Breaking the FF3 Format Preserving Encryption

The NIST standard FF3 scheme (also known as the BPS scheme) is a tweakable block cipher based on an 8-round Feistel network. We break it with a practical attack. Our attack exploits the bad domain separation in the FF3 design. The attack works with chosen plaintexts and tweaks when the message domain is small. Our FF3 attack requires $O(N^{\frac{11}{6}})$ chosen plaintexts with time complexity $N^{5}$, where $N^2$ is the domain size of the Feistel network. Due to the bad domain separation in 8-round FF3, we reduced the FF3 attack to an attack on 4-round Feistel networks. In our generic attack, we reconstruct the entire codebook of a 4-round Feistel network with $N^{\frac{3}{2}} \left( \frac{N}{2} \right)^{\frac{1}{6}}$ known plaintexts and time complexity $N^{4}$.


Published in: Early Symmetric Crypto 2017
Presented at: Early Symmetric Crypto, Canach, Luxembourg, January 16-20, 2017
Year: 2017
ISBN: 978-99959-814-2-6
 Record created 2017-10-02, last modified 2018-03-17
