Breaking the FF3 Format Preserving Encryption

Size: px

Start display at page:

Download "Breaking the FF3 Format Preserving Encryption"

Agnes McGee
6 years ago
Views:

1 Breaking the 3 ormat Preserving Encryption. Betül Durak and Serge Vaudenay ÉCOLE POLYTECHNIQUE ÉDÉRALE DE LAUSANNE SV 2017 breaking 3 ESC 17 1 / 23

2 1 ormat Preserving Encryption 2 Round unction Recovery on 4-Round eistel Schemes 3 Attack on 3 SV 2017 breaking 3 ESC 17 2 / 23

3 1 ormat Preserving Encryption 2 Round unction Recovery on 4-Round eistel Schemes 3 Attack on 3 SV 2017 breaking 3 ESC 17 3 / 23

4 An Evolution of Encryption block cipher the encryption of a 128-bit block is a 128-bit block the encryption of a 128k-bit string is a 128k-bit string length-preserving encryption mode the encryption of an l-bit string is an l-bit string format-preserving encryption the encryption of a credit card number is a credit card number the encryption of a phone number is a phone number the encryption of a zip code is a zip code SV 2017 breaking 3 ESC 17 4 / 23

5 Why ormat Preserving Encryption? companies use expensive software with databases they want to encrypt data without rewriting the software simple approach: assume an easy 1-to-1 mapping from the plaintext domain to Z 2 N we need to encrypt on Z 2 N SV 2017 breaking 3 ESC 17 5 / 23

6 Wanted deterministic encryption from Z 2 N to itself N 2 may be really small could add a tweak for more security input: output: plaintext Z 2 N ciphertext Z 2 N key+tweak tweak can be controled by the adversary SV 2017 breaking 3 ESC 17 6 / 23

7 NIST Standard NIST SP G (2016): 1 and 3 tweakable eistel schemes with modular addition balanced, with two branches r = 10 for 1 and r = 8 for 3 security: with q = r N known pt, we have enough information to reconstruct 2 the round functions trivial codebook attack with q = N 2 pt and one tweak (Patarin 2010) r = 4 secure with q N known pt (Patarin 2010) r = 5 secure with q N chosen pt (Patarin 2010) r = 6 secure with q N chosen pt/ct (Bellare-Hoang-Tessaro 2016) attack with q > N 2 (many tweaks) SV 2017 breaking 3 ESC 17 7 / 23

8 1 ormat Preserving Encryption 2 Round unction Recovery on 4-Round eistel Schemes 3 Attack on 3 SV 2017 breaking 3 ESC 17 8 / 23

9 Round unction Recovery r mode time data ref 3 known pt N N our 3R attack 4 chosen pt/ct N 3 2 N 3 2 Biryukov-Leuren-Perrin known pt N 4 N 3 2 our 4R attack 5 chosen pt/ct N N 3 4 N 2 Biryukov-Leuren-Perrin chosen pt N O(N 2 1 ) N 3 2 our 4R attack extended 6 chosen pt N (r 5)N N 3 2 our 4R attack extended SV 2017 breaking 3 ESC 17 9 / 23

10 3R Attack x c z y t input: set S of (xyzt) of size θn 1: take S 1 S with y constant (size θ) 2: fix 0 (y) = 0 arbitrarily and make a 2R attack on θ tuples (cyzt); collect θ equations 2 (t) = z c 3: take S 2 S with t in S 1 (size θ 2 ) 4: using what is known about 2, make a 2R attack on θ 2 tuples (xyct); collect θ 2 equations 0 (y) = c x 5: take S 3 S with y in S 2 (size θ 3 ) 6: using what is known about 0, make a 2R attack on θ 3 tuples (cyzt); collect θ 3 equations 2 (t) = z c 7: play yoyo until nothing new output: (partial) tables for S defines a random bipartite graph between N values of y and t the algorithm looks for the connected component of an arbitrary y fully connected if θ = lnn; with giant component if θ = 1 SV 2017 breaking 3 ESC / 23

11 4R Attack i V = {(xyzt,x y z t ) z = z,t y = t y,xy x y } V good = {(xyzt,x y z t ) z = z,c = c,xy x y } V x y x y = y c 1 c = c 1 2 d 2 d 3 3 z t z = z t = t + Property if in V good, then x x = 0 (y ) 0 (y) define label(xyzt,x y z t ) = x x SV 2017 breaking 3 ESC / 23

12 4R Attack ii define a graph G = (V,E) with E = {(x 1 y 1 z 1 t 1 x 1 y 1 z 1 t 1,x 2 y 2 z 2 t 2 x 2 y 2 z 2 t 2) y 1 = y 2 } x 1 y 1 x 1 y 1 = y1 + 1 x 2 y 2 = y 1 x 2 y 2 = y c 1 1 c 1 1 c 2 1 c d 1 2 d 1 2 d 2 2 d z 1 t 1 z 1 = z1 t 1 = t1 + 1 z 2 t 2 z 2 = z2 t 2 = t2 + 2 Property if v 1 v 2 v L is a cycle with all v i in V good, then L i=1 label(v i ) = 0 SV 2017 breaking 3 ESC / 23

13 4R Attack iii Lemma E ( #Vgood #V ) = 1 1 N 2 1 N 1 2 Lemma Pr[v 1 v 2 V good v 1 v 2 non trivial cycle, 2 i=1 label(v i) = 0] N 5 (trivial cyle: v 1 and v 2 are permutation of each other) Conjecture Pr[v 1 v L V good v 1 v L acceptable cycle, L i=1 label(v i) = 0] 1 (acceptable: with 2L non-repeating plaintexts) SV 2017 breaking 3 ESC / 23

14 4R Attack iv input: M tuples (xyzt) 1: create G = (V,E) 2: collect non-trivial cycles of length L with zero label sum 3: deduce M 2L /N 3L relations label(v i ) = 0 (y ) 0 (y) 4: create the graph G of all y values connected by these relations 5: find a big connected component C in G {works for M N L } 6: assign 0 (y) arbitrarily for one y C, deduce 0 on C 7: we have (M/N) #C tuples with known 0 (y) 8: do a 3R attack for all tuples with known 0 (y) {works since (M/N) #C > N} 9: do a yoyo game on 4 rounds with the results from 3R attack output: (partial) tables for SV 2017 breaking 3 ESC / 23

15 Results results with L = 3 (and M N 3 2 ( N 2 ) 1 2L ) N M #trials Pr[success] (Pr[S 2 ]) % (88.69%) % (78.62%) % (73.27%) % (71.79%) % (77.14%) % (83.83%) % (89.38%) % (92.45%) S 2 : no bad vertices have been collected SV 2017 breaking 3 ESC / 23

16 1 ormat Preserving Encryption 2 Round unction Recovery on 4-Round eistel Schemes 3 Attack on 3 SV 2017 breaking 3 ESC / 23

17 3 (BPS by Brier-Peyrin-Stern) L 0 R 0 T R 0 T L 1 T R 2 T L 3 T R 4 T L 5 T R 6 T L 7 L 8 R 8 SV 2017 breaking 3 ESC / 23

18 XORing 4 to T L and T R L 0 R 0 T R 0 L 0 R 0 T R 4 G T L 1 T R 2 T L 5 T R 6 H T L 3 T R 4 T L 7 T R 0 H T L 5 T R 6 T L 1 T R 2 G T L 7 T L 3 L 8 R 8 L R 8 8 SV 2017 breaking 3 ESC / 23

19 Consequence given a tweak T, for any key Enc T = H G Enc T (4,4) = G H where both G and H are 4-round eistel schemes defined by T if we collect x and x such that x i+1 = Enc T (x i ) x i+1 = Enc T (4,4) (x i ) and if we guess that G(x i ) = x j, then G(x i+k) = x (x i+k,x j+k ) are pt/ct pairs for G j+k so all SV 2017 breaking 3 ESC / 23

20 Chosen Plaintext Attack on BPS H G G H x 10 x 11 x 12 x 1B x 10 x 11 x 12 x 1B x 20 x 21 x 22 x 2B x 20 x 21 x 22 x 2B x A0 x A1 x A2 x AB G x A0 x A1 x A2 x AB x ij x i(j+1) x i(j+2) x i(j+3) x i 0 x i 1 x i 2 x i B H SV 2017 breaking 3 ESC / 23

21 Chosen Plaintext Attack on BPS input: T 1: T = T (4,4) 2: for i = 1 to N α do 3: pick x i0 and set x ij = Enc T (x i(j 1) ) for j = 1,...,N β 4: pick x i0 and set x ij = Enc T (x i(j 1) ) for j = 1,...,Nβ 5: end for 6: for i,i = 1,...,N α do 7: for j = 0 to N β M 1 do 8: assume G(x ij ) = x i 0 : 9: run 4R attack on G with G(x i(j+k) ) = x i k for k = 0,...,Nβ j 10: if successful, do the same with H and conclude 11: end for 12: for j = 0 to N β M 1 do 13: assume G(x i0 ) = x i j : 14:...(same)... 15: end for 16: end for SV 2017 breaking 3 ESC / 23

Results results with L = 3 (and M N 3 2 ( N 2 ) 1 2L ) N M N α N β #run Pr[success] 2 3 1 6 10000 0.00% 4 9 1 18 10000 1.40% 8 29 2 58 10000 17.99% 16 91 2 182 10000 35.

22 Results results with L = 3 (and M N 3 2 ( N 2 ) 1 2L ) N M N α N β #run Pr[success] % % % % % % % % % SV 2017 breaking 3 ESC / 23

23 Conclusion eistel schemes over small domains are not well understood yet bad domain separation in 3 (easy to fix) SV 2017 breaking 3 ESC / 23

Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains

Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains Breaking The 3 ormat-preserving Encryption Standard Over Small Domains. Betül Durak and Serge Vaudenay 2 Rutgers University Department of Computer Science fbdurak@cs.rutgers.edu 2 Ecole Polytechnique édérale