FNR - Arbitrary length small domain block cipher proposal

1
Karunakar SarojM.TechIIT PATNA

• FNR - Arbitrary length small domain block cipher
  proposal

2
Motivation

• Traditional block ciphers work on fixed blocks of
  dataas an example, AES is well-defined for
  128/192/256 bits. But one of the issues is the
  need for paddingso if you need to encrypt small
  amounts of data you may end with a huge
  difference in input vs. output size. As an
  example, using AES/128 on ECB mode to encrypt an
  IPv4 address results in an input size of 32 bits,
  but an output size of 128 bits. This may not be
  desired for some applications. To address such
  needs, we have designed the FNR encryption
  scheme.
• Variable Length Block Ciphers-
• More useful
• Storage gain (cloud storage would blow up)
• Aids in preserving formats of the input
  (Port(16), IPv4(32), MAC (48) , IPv6 (128) etc.)

3
About

• There is a compelling need for privacy of
  sensitive elds before data is shared with any
  cloud provider, semi-trusted vendors, partners
  etc.
• This paper propose a practical flexible length
  small domain block cipher,FNR encryption scheme.
• FNR denotes Flexible Naor and Reingold.
• It can cipher small domain data formats like
  IPv4, Port numbers, MAC Addresses, Credit card
  numbers, any random short strings while
  preserving their input length.
• While designing privacy for sensitive elds, it
  may be desirable to preserve the length of the
  inputs.
• Small domain block ciphers are useful tool in
  designing privacy of sensitive data fields of
  smaller length (lt128 bits).

4
Design Goals
D G
Intellectual Property Free
Arbitrary length
Key Length
Supporting software platforms
Secure building blocks
Leveraging hardware support
5
Cont

• Arbitrary length - Input domains of variable
  lengths need to be supported. For example,a
  system that consists of NetFlow would have
  dierent domains like IPv4, Port, IPv6 etc. all
  are of dierent lengths.
• Key Length- A system might contain multiple
  domains of various lengths. If the key size is
  dependent on the input length, then managing key
  sizes of various lengths would be cumbersome. For
  this reasons key sizes should not depend on input
  length.
• Secure building blocks- The building blocks used
  for such design should be considered secure. For
  example techniques based on Feistel Networks of
  Luby Racko constructions, Substitution and
  Permutation Networks of AES are considered good
  blue prints for block cipher designs.

6
Cont

• Leveraging hardware support - Modern processors
  support AES at assembly level (say AES-NI of
  Intel and AMD). Such provisions should be
  leveraged for faster software implementations
• Supporting software platforms- Due to the
  advances in cloud computing technology, privacy
  of smaller data fields may need to be implemented
  in variety of software platforms. For example
  browsers that run Java, JavaScript, thin clients
  based on REST interfaces etc. apart from
  ubiquitous C, CPP implementations. For this
  reason, variety of software platforms should be
  easily supportable.
• Intellectual Property Free- Either the building
  blocks that are used in the block cipher design
  or the block cipher itself should be free from
  any intellectual property rights.

7
Useful Terms

• Key- A 128 bit long secret key, K, is needed.
  This is used internally by Pseudo Random Function
  (PRF).
• Tweak- A tweak, T, is like IV. It should be
  nearly n/2 bits length, where n is number of
  input bits.
• A, B are two matrices- A is invertible binary
  matrix of N X N dimension. B is binary vector of
  1 X N dimension. Where N denotes number of bits
  in the input.
• FNR, like any other block cipher, has two
  operations encryption and decryption. There are
  three inputs and an output for both of these
  operations. Typically the size of Plain text P is
  n bits such that n is in between 32 to 128 bits.

8
Feistel Cipher Structure

• The plaintext is divided into two halves L0 and
  R0. Then the two halves pass through n rounds of
  processing then combine to produce the cipher
  block.
• Each round has as input L and R derived from
  the previous round as well as a sub-key derived
  from the overall K .
• All rounds have the same structure.
• A substitution is performed on the left half of
  the data. This is done by applying a round
  function to the right half of the data followed
  by the XOR of the output of that function and the
  left half of the data.
• Feistel is symmetric structure to construct block
  ciphers. One round of Feistel is a 2n bit
  permutation d with an n bit round function as
  defined below

9
Cont

• An r round Feistel network is simply the
  composition of r one round Feistel structures,
  transforming r n-bit functions f1, f2,fr into a
  2n bit permutation

Pseudorandom Function
10
Pairwise Independent Random Variables
11
Cont

• Pair-wise Independent Permutations (PwIP)
  Algorithm -

(Output, B)
12

• Inverse PwIP Algorithm-

13
Two Round FNR
14
FNR Encryption
15
FNR Decryption
16
FNRs Security Measure
Security

• Security of LR (Luby Rackoff) schemes under went
  rigorous analysis by the community over many
  years.
• Also usage of PWIP is later proven to mitigate
  basic linear and differential cryptanalysis.

Round Count
Round Functions
17
Cont

• Round Functions- If assume that the AES output
  for any given input is uniformly distributed,
  that means the AES output bits we actually use in
  the Feistel will be independent between even and
  odd rounds if the attacker could engineer a
  collision with probability 1 the fact that the
  collision probability between even and odd round
  is actually considerably smaller turns out to be
  irrelevant.
• Round Count- A minimum of 7 rounds are needed to
  mitigate adaptive chosen plaintext and chosen
  ciphertext attacks due to Patarin's proof.
• The security measure of block ciphers is
  based on the probability with which an attacker
  can distinguish the ciphertext from a random
  text. Although our PwIP is different from theirs,
  without loss of generality, holds good for FNR.

18
Cont

• Security measure using PwIP functions
• Classic fiestel network without PwIP
• Where r is round count, n is number of bits of
  input domain, m is number of queries an attacker
  needs to make.
• So for example an input domain of 32 bits and
  round count of 7, it requires approximately 8757
  pairs of plain text and cipher text. Where as
  without the use of PwIP functions attacker just
  needs around 950 pairs of plain text and cipher
  text.

19
FPE (Format Preserving Encryption) on Test Vector
Plain Text
Rank
Encrypt
Derank
Cipher Text
20
Cont

• IPv4 addresses- Each IPv4 is ranked as 32 bit
  integer before it is encrypted, the resultant
  cipher text is a 32 bit integer which is
  de-ranked into a dotted notation.

21
Cont

• Credit card numbers- Each CC number is ranked as
  15 digit number by dropping the LUHN CHECKSUM.
  The ranked integer is then encrypted to get a
  cipher text that is again 15 digit number. Such
  integer is de-ranked by appending a LUHN CHECKSUM
  at the end into a valid Credit card number.

22
Advantages Disadvantages
Advantages
No length expansion
Key Length
Range Preservation
Arbitrary Length
23
Cont

• No length expansion -The length of plain text and
  cipher text is same. No expansion in cipher text
  facilitates avoiding re-engineering of packet
  formats, database columns etc.
• Range Preservation- The encryption function
  results in the cipher which is in the same range
  of input values. This aides in designing format
  preservation of input domains.
• Arbitrary Length -The design does not mandate any
  xed input lengths. FNR is flexible for input
  domains that are 32 bits and 128 bits.
• Key Length -The key length is not dependent on
  the input length and rather depends on underlying
  PRF (in this case AES-128/256).

24
Disadvantages
Performance
Deterministic
No Integrity
25
Cont

• Performance- The usage of matrices might add
  performance over head.
• No Integrity - FNR does not provide
  authentication and integrity.
• Deterministic- FNR does not provide any
  semantic security when used in ECB mode (like all
  other deterministic modes)