84 research outputs found
Message-recovery attacks on Feistel-based Format Preserving Encryption
We give attacks on Feistel-based format-preserving encryption (FPE) schemes that succeed in message recovery (not merely distinguishing scheme outputs from random) when the message space is small. For -bit messages, the attacks fully recover the target message using examples for the FF3 NIST standard and examples for the FF1 NIST standard. The examples include only three messages per tweak, which is what makes the attacks non-trivial even though the total number of examples exceeds the size of the domain. The attacks are rigorously analyzed in a new definitional framework of message-recovery security. The attacks are easily put out of reach by increasing the number of Feistel rounds in the standards
The Curse of Small Domains: New Attacks on Format-Preserving Encryption
Format-preserving encryption (FPE) produces ciphertexts which have the same format as the plaintexts. Building secure FPE is very challenging, and recent attacks (Bellare, Hoang, Tessaro, CCS\u2716; Durak and Vaudenay, CRYPTO\u2717) have highlighted security deficiencies in the recent NIST SP800-38G standard. This has left the question open of whether practical schemes with high security exist.
In this paper, we continue the investigation of attacks against FPE schemes. Our first contribution are new known-plaintext message recovery attacks against Feistel-based FPEs (such as FF1/FF3 from the NIST SP800-38G standard) which improve upon previous work in terms of amortized complexity in multi-target scenarios, where multiple ciphertexts are to be decrypted. Our attacks are also qualitatively better in that they make no assumptions on the correlation between the targets to be decrypted and the known plaintexts. We also surface a new vulnerability specific to FF3 and how it handles odd length domains, which leads to a substantial speedup in our attacks.
We also show the first attacks against non-Feistel based FPEs. Specifically, we show a strong message-recovery attack for FNR, a construction proposed by Cisco which replaces two rounds in the Feistel construction with a pairwise-independent permutation, following the paradigm by Naor and Reingold (JoC,\u2799). We also provide a strong ciphertext-only attack against a variant of the DTP construction by Brightwell and Smith, which is deployed by Protegrity within commercial applications.
All of our attacks show that existing constructions fall short of achieving desirable security levels. For Feistel and the FNR schemes, our attacks become feasible on small domains, e.g., 8 bits, for suggested round numbers. Our attack against the DTP construction is practical even for large domains. We provide proof-of-concept implementations of our attacks that verify our theoretical findings
Interpolation Cryptanalysis of Unbalanced Feistel Networks with Low Degree Round Functions
Arithmetisierungs-Orientierte Symmetrische Primitive (AOSPs) sprechen das bestehende Optimierungspotential bei der Auswertung von Blockchiffren und Hashfunktionen als Bestandteil von sicherer Mehrparteienberechnung, voll-homomorpher Verschlüsselung und Zero-Knowledge-Beweisen an. Die Konstruktionsweise von AOSPs unterscheidet sich von traditionellen Primitiven durch die Verwendung von algebraisch simplen Elementen. Zusätzlich sind viele Entwürfe über Primkörpern statt über Bits definiert. Aufgrund der Neuheit der Vorschläge sind eingehendes Verständnis und ausgiebige Analyse erforderlich um ihre Sicherheit zu etablieren. Algebraische Analysetechniken wie zum Beispiel Interpolationsangriffe sind die erfolgreichsten Angriffsvektoren gegen AOSPs. In dieser Arbeit generalisieren wir eine existierende Analyse, die einen Interpolationsangriff mit geringer Speicherkomplexität verwendet, um das Entwurfsmuster der neuen Chiffre GMiMC und ihrer zugehörigen Hashfunktion GMiMCHash zu untersuchen. Wir stellen eine neue Methode zur Berechnung des Schlüssels basierend auf Nullstellen eines Polynoms vor, demonstrieren Verbesserungen für die Komplexität des Angriffs durch Kombinierung mehrere Ausgaben, und wenden manche der entwickelten Techniken in einem algebraischen Korrigierender-Letzter-Block
Angriff der Schwamm-Konstruktion an. Wir beantworten die offene Frage einer früheren Arbeit, ob die verwendete Art von Interpolationsangriffen generalisierbar ist, positiv. Wir nennen konkrete empfohlene untere Schranken für Parameter in den betrachteten Szenarien. Außerdem kommen wir zu dem Schluss dass GMiMC und GMiMCHash gegen die in dieser Arbeit betrachteten Interpolationsangriffe sicher sind. Weitere kryptanalytische Anstrengungen sind erforderlich um die Sicherheitsgarantien von AOSPs zu festigen
Format and Order Revealing Encryption
As more and more cloud services emerge so does the need for new methods for securing the
data these services consume, especially since data leaks have become the norm rather than the
exception. Since most cloud services require some kind of access to our private data in order to
perform searches and provide services, new ways of securing our data in the cloud is needed.
This dissertation examines the current state of the cryptographic world in order to try to and
understand and resume what solutions currently exist for this particular type of problem.
This work is motivated by a particular problem of data delegation to a cloud infrastructure. This
problem involves the protection of sensitive data whilst it’s analysed by a third party. While
there is no simple approach to solve this particular problem, this dissertation discusses three
main approaches to tackle this problem. One approach attempts to define a new cryptographic
scheme with a leakage profile that would allow a third party to only have access to some information
of the plaintext but, at the same time, keep the plaintext safe from attackers. Another
approach attempts to use already existing cryptographic schemes, such as, Format Preserving
Encryption and Order Revealing Encryption to solve this particular problem. A final approach
tries to solve this problem by utilising cryptographic tools, such as hash-functions and hash-based
message authentication codes.
An extended study was also conducted in many cryptographic schemes, both current and old
cryptographic schemes. This study allowed for a better view of the cryptographic world and
how these schemes could help us achieve a solution. For this dissertation, a prototype was also
implemented of some recent cryptographic schemes. These prototype implementations allowed
for a deeper understanding of how these schemes work and also allowed us to conduct some
experiments while trying to combine two cryptographic schemes.
The results of this dissertation show that that trying to solve a problem via creating a new
cryptographic scheme is not an easy feat especially when one wants to define correctly the strict
security requirements and also the work needed to understand the mathematical workings of
similar schemes. Lastly we conclude that solving the problem with the help of already existing
tools may be the easiest solution, but, it may also only work for a specific scenario and hence is
of no use in other similar situations. A solution to the particular problem studied in this thesis is
also presented at the end of this dissertation, although, it only applies to this specific problem
and does not solve the more general problem of privacy of data delegation to the cloud.Com a explosão de serviços baseados na nuvem que ocorre nos dias de hoje, torna-se imperativo
que os dados que são consumidos por este tipo de serviços sejam de alguma forma protegidos
contra ataques ou roubos[Cen18]. O principal problema com este tipo de serviços é que, normalmente,
estes serviços precisam de acesso aos dados para conseguirem fazer pesquisas e
correlacionar dados de forma a que seja possível fornecer diversos serviços. Esta dissertação
tem como objetivo estudar o mundo da criptografia de forma a perceber que tipo de garantias
são oferecidas pelos esquemas criptográficos existentes nos dias de hoje para serviços baseados
na nuvem.
Este trabalho é motivado por um problema real de delegação de dados para a nuvem. Este
problema envolve a proteção de dados sensíveis que precisam de ser analisados por entidades
externas. Embora não haja uma abordagem simples para resolver este tipo de problemas, nesta
dissertação iremos discutir três abordagens que, potencialmente, poderão resolver este problema.
Uma abordagem tenta definir o que poderia ser a estrutura geral de um novo esquema
criptográfico que pudesse lidar com o problema específico em análise. Numa outra abordagem
iremos utilizar ferramentas existentes para tentar resolver o problema em questão. Iremos
também tentar unir dois esquemas criptográficos existentes, de forma a tentar combater este
problema em específico.
Foi também realizado um estudo a vários esquemas criptográficos de forma a perceber quais as
soluções que existem hoje em dia para problemas relacionados com a delegação de dados para
entidades externas, como também, tentar perceber que esquemas criptográficos que ainda são
resultados meramente teóricos mas que possam vir, no futuro, a ser úteis para combater esta
problemática.
Os resultados desta dissertação mostram que resolver um problema relacionado com criptografia
nem sempre é fácil, uma vez que, a má utilização destes esquemas poderá levar a uma falha
grave de segurança. Por fim, concluímos que, resolver um problema desta natureza através de
ferramentas existentes é bastante mais fácil do que tentar desenvolver esquemas criptográficos
novos, mas que irá perder o poder de poder ser aplicado a outros problemas semelhantes
Breaking the FF3 Format Preserving Encryption
The NIST standard FF3 scheme (also known as BPS scheme) is a tweakable block cipher based on a 8-round Feistel Network. We break it with a practical attack. Our attack exploits the bad domain separation in FF3 design. The attack works with chosen plaintexts and tweaks when the message domain is small. Our FF3 attack requires chosen plaintexts with time complexity , where is domain size to the Feistel Network. Due to the bad domain separation in 8-round FF3, we reduced the FF3 attack to an attack on 4-round Feistel Networks. In our generic attack, we reconstruct the entire codebook of 4-round Feistel Network with known plaintexts and time complexity
Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains
The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel structure based schemes called FF1 and FF3. Particularly, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS~2016, Bellare et. al. gave an attack to break FF3 (and FF1) with time and data complexity , which is much larger than the code book (but using many tweaks), where is domain size to the Feistel network. In this work, we give a new practical total break attack to the FF3 scheme (also known as BPS scheme). Our FF3 attack requires chosen plaintexts with time complexity . Our attack was successfully tested with . It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Due to this weakness, we reduced the FF3 attack to an attack on 4-round Feistel network. Biryukov et. al. already gave a 4-round Feistel structure attack in SAC~2015. However, it works with chosen plaintexts and ciphertexts whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack to 4-round Feistel network that reconstructs the entire tables for all round functions. It works with known plaintexts and time complexity . Our 4-round attack is simple to extend to five and more rounds with complexity . It shows that FF1 with and FF3 with do not offer a 128-bit security. Finally, we provide an easy and intuitive fix to prevent the FF3 scheme from our attack
Cryptanalysis of Feistel-Based Format-Preserving Encryption
Format-Preserving Encryption (FPE) is a method to encrypt non-standard domains, thus allowing for securely encrypting not only binary strings, but also special domains, e.g., social security numbers into social security numbers. The need for those resulted in a few standardized constructions such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2. Moreover, there are currently efforts both in ANSI and in ISO to include such block ciphers to standards (e.g., the ANSI X9.124 discussing encryption for financial services).
Most of the proposed FPE schemes, such as the NIST standardized FF1 and FF3-1 and the Korean Standards FEA-1 and FEA-2, are based on a Feistel construction with pseudo-random round functions. Moreover, to mitigate enumeration attacks against the possibly small domains, they all employ tweaks, which enrich the actual domain sizes.
In this paper we present distinguishing attacks against Feistel-based FPEs. We show a distinguishing attack against the full FF1 with data complexity of 20-bit plaintexts, against the full FF3-1
with data complexity of 20-bit plaintexts. For FEA-1 with 128-bit, 192-bit and 256-bit keys, the data complexity of the distinguishing attack is , , and 8-bit plaintexts, respectively. The data complexity of the distinguishing attack against the full FEA-2 with 128-bit, 192-bit and 256-bit is , , and 8-bit plaintexts, respectively. Moreover, we show how to extend the distinguishing attack on FEA-1 and FEA-2 using 192-bit and 256-bit keys into key recovery attacks with time complexity (for both attacks)
Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains
Feistel Networks (FN) are now being used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and when the domain size of a branch (called ) is small. We investigate round-function-recovery attacks. The best known attack so far is an improvement of Meet-In-The-Middle (MITM) attack by Isobe and Shibutani from ASIACRYPT~2013 with optimal data complexity and time complexity , where is the round number in FN. We construct an algorithm with a surprisingly better complexity when is too low, based on partial exhaustive search. When the data complexity varies from the optimal to the one of a codebook attack , our time complexity can reach . It crosses the complexity of the improved MITM for . We also estimate the lowest secure number of rounds depending on and the security goal. We show that the format-preserving-encryption schemes FF1 and FF3 standardized by NIST and ANSI cannot offer 128-bit security (as they are supposed to) for and , respectively (the NIST standard only requires ), and we improve the results by Durak and Vaudenay from CRYPTO~2017
Linear Cryptanalysis of FF3-1 and FEA
Improved attacks on generic small-domain Feistel ciphers with alternating round tweaks are obtained using linear cryptanalysis. This results in practical distinguishing and message-recovery attacks on the United States format-preserving encryption standard FF3-1 and the South-Korean standards FEA-1 and FEA-2. The data-complexity of the proposed attacks on FF3-1 and FEA-1 is , where is the domain size and is the number of rounds. For example, FF3-1 with can be distinguished from an ideal tweakable block cipher with advantage using encryption queries. Recovering the left half of a message with similar advantage requires data. The analysis of FF3-1 serves as an interesting real-world application of (generalized) linear cryptanalysis over the group
Physical Layer Encryption for Industrial Ethernet in Gigabit Optical Links
Industrial Ethernet is a technology widely spread in factory floors and
critical infrastructures where a high amount of data need to be collected and
transported. Fiber optic networks at gigabit rates fit well with that type of
environments where speed, system performance and reliability are critical. In
this work a new encryption method for high speed optical communications
suitable for such kind of networks is proposed. This new encryption method
consists of a symmetric streaming encryption of the 8b/10b data flow at PCS
(Physical Coding Sublayer) level. It is carried out thanks to an FPE (Format
Preserving Encryption) blockcipher working in CTR (Counter) mode. The overall
system has been simulated and implemented in an FPGA (Field Programmable Gate
Array). Thanks to experimental results it can be concluded that it is possible
to cipher traffic at this physical level in a secure way. In addition, no
overhead is introduced during encryption, getting minimum latency and maximum
throughput
- …