Feistel construction FF3 has data and memory complexity of O(N) and time complexity of O(N), where the input belongs to a domain of size N × N. In this paper, we present and experimentally verify three improved attacks on FF3. Our best attack achieves the tradeoff curve D = M = Õ(N^{2−t}), T = Õ(N) for all t ≤ 0.5. In particular, we can reduce the data and memory complexities to the more practical Õ(N), and at the same time, reduce the time complexity to Õ(N). We also identify another attack vector against FPE schemes, the related-domain attack. We show how one can mount powerful attacks when the adversary is given access to the encryption under the same key in different domains, and show how to apply it to efficiently distinguish FF3 and FF3-1 instances.

* The first author is supported in part by Len Blavatnik and the Blavatnik Family foundation and by the Blavatnik ICRC.

** The second author was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19.

*** The third author was supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

† The fourth author is a member of CPIIS.
