Skip to content Skip to navigation

Pre-Defense: Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains


The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel structure based schemes called FF1 and FF3. Particularly, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS~2016, Bellare et. al. gave an attack to break FF3 (and FF1) with time and data complexity $O(N^5\log(N))$, which is much larger than the code book (using many tweaks), where $N^2$ is domain size to the Feistel network. In this work, we give a new practical total break attack to the FF3 scheme (also known as BPS scheme). Our FF3 attack requires $O(N^{\frac{11}{6}})$ chosen plaintexts with time complexity $O(N^{5})$. Our attack is practical when the message domain is small with less than $2^9$. It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Due to this weakness, we reduced the FF3 attack to an attack on 4-round Feistel network. Biryukov et. al. already gave a 4-round Feistel structure attack in SAC~2015. However, it works with chosen plaintexts and ciphertexts whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack to 4-round Feistel network that reconstructs the entire tables for all round functions. It works with $N^{\frac{3}{2}} \left( \frac{N}{2} \right)^{\frac{1}{6}}$ known plaintexts and time complexity $O(N^{3})$. Our 4-round attack is simple to extend to five and more rounds. Finally, we provide an easy and intuitive fix to prevent the FF3 scheme from our attack.

Fatma Betül Durak
CoRE B (305)
Event Date: 
05/30/2017 - 2:00pm
Prof. David Cash (Chair), Prof. Rebecca Wright, Prof. Shubhangi Saraf, Prof. Thomas Ristenpart (Cornell Tech)
Event Type: 
Department of Computer Science