Let's start with the concept of a block cipher, for example AES. It encrypts a message of a certain fixed length, say 128 bits, into a ciphertext of the same length under a hard-wired key, but block ciphers are somewhat rigid because of the fixed block length. A newer concept called format-preserving encryption (FPE) has been introduced; it is basically a cipher that encrypts a message from a general domain D into the same domain D. Typical domains are passcodes, social security numbers or credit card numbers; as we can see, these are not binary strings, and they are much smaller than 128 bits. FPE provides a method to encrypt those types of domains. FPE is specifically designed for legacy databases, because it provides a way to encrypt transparently to the applications running on top of the legacy databases, so no significant schema changes and no significant application changes are required. One way to construct format-preserving encryption could be to use a conventional block cipher, AES for example, with a padded input and a truncated output, but as we can guess this disables decryption. So we need neater methods, and FPEs are not easy to construct. Indeed, we can classify FPE constructions into two classes. In the first class we have some provably secure constructions, but unfortunately they are not fast enough for practitioners. On the other hand, we have the NIST standards.
They are fast enough for practice, but the security of these constructions is supported by cryptanalysis, which is exactly the topic of this talk. More importantly, the constructions called FF1 and FF3 in the NIST standards are based on Feistel networks, and they are tweakable block ciphers; I will come to what these mean in a second. Let me remind you that the topic of this talk is the FF3 construction. So let's look at the Feistel network, which is a widely known iterative cipher. It was invented by Dr. Feistel at IBM in the early 70s. Each iteration in this network is called a round, and here we see an example instance of a Feistel network with four rounds. Each round consists of a secure round function, typically a secure PRF, and a group operation defined on a domain D. I will explain how encryption happens in a couple of minutes. Before that, let's look at what tweakable format-preserving encryption is. As you may guess, FPE is a deterministic encryption, because the length of the message has to be preserved in the ciphertext, so it cannot be randomized. As I said, FPE is designed for small messages, small domain sizes, so it is vulnerable to dictionary attacks: it is very likely that we will have two messages equal to each other, and they will encrypt to the same ciphertext. To prevent dictionary attacks, the constructions introduce a tweak. As long as the tweaks are different from each other, for example for these two encryptions, they define two different random permutations. So this prevents dictionary attacks.
So tweaks are very essential for FPE, and more importantly these tweaks are publicly available and under the control of the adversary. So let's look at FF3 Feistel networks. To simplify FF3, we can look at a permutation on the integer domain Z_N^2, where the square is because of the two branches of the Feistel network. What FF3 does here is that it takes the right half of the input, pads it to 96 bits, concatenates it with 32 bits of tweak and inputs it to AES; the output is truncated with a modular operation. So this is basically how FF3 is designed. From now on I will drop the secret keys and tweaks from the notation, so don't get confused. Again very quickly, what FF3 is in the NIST standard: the specification for FF3 is that the number of rounds is eight, the domain size must be at least one hundred, and its targeted security is 128 bits. Since it is based on a Feistel network, all the security notions coming from Feistel networks are inherited by FF3, and FF3 additionally asserts PRP security against chosen-plaintext and chosen-ciphertext attacks. In this work, I would like to introduce our contributions in two parts. In the first part I will only be talking about generic attacks on Feistel networks, without mentioning what FF3 is, and in these Feistel networks I will be specifically focusing on modular addition as the group operation and on integer domains. In the second part I will describe an attack on the FF3 construction by using a glitch in the design of FF3. As far as we know, our attack works with the best known query and time complexity, and the good news is that it is easy to fix in order to prevent our present attack; we don't know what happens in the future. So I first want to talk a little bit about equivalent round functions and what they mean, because I will use this fact as an intuition for our attack. For that I would like to show you how encryption happens very briefly and
quickly. Maybe most of you already know how encryption happens, but for the three-round Feistel network we see here, with an intermediate value c which is unknown to the adversary, the encryption happens as follows. The right half of the message, y, is input to the first round function f0, and its output is added to the left part of the message to generate the intermediate value c. As soon as c is generated, this intermediate value is input to the second round function, and its output is added to the right half of the message to generate the right half of the ciphertext, and we continue in the same way for the last round in order to generate the left part of the ciphertext. This is how the set of round functions f0, f1 and f2 encrypts the message (x, y) into (z, t). I would like to show you that this encryption is not uniquely defined. What I mean is that I would like you to assume that I add a delta value here to the output of the first round function. What happens is that the additional delta value is transmitted to the intermediate value c. The aim is to show that (x, y) is going to be encrypted to (z, t) again, but with a different triple of round functions; the input-output behaviour of the encryption will be the same. So in the second round function, in order to eliminate this additional delta value from the intermediate value, I subtract the delta value before inputting to the second round function. This again generates the same half of the ciphertext. In the last round function, since the additional delta value stays in the intermediate part, I again subtract this delta value from the output of the last round function to eliminate it. Hence it generates the same left part of the ciphertext. So these two triples, f0, f1, f2 and the one defined here, have the same input-output behaviour of encryption.
So what that means is that the adversary can fix or set one output of an arbitrary input for the first round function. This gives flexibility to the adversary. So now, in my terminology, round function recovery means recovering the round functions, either the true one which is used for encryption, which in the previous slide was the triple f0, f1, f2, or one of the equivalent triples, because they all define the same encryption, as I showed you. There is also codebook recovery: in that case the adversary can recover the mapping of messages to their corresponding ciphertexts, and it doesn't have to be round function recovery. A very simple way of codebook recovery is to make oracle queries for each message, and we will be able to learn which message maps to which ciphertext, so decryption will be simple. Both of these attack types are as powerful as recovering the secret key. Okay, so the first part is going to be the generic attacks on Feistel networks. The r here represents the round numbers. So I will first give an attack for three-round Feistel networks, and as far as I know there is no other known attack with round function recovery, so our work is the only work I know. It is a known-plaintext attack with the given query and time complexities and no gap. We also have an attack against four-round Feistel networks, again round function recovery, with known-plaintext power given to the adversary and the given query and time complexities. But we are not alone.
There is another work by Biryukov et al.; they have better time complexity with the same query complexity, but in their case the adversary is given chosen-plaintext and chosen-ciphertext power, as opposed to known-plaintext power. Okay, so the adversary is a little bit more powerful in their attack. Similarly, we have given an attack against five-round Feistel networks with chosen-plaintext power and the complexities given here. Again, Biryukov et al. define five-round Feistel network attacks with chosen-plaintext and chosen-ciphertext power given to the adversary, and our complexities are better with the less powerful adversarial model. What is good about our work is that we can extend our attacks to six and more rounds; they are again chosen-plaintext attacks. I will be talking in detail about the three-round attack and very briefly about the four-round attack in this talk. So let's start with the three-round attack. The input given to the adversary is a set of message-ciphertext pairs with unknown intermediate values; I will call this set S. The output of the attack by the adversary is going to be either partial tables of the round functions or full tables of the round functions. Okay, so again I work with the three-round Feistel network with unknown intermediate values. In the first step the adversary picks a pair (x0, y0), (z0, t0) arbitrarily; it starts with an arbitrary message-ciphertext pair. As we have discussed, the adversary is free to set one output of one arbitrary input in an arbitrary manner, so the adversary picks y0 and sets f0 at this point to zero. The adversary is free to do that.
So as soon as the adversary sets f0 on this point y0, it can start doing encryption, and it learns what the intermediate value c0 is by doing this encryption. Since it learned what the c0 value is, now it can evaluate f1 on this point. So we filled one point here for f0 and one point for f1, and again we know the intermediate value now and we can learn one point for f2. This has been done with only one message-ciphertext pair. In the second step the adversary will pick a pair with a matching right half of the ciphertext. Why? Because it knows how to evaluate the last round function on this right half of the ciphertext. So the adversary now will try to decrypt backward, and it will learn again the intermediate value for this pair, which is c1, and how to evaluate f1 on this point, and similarly how to evaluate f0 on the point y1 of the second message-ciphertext pair. It filled the tables a little bit more. In the next step the adversary will pick a message-ciphertext pair with a matching right half of the message from the previously picked pair. Why? Again (sorry about that, this is supposed to be y2) because the adversary knows how to evaluate f0 on the point y2, and again this enables it to encrypt by finding the intermediate values. Okay, so the adversary continues this yoyo game until no more points in any of the round function tables are recovered.
Okay, so now the question is how much of these partial tables is recovered. In order to answer this question we like to model our set S as a bipartite graph. In this bipartite graph the vertices are all the possible right halves of the messages, which are the y values, and all the possible right halves of the ciphertexts, which are the t values, and the domain size of the round function is N. So those are the vertices, and the edges are defined by each pair inside S: as soon as we see a (y, t) pair in the set S, we put an edge in this graph. So all the attack algorithm is doing here is to look for a connected component starting from an arbitrary point y0. The adversary starts with y0 and finds an edge between y0 and t0; in the second step it finds another edge from t0 to another y value, and from then on it continues exploring this graph. Now the question in this algorithm is: how do we find a connected component, and how big will it be? Realize that the size of the set S is going to be the number of edges here, and the adversary is trying to explore all possible vertices starting from an arbitrary point. So if the Feistel network is a secure Feistel network, this graph should look like a random graph. What we know from random graph theory is that if the size of S, the number of edges, is N log N, then with high probability this graph is going to be fully connected. And if it is not fully connected, what is the probability of having a giant connected component?
So again from random graph theory, if the size of S is N, with high probability this bipartite graph will have a giant connected component, and this is basically the justification of our algorithm. Here are some experimental results. Here we have the size of the set S parameterized with the theta value, which is shown on the x-axis, and the y-axis stands for two different things: for the thick lines it stands for the fraction of experiments that fully recover all the round functions, over ten thousand independent runs; the thin lines show the fraction of recovered f0 depending on theta. If you see here, the fraction of recovered f0 does not seem to depend on N at all; regardless of N, the fraction of recovered f0 always gives similar figures. Okay, I would like to quickly switch to the four-round attack, but I'm not going to get into details because we don't have time for that. The basic idea here is that, since we know how to reconstruct the tables for three rounds if we have a set of known plaintext-ciphertext pairs, the question is: can we reduce the attack on four-round Feistel networks to the three-round Feistel network attack? The way to do that is basically to try to characterize f0, which is the first round function here, in a way that we learn some intermediate values, the c values, and then the rest of the graph will look like a three-round Feistel network, and we already know how to reconstruct those round functions with the three-round attack with known plaintext-ciphertext pairs. Characterizing the first round function is not easy.
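The equivalent-round-function trick and the three-round known-plaintext yoyo recovery described above, as an added Python example that is not code from the talk or the paper. It models a three-round Feistel network over Z_N x Z_N with modular addition, where the round functions are random lookup tables; `shifted_round_functions` builds the delta-shifted triple and `same_codebook` checks it encrypts identically, `recover_three_rounds` explores the connected component of the (y, t) bipartite graph exactly as the yoyo game does, and `experiment` repeats the recovery with |S| = theta * N known pairs, mirroring the talk's plot. The table sizes, seed and theta are constructed values, and the function and parameter names are this example's own.

```python
"""Three-round Feistel network over Z_N x Z_N with modular addition: equivalent
round functions and known-plaintext round-function recovery (yoyo game).
Added illustration, not code from the talk or the paper."""
import random
from collections import deque

def encrypt(x, y, f, N):
    """Encrypt (x, y) with the round-function tables f = (f0, f1, f2)."""
    f0, f1, f2 = f
    c = (x + f0[y]) % N   # intermediate value, unknown to the adversary
    t = (y + f1[c]) % N   # right half of the ciphertext
    z = (c + f2[t]) % N   # left half of the ciphertext
    return z, t

def random_round_functions(N, rng):
    """Three independent random functions Z_N -> Z_N, stored as tables."""
    return tuple([rng.randrange(N) for _ in range(N)] for _ in range(3))

def shifted_round_functions(f, delta, N):
    """The equivalent triple from the talk: add delta to f0's output,
    pre-subtract delta from f1's input, subtract delta from f2's output."""
    f0, f1, f2 = f
    g0 = [(f0[y] + delta) % N for y in range(N)]
    g1 = [f1[(c - delta) % N] for c in range(N)]
    g2 = [(f2[t] - delta) % N for t in range(N)]
    return g0, g1, g2

def same_codebook(f, g, N):
    """True iff f and g encrypt every message of Z_N x Z_N identically."""
    return all(encrypt(x, y, f, N) == encrypt(x, y, g, N)
               for x in range(N) for y in range(N))

def recover_three_rounds(S, N):
    """Known-plaintext round-function recovery.  S is a list of
    ((x, y), (z, t)) pairs.  Returns partial tables (dicts) f0, f1, f2 that
    are consistent with every pair in the connected component of S[0]'s y
    in the bipartite graph (y values) -- (t values)."""
    by_y, by_t = {}, {}
    for pair in S:
        by_y.setdefault(pair[0][1], []).append(pair)
        by_t.setdefault(pair[1][1], []).append(pair)
    f0, f1, f2 = {}, {}, {}
    y0 = S[0][0][1]
    f0[y0] = 0                      # one output of f0 may be fixed arbitrarily
    queue = deque([('y', y0)])
    while queue:
        side, v = queue.popleft()
        if side == 'y':             # f0(v) known: encrypt forward
            for (x, y), (z, t) in by_y[v]:
                c = (x + f0[y]) % N
                f1.setdefault(c, (t - y) % N)
                if t not in f2:
                    f2[t] = (z - c) % N
                    queue.append(('t', t))
        else:                       # f2(v) known: decrypt backward
            for (x, y), (z, t) in by_t[v]:
                c = (z - f2[t]) % N
                f1.setdefault(c, (t - y) % N)
                if y not in f0:
                    f0[y] = (c - x) % N
                    queue.append(('y', y))
    return f0, f1, f2

def consistent(S, tables, N):
    """Every pair reached by the attack must encrypt correctly under the
    recovered (partial) tables."""
    f0, f1, f2 = tables
    for (x, y), (z, t) in S:
        if y in f0:
            c = (x + f0[y]) % N
            if c not in f1 or t not in f2:
                return False
            if ((y + f1[c]) % N, (c + f2[t]) % N) != (t, z):
                return False
    return True

def experiment(N, theta, trials, seed=0):
    """Fraction of runs recovering all three tables, and mean fraction of f0
    recovered, with |S| = theta * N known pairs per run (constructed setup)."""
    rng = random.Random(seed)
    full, f0_frac = 0, 0.0
    for _ in range(trials):
        f = random_round_functions(N, rng)
        msgs = rng.sample([(x, y) for x in range(N) for y in range(N)],
                          int(theta * N))
        S = [((x, y), encrypt(x, y, f, N)) for x, y in msgs]
        rec = recover_three_rounds(S, N)
        full += all(len(tab) == N for tab in rec)
        f0_frac += len(rec[0]) / N
    return full / trials, f0_frac / trials
```

The recovered tables are never the true ones: fixing f0(y0) = 0 selects the equivalent triple with delta = -f0(y0), which is why `consistent` holds on the whole component while `same_codebook` against the true tables only holds once every point of every table has been reached. Running `experiment` with theta around 1 shows a giant component most of the time and full recovery only for larger theta, which is the random-graph behaviour the talk relies on.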
First of all, it's not so intuitive, but I don't have time for details, and you can talk to me after the presentation if you like. The results I would like to show you are here. It's important because of the data query complexity, which is shown with the M value, which is parameterized with L, and it is typically set to three in the experimental results. What I would like to say is that the success probability means that the entire round functions have been recovered out of these many trials, and these trials are run for different independent keys. When N gets larger and larger, the success probability gets larger as well; it gets close to one, so the four-round attack succeeds as well. So we are good to go. Now I would like to switch gears to the FF3 construction very quickly. This is how the FF3 construction looks: it's an eight-round Feistel network with different round functions, and the round functions are basically all the same function under the same key. What happens here is that the generic tweak T is divided into two halves, left and right halves, and each is XORed with the round index for each round. Okay, so these round functions are now pairwise different round functions defining different PRPs. So this is the domain separation the FF3 construction is considering, and we will exploit this design because it has some weaknesses. Before that: in this work we again give a round function recovery attack with chosen-plaintext and chosen-tweak power for the adversary, the query complexity is this times the tweaks, and the time complexity is N to the fifth. There is another work given by Bellare at CCS 2015 which is of a slightly different flavour, because it's not round function recovery, it is a different security notion, and against this security notion they give an attack. Here the time and tweak complexity are equal to this; I didn't have space, so I'm sorry for
that, but these two, the time complexity and the complexity here, are the same. They give an attack against FF3 and FF1, not only FF3, so it is maybe not so fair to compare these results, but yeah. So again, coming back to the FF3 construction with tweak T, I would like to introduce its sibling with tweak T', where T' is basically T XORed with four. Why? The attack I'm presenting now is basically a chosen-tweak attack, and it is important to pick another tweak T', XORed with four relative to tweak T, because it gives us these nice slid versions of each other. So what is happening here is that the upper half of the left encryption is equal to the bottom half of the right encryption, and vice versa. (Session chair: Oh yeah, running out of time, so please wrap up.) Okay. So very quickly, we start with an arbitrary message, we apply a chain encryption with the tweak T and the secret key K, and we do it many times, and the same is done with the tweak T', which is T XORed with four. All the adversary is trying to do is to find a mapping of (x, y)_{i,j}, which is the j-th encryption of the i-th column here, and this is going to be mapped to (x̄, ȳ)_{i',0} under G. If the adversary can detect that, the rest will follow, and we will have some input-outputs of a four-round Feistel network, which is defined with G and H. Okay, so we will be able to reduce our attack to the four-round attack here. To see the success probability of our attack, we just need to see that these two segments of length B should overlap in at least M points, and M was the query complexity of our known-plaintext four-round Feistel network attack. So all we need to look at is: what is the probability that these two segments overlap on M points?
And if they do overlap on M points, we have enough data to reconstruct the four round functions defined with G and H, both of them. Okay, and here are the results. Again, A and B are defined here: A is the number of arbitrary plaintexts to apply chain encryption to, and B is the length of the chain encryption. When N gets larger the success probability gets larger; the success probability here is again to recover all the round functions, the eight round functions. The conclusion is that we are not sure how Feistel networks behave with small domain sizes; we need a little more research for that. Also, FF3 suffers from bad domain separation, and it is luckily easy to fix: instead of XORing the round tweak with the round index, it is just concatenated, and this will prevent our attack. Thank you so much for your attention.
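The domain separation glitch and the proposed fix from the last part of the talk, as an added Python example that is not the FF3 reference code. It derives the eight per-round tweak words either by XORing the round index into the selected tweak half (the FF3 design as the talk describes it) or by concatenating the index (the fix), checks with `find_slide` whether the schedule for the sibling tweak is a rotation of the schedule for T, and confirms with `slide_relation_holds` on a toy Feistel network that the XOR variant makes the last four rounds under T equal to the first four rounds under T', which is the slid structure the attack builds on, while the concatenation variant does not. The tweak layout, the SHA-256 based stand-in for the AES round function, the XOR of 4 into both halves and all tweak and key values are this example's own assumptions.

```python
"""Round-tweak schedule of an FF3-like eight-round Feistel network: XOR
domain separation versus concatenating the round index.  Added illustration
with simplified tweak layout and a constructed round function."""
import hashlib

ROUNDS = 8

def round_tweaks(t_left, t_right, mode):
    """Per-round tweak words for the 64-bit tweak (t_left || t_right).
    Even rounds use the right half, odd rounds the left half.  The round
    index i is mixed in by XOR ('xor', FF3 as described in the talk) or kept
    in its own field by concatenation ('concat', the proposed fix)."""
    words = []
    for i in range(ROUNDS):
        half = t_right if i % 2 == 0 else t_left
        if mode == 'xor':
            words.append(half ^ i)
        elif mode == 'concat':
            words.append((half << 8) | i)
        else:
            raise ValueError(mode)
    return words

def sibling_tweak(t_left, t_right, x=4):
    """The related tweak from the talk, assumed here to XOR 4 into both
    32-bit halves (the talk only says 'T XORed with four')."""
    return t_left ^ x, t_right ^ x

def find_slide(seq_a, seq_b):
    """Return k (1 <= k < ROUNDS) if seq_b is seq_a rotated by k rounds,
    i.e. round i under the second tweak reuses round (i + k) mod 8 of the
    first; None if the two schedules never line up."""
    for k in range(1, ROUNDS):
        if seq_b == seq_a[k:] + seq_a[:k]:
            return k
    return None

def toy_round_function(key, word, v, N):
    """Keyed hash of (tweak word, branch value) reduced mod N: a constructed
    stand-in for FF3's AES call, giving an independent-looking function per
    tweak word."""
    data = key + word.to_bytes(8, 'big') + v.to_bytes(4, 'big')
    return int.from_bytes(hashlib.sha256(data).digest()[:8], 'big') % N

def feistel(x, y, key, words, N):
    """One Feistel round per tweak word over Z_N x Z_N, with modular
    addition as the group operation (the simplified picture in the talk)."""
    for w in words:
        x, y = y, (x + toy_round_function(key, w, y, N)) % N
    return x, y

def slide_relation_holds(key, t_left, t_right, N, mode):
    """Check, for every message m, that G(Enc_T(m)) == Enc_T'(G(m)), where G
    is the first four rounds under T and T' is the sibling tweak.  With XOR
    separation the last four rounds under T are the first four under T', so
    Enc_T = H o G and Enc_T' = G o H and the relation holds for all m; with
    the concatenation fix the schedules differ and it fails."""
    words = round_tweaks(t_left, t_right, mode)
    words_sib = round_tweaks(*sibling_tweak(t_left, t_right), mode)
    G = words[:4]
    for x in range(N):
        for y in range(N):
            lhs = feistel(*feistel(x, y, key, words, N), key, G, N)
            rhs = feistel(*feistel(x, y, key, G, N), key, words_sib, N)
            if lhs != rhs:
                return False
    return True
```

With XOR separation the round-i word under T' is the round-(i XOR 4) word under T, and since i and i XOR 4 have the same parity the same tweak half is selected, so the two eight-round schedules are rotations of each other by exactly four rounds. Giving the round index its own field removes every such coincidence between tweaks, which is the one-line change the talk proposes.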