Format-Preserving Encryption Somitra Kumar Sanadhya Indian Institute of Technology Ropar August 27, 2020 Somitra Format-Preserving Encryption 1 / 68
Credits Credits for the work described: Co-authors (Designs): Donghoon Chang, Mohona Ghosh, Kishan Chand Gupta, Arpan Jati, Abhishek Kumar, Dukjae Moon, Indranil Ghosh Ray. Co-authors (Recent cryptanalysis results): Orr Dunkelman, Abhishek Kumar, Eran Lambooij. Significant contribution in preparing these slides: Abhishek Kumar, IIT Ropar. Funding: India-Israel Collaborative Project, DST, Govt. of India. The research described is a part of the (ongoing) PhD work of Abhishek. Somitra Format-Preserving Encryption 2 / 68
Block cipher Block cipher: A family of permutations indexed by the secret key. Deterministic primitive. Security notion: PRP. Modes of operation and padding schemes are required to construct an encryption scheme. Syntax: E : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n Issues: Can’t be used for small domains (Codebook attack) Changing the key is costly. Somitra Format-Preserving Encryption 3 / 68
Tweakable Block Cipher A block cipher with a twist - “tweak”. A public tweak allows switching to a different family of permutations (even for the same key). Changing the tweak is a low cost operation. Syntax: E : { 0 , 1 } k × { 0 , 1 } n × { 0 , 1 } t → { 0 , 1 } n Idea used first in the “Hasty Pudding cipher” by Schroeppel (AES competition, 1998). Formalized by Liskov, Rivest, Wagner (Crypto 2002). Somitra Format-Preserving Encryption 4 / 68
Format Preserving Encryption (FPE) FPE: Encryption scheme where the input and the output have the same format. Why can’t we use a block cipher? Loss of format Ciphertext expansion “Cipher text ... bears roughly the same resemblance to plain text ... as a hamburger to a T-bone steak.” (Brightwell and Smith, 1997). Somitra Format-Preserving Encryption 5 / 68
Is the problem interesting? Applications Credit card encryption, SSN encryption, ... Database Encryption Data capturing devises used to capture data of specific format (PIN pads, used with ATM machines). Product First product of Voltage Security Inc. (Now Microfocus Inc.) Standardization Draft NIST SP 800-38G (March 2016), updated in 2017. Requirements Any (user defined) format should be supported. Ciphertext length expansion is not permitted. First formal treatment by Bellare, Ristenpart, Rogaway, Stegers (Selected Areas in Cryptography 2009). Somitra Format-Preserving Encryption 6 / 68
Draft Standard Figure 1: NIST Document. Somitra Format-Preserving Encryption 7 / 68
FPE Security notions (BRRS’09) Pseudo-Random Permutation (PRP): Distinguishing E k ( · ) from RP ( · ). Single Point Indist. (SPI): Distinguishing E k ( m ) (for adversarial choice of m ) from a c = E k ( r ) for a random message r . Message Privacy (MP): E k ( m ) reveals no information on m , except its format. Formalized by comparing the “performance” of the real-world adversary to that of a degenerate adversary S that can only make equality queries of the form “is m the encrypted message?”). Message Recovery (MR): Adversary can’t “completely reveal” m when supplied with E k ( m ). Somitra Format-Preserving Encryption 8 / 68
Comments on the Security notions (BRRS’09) PRP = ⇒ all other security notions. SPI = ⇒ MP, MR with tight bound. MP and MR are what are needed in applications. PRP is an overkill. Attacks against PRP may not be a threat in practice for an FPE scheme. Somitra Format-Preserving Encryption 9 / 68
Existing FPE Schemes General techniques: (Black and Rogaway, CT-RSA 2002) Prefix Cipher Extension: Rank-then-Encipher (RtE) - BRRS’09 Cycle-walking Generalized-Feistel Cipher Specific constructions: FFSEM (Spies, Voltage Inc.) Superceded by FFX. FFX (FF1, FF2) . (Bellare, Rogaway, Spies, Submitted to NIST, Feb 2010) BPS (renamed FF3 by NIST). (Brier, Peyrin, Stern, Submitted to NIST, March 2010) VFPE (John Sheets, Kim R. Wagner, VISA USA Inc., Submitted to NIST, Oct 2011) FEA-1 and FEA-2 (Lee, Koo, Roh, Kim, Kwon, ICISC 2014, Korean FPE Standard) Somitra Format-Preserving Encryption 10 / 68
General Technique 1: Prefix Cipher (Black and Rogaway, CT-RSA 2002) Domain = { 0 , 1 , . . . , t − 1 } . Use n -bit block cipher E k ( . ) with domain N = 2 n ≥ t . Permut. [0 , 1 , . . . , t − 1] = Ordering [ E k (0) , E k (1) , . . . , E k ( t − 1)]. Method is computationally reasonable for small t (such as t < 2 30 ). Somitra Format-Preserving Encryption 11 / 68
Extension: Rank-then-Encipher (RtE) “ It would be undesirable to design an encryption schemes whose internal workings were tailored to the specialized task in hand. ” – BRRS, SAC 2009. integer domain FPE → arbitrary domain FPE. Given a format space, rank the input, and then use an integer FPE. If E is secure then so is RtE( E , rank, unrank). Figure 2: RtE scheme. Somitra Format-Preserving Encryption 12 / 68
General Technique 2: Cycle Walking (Black and Rogaway, CT-RSA 2002) Domain M = { 0 , 1 , . . . , m − 1 } . Use E k ( . ) with domain N such that | N | ≥ | M | . Map m ∈ M to E k ( . . . E k ( . . . E k ( m )) = c until c ∈ M . Need M to be dense in block cipher domain N , otherwise too may block cipher invocations. c 1 N M m c 2 c c 3 Somitra Figure 3: Cycle Walking Format-Preserving Encryption 13 / 68
General Technique 3: Generalized Feistel (Black and Rogaway, CT-RSA 2002) Let message space size = t . Choose two integers a and b such that ab ≥ t , with a ≥ | L | and b ≥ | R | (Fig 4). L R Perform cycle walking when out F k ( · ) ⊞ of range. Efficient when ( ab − t ) is small. L ′ R ′ Suggested number of rounds is 3. Figure 4: One round of GF. Somitra Format-Preserving Encryption 14 / 68
Specific Construction 1: FFSEM Designed by Terrence Spies and submitted to NIST in 2008. Concrete instance of the Black-Rogaway technique. Uses a tweak to make round-PRFs different. Suggestions: For message domain > 40 bits, use at least 6 rounds (considering Patarin’s attack). For message domain ∈ { 32 , 40 } bits, use extra rounds (not efficient for most of practical FPE applications). Somitra Format-Preserving Encryption 15 / 68
Specific Construction 2: FFX (FF1 and FF2) (BRRS 2009) “Theory” of FPE developed in this work. Two variants: (NIST Special Publication 800-38G) Type-1 Feistel: FF1 Type-2 Feistel: FF2 Both variants have at least 10 rounds of Feistel. (More, if message size or format is large). The round function is one invocation of AES. Thus, at least 10 calls to AES needed for each encryption or decryption. Somitra Format-Preserving Encryption 16 / 68
FF1 Figure 5 and algorithm 1 represent two rounds and encryption function of FF1 respectively. Algorithm 1: FF1 N,T ( X ) K 1 ( a, b ) ← N ; X 0 ← X 2 for i = 1 , 2 , . . . , r ( N ) do A i − 1 ← X i − 1 div b 3 B i − 1 ← X i − 1 mod b 4 C i ← ( A i − 1 + F K ( N, T, i, B i − 1 )) 5 mod a X i ← aB i − 1 + C i 6 7 ret X r ( N ) Figure 5: Two Rounds of FF1. Somitra Format-Preserving Encryption 17 / 68
FF2 Figure 6 and algorithm 2 represent two rounds and encryption function of FF2 respectively. Algorithm 2: FF2 N,T ( X ) K 1 ( a, b ) ← N 2 A i − 1 ← X i − 1 div b ; B i − 1 ← X i − 1 mod b 3 for i = 1 , 2 , . . . , r ( N ) do if i mod 2=1 then s ← a else 4 s ← b A i ← B i − 1 5 B i ← ( A i − 1 + F K ( N, T, i, B i − 1 )) 6 mod s 7 ret sA r ( N ) + B r ( N ) Figure 6: Two Rounds of FF2. Somitra Format-Preserving Encryption 18 / 68
Specific Construction 3: FF3 Designed by Brier, Peyrin, Stern and named as BPS initially. It is a Feistel based design and consists of 8 rounds (faster than FFX). BPS is a combination of the following two components: 1 A length restricted internal block cipher. Initially renamed as FF3 by NIST, later renamed as FF3-1. This internal block cipher is used to encrypt the data while preserving the format. 2 A mode of operation to handle long messages. This mode is malleable and hence not adopted by NIST. Hence, maximum input size is fixed (unlike FF1, and FF2). The tweak size is 64-bits, hence not suitable for very large messages. Somitra Format-Preserving Encryption 19 / 68
Analysis of FF1, FF2 and FF3 (M. Dworkin and R. Perlner, eprint 2015/30): FF2 does not provide the expected 128-bits of security strength. Hence, removed from NIST recommended designs. (Bellare et. al, ACM CCS 2016): A practical attack message recovery attack for small domain messages for FF1 and FF3. – For one byte messages, the data complexity of the attacks is approx 2 34 and 2 42 for FF3 and FF1 respectively. (Hoang et. al, Crypto 2018) Improved attack to recover one byte message with data complexity 2 27 and 2 36 for FF3 and FF1 respectively. (Durak and Vaudenay, Crypto 2017) gave a generic attack against 11 6 ) chosen plaintexts and time FF3 with complexity O ( N complexity O ( N 5 ), where N 2 is the domain size. All these attacks work only for messages of ≈ 15 bits or smaller. Somitra Format-Preserving Encryption 20 / 68
Specific Constructions 4: FEA-1 & FEA-2 Designed by a team of South Korean researchers in 2014. Currently a Korean FPE standard. Feistel based design, with a tweakable round function. The round function of FEA-1 and FEA-2 consists of two iteration of S-box layer and diffusion layer (like DES). Somitra Format-Preserving Encryption 21 / 68
Recommend
More recommend
