
Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains - PowerPoint PPT Presentation (slide transcript)


  1. Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains. F. Betül Durak, Serge Vaudenay.

  2–3. Block Ciphers. AES under key K maps a 128-bit block to a 128-bit block: 0x149E00A50F0F00D6 ∈ {0,1}^128 ↦ 0xA4F22C1B78HE90A9 ∈ {0,1}^128. Strict with specific domains: bit-strings of length 128.

  4–5. Format-Preserving Encryption (FPE) [Brightwell and Smith, 1997], [Black and Rogaway, 2002], [Spies’08], [BRRS’09], … FPE under key K maps a message in D to a ciphertext in the same domain D: 2938 ∈ D ↦ 7381 ∈ D. Legacy databases: ‣ Passcodes ‣ Social security numbers (SSN), |D| ≈ 2^30 ‣ Credit card numbers (CCN), |D| ≈ 2^51

  6. FPE in Practice: Encrypted Databases
     Patients    Passcode   SSN
     Alice Yan   2356       34-582-9381
     Bob Wu      4567       75-682-8345
     …           …          …
     Sam Xi      9056       26-734-2108

  7. FPE in Practice: Encrypted Databases
     Patients    Passcodes  SSNs
     Alice Yan   xxxx       xxxxx-9381
     Bob Wu      xxxx       xxxxx-8345
     …           …          …
     Sam Xi      xxxx       xxxxx-2108
     ‣ Transparent encryption in legacy databases.

  8–9. Main FPE Challenge: Domain Mismatch. The passcode is padded to a 128-bit block (0x149E00A50F0F00D6 ∈ {0,1}^128), encrypted with AES under K to 0xA4F22C1B78HE90D8 ∈ {0,1}^128, and the result truncated to the ciphertext 90D8. We cannot decrypt!

  10–11. FPE Constructions ‣ Provably secure [HMR’12, RY’13, MR’14], but not fast enough to use in practice. ‣ NIST Special Publication 800-38G: ‣ Practical [BRS (FF1), V (FF2), BPS (FF3)] ‣ Security by cryptanalysis (Voilà!). ‣ FF1 and FF3 (somewhat balanced Feistel).

  12–14. Feistel Network (1973). An instance of a (balanced) Feistel network on domain D^2: P = x||y, c = x ⊞ F_0(y), d = y ⊞ F_1(c), C = z||t, where ⊞ is a group operation defined on D and each F_i is any secure PRF onto domain D.

  15. Tweakable Format-Preserving Encryption. Without tweaks, P_1, P_2 ∈ D encrypted under the same key K give C_1, C_2 ∈ D. Pr[P_1 = P_2] is high with small domains, hence C_1 = C_2.

  16. Tweakable Format-Preserving Encryption. With tweaks T_1, T_2 as additional inputs to FPE under K: when P_1 = P_2 and T_1 ≠ T_2, C_1 ≠ C_2.

  17–19. Feistel Networks in FF3. FPE: an encryption scheme on domain Z_N × Z_N (i.e. the domain size is N^2) when N is really small, typically N ≪ 2^128. Round function: y is padded to 96 bits, prefixed with the 32-bit tweak T, encrypted with AES under K, and the output is reduced mod N. The secret key and tweaks are dropped in notation from now on.

  20. NIST Standard SP 800-38G (2016): FF3 ‣ Round number r = 8 for FF3 (r = 10 for FF1). ‣ Domain size is at least 100. ‣ Security: ‣ Targeted security is 128-bit. ‣ FF3 inherits the security of Feistel networks. ‣ FF3 asserts chosen-plaintext security and even PRP security against chosen-plaintext/-ciphertext attacks.

  21–24. Our Contributions (Briefly). Part 1: We develop a new generic attack on Feistel networks. Part 2: We give a total practical break of the FF3 standard when the message domain is small. ‣ Our attack works with the best known query and time complexity. ‣ There is an easy fix that prevents the present attack.

  25–33. Equivalent Round Functions [BLP’15]. Are the round functions uniquely defined to encrypt messages? Three-round Feistel: c = x ⊞ F_0(y), t = y ⊞ F_1(c), z = c ⊞ F_2(t). Replace (F_0, F_1, F_2) by (F_0(y) + δ, F_1(c − δ), F_2(t) − δ): the first round now outputs c + δ, the second round evaluates F_1 at (c + δ) − δ = c and still outputs t, and the third round outputs (c + δ) + F_2(t) − δ = z. The output of one arbitrary input y can be set arbitrarily in F_0, yet it still gives the same input/output behavior as (F_0, F_1, F_2).
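The substitution above, as an added example that is not part of the slides or the authors' code: a balanced Feistel network on Z_N × Z_N with table-based round functions and addition mod N as the group operation, the shifted set (F_i + δ, F_{i+1}(· − δ), F_{i+2} − δ), and a check that the full codebook is unchanged. It goes slightly beyond the slide: the shift is applied to any three consecutive rounds i, i+1, i+2 of an r-round network (the slide shows i = 0 for r = 3), and it includes the corollary that F_0(y0) can be normalised to any chosen value. The round-function tables are random constructed samples; N = 10 is chosen so the domain size N^2 = 100 matches the FF3 minimum on the slides.

```python
# Added example (not from the Durak-Vaudenay slides): equivalent round functions in a
# balanced Feistel network on Z_N x Z_N.  Round functions are lookup tables Z_N -> Z_N.
import random


def random_round_functions(r, N, seed=1):
    """r random round functions Z_N -> Z_N as lookup tables (constructed sample data)."""
    rng = random.Random(seed)
    return [[rng.randrange(N) for _ in range(N)] for _ in range(r)]


def feistel_encrypt(rounds, x, y, N):
    """Encrypt (x, y) with the slide's structure: c = x + F_0(y), t = y + F_1(c),
    z = c + F_2(t), ...  The group operation is addition mod N.  Even rounds update the
    left half from the right half, odd rounds the right half from the left half."""
    left, right = x % N, y % N
    for i, F in enumerate(rounds):
        if i % 2 == 0:
            left = (left + F[right]) % N
        else:
            right = (right + F[left]) % N
    return left, right


def codebook(rounds, N):
    """Full plaintext -> ciphertext mapping of the network (N^2 entries)."""
    return {(x, y): feistel_encrypt(rounds, x, y, N) for x in range(N) for y in range(N)}


def shifted_round_functions(rounds, i, delta, N):
    """Return the equivalent set: F_i + delta, F_{i+1} pre-composed with u -> u - delta,
    F_{i+2} - delta.  Rounds i, i+1, i+2 must all exist (the shifted half is corrected
    two rounds later, so the last two rounds cannot be the shifted one)."""
    if i < 0 or i + 2 >= len(rounds):
        raise ValueError("need three consecutive rounds i, i+1, i+2 inside the network")
    new = [list(F) for F in rounds]
    new[i] = [(v + delta) % N for v in rounds[i]]
    new[i + 1] = [rounds[i + 1][(u - delta) % N] for u in range(N)]
    new[i + 2] = [(v - delta) % N for v in rounds[i + 2]]
    return new


def normalise_f0(rounds, y0, target, N):
    """Corollary from the slide: set F_0(y0) to any chosen value without changing the
    codebook, by picking delta = target - F_0(y0) and compensating in F_1 and F_2."""
    delta = (target - rounds[0][y0]) % N
    return shifted_round_functions(rounds, 0, delta, N)


if __name__ == "__main__":
    N = 10
    r3 = random_round_functions(3, N)
    equiv = shifted_round_functions(r3, 0, 7, N)
    print("3 rounds, delta=7, same codebook:", codebook(equiv, N) == codebook(r3, N))
    # Shifting F_0 alone (no compensation) is a different cipher.
    broken = [[(v + 7) % N for v in r3[0]], r3[1], r3[2]]
    print("F_0 shifted alone, same codebook:", codebook(broken, N) == codebook(r3, N))
    r8 = random_round_functions(8, N)  # FF3 uses r = 8 rounds
    ok = all(codebook(shifted_round_functions(r8, i, 3, N), N) == codebook(r8, N) for i in range(6))
    print("8 rounds, every valid i, same codebook:", ok)
    norm = normalise_f0(r3, 4, 0, N)
    print("F_0(4) normalised to 0:", norm[0][4], "same codebook:", codebook(norm, N) == codebook(r3, N))
```

The practical consequence for analysis is the one the slide states: a round-function-recovery attack only needs to find one member of the equivalence class, so a recovery procedure may fix F_0 at one point (for instance F_0(0) = 0) without loss of generality.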

  34. Terminology ‣ Attacker goal: ‣ round-function recovery: the adversary recovers the round functions, or one of the equivalent sets of round functions, of a Feistel network. ‣ codebook recovery: the adversary recovers the mapping of each plaintext to its ciphertext. ‣ Both attack goals are as powerful as secret-key recovery.

  35–38. Our Contributions, Part 1: Generic Attacks on Feistel Networks
     cite                           r    attack type                       attack goal               query / time
     this work                      3    known-plaintext                   round-function recovery   N ln N / N ln N
     this work                      4    known-plaintext                   round-function recovery   N^3
     [Biryukov-Leurent-Perrin’15]   4    chosen-plaintext and ciphertext   round-function recovery
     this work                      5    chosen-plaintext                  round-function recovery
     [Biryukov-Leurent-Perrin’15]   5    chosen-plaintext and ciphertext   round-function recovery
     this work                      ≥ 6  chosen-plaintext                  round-function recovery

  39. The Sketch of the 3-round Attack. Input: the set S of (x_k, y_k, z_k, t_k) pairs with unknown intermediate values c_k. Output: (partial) tables for F_0, F_1, F_2. [Figure: three tables F_0, F_1, F_2 indexed 0 … N−1, partially filled from the observed y_k, the unknown c_k and the observed t_k.]
