
FNR : Arbitrary length small domain block cipher proposal

Date post: 21-Jun-2015
Upload: sashank-dara
Description:
We propose a practical flexible (or arbitrary) length small domain block cipher, FNR encryption scheme. FNR denotes Flexible Naor and Reingold. It can cipher small domain data formats like IPv4, Port numbers, MAC Addresses, Credit card numbers, any random short strings while preserving their input length. In addition to the classic Feistel networks, Naor and Reingold propose usage of Pair-wise independent permutation (PwIP) functions based on Galois Field GF(2^n). Instead we propose usage of random N × N Invertible matrices in GF(2).
FNR: Arbitrary length small domain block cipher proposal Sashank Dara , Scott Fluhrer Cisco Systems Inc Bangalore
Transcript
Page 1: FNR : Arbitrary length small domain block cipher proposal

FNR: Arbitrary length small domain block cipher proposal Sashank Dara , Scott Fluhrer

Cisco Systems Inc

Bangalore

Page 2: FNR : Arbitrary length small domain block cipher proposal

Motivation

¤  AES works on fixed length inputs (128 bits), needs padding for other lengths.

¤  Variable length block ciphers

¤  Well defined lengths (Network Packets, Database columns)

¤  Storage Gains (Cloud storage would blow up with AES-128 for smaller data types say 32 bits)

¤  Aids in preserving formats of the inputs (IPv4 Addresses, Credit Card Numbers, MAC Addresses, Time Stamps)

Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

Page 3: FNR : Arbitrary length small domain block cipher proposal

Design Goals

¤  Variable Input lengths

¤  To be Practical and Secure

¤  Common Key Length for arbitrary input domains

¤  Secure Building Blocks (Feistel Networks, SPNs)

¤  Leverage Hardware Support (say Intel’s AES-NI)

¤  Don’t re-invent the wheel

Page 4: FNR : Arbitrary length small domain block cipher proposal

Prior Art

¤  Michael Luby and Charles Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing, 17(2):373–386, 1988.

¤  Mihir Bellare and Phillip Rogaway. On the construction of variable-input-length ciphers. In Fast Software Encryption, pages 231–244. Springer, 1999.

¤  Moni Naor and Omer Reingold. On the construction of pseudorandom permutations: Luby-Rackoff revisited. Journal of Cryptology, 12(1):29–66, 1999.

¤  John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In Topics in Cryptology – CT-RSA 2002, pages 114–130. Springer, 2002.

¤  Mihir Bellare, Thomas Ristenpart, Phillip Rogaway, and Till Stegers. Format-preserving encryption. In Selected Areas in Cryptography, pages 295–312. Springer, 2009.

Page 5: FNR : Arbitrary length small domain block cipher proposal

Feistel Networks

Example: DES is Feistel based. AES is not Feistel based; it is an SPN.

Pseudo Random Function

Page 6: FNR : Arbitrary length small domain block cipher proposal

Pair wise Independent Permutations

A family of functions F is a pairwise independent permutation if:

1.  Each member of the family is itself a permutation, and

2.  For any fixed A, B (with A≠B, and both from the input set of the permutation), and f a random member of the family F, the pair f(A), f(B) is equi-distributed over all distinct pairs from the output range of the function.

Page 7: FNR : Arbitrary length small domain block cipher proposal

Naor and Reingold’s (NR) Scheme

PwIP is defined over an affine function

y = aX + b, where a, b in GF(2^n)

Difficult to define GF(2^n) for variable lengths in practice

Results in complex implementations

Page 8: FNR : Arbitrary length small domain block cipher proposal

Flexible Naor and Reingold’s (FNR)

Pair wise Independence Based on (Invertible) Matrices
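Added example (not from the slides and not libfnr code): an affine map y = M·x XOR c with M a random invertible N × N matrix over GF(2), its inverse, and an exhaustive check of the pairwise-independence definition from the earlier slide for small N. The XOR constant c carries over the "+ b" term of the affine form on the NR slide; the row-bitmask matrix layout and all function names are assumptions of this sketch.

```python
import itertools, secrets
from collections import Counter

def mat_vec(rows, x):
    """Multiply a GF(2) matrix (list of row bitmasks) by the bit-vector x."""
    y = 0
    for i, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << i   # parity of (row AND x)
    return y

def invert(rows):
    """Gauss-Jordan elimination over GF(2); None if the matrix is singular."""
    n, a = len(rows), list(rows)
    inv = [1 << i for i in range(n)]              # starts as the identity
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r] >> col & 1), None)
        if piv is None:
            return None
        a[col], a[piv], inv[col], inv[piv] = a[piv], a[col], inv[piv], inv[col]
        for r in range(n):
            if r != col and a[r] >> col & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

def random_invertible(n, rng=secrets.SystemRandom()):
    """Rejection-sample an invertible n x n matrix; returns (M, M^-1)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        inv = invert(rows)
        if inv is not None:
            return rows, inv

def pwip(rows, c, x):
    return mat_vec(rows, x) ^ c                   # y = M.x XOR c
def pwip_inv(inv_rows, c, y):
    return mat_vec(inv_rows, y ^ c)               # x = M^-1.(y XOR c)

def pair_counts(n, a=1, b=2):
    """Count where the fixed pair (a, b) lands over every invertible M and every c."""
    counts = Counter()
    for rows in itertools.product(range(1 << n), repeat=n):
        if invert(rows) is not None:
            for c in range(1 << n):
                counts[pwip(rows, c, a), pwip(rows, c, b)] += 1
    return counts

if __name__ == "__main__":
    m, m_inv = random_invertible(32)              # 32 bits: IPv4-sized input (constructed)
    print(hex(pwip_inv(m_inv, 7, pwip(m, 7, 0xC0A80001))), set(pair_counts(3).values()))
```

For N = 3 every one of the 56 ordered pairs of distinct outputs is hit by the same number of (M, c) choices, which is the equi-distribution the definition asks for. Without the constant c the map is linear and always sends 0 to 0, so the constant is needed for the property to hold.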

Page 9: FNR : Arbitrary length small domain block cipher proposal

FNR’s Details

¤  Tweakable Variable Length Block Cipher (Precisely)

¤  Matrix Operations to be performed in GF(2)

¤  Number of Round functions is 7 (Patarin’s proof)

¤  Internal PRF is AES in ECB mode (Leverage AES-NI)

¤  To ensure input to PRF is unique we use a round constant along with tweak string
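Added example (a simplified sketch, not the FNR specification and not libfnr code): a 7-round Feistel network over an arbitrary bit length n, where the round number and the tweak string are part of every PRF input as the slide describes. HMAC-SHA256 stands in for the slide's AES PRF because the Python standard library has no AES, the PwIP layers are left out, and the uneven-halves handling for odd n, the message layout and all names are assumptions.

```python
import hashlib, hmac

ROUNDS = 7  # round count given on the slide

def prf(key, tweak, rnd, value, out_bits):
    """Round function: HMAC-SHA256 stand-in for the slide's AES PRF.
    The round constant and the length-prefixed tweak make each PRF input unique."""
    msg = bytes([rnd, len(tweak)]) + tweak + value.to_bytes(16, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)

def encrypt(key, tweak, n, x):
    """Permute the n-bit integer x (2 <= n <= 128); the output is also n bits."""
    u, v = n // 2, n - n // 2             # bit widths of the halves a and b
    a, b = x >> v, x & ((1 << v) - 1)
    for rnd in range(ROUNDS):
        a, b = b, a ^ prf(key, tweak, rnd, b, u)
        u, v = v, u                       # the halves swap, so their widths swap
    return (a << v) | b

def decrypt(key, tweak, n, y):
    u, v = n // 2, n - n // 2
    if ROUNDS % 2:                        # an odd round count leaves the widths swapped
        u, v = v, u
    a, b = y >> v, y & ((1 << v) - 1)
    for rnd in reversed(range(ROUNDS)):
        a, b = b ^ prf(key, tweak, rnd, a, v), a
        u, v = v, u
    return (a << v) | b

if __name__ == "__main__":
    import ipaddress
    key, tweak = b"\x00" * 16, b"flow-logs"   # constructed demo values
    ct = encrypt(key, tweak, 32, int(ipaddress.IPv4Address("192.168.0.1")))
    print(ipaddress.IPv4Address(ct), ipaddress.IPv4Address(decrypt(key, tweak, 32, ct)))
```

The mapping is deterministic: the same key, tweak and input always give the same output, so on a small domain the tweak is what keeps separate data sets from sharing one codebook.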

Page 10: FNR : Arbitrary length small domain block cipher proposal

FNR’s Security Measure

¤  The probability that an attacker can distinguish a cipher text from random text.

¤  Due to Naor and Reingold’s proof, using PWIP functions would result in a security measure as defined below

¤  Classic Feistel networks without PWIP would have as below

¤  Where r is round count, n is number of input bits, m is Number of pairs of plain text, cipher text needed by attacker to

Page 11: FNR : Arbitrary length small domain block cipher proposal

Format Preserving encryption (FPE)

Samples

Ranking Approach

Page 12: FNR : Arbitrary length small domain block cipher proposal

FPE examples with FNR

Page 13: FNR : Arbitrary length small domain block cipher proposal

Performance of FNR

[Figure panels: IP Addresses; Credit Card Numbers]

Page 14: FNR : Arbitrary length small domain block cipher proposal

Conclusions and Future work

¤  Proposed a variable length block cipher

¤  Practical and based on secure building blocks

¤  Source code is released under LGPL-v2

¤  Future Work

¤  Exhaustive Cryptanalysis (theoretical and practical)

¤  Support more applications and formats like MAC Addresses, Time Stamps

Page 15: FNR : Arbitrary length small domain block cipher proposal

Resources

¤  Specification

¤  https://eprint.iacr.org/2014/421

¤  Motivation and Applications

¤  http://cisco.github.io/libfnr/

¤  Source code

¤  https://github.com/cisco/libfnr

¤  https://github.com/cisco/jfnr (Java bindings)

¤  Reach out for questions

¤  [email protected]
