TY - GEN
T1 - Three Third Generation Attacks on the Format Preserving Encryption Scheme FF3
AU - Amon, Ohad
AU - Dunkelman, Orr
AU - Keller, Nathan
AU - Ronen, Eyal
AU - Shamir, Adi
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021
Y1 - 2021
N2 - Format-Preserving Encryption (FPE) schemes accept plaintexts from any finite set of values (such as social security numbers or birth dates) and produce ciphertexts that belong to the same set. They are extremely useful in practice since they make it possible to encrypt existing databases or communication packets without changing their format. Due to industry demand, NIST had standardized in 2016 two such encryption schemes called FF1 and FF3. They immediately attracted considerable cryptanalytic attention with decreasing attack complexities. The best currently known attack on the Feistel construction FF3 has data and memory complexity of O(N11 / 6) and time complexity of O(N17 / 6), where the input belongs to a domain of size N× N. In this paper, we present and experimentally verify three improved attacks on FF3. Our best attack achieves the tradeoff curve D= M= O~ (N2-t), T= O~ (N2+t) for all t≤ 0.5. In particular, we can reduce the data and memory complexities to the more practical O~ (N1.5), and at the same time, reduce the time complexity to O~ (N2.5). We also identify another attack vector against FPE schemes, the related-domain attack. We show how one can mount powerful attacks when the adversary is given access to the encryption under the same key in different domains, and show how to apply it to efficiently distinguish FF3 and FF3-1 instances.
AB - Format-Preserving Encryption (FPE) schemes accept plaintexts from any finite set of values (such as social security numbers or birth dates) and produce ciphertexts that belong to the same set. They are extremely useful in practice since they make it possible to encrypt existing databases or communication packets without changing their format. Due to industry demand, NIST had standardized in 2016 two such encryption schemes called FF1 and FF3. They immediately attracted considerable cryptanalytic attention with decreasing attack complexities. The best currently known attack on the Feistel construction FF3 has data and memory complexity of O(N11 / 6) and time complexity of O(N17 / 6), where the input belongs to a domain of size N× N. In this paper, we present and experimentally verify three improved attacks on FF3. Our best attack achieves the tradeoff curve D= M= O~ (N2-t), T= O~ (N2+t) for all t≤ 0.5. In particular, we can reduce the data and memory complexities to the more practical O~ (N1.5), and at the same time, reduce the time complexity to O~ (N2.5). We also identify another attack vector against FPE schemes, the related-domain attack. We show how one can mount powerful attacks when the adversary is given access to the encryption under the same key in different domains, and show how to apply it to efficiently distinguish FF3 and FF3-1 instances.
UR - http://www.scopus.com/inward/record.url?scp=85111447565&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-77886-6_5
DO - 10.1007/978-3-030-77886-6_5
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:85111447565
SN - 9783030778859
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 127
EP - 154
BT - Advances in Cryptology – EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Canteaut, Anne
A2 - Standaert, François-Xavier
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 17 October 2021 through 21 October 2021
ER -