The Curse of Small Domains: New Attacks on Format-Preserving Encryption

  • Viet Tung HoangEmail author
  • Stefano Tessaro
  • Ni Trieu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)


Format-preserving encryption (FPE) produces ciphertexts which have the same format as the plaintexts. Building secure FPE is very challenging, and recent attacks (Bellare, Hoang, Tessaro, CCS ’16; Durak and Vaudenay, CRYPTO ’17) have highlighted security deficiencies in the recent NIST SP800-38G standard. This has left the question open of whether practical schemes with high security exist.

In this paper, we continue the investigation of attacks against FPE schemes. Our first contribution are new known-plaintext message recovery attacks against Feistel-based FPEs (such as FF1/FF3 from the NIST SP800-38G standard) which improve upon previous work in terms of amortized complexity in multi-target scenarios, where multiple ciphertexts are to be decrypted. Our attacks are also qualitatively better in that they make no assumptions on the correlation between the targets to be decrypted and the known plaintexts. We also surface a new vulnerability specific to FF3 and how it handles odd length domains, which leads to a substantial speedup in our attacks.

We also show the first attacks against non-Feistel based FPEs. Specifically, we show a strong message-recovery attack for FNR, a construction proposed by Cisco which replaces two rounds in the Feistel construction with a pairwise-independent permutation, following the paradigm by Naor and Reingold (JoC, ’99). We also provide a strong ciphertext-only attack against a variant of the DTP construction by Brightwell and Smith, which is deployed by Protegrity within commercial applications. All of our attacks show that existing constructions fall short of achieving desirable security levels. For Feistel and the FNR schemes, our attacks become feasible on small domains, e.g., 8 bits, for suggested round numbers. Our attack against the DTP construction is practical even for large domains. We provide proof-of-concept implementations of our attacks that verify our theoretical findings.


Format-preserving encryption Attacks 



We thank Mihir Bellare and the anonymous CCS and CRYPTO reviewers for insightful feedback. We also thank Michael Maloney and Clyde Williamson of Protegrity Corp. for providing the information of the DTP scheme.

Viet Tung Hoang was supported by NSF grants CICI-1738912 and CRII-1755539. Stefano Tessaro was supported by NSF grants CNS-1553758 (CAREER), CNS-1423566, CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship. Ni Trieu was supported by NSF award #1617197.


  1. 1.
    Bellare, M., Hoang, V.T., Tessaro, S.: Message-recovery attacks on Feistel-based format preserving encryption. In: ACM CCS 2016, pp. 444–455. ACM Press (2016)Google Scholar
  2. 2.
    Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). Scholar
  3. 3.
    Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption. Submission to NIST, February 2010.
  4. 4.
    Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). Scholar
  5. 5.
    Brier, E., Peyrin, T., Stern, J.: BPS: a format-preserving encryption proposal. Submission to NIST (2010)Google Scholar
  6. 6.
    Brightwell, M., Smith, H.: Using datatype-preserving encryption to enhance data warehouse security. In: 20th National Information Systems Security Conference Proceedings (NISSC), pp. 141–149 (1997)Google Scholar
  7. 7.
    Dara, S., Fluhrer, S.: FNR: arbitrary length small domain block cipher proposal. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 146–154. Springer, Cham (2014). Scholar
  8. 8.
    Durak, F.B., Vaudenay, S.: Breaking the FF3 format-preserving encryption standard over small domains. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 679–707. Springer, Cham (2017). Scholar
  9. 9.
    Dworkin, M.: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. NIST Special Publication 800–38G, March 2016.
  10. 10.
    Dworkin, M., Perlner, R.: Analysis of VAES3 (FF2). Cryptology ePrint Archive, Report 2015/306 (2015).
  11. 11.
    Hoang, V.T., Morris, B., Rogaway, P.: An enciphering scheme based on a card shuffle. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 1–13. Springer, Heidelberg (2012). Scholar
  12. 12.
    Mattsson, U.: Format controlling encryption using datatype preserving encryption. Cryptology ePrint Archive, Report 2009/257 (2009).
  13. 13.
    Morris, B., Rogaway, P.: Sometimes-Recurse shuffle: almost-random permutations in logarithmic expected time. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 311–326. Springer, Heidelberg (2014). Scholar
  14. 14.
    Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptol. 12(1), 29–66 (1999)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Ristenpart, T., Yilek, S.: The Mix-and-Cut shuffle: small-domain encryption secure against N queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 392–409. Springer, Heidelberg (2013). Scholar
  16. 16.
    Vance, J.: VAES3 scheme for FFX: An addendum to The FFX mode of operation for Format Preserving Encryption. Submission to NIST, May 2011Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceFlorida State UniversityTallahasseeUSA
  2. 2.Department of Computer ScienceUniversity of California Santa BarbaraSanta BarbaraUSA
  3. 3.Department of Computer ScienceOregon State UniversityCorvallisUSA

Personalised recommendations