
Linear Cryptanalysis of FF3-1 and FEA

Conference paper
Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12825)

Abstract

Improved attacks on generic small-domain Feistel ciphers with alternating round tweaks are obtained using linear cryptanalysis. This results in practical distinguishing and message-recovery attacks on the United States format-preserving encryption standard FF3-1 and the South-Korean standards FEA-1 and FEA-2. The data complexity of the proposed attacks on FF3-1 and FEA-1 is \(\widetilde{\mathcal {O}}(N^{r/2 - 1.5})\), where \(N^2\) is the domain size and r is the number of rounds. For example, FF3-1 with \(N = 10^3\) can be distinguished from an ideal tweakable block cipher with advantage \(\ge 1/10\) using \(2^{23}\) encryption queries. Recovering the left half of a message with similar advantage requires \(2^{24}\) data. The analysis of FF3-1 serves as an interesting real-world application of (generalized) linear cryptanalysis over the group \(\mathbb {Z}/N\mathbb {Z}\).
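The abstract's closing remark is that the analysis is an application of generalized linear cryptanalysis over the group \(\mathbb {Z}/N\mathbb {Z}\) rather than over \(\mathbb {F}_2^n\). The following is an added, self-contained illustration of what that means; it is not code from the paper and does not reproduce the paper's trails against FF3-1 or FEA. Over \(\mathbb {Z}/N\mathbb {Z}\) the \(\pm 1\) parity of a bit mask is replaced by the additive characters \(\chi_u(x) = e^{2\pi i u x / N}\), and the correlation of an approximation \((u \to v)\) of a function \(f\) is the complex number \(c = \frac{1}{N}\sum_x \chi_v(f(x))\,\overline{\chi_u(x)}\). The value of N, the toy functions `modular_add` and `random_permutation`, and the Matsui-style rule of thumb of about \(1/|c|^2\) queries in `queries_needed` are assumptions made for this example.

```python
"""
Added example (not from Beyne's paper): generalized linear cryptanalysis
over Z/NZ.  Correlations use the additive characters
chi_u(x) = exp(2*pi*i*u*x/N) in place of the +-1 parities used over GF(2).
N, the sample functions and the query-count rule of thumb are assumptions
of this example, not values taken from the paper.
"""
import cmath
import math
import random

N = 1000  # assumed branch size; a two-branch Feistel over Z/NZ has domain N^2


def chi(u: int, x: int, n: int = N) -> complex:
    """Additive character of Z/nZ indexed by the mask u."""
    return cmath.exp(2j * math.pi * ((u * x) % n) / n)


def correlation(f, u: int, v: int, n: int = N) -> complex:
    """Exact correlation of the approximation chi_u(x) -> chi_v(f(x)).

    c = (1/n) * sum_x chi_v(f(x)) * conj(chi_u(x)).
    |c| == 1 means the relation holds deterministically (up to a fixed
    phase); a random function gives |c| of order 1/sqrt(n).
    """
    total = sum(chi(v, f(x), n) * chi(u, x, n).conjugate() for x in range(n))
    return total / n


def estimate_correlation(f, u: int, v: int, queries: int,
                         n: int = N, rng=random) -> complex:
    """Empirical estimate of the same correlation from `queries` random
    inputs, which is what an attacker with query access to f computes."""
    total = 0j
    for _ in range(queries):
        x = rng.randrange(n)
        total += chi(v, f(x), n) * chi(u, x, n).conjugate()
    return total / queries


def queries_needed(c: complex) -> int:
    """Matsui-style rule of thumb (assumed here): roughly 1/|c|^2 samples
    before the estimator separates f from an ideal function."""
    return math.ceil(1 / abs(c) ** 2)


def modular_add(k: int):
    """Toy function x -> x + k mod N: every character survives with phase chi_u(k)."""
    return lambda x: (x + k) % N


def random_permutation(seed: int):
    """Toy stand-in for an ideal permutation of Z/NZ (constructed, seeded)."""
    rng = random.Random(seed)
    table = list(range(N))
    rng.shuffle(table)
    return lambda x: table[x]


if __name__ == "__main__":
    add7 = modular_add(7)
    # |c| = 1: x -> x+7 maps chi_3 to chi_3 up to the constant phase chi_3(7)
    print(abs(correlation(add7, 3, 3)))
    # |c| = 0: distinct characters of Z/NZ are orthogonal
    print(abs(correlation(add7, 3, 5)))
    perm = random_permutation(1)
    c = correlation(perm, 3, 3)
    print(abs(c), queries_needed(c))
    print(abs(estimate_correlation(add7, 3, 3, 2 ** 10)))
```

The exact `correlation` is only computable for toy sizes; the attacker's view is `estimate_correlation`, and the data complexities quoted in the abstract are statements about how many such samples are needed once the trail's correlation is known.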


Notes

  1. https://homes.esat.kuleuven.be/~tbeyne/fpe.

  2. I thank Dongyoung Roh for bringing the trails with \(u \ne v\) to my attention.

  3. This result is a useful approximation even when n is small (for example, when \(n \ge 8\)).

  4. Relative compared to the required number of queries q.


Acknowledgments

I thank Dongyoung Roh (ETRI) and Morris Dworkin (NIST) for useful comments on an early draft of this work, and Vincent Rijmen for proofreading the paper. The author is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO).

Author information

Corresponding author: Tim Beyne


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Beyne, T. (2021). Linear Cryptanalysis of FF3-1 and FEA. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_3


  • DOI: https://doi.org/10.1007/978-3-030-84242-0_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84241-3

  • Online ISBN: 978-3-030-84242-0

