Format-Preserving Encryption

This document provides an overview of format-preserving encryption (FPE). It describes three key techniques for FPE - prefix cipher, cycle walking, and generalized Feistel networks. It also summarizes several specific FPE constructions proposed in research papers and standards, including FFSEM, FFX (including FF1 and FF2 variants), and BPS. The document includes pseudocode to illustrate the encryption process for the FF1 and FF2 constructions.

Somitra Kumar Sanadhya

Indian Institute of Technology Ropar

August 27, 2020

Somitra Format-Preserving Encryption 1 / 68


Credits

Credits for the work described:
Co-authors (Designs): Donghoon Chang, Mohona Ghosh, Kishan Chand Gupta, Arpan Jati, Abhishek Kumar, Dukjae Moon, Indranil Ghosh Ray.
Co-authors (Recent cryptanalysis results): Orr Dunkelman, Abhishek Kumar, Eran Lambooij.

Significant contribution in preparing these slides: Abhishek Kumar, IIT Ropar.

Funding: India-Israel Collaborative Project, DST, Govt. of India.

The research described is a part of the (ongoing) PhD work of Abhishek.


Block cipher

Block cipher: A family of permutations indexed by the secret key.
Deterministic primitive.
Security notion: PRP.
Modes of operation and padding schemes are required to construct an encryption scheme.
Syntax: $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$

Issues:
Can’t be used for small domains (codebook attack).
Changing the key is costly.


Tweakable Block Cipher

A block cipher with a twist - “tweak”.
A public tweak allows switching to a different family of permutations (even for the same key).
Changing the tweak is a low cost operation.
Syntax: $E : \{0,1\}^k \times \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^n$

Idea used first in the “Hasty Pudding cipher” by Schroeppel (AES competition, 1998).
Formalized by Liskov, Rivest, Wagner (Crypto 2002).


Format Preserving Encryption (FPE)

FPE: Encryption scheme where the input and the output have the same format.

Why can’t we use a block cipher?
Loss of format
Ciphertext expansion
“Cipher text ... bears roughly the same resemblance to plain text ... as a hamburger to a T-bone steak.” (Brightwell and Smith, 1997).


Is the problem interesting?

Applications
Credit card encryption, SSN encryption, ...
Database Encryption
Data capturing devices used to capture data of a specific format (PIN pads, used with ATM machines).
Product
First product of Voltage Security Inc. (Now Microfocus Inc.)
Standardization
Draft NIST SP 800-38G (March 2016), updated in 2017.
Requirements
Any (user defined) format should be supported.
Ciphertext length expansion is not permitted.

First formal treatment by Bellare, Ristenpart, Rogaway, Stegers (Selected Areas in Cryptography 2009).


Draft Standard

Figure 1: NIST Document.

FPE Security notions (BRRS’09)

Pseudo-Random Permutation (PRP):
Distinguishing $E_k(\cdot)$ from $RP(\cdot)$.
Single Point Indist. (SPI):
Distinguishing $E_k(m)$ (for adversarial choice of $m$) from a $c = E_k(r)$ for a random message $r$.
Message Privacy (MP):
$E_k(m)$ reveals no information on $m$, except its format.
Formalized by comparing the “performance” of the real-world adversary to that of a degenerate adversary $S$ that can only make equality queries of the form “is $m$ the encrypted message?”.
Message Recovery (MR):
Adversary can’t “completely reveal” $m$ when supplied with $E_k(m)$.


Comments on the Security notions (BRRS’09)

PRP $\Rightarrow$ all other security notions.
SPI $\Rightarrow$ MP, MR with tight bound.
MP and MR are what are needed in applications.

PRP is an overkill.
Attacks against PRP may not be a threat in practice for an FPE scheme.


Existing FPE Schemes

General techniques: (Black and Rogaway, CT-RSA 2002)
Prefix Cipher
Extension: Rank-then-Encipher (RtE) - BRRS’09
Cycle-walking
Generalized-Feistel Cipher
Specific constructions:
FFSEM (Spies, Voltage Inc.). Superseded by FFX.
FFX (FF1, FF2). (Bellare, Rogaway, Spies, Submitted to NIST, Feb 2010)
BPS (renamed FF3 by NIST). (Brier, Peyrin, Stern, Submitted to NIST, March 2010)
VFPE (John Sheets, Kim R. Wagner, VISA USA Inc., Submitted to NIST, Oct 2011)
FEA-1 and FEA-2 (Lee, Koo, Roh, Kim, Kwon, ICISC 2014, Korean FPE Standard)


General Technique 1: Prefix Cipher

(Black and Rogaway, CT-RSA 2002)

Domain = $\{0, 1, \ldots, t-1\}$.

Use $n$-bit block cipher $E_k(\cdot)$ with domain $N = 2^n \ge t$.

Permut. $[0, 1, \ldots, t-1]$ = Ordering $[E_k(0), E_k(1), \ldots, E_k(t-1)]$.

Method is computationally reasonable for small $t$ (such as $t < 2^{30}$).


Extension: Rank-then-Encipher (RtE)

“It would be undesirable to design an encryption scheme whose internal workings were tailored to the specialized task in hand.” – BRRS, SAC 2009.

Integer domain FPE → arbitrary domain FPE.
Given a format space, rank the input, and then use an integer FPE.
If E is secure then so is RtE(E, rank, unrank).

Figure 2: RtE scheme.


General Technique 2: Cycle Walking
(Black and Rogaway, CT-RSA 2002)
Domain $M = \{0, 1, \ldots, m-1\}$.
Use $E_k(\cdot)$ with domain $N$ such that $|N| \ge |M|$.
Map $m \in M$ to $E_k(\ldots E_k(\ldots E_k(m))) = c$ until $c \in M$.
Need $M$ to be dense in block cipher domain $N$, otherwise too many block cipher invocations.

[Figure: sets N and M, with points m, c1, c2, c3 and c.]


General Technique 3: Generalized Feistel

(Black and Rogaway, CT-RSA 2002)

Let message space size = $t$.
Choose two integers $a$ and $b$ such that $ab \ge t$, with $a \ge |L|$ and $b \ge |R|$ (Fig 4).
Perform cycle walking when out of range.
Efficient when $(ab - t)$ is small.
Suggested number of rounds is 3.

Figure 4: One round of GF (labels: L, R, $F_k(\cdot)$, L', R').


Specific Construction 1: FFSEM

Designed by Terrence Spies and submitted to NIST in 2008.

Concrete instance of the Black-Rogaway technique.

Uses a tweak to make round-PRFs different.

Suggestions:
For message domain > 40 bits, use at least 6 rounds (considering
Patarin’s attack).
For message domain ∈ {32, 40} bits, use extra rounds (not efficient
for most of practical FPE applications).



Specific Construction 2: FFX (FF1 and FF2)

(BRRS 2009) “Theory” of FPE developed in this work.

Two variants: (NIST Special Publication 800-38G)
Type-1 Feistel: FF1
Type-2 Feistel: FF2

Both variants have at least 10 rounds of Feistel. (More, if message size or format is large).
The round function is one invocation of AES.
Thus, at least 10 calls to AES needed for each encryption or decryption.


FF1
Figure 5 and Algorithm 1 represent two rounds and the encryption function of FF1 respectively.

Algorithm 1: $\mathrm{FF1}^{N,T}_{K}(X)$
$(a, b) \leftarrow N$; $X_0 \leftarrow X$
for $i = 1, 2, \ldots, r(N)$ do
    $A_{i-1} \leftarrow X_{i-1} \text{ div } b$
    $B_{i-1} \leftarrow X_{i-1} \bmod b$
    $C_i \leftarrow (A_{i-1} + F_K(N, T, i, B_{i-1})) \bmod a$
    $X_i \leftarrow a B_{i-1} + C_i$
ret $X_{r(N)}$

Figure 5: Two Rounds of FF1.
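
Added example (not from the slides or from any FPE standard): the round structure of Algorithm 1 combined with the cycle walking and rank-then-encipher techniques from the earlier slides, in Python. HMAC-SHA256 stands in for the AES-based round function, and the function names, the choice a = ⌈√t⌉ and the sample key and input are assumptions, so this is not an implementation of NIST FF1.

```python
import hashlib
import hmac
import string
from math import isqrt

ROUNDS = 10  # the slides state at least 10 Feistel rounds for FF1


def prf(key, a, b, tweak, i, x):
    # Round function F_K(N, T, i, B). HMAC-SHA256 is an assumption made for
    # this example; the slides use one AES invocation per round.
    msg = f"{a},{b},{i},{x},".encode() + tweak
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def feistel_encrypt(key, tweak, x, a, b):
    # Algorithm 1: a permutation of {0, ..., ab-1}.
    for i in range(1, ROUNDS + 1):
        A, B = divmod(x, b)
        C = (A + prf(key, a, b, tweak, i, B)) % a
        x = a * B + C
    return x


def feistel_decrypt(key, tweak, x, a, b):
    # Undo the rounds in reverse order: X_i = a*B + C, so divmod by a splits it.
    for i in range(ROUNDS, 0, -1):
        B, C = divmod(x, a)
        A = (C - prf(key, a, b, tweak, i, B)) % a
        x = A * b + B
    return x


def split(t):
    # Pick a, b with ab >= t and ab - t small (assumption: a = ceil(sqrt(t))).
    a = isqrt(t - 1) + 1
    b = -(-t // a)
    return a, b


def _walk(permutation, key, tweak, x, t):
    # Cycle walking: re-apply the permutation of Z_ab until the value is < t.
    if not 0 <= x < t:
        raise ValueError("input outside the domain")
    a, b = split(t)
    y = permutation(key, tweak, x, a, b)
    while y >= t:
        y = permutation(key, tweak, y, a, b)
    return y


def encrypt_int(key, tweak, x, t):
    return _walk(feistel_encrypt, key, tweak, x, t)


def decrypt_int(key, tweak, y, t):
    return _walk(feistel_decrypt, key, tweak, y, t)


def _rank_then(cipher, key, tweak, s):
    # Rank-then-Encipher for digit strings with fixed separators:
    # rank = the digits read as an integer, unrank = zero-padded decimal.
    digits = [ch for ch in s if ch in string.digits]
    if not digits:
        raise ValueError("no digits to encipher")
    n = len(digits)
    c = cipher(key, tweak, int("".join(digits)), 10 ** n)
    out = iter(f"{c:0{n}d}")
    return "".join(next(out) if ch in string.digits else ch for ch in s)


def encrypt_digits(key, tweak, s):
    return _rank_then(encrypt_int, key, tweak, s)


def decrypt_digits(key, tweak, s):
    return _rank_then(decrypt_int, key, tweak, s)


if __name__ == "__main__":
    key, tweak = b"constructed-demo-key", b"tweak-1"  # constructed sample values
    ct = encrypt_digits(key, tweak, "123-45-6789")      # constructed sample input
    print(ct, decrypt_digits(key, tweak, ct))
```

Over the 1000-value domain $\{0, \ldots, 9\}^3$ the split is a = b = 32, so 24 of the 1024 Feistel outputs fall outside the domain and trigger a further walk step.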


FF2
Figure 6 and Algorithm 2 represent two rounds and the encryption function of FF2 respectively.

Algorithm 2: $\mathrm{FF2}^{N,T}_{K}(X)$
$(a, b) \leftarrow N$
$A_{i-1} \leftarrow X_{i-1} \text{ div } b$; $B_{i-1} \leftarrow X_{i-1} \bmod b$
for $i = 1, 2, \ldots, r(N)$ do
    if $i \bmod 2 = 1$ then $s \leftarrow a$ else $s \leftarrow b$
    $A_i \leftarrow B_{i-1}$
    $B_i \leftarrow (A_{i-1} + F_K(N, T, i, B_{i-1})) \bmod s$
ret $s A_{r(N)} + B_{r(N)}$

Figure 6: Two Rounds of FF2.


Specific Construction 3: FF3

Designed by Brier, Peyrin, Stern and named as BPS initially.

It is a Feistel based design and consists of 8 rounds (faster than FFX).

BPS is a combination of the following two components:

1 A length restricted internal block cipher.
Initially renamed as FF3 by NIST, later renamed as FF3-1.
This internal block cipher is used to encrypt the data while preserving the format.

2 A mode of operation to handle long messages.
This mode is malleable and hence not adopted by NIST.
Hence, maximum input size is fixed (unlike FF1, and FF2).
The tweak size is 64-bits, hence not suitable for very large messages.


Analysis of FF1, FF2 and FF3

(M. Dworkin and R. Perlner, eprint 2015/30): FF2 does not provide the expected 128-bits of security strength. Hence, removed from NIST recommended designs.
(Bellare et al., ACM CCS 2016): A practical message recovery attack for small domain messages for FF1 and FF3.
– For one byte messages, the data complexity of the attacks is approx $2^{34}$ and $2^{42}$ for FF3 and FF1 respectively.
(Hoang et al., Crypto 2018): Improved attack to recover one byte message with data complexity $2^{27}$ and $2^{36}$ for FF3 and FF1 respectively.
(Durak and Vaudenay, Crypto 2017) gave a generic attack against FF3 with complexity $O(N^{11/6})$ chosen plaintexts and time complexity $O(N^5)$, where $N^2$ is the domain size.
All these attacks work only for messages of ≈ 15 bits or smaller.


Specific Constructions 4: FEA-1 & FEA-2

Designed by a team of South Korean researchers in 2014.

Currently a Korean FPE standard.

Feistel based design, with a tweakable round function.

The round function of FEA-1 and FEA-2 consists of two iterations of S-box layer and diffusion layer (like DES).


Specific Constructions 4: FEA-1 & FEA-2

Suggested number of rounds for FEA-1 and FEA-2 for different key sizes.

Key length   FEA-1   FEA-2
128          12      18
192          14      21
256          16      24

As per designer’s claim, both FEA-1 and FEA-2 are almost two times faster than FF1 and FF3.


Status of FEA-1 and FEA-2

No publicly known results.



Summary

Feistel based designs (FF1, FF2 and FF3) require many invocations of internal primitives (due to Patarin’s attack).
Attack complexities for FF1 and FF3 (corresponding to the domain size $\{0, \ldots, 9\}^3$).

Scheme     Design Strategy   Key Size      Attack Exists   Status / Complexity
FF1        Feistel           128           Yes             $2^{58}$
FF2        Feistel           128           Yes             Dropped by NIST
FF3        Feistel           128           Yes             $2^{21}$
FEA-1/-2   Feistel           128/192/256   No              –


New Designs

Problems with existing designs:
All the existing designs are based on Feistel structure.
Due to Patarin’s attacks, the number of Feistel rounds needed is high, which causes efficiency issues.
Large modular operations are used in these designs, which makes them unsuitable for resource constrained devices.
Can we have a different structure? And more efficient designs?


Substitution-Permutation Network (SPN)

Basic transformations: Key addition, confusion (substitution) and diffusion.
A round transformation is a combination of all these basic transformations.
Finally, the cipher consists of the iteration of many rounds.

Figure 7: One round of SPN.


Designing FPE using SPN paradigm

FPE may be designed in several ways using SPN as follows:
1 Every transformation of SPN preserves the format.
– Our design: SPF (Inscrypt 2016).
2 Each round preserves the format (but individual operations are not format preserving).
3 Entire cipher is format preserving (but each round does not necessarily preserve the format).
– Our design: eSPF (HASS 2019).

We use SPN in counter mode to generate FP stream, which is then modularly added to the message to encrypt.


The Operating Mode of SPF

We adopt the Counter Mode of operation using SPF routine internally to handle variable lengths of messages.

Generate $j$ blocks of plaintexts, i.e., $M = M_1 \| M_2 \| \ldots \| M_j$ such that $\forall i,\ 1 \le i < (j-1),\ |M_i| = n$ and $|M_j| \le n$.

Invoke SPF for each counter block $T_1, T_2, \ldots, T_j$ corresponding to the message blocks to generate corresponding ciphertext blocks $C_1, C_2, \ldots, C_j$.

The ciphertext $C$ is the concatenation of these blocks.


Encryption process

Block input = A counter made up of 16 symbols.
Note that the entropy of the input is not necessarily 128 bits.
Arrange the input in a 4 × 4 matrix.
Apply operations like AES. Explained ahead.
Output is a stream of symbols.
Modular addition of the stream to input message produces the ciphertext.


SPF

‘SPF’ stands for Substitution-Permutation based, Format preserving encryption.

Motivated by AES design.

All basic transformations preserve the format, hence the cipher preserves the format.

$\mathrm{SPF}^{N}_{r}$, a member of the SPF family, consists of $r$ rounds and works for the alphabet set $\Sigma$, where $|\Sigma| = N$.


Basic Transformations

Format-Preserving SubBytes (FPSB).
– A bijective mapping from $\Sigma \to \Sigma$.
ShiftRows.
– Rotates the rows cyclically.
Format-Preserving MixColumns (FPMC).
– Explained on the next slide.
Format-Preserving Key Addition (FPKA).
– Symbol wise modular addition of round-key and current state.
Format-Preserving Tweak Addition (FPTA).
– Symbol wise modular addition of round tweak and current state.


FP MixColumn Transformation

Binary Matrix: All elements are either 1 or 0.
The binary matrix $M$ used for presented scheme has branch number 4.

$$M = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \end{pmatrix}$$

The transformation of a column of state is represented as:

$$\begin{pmatrix} b_{r,0} \\ b_{r,1} \\ b_{r,2} \\ b_{r,3} \end{pmatrix} = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \end{pmatrix} \times \begin{pmatrix} a_{r,0} \\ a_{r,1} \\ a_{r,2} \\ a_{r,3} \end{pmatrix} \bmod N$$


SPF for Digits

The motivating applications of FPE are CCN and SSN, i.e., strings of digits.

We present an instance of SPF construction for digits.


S-boxes for Digits

We use a single S-box $S : \Sigma \to \Sigma$, where $|\Sigma| = 10$.

We analyzed all possible 10! mappings of $S$ exhaustively and picked up mappings that have good differential and linear probabilities.

Finally, we used hardware implementation cost as the final metric to choose the S-box for digits.
Using Karnaugh-map, we can compute the number of Boolean gates required for any mapping.

x      0  1  2  3  4  5  6  7  8  9
S[x]   2  6  8  7  1  4  9  5  3  0

Table 1: Representation of S-box for digits.


Key Schedule

We propose a new format preserving key scheduling algorithm (KSA) for the SPF cipher (Inscrypt 2016).
The key schedule algorithm takes the 128-bit cipher key $K$ as input and generates $(r + 1)$ round subkeys as outputs.


Tweak Schedule

Choice of tweak addition of SPF construction is motivated by the tweak addition of KIASU-BC cipher (Jean et al., Asiacrypt 2014).

A 16 symbol long tweak Tw is used to generate two subtweaks Tw0 and Tw1. These are added to the first two rows of the state for each even and odd numbered rounds correspondingly.


Security Analysis

We analyzed security of SPF against following attacks:
Differential Attack.
Linear Attack.
Square Attack.
Impossible Differential Attack.
Key Related Attacks.
Related Tweak Attacks.
Multiset Attack.

Nine rounds of SPF are secure against these attacks. By considering performance and security margin, we recommend $r = 14$.


Performance Analysis

Efficiency comparison of FF1, FF3-1 and SPF for digits.

Table 2: An entry corresponding to an FPE scheme and a number of symbols represents the number of substitutions and permutations required.

FPE schemes   No. of Symbols
              16    32    64    128
SPF           14    28    56    112
FF1           110   110   310   410
FF3-1         80    80    160   240

SPF is 5 to 7 times more efficient than NIST standards for most of practical applications.


Implementations

We implemented $\mathrm{SPF}^{10}_{14}$ on different 64-bit platforms and compared the performance with FFX.
Similar to AES, table lookups in SPF can be used to combine different round transforms, leading to very fast implementations.
Interestingly, the lookup tables are much smaller compared to AES.
Apart from making such implementations more interesting for resource constrained environments, the small lookup tables also reduce risk of timing attacks.
Unlike AES, SPF uses a binary matrix for the FPMC operation, as a result the implementation can be much more efficient on constrained devices.


Implementations

We tested our implementation on high performance platforms, for server as well as mobile platforms, the experimental results are shown below.

Table 3: Experimental results on various 64-bit processors for digits.

Processor            Clock Speed   Speed for $\mathrm{SPF}^{10}_{14}$
                                   Symbols/s.             Cycles/Symbol
Intel Core i7 6700   3.4 GHz       $132.4 \times 10^6$    25.6
Intel Core i7 4770   3.4 GHz       $117.2 \times 10^6$    29.0
Intel Core i5 5200   2.2 GHz       $26.8 \times 10^6$     82.0
Intel Xeon E5 2630   2.3 GHz       $52.9 \times 10^6$     43.4


Limitations

Uses binary matrix in diffusion layer to meet the goal of designing format preserving basic transformations.
– Non optimal choice due to non-availability of MDS matrix.
Need to design specific basic transformations for each format size.
– One instantiation will not work for other formats.
This construction will not work for some specific formats.


Availability of MDS matrix for some specific formats

Lemma 1
Let $M = (m_{i,j})$ be a $d \times d$ MDS matrix over a field $\mathbb{F}_{2^b}$. Let $S$ be a set of $v$ elements such that $S = \{0, 1, \ldots, v-1\}$; and $S^* = S - \{0\}$. Further, let $S$ be a subset of $\mathbb{F}_{2^b}$ such that $\{0, 1\} \subset S$ and $\forall X \in S^d$, $Y = M \times X^T \in S^d$. Then:
1 $m_{i,j} \in S^*$, $\forall\ 0 \le i, j \le d$,
2 $S^* = m_{i,j} S^*$, $\forall\ 0 \le i, j \le d$,
3 For any $i, j \in \{0, \ldots, d-1\}$, the cyclic group generated by $m_{i,j}$ with respect to multiplication is a subset of $S^*$, i.e., $\langle m_{i,j} \rangle \subseteq S^*$,
4 $S$ is an additive subgroup of $\mathbb{F}_{2^b}$.

The above lemma shows that a $d \times d$ format-preserving MDS matrix exists if $|S| = v$ is of the form $2^b$.


Non-availability of MDS matrix for an arbitrary format

(Gupta et al., Indocrypt 2016) It is impossible to construct any cryptographically significant $4 \times 4$ matrix over the field $\mathbb{F}_{2^4}$ in the diffusion layer which yields a format preserving set of cardinality 10.
(Barua et al., Indocrypt 2018) Method to construct format preserving sets of cardinality 20 with respect to $3 \times 3$ MDS matrices; and of cardinality $10^3$ and $26^3$ with respect to $4 \times 4$ MDS matrices.
They leave finding any format preserving sets of cardinality 10 and 26 with respect to $4 \times 4$ MDS matrices as open problems.


eSPF

We present a new approach to construct efficient format-preserving encryption schemes.

Use of MDS matrix in the diffusion layer (unlike SPF construction where binary matrix is used) results in optimal diffusion.

The proposed construction works for any domain size.

One instantiation may work for many formats.


eSPF Construction

The eSPF cipher contains two components:

A non format preserving encryption.
– The MDS matrix and substitution mappings are defined over the finite field $\mathbb{F}_{p^b}$, where $p$ is a prime and $b$ is an integer and $N \le p^b$.

A Discarding Algorithm (DA).
– In order to retain the format preserving property.


Basic Transformations

SubBytes (SB).
– A bijective mapping $S : \mathbb{F}_{p^b} \to \mathbb{F}_{p^b}$.
ShiftRows (SR).
– Rotates symbols of the rows cyclically.
MixColumns (MC).
– A MDS matrix defined over $\mathbb{F}_{p^b}$ such that $N \le p^b$.
Key Addition (KA).
– Symbol wise modular addition of round-key and the current state.
Tweak Addition (TA).
– Symbol wise modular addition of round tweak and the current state.


Discarding Algorithm

As the operations are performed over $\mathbb{F}_{p^b}$, we need to discard symbols which are not in format.
The discarding process is equivalent to cycle-walking or using modular operation to ensure non-violation of the format.

Algorithm 3: DA(S)
input : String $S$
output: String $S'$
Initialize a string $S'$ = NULL;
for $i \leftarrow 1$ to $n$
    if $S[i] \in \Sigma$
        $S' = S' \| S[i]$;
    else
        $S'$;
return $S'$;


Discarding rate

Let $\Sigma = \{0, 1, 2, \ldots, N-1\}$ be the alphabet set of format size $N$.
Let $\Sigma' = \{0, 1, 2, \ldots, N'-1\}$, where $\Sigma'$ is the alphabet set containing all the elements of $\mathbb{F}_{p^b}$ and $N' > N$.
Let $pr$ be the probability of not discarding an output symbol of $E_k$, i.e., $pr = \frac{N}{N'}$.
As the ciphertext state consists of 16 symbols, the likelihood of getting a format compliant symbol 16 times can be modelled using binomial distribution.


Discarding rate

In the following table, we list the candidate Galois Field for formats of different sizes with discarding details.

Table 4: Galois Field Size for formats of different sizes.

Use Case                        Format Size (N)   $\mathbb{F}_{p^b}$   Field Size (N')   pr     Exp. Val. (µ) (for x = 16)   Binom. Pr. Pr.[Z ≥ 13]
Digits                          10                $\mathbb{F}_{11}$    11                0.9    14.54                        0.94
Alphabets                       26                $\mathbb{F}_{29}$    29                0.89   14.24                        0.9
Case sensitive alphanumeric     36                $\mathbb{F}_{37}$    37                0.97   15.5                         0.98
Case insensitive-alphanumeric   62                $\mathbb{F}_{67}$    67                0.92   14.8                         0.96


S-boxes for Digits

We use a single S-box $S : \mathbb{F}_{11} \to \mathbb{F}_{11}$.

We analyzed all possible 11! mappings of $S$ exhaustively and picked up mappings that have good differential and linear probabilities.

Finally, we used hardware implementation cost as the final metric to choose the S-box for digits.
Using Karnaugh-map, we can compute the number of Boolean gates required for any mapping.

x      0  1  2   3  4  5  6  7  8  9  10
S[x]   2  0  10  6  3  8  9  4  7  5  1

Table 5: Representation of S-box.


MixColumns Transformation

We choose a 4 x 4 MDS diffusion layer over GF(11) such that it violates the format size.
The matrix $M$ used for the presented scheme has a branch number 5.

$$M = \begin{pmatrix} 1 & 1 & 2 & 5 \\ 5 & 1 & 1 & 2 \\ 2 & 5 & 1 & 1 \\ 1 & 2 & 5 & 1 \end{pmatrix}$$
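
Added example, not part of the slides: an exhaustive Python check of the two column-mixing matrices (SPF's binary matrix modulo 10 and the eSPF matrix over GF(11)), together with Algorithm 3 and the keep probability from the discarding-rate slides. The function names and the sample column are assumptions.

```python
from itertools import product
from math import comb

SPF_M = [[1, 1, 1, 0], [0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1]]   # FPMC, used mod N
ESPF_M = [[1, 1, 2, 5], [5, 1, 1, 2], [2, 5, 1, 1], [1, 2, 5, 1]]  # MC over GF(11)


def mix_column(matrix, column, modulus):
    # b = M x a (mod modulus) for one 4-symbol column of the state.
    return tuple(sum(m * a for m, a in zip(row, column)) % modulus for row in matrix)


def is_bijection(matrix, modulus):
    # Exhaustive check that the column map is invertible on modulus^4 inputs.
    columns = product(range(modulus), repeat=4)
    return len({mix_column(matrix, c, modulus) for c in columns}) == modulus ** 4


def branch_number(matrix, modulus):
    # Minimum over non-zero columns of weight(input) + weight(output).
    def weight(v):
        return sum(1 for s in v if s != 0)
    return min(weight(c) + weight(mix_column(matrix, c, modulus))
               for c in product(range(modulus), repeat=4) if any(c))


def discard(symbols, n):
    # Algorithm 3 (DA): keep only symbols that belong to the alphabet {0, ..., n-1}.
    return [s for s in symbols if s < n]


def keep_stats(n, n_field, symbols=16, threshold=13):
    # pr = N/N', the expected number of kept symbols, and Pr[Z >= threshold]
    # for Z ~ Binomial(symbols, pr), as in the discarding-rate slides.
    pr = n / n_field
    tail = sum(comb(symbols, k) * pr ** k * (1 - pr) ** (symbols - k)
               for k in range(threshold, symbols + 1))
    return pr, symbols * pr, tail


if __name__ == "__main__":
    print("SPF  mod 10:", is_bijection(SPF_M, 10), branch_number(SPF_M, 10))
    print("eSPF mod 11:", is_bijection(ESPF_M, 11), branch_number(ESPF_M, 11))
    out = mix_column(ESPF_M, (2, 0, 0, 0), 11)   # constructed digit column
    print(out, "->", discard(out, 10))           # the symbol 10 leaves the digit alphabet
    print(keep_stats(10, 11))
```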



Security Analysis

We analyzed security of eSPF against the following attacks:
Differential Attack.
Linear Attack.
Square Attack.
Impossible Differential Attack.
Key Related Attacks.
Related Tweak Attacks.

Seven rounds of eSPF are secure against these attacks. By considering performance and security margin, we recommend $r = 10$.


Implementations

eSPF is suitable for efficient implementation on a wide range of devices.
We implemented $\mathrm{eSPF}^{10}_{10}$ on 64-bit platforms and compared the performance with FFX.
Similar to AES, table lookups in eSPF can be used to combine different round transforms, leading to very fast implementations.
Interestingly, the lookup tables are much smaller compared to AES.
Apart from making such implementations more interesting for resource constrained environments, the small lookup tables also reduce risk of timing attacks.


Performance Analysis

Efficiency comparison of FF1, FF3-1, SPF and eSPF for digits.

Table 6: An entry corresponding to an FPE scheme and a number of symbols represents the number of substitutions and permutations required.

FPE schemes   No. of Symbols
              8     16    32    64
eSPF          10    20    30    50
SPF           14    14    28    56
FF1           110   110   110   310
FF3-1         80    80    80    160


Implementations

We tested our implementation on high performance platforms, for server as well as mobile platforms, the experimental results are shown in Table 7.

Table 7: Experimental results on various 64-bit processors for digits.

Processor            Clock Speed   Speed for $\mathrm{eSPF}^{10}_{10}$
                                   Symbols/s.             Cycles/Symbol
Intel Core i7 6700   3.4 GHz       $201.2 \times 10^6$    16.8
Intel Core i7 4770   3.4 GHz       $168.1 \times 10^6$    20.2
Intel Core i5 2400   3.1 GHz       $44.8 \times 10^6$     70.5

For other format sizes, performance would be very similar, as long as the lookup tables can be kept in the L1 cache.
Hardware implementation of eSPF is almost 10 times faster than the software implementations considering the clock frequency.


Attacks on FF1, FF3-1, FEA-1 and FEA-2

Joint work with Eran Lambooij, Orr Dunkelman, Abhishek Kumar.

Supported by MOST and DST.


Generic Construction
The design of a block cipher over small domains has two inherent problems:
1 Enumeration attacks.
2 Constructing good components that work for a wide range of input sizes is not trivial.
One round of generic construction of FPE designs.

[Figure labels: L, $T_i$, $K_i$, R, F, PRF/PRP, F', ⊕, L', R']

Figure 8: One round of the construction


Security Analysis of FF1 and FF3

We show how to construct a generic differential distinguisher for FF1 and FF3-1.

This distinguisher is independent of the components used in the constructions and can be used for every cipher using an equivalent construction.

We show that the amount of data needed to mount the attack is well within the security bounds of both FF1 and FF3-1.


Distinguishing Attack

For a PRF:
Given a non-zero difference $\Delta$, we can get a zero output difference.

Using this property we can construct the following two round iterative differential characteristic with probability $2^{-n}$.

$$(0|\Delta) \xrightarrow{1} (\Delta|0) \xrightarrow{2^{-n}} (0|\Delta)$$


Distinguishing Attack

We argue that if the characteristic given above is not followed, the probability that we see the output difference $(\Delta|0)$ is $2^{-2n}$.

Thus the probability of seeing this output when using an FFX like scheme with $2r$ rounds is $2^{-2n} + 2^{-rn}$.

In other words, there is a $2^{-rn}$ positive bias to observe the output difference $(0|\Delta)$.


Distinguishing Attack

Normally, a bias of $2^{-rn}$ would not be distinguishable in a cipher with a blocksize of size $2^{2n}$ (for $r > 1$).

However, the addition of the tweak in the construction increases the amount of samples we can gather using a single key.


Attack Idea for FEA-1 and FEA-2

The basic idea is the same as discussed for FF1 and FF3-1.

We may construct the following two round iterative differential characteristic with probability $2^{-n}$.

$$(0|\Delta) \xrightarrow{1} (\Delta|0) \xrightarrow{2^{-n}} (0|\Delta)$$


Complexity of the Attack
The number of rounds specified for each key size and the data needed to distinguish the permutation from random.

Algorithm   Rounds   Block size   Keysize   Complexity: Time     Complexity: Data
FEA1        12       8            128       $2^{36}$             $2^{32}$
FEA1        14       8            192       $2^{44}$             $2^{40}$
FEA1        16       8            256       $2^{52}$             $2^{48}$
FEA2        18       8            128       $2^{60}$             $2^{56}$
FEA2        21       8            192       $2^{72}$             $2^{68}$
FEA2        24       8            256       $2^{84}$             $2^{80}$
FF1         10       20           128       $2^{70}$             $2^{60}$
FF3-1       8        40           128       $2^{100}$            $2^{80}$
Generic     $2r$     $2n$         -         $2^{2n(r-1.5)}$      $2^{2n(r-1.5)-n}$

Table 8: Comparison of distinguishing attacks.


Key Recovery Attack

FF1 and FF3-1 use AES as the round function, and hence key recovery attack is not possible.

However, the round function of the FEA-1 and FEA-2 is cryptographically weaker than AES.

Given the above mentioned distinguisher, key recovery attacks against all key-sizes are possible for FEA-1 and FEA-2 (details skipped).


References I

1. Morris Dworkin. Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. NIST Special Publication, 800:38G.
2. J. Daemen, V. Rijmen, AES proposal: Rijndael, in NIST AES Proposal (1998).
3. J. Black and P. Rogaway. Ciphers with arbitrary finite domains. In B. Preneel, editor, CT-RSA 2002.
4. Schroeppel, R.: The Hasty Pudding Cipher (1998).
5. Liskov et al., Tweakable Block Ciphers. In: Yung, M. (ed.) CRYPTO 2002.
6. Gupta et al., Format Preserving Sets: On Diffusion Layers of Format Preserving Encryption Schemes. INDOCRYPT 2016.


References II

7. Barua et al., On Diffusion Layers of SPN Based Format Preserving Encryption Schemes: Format Preserving Sets Revisited. INDOCRYPT 2018.
8. Lee et al., Format-preserving encryption algorithms using families of Tweakable Blockciphers. In: Lee J, Kim J (eds). ICISC 2014.
9. Chang et al., A Generalized Format Preserving Encryption Framework Using MDS Matrices. Journal of Hardware and Systems Security, Vol. 3, 2019, Springer.
10. Chang et al., SPF: A New Family of Efficient Format-Preserving Encryption Algorithms, Inscrypt 2016.
11. M. Dworkin and R. Perlner, Analysis of VAES3 (FF2), Report no. 2015/306, IACR Cryptology ePrint Archive, April 2, 2015.
12. Bellare et al., Message-recovery attacks on Feistel-based format preserving encryption, ACM CCS 2016.


References III

13. F. B. Durak and S. Vaudenay, Breaking the FF3 Format-Preserving Encryption Standard Over Small Domains, CRYPTO 2017.
14. Hoang et al., The Curse of Small Domains: New Attacks on Format-Preserving Encryption, CRYPTO 2018.
15. Jean et al., Tweaks and keys for block ciphers: the TWEAKEY framework, ASIACRYPT 2014.


THANK YOU
