ffx-spec.pdf资源-CSDN文库

网络安全

需积分: 5 115 浏览量 2024-09-14 11:10:09 上传评论收藏 471KB PDF 举报

资源推荐

资源详情

资源评论

The FFX Mode of Operation for

Format-Preserving Encryption

Draft 1.1

Mihir Bellare

Phillip Rogaway

Terence Spies

February 20, 2010

1 Introduction

This speciﬁcation document describes FFX, a mechanism for format-preserving encryption (FPE).

Schemes for FPE enable one to encrypt Social Security numbers (SSNs), credit card numbers

(CCNs), and the like, doing so in such a way that the ciphertext has the same format as the

plaintext. In the case of SSNs, for example, this means that the ciphertext, like the plaintext,

consists of a nine decimal-digit string. Similarly, encryption of a 16-digit CCN results in a 16-digit

ciphertext. FPE is rapidly emerging as a useful cryptographic tool, with applications including

ﬁnancial-information security, data sanitization, and transparently encrypting ﬁelds in a legacy

database.

The encryption algorithm of FFX takes in a key K, a plaintext X,and a tweak T . The plain-

text is taken over an arbitrary alphabet Chars. Assuming that n = |X| is a supported length,

FFX.Encrypt will produce—deterministically—a ciphertext Y = FFX.Encrypt

(X) ∈ Chars

One can recover X from Y by way of X = FFX.Decrypt

(X).

FFX mode is ﬂexible and customizable. In particular, unrepresented in the explicitly named argu-

ments to FFX.Encrypt and FFX.Decrypt is the fact that FFX depends on a number of parameters.

Once chosen, it is assumed that they are held ﬁxed for the lifetime of a given user-generated key.

The parameters used in FFX include the number of Feistel rounds rnds(n), the desired degree of

imbalance split(n) in the Feistel network, and the round function F.

As example instantiations of FFX, we consider enciphering (i) binary strings of 8–128 bits, or

(ii) decimal strings of 4–36 digits. In Appendices A and B we specify parameter sets, denoted A2

and A10, to enable these task. Both employ a round function derived from AES. The fully instan-

tiated schemes would be denoted FFX-A2 and FFX-A10.

University of California, San Diego, Dept. of Computer Science & Engineering, 9500 Gilman Drive, La Jolla,

CA 92093, USA. e-mail: mihir@cs.ucsd.edu, url: http://cseweb.ucsd.edu/∼mihir/. Bellare’s work on this spec has

been done in collaboration with Semtek Innovative Solutions Corp; please see the acknowledgments on p. 6.

University of California, Davis, Dept. of Computer Science, One Shields Avenue, Davis, CA 95616, USA.

e-mail: rogaway@cs.ucdavis.edu, url: http://www.cs.ucdavis.edu/∼rogaway/. Rogaway’s work on this spec has been

done in collaboration with Voltage Security; please see the acknowledgments on p. 6.

Voltage Security, 4005 Miranda Ave, Suite 210, Palo Alto, CA 94304, USA. email: terence@voltage.com.

Spies is the Chief Technology Oﬃcer at Voltage.

The name FFX is meant to suggest Format-preserving, Feistel-based encryption. The X reﬂects

there being multiple instantiations (that is, parameter choices). It further reﬂects that FFX is an

outgrowth of, and extension to, the FFSEM speciﬁcation earlier submitted to NIST by Spies [28].

The current draft replaces that contribution. Compared to it, FFX is more general, adding in

support for tweaks, non-binary alphabets, and non-balanced splits. Cycle-walking can now be

avoided in the setting of primary practical importance, encrypting decimal strings.

While this document does not attempt to explain or survey all of the cryptographic results relating

to FFX, their existence—and indeed the entire history of results concerning Feistel networks—

underlies our mechanism’s selection. In general, contemporary cryptographic results and experience

indicate that FFX achieves cryptographic goals including nonadaptive message-recovery security,

chosen-plaintext, and even PRP-security against an adaptive chosen-ciphertext attack. The quan-

titative security depends on the number of rounds used, the imbalance, and the adversary’s access

to plaintext/ciphertext pairs. One assumes that the underlying round function is a good pseudo-

random function (PRF).

While FFX can, in principle, be used to encipher character strings of arbitrary length, the mecha-

nism is intended for message spaces smaller than that of AES (2

128

points). For enciphering longer

strings, other techniques would seem to be preferable. In particular, EME2 [9] can encipher binary

strings of any length n>128.

An earlier version of this speciﬁcation document, version 1.0, was provided to NIST in November

2009. The substantive change we have made since that version is the addition of a parameter proﬁle

for binary strings, A2.

Deﬁnition of FFX

See Figure 1 for an illustration of FFX, Figure 2 for a description of the parameters on which FFX

depends, and Figure 3 for the the deﬁnition of FFX in terms of these parameters. We expect all

parameter choices to be ﬁxed for the lifetime of a given key. Encryption and decryption must use

the same parameters.

3Notation

Throughout this document, a number means a nonnegative integer. Plaintexts and ciphertexts

are regarded as strings over an alphabet Chars = {0, 1,...,radix − 1}. Members of the alphabet

are called characters. The number of characters radix in Chars is referred to as the radix of the

alphabet. Example radix values are 2, 10, and 26, corresponding to bits, digits, and uppercase

English letters. It is required that radix ≥ 2.

If a user wishes to encrypt over a non-numeric alphabet, say {a,...,z}, she must set up a bijective

mapping between this alphabet and Chars = {0,...,radix − 1} via which her inputs and outputs

can be regarded as numeric values, as required for our algorithms.

A string is a ﬁnite sequence of characters from Chars.By | X | we denote the length of string X,

the number of characters in it. For example, X = 00326 is a string of length | 00326 | = 5. Note

parameter description

radix The radix,a number radix ≥ 2 that determines the alphabet Chars = {0,...,radix − 1}.

Plaintexts and ciphertexts are strings of characters from Chars.

Lengths The set of permitted message lengths . For a plaintext to be encrypted, or for a ciphertext

to be decrypted, its length must be in this set.

Keys The key space, a ﬁnite nonempty set of binary strings.

Tweaks The tweak space, a nonempty set of strings. Conceptually, diﬀerent tweaks name unrelated

encryption mappings.

addition The addition operator , either 0 (characterewise addition) or 1 (blockwise addition). De-

termines the meaning of the operators X  Y and X  Y that add or subtract equal-length

strings over the alphabet Chars = {0, 1,...,radix − 1}.

method The Feistel method, either 1 or 2. The value determines which of the two prominent Feistel

variants will be used.

split (n) The imbalance, a function that takes a permitted length n ∈ Lengths and returns a number

1 ≤ split(n) ≤ n/2.

rnds (n) The number of rounds, a function that takes a permitted length n ∈ Lengths and returns

an even number rnds(n).

F The round function, a function that takes in a key K ∈ Keys, a permitted length n ∈

Lengths,a tweak T ∈ Tweaks, a round number i ∈{0,...,rnds(n) − 1},and a string

B ∈ Chars

∗

. It returns a string F

(n, T, i, B) ∈ Chars

∗

.If method =1 or i is even then

| B | = n − split(n)and | F

(n, T, i, B) | = split(n). If method =2 and i is odd then

= n − split(n).| B | = split(n)and | F

(n, T, i, B) |

Figure 2: Parameters of FFX. To have a fully-speciﬁed scheme, each of these parameters must be deﬁned.

unique string Z such that Y  Z = X. As an example, still with radix = 10, we have 32  15 = 27

for characterwise addition and 32  15 = 17 for blockwise addition. Note that when the radix is

two, characterwise addition and subtraction are the same as xor.

We expect radix and Lengths to be determined by the needs of the application, not by security

considerations. The choice of Keys will typically ﬂow from the underlying cryptographic primitive

employed; for example, the key space might consist of AES keys if one uses AES to construct the

round function. The set Tweaks should be large enough to accommodate all non-secret information

that may be associated to a plaintext. Users are strongly encouraged to employ tweaks whenever

possible, as their judicious use can signiﬁcantly enhance security. See Appendix F. The addition

parameter speciﬁes the group over which addition is performed. Eﬃciency considerations determine

its choice; we do not expect the value to be security relevant.

In specifying a collection of parameters one must choose rnds,as well as method and split,in order to

balance performance requirements and security considerations. See Appendix H for a discussion.

To avoid known attacks, we require that rnds(n) ≥ 8if n =2 · split(n)orif method = 2 and

n =2 · split(n) + 1, and we require that rnds(n) ≥ 4n/split(n) otherwise. We emphasize that these

values are minimums, not recommended values. We insist that radix

≥ 100. This last requirement

is to prevent the meet-in-the-middle attack discussed in Appendix H.

The round function F

(n, T, i, B) must be constructed from a blockcipher E or a hash func-

tion H. We recommend AES for the former. Options for an AES-based round function include

剩余17页未读，继续阅读

评论收藏

内容反馈

nfgo

粉丝: 766
资源: 80

ffx-spec.pdf

FFXDemo:针对 ADS-B 1090ES 的 FFX 的示例实现

MELSEC iQ-FFX5-ENETIP用户手册.pdf

FFX4_DXVST_Pack1005_FFX-4RackPlug-in_in_

ST-STA339BW.pdf

ff14-fish-tracker-app:FF14鱼追踪器应用

Handbook_of_Functional_MRI_Data_Analysis_(0521517664).pdf.zip

三菱FX5用户手册（以太网通信篇）.pdf

iQ-F FX5用户手册（定位篇）.pdf

三菱FX5-4AD 模拟量硬件手册.pdf

fenics-中文教程_fenics_fenics中文教程_pdf_thefenicstutorial_

三菱PLC FX3UC使用手册（硬件篇）.pdf

FX5-20PG-P_D用户手册(定位篇 智能功能模块) sh081806chnc.pdf

适合高端移动应用的影像处理器.pdf

ffx2-sphere-break:FFX2 Sphere Break 游戏的小工具

STA350BW：数字音频系统级芯片.pdf

AE脚本 AutoSway_v1.85.zip

移动设备电视输出处理器.pdf

三菱FX5U用户手册(硬件篇).pdf

集成高效音频编解码器的音频处理器.pdf

三菱FX5编程手册（程序设计篇）.pdf

三菱FX5S_FX5UJ_FX5U_FX5UC系列PLC 用户手册 (硬件篇).pdf

北罚调色.ffx

调色斑爷.ffx

Fiddler简单过滤规则1.ffx

perm-crypt:AES-FFX 格式保留加密方案的 Golang 实现

方正飞腾创意-杂志页面

三菱PLC说明书

AE粒子插件Particular动画预设

最新资源

FX5-20PG-P_D用户手册(定位篇智能功能模块) sh081806chnc.pdf