Abstract
Format-Preserving Encryption (FPE) has wide applications in sensitive data privacy protection; however, existing standard algorithms struggle to resist slide correlation and linear cryptanalysis attacks, and their algorithmic efficiency is relatively low. This paper proposes a Finite-Radix Format-Preserving Encryption (FR-FPE) algorithm. We design a parameter vector encryption mechanism based on CBC mode and a structured tweak full-association encryption model, which effectively resists slide correlation and linear cryptanalysis attacks. Furthermore, a lightweight deterministic encryption structure is designed to support the encryption of plaintexts up to 192 bits and tweaks up to 96 bits. With 9 Feistel rounds, the number of block cipher calls is reduced by 45% compared to FF1 while maintaining the same security strength as the NIST FF1 standard. Based on the game-hopping model, this paper proves that the FR-FPE algorithm achieves Strong Pseudo-Random Permutation (SPRP) security. Experimental results demonstrate that, under identical plaintext and tweak lengths, the encryption operations per second of FR-FPE are on average 41.56% higher than those of FF1, and the encrypted data throughput is on average 32.79% higher.
Full Text
Finite-Radix Format-Preserving Encryption (FR-FPE)
Affiliations:
College of Computer Science, National University of Defense Technology, Changsha, Hunan;
Hunan Anfang Information Technology Co., Ltd., Changsha, Hunan;
Changsha University of Science and Technology, Changsha, Hunan;
College of Science, National University of Defense Technology, Changsha, Hunan;
Hunan Rural Credit Union, Changsha, Hunan.
1 Introduction
With the rapid advancement of information technology, various industries face an urgent need to protect large volumes of fixed-format data, such as credit card numbers and identity identifiers. Traditional block cipher algorithms (e.g., AES) typically require data expansion or padding, resulting in ciphertext that appears as meaningless binary strings. These methods fail to preserve the length, format, and semantics of the original plaintext data.
This lack of format preservation leads to ciphertext data that is incompatible with existing systems or databases, necessitating costly and complex system modifications. To address this, Format-Preserving Encryption (FPE) was proposed. FPE ensures that the ciphertext maintains the same format and data type (e.g., numeric, alphabetic, or alphanumeric) as the plaintext. This technology has received significant attention from both academia and industry. In 1981, the U.S. National Bureau of Standards (now NIST) released FIPS 74, which first proposed the requirement that ciphertext and plaintext share the same format. Black and Rogaway subsequently introduced the Prefix Method, Cycle Walking, and Generalized Feistel Network. Later, NIST published the SP 800-38G standard, while the American National Standards Institute released ANSI X9.124, proposing algorithms based on counter-keystream modes.
While these algorithms have been adopted by numerous international organizations and are widely applied, their security remains a focal point of research. Specifically, slide attacks and linear cryptanalysis pose serious threats to current FPE algorithms. Researchers have developed three types of slide attacks. Among them, slide attacks utilizing cyclic structures achieve optimal data storage and time complexity. Beyne exploited the characteristic where tweak parameters alternate between two values to perform message recovery attacks, probabilistically inferring portions of the plaintext content. Linear cryptanalysis has reduced the data complexity of message recovery attacks to $O(N^{2.5})$. Consequently, two South Korean algorithm standards are no longer considered secure under these attack models.
Currently, the only standardized FPE mode capable of resisting both slide attacks and linear cryptanalysis is FF1. However, its design for arbitrary-length plaintexts computes the round function as a CBC-MAC over the tweak and the round input, which requires multiple block cipher calls per round and leads to low efficiency. The Chinese cryptographic industry standardization technical report GM/Y 5007 introduced an approach based on the SM4 algorithm. This method encrypts the tweak parameters and uses the result as the tweak for the round function, thereby resisting linear cryptanalysis and other attacks. However, the structure of this approach is not fixed, the tweak parameter length is relatively short, and truncating the encrypted tweak discards ciphertext information entropy, which weakens the pseudorandomness of the algorithm. To address these issues, this paper proposes Finite Radix-oriented Format-Preserving Encryption (FR-FPE). The algorithm features a fixed structure and significantly reduces the number of block cipher calls while remaining resistant to slide attacks and linear cryptanalysis.
2 Related Work
Format-Preserving Encryption (FPE) research primarily encompasses four areas: security models, algorithmic models, attack techniques, and standardization. Regarding security models, Black et al. proposed that FPE is a specialized symmetric cryptographic module where the underlying components are block ciphers and pseudo-random functions; thus, the security of FPE can be reduced to the security of these base modules, typically modeled as a Pseudo-Random Permutation (PRP). Furthermore, security objectives are defined based on security models such as Indistinguishability under Adaptive Chosen Plaintext Attack (IND-CPA) and Indistinguishability under Adaptive Chosen Ciphertext Attack (IND-CCA).
In terms of algorithmic models, Black proposed using pre-computed permutation tables to establish permutations within the message space. The Cycle Walking method ensures that the result falls within a valid domain by repeatedly applying encryption operations. The Generalized Feistel network processes the left and right halves of the data through iterative round functions. Most FPE models are constructed based on the Feistel network, such as the Feistel Finite set Encryption Mode (FFSEM). Bellare further extended the FFSEM model by introducing a tweak factor into the Feistel structure and establishing mapping tables between all character-type data in the message space and the integer domain.
3 Preliminaries and Formal Definitions
3.1 Algorithm Syntax
The syntax for a tweakable FPE scheme is defined as:
- $E: \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$
- $D: \mathcal{K} \times \mathcal{T} \times \mathcal{X} \to \mathcal{X}$
Here $\mathcal{K}$ is the key space of the underlying block cipher, $\mathcal{T}$ is the set of allowable tweaks, and $\mathcal{X}$ is the message space, i.e. the set of numeral strings of the given length over the given $radix$. Both $E$ and $D$ are parameterized by $radix$ and preserve the length and alphabet of their input. For every fixed key $K \in \mathcal{K}$, tweak $T \in \mathcal{T}$ and $radix$, the decryption function $D(K, T, \cdot)$ is the inverse of the encryption function $E(K, T, \cdot)$.
3.2 Security
The essence of FPE is a pseudorandom permutation (PRP) acting on a specific message space. Its security objective is to achieve indistinguishability from a truly random permutation. The Strong Pseudorandom Permutation (SPRP) advantage is defined as:
$$\mathbf{Adv}_{FPE}^{\text{sprp}}(\mathcal{A}) = \left| \Pr[\mathcal{A}^{E_K(\cdot), D_K(\cdot)} \Rightarrow 1] - \Pr[\mathcal{A}^{\pi(\cdot), \pi^{-1}(\cdot)} \Rightarrow 1] \right|$$
where $E_K$ and $D_K$ are the encryption and decryption functions under key $K$, and $\pi$ is a permutation chosen uniformly at random from the set of all permutations over the message space.
4 Proposed FR-FPE Mechanism
The overall architecture of the encryption and decryption algorithm is based on a Feistel network for iterative processing. This ensures that the format of the encrypted data remains identical to that of the original plaintext. The fixed Feistel structure supports the encryption of plaintexts up to 192 bits and tweaks up to 96 bits.
The algorithm constructs the initial vector from the plaintext parameters (length and $radix$), the block cipher identifier, and the high-order bytes of the tweak, and encrypts this vector once with the block cipher (such as SM4). In every Feistel round, the low-order bytes of the tweak are XORed with the current round number, concatenated with the round input, and XORed with the encrypted initial vector before the round's block cipher call. This design ensures that the tweak participates in every Feistel round of both encryption and decryption, which underpins the pseudo-random permutation property of the scheme and binds the whole plaintext to the whole tweak.
4.1 Encryption Process
The $Encrypt$ process for a given $radix$ is as follows:
1. Input the plaintext string $X$, the algorithm identifier $CipherID$, the $radix$, and the tweak $T$.
2. Construct the initial vector $IV$ using tweak length, $radix$, plaintext length, and $CipherID$.
3. Generate $IV_{cipher} = CIPH(K, IV)$.
4. In each Feistel round $i$, the low-order bytes of the tweak are XORed with the round index $i$ and concatenated with the current right half of the data.
5. The result is XORed with $IV_{cipher}$ and encrypted with a single block cipher call; the output is used to update the left half, and the halves are swapped.
6. Concatenate the final left and right parts to obtain the ciphertext.
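The six steps above, implemented end to end as an added worked example (this is not the paper's code). The example assumes: HMAC-SHA256 truncated to one block stands in for $CIPH(K, \cdot)$ so the script runs on the standard library alone (the paper uses SM4); the high-order 8 bytes of the tweak go into $IV$ and the low-order 4 bytes into the rounds; the $IV$ byte layout, the `CIPHER_ID` byte and the `ALPHABET` are this example's own choices; the round count of 9 is taken from the abstract; and the Feistel update is the usual modular addition of the round output to the left half, which the paper's text does not spell out. Ciphertext length and alphabet are preserved, and the small-domain condition from Section 5.2 is enforced.

```python
import hashlib
import hmac
from typing import List

ROUNDS = 9          # Feistel rounds, as given in the paper's abstract
CIPHER_ID = 0x04    # hypothetical block-cipher identifier byte (assumption)
BLOCK = 16          # every cipher input is exactly one 128-bit block
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # example alphabet


def ciph(key: bytes, block: bytes) -> bytes:
    """Stand-in for CIPH(K, .) (SM4 in the paper): HMAC-SHA256 truncated to one
    block so the example needs no third-party library. It is a keyed PRF, not a
    block cipher; use SM4/AES on a single block in a real implementation."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def num(digits: List[int], radix: int) -> int:
    """NUM: big-endian numeral string -> integer."""
    x = 0
    for d in digits:
        x = x * radix + d
    return x


def to_digits(x: int, m: int, radix: int) -> List[int]:
    """STR: integer -> m-digit big-endian numeral string."""
    out = [0] * m
    for i in range(m - 1, -1, -1):
        x, out[i] = divmod(x, radix)
    return out


def _check(tweak: bytes, radix: int, x: List[int]) -> None:
    n = len(x)
    if not 2 <= radix <= 255 or not 2 <= n <= 255:
        raise ValueError("radix and length must each fit in one IV byte")
    if any(not 0 <= d < radix for d in x):
        raise ValueError("digit out of range for radix")
    if len(tweak) > 12:
        raise ValueError("tweak is limited to 96 bits")
    if radix ** ((n + 1) // 2) > 2 ** 96:   # halves are carried as 96-bit ints
        raise ValueError("plaintext exceeds the 192-bit limit")
    if radix ** n < 1_000_000:              # small-domain condition, Section 5.2
        raise ValueError("domain too small: radix^n must be >= 10^6")


def build_iv(tweak: bytes, radix: int, n: int) -> bytes:
    """Step 2: tweak length, radix, plaintext length, CipherID and the
    high-order tweak bytes. The byte layout is this example's assumption."""
    high = tweak[:8].ljust(8, b"\x00")
    return bytes([len(tweak), radix, n, CIPHER_ID]) + high + b"\x00" * 4


def round_function(key: bytes, iv_cipher: bytes, tweak_low: bytes,
                   i: int, half: List[int], radix: int) -> int:
    """Steps 4-5: (T_low XOR i) || half, XOR IV_cipher, one cipher call."""
    t = (int.from_bytes(tweak_low.ljust(4, b"\x00"), "big") ^ i).to_bytes(4, "big")
    block = t + num(half, radix).to_bytes(12, "big")
    masked = bytes(p ^ q for p, q in zip(block, iv_cipher))
    return int.from_bytes(ciph(key, masked), "big")


def encrypt(key: bytes, tweak: bytes, radix: int, x: List[int]) -> List[int]:
    _check(tweak, radix, x)
    n = len(x)
    a, b = x[: n // 2], x[n // 2:]
    iv_cipher = ciph(key, build_iv(tweak, radix, n))   # step 3, one call
    for i in range(ROUNDS):
        y = round_function(key, iv_cipher, tweak[8:12], i, b, radix)
        m = len(a)
        a, b = b, to_digits((num(a, radix) + y) % radix ** m, m, radix)
    return a + b                                        # step 6


def decrypt(key: bytes, tweak: bytes, radix: int, y: List[int]) -> List[int]:
    _check(tweak, radix, y)
    n, u = len(y), len(y) // 2
    # after an odd number of rounds the halves have swapped lengths
    a, b = (y[:u], y[u:]) if ROUNDS % 2 == 0 else (y[: n - u], y[n - u:])
    iv_cipher = ciph(key, build_iv(tweak, radix, n))
    for i in reversed(range(ROUNDS)):
        r = round_function(key, iv_cipher, tweak[8:12], i, a, radix)
        m = len(b)
        a, b = to_digits((num(b, radix) - r) % radix ** m, m, radix), a
    return a + b


def encrypt_str(key: bytes, tweak: bytes, s: str, radix: int) -> str:
    digits = [ALPHABET.index(c) for c in s]
    return "".join(ALPHABET[d] for d in encrypt(key, tweak, radix, digits))


def decrypt_str(key: bytes, tweak: bytes, s: str, radix: int) -> str:
    digits = [ALPHABET.index(c) for c in s]
    return "".join(ALPHABET[d] for d in decrypt(key, tweak, radix, digits))


if __name__ == "__main__":
    k = bytes(range(16))                                 # constructed demo key
    ct = encrypt_str(k, b"acct-2024", "4111111111111111", 10)
    print(ct, decrypt_str(k, b"acct-2024", ct, 10))
```

Because the round input is a single 16-byte block, each round costs exactly one cipher call and the IV encryption is computed once per message, which is the call-count structure the paper contrasts with FF1's CBC-MAC round function. Changing any tweak byte changes either $IV_{cipher}$ or every round input, so two messages encrypted under different tweaks share no round values.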
5 Security Analysis
Based on the game-hopping model, we prove that the algorithm is a Strong Pseudorandom Permutation (SPRP), i.e. that any adversary with access to both the encryption and decryption oracles has negligible advantage in the sense of Section 3.2.
5.1 Game Sequence
- Game 0: This constitutes the real-world experiment. A key $K$ is selected.
- Game 1: The block cipher computation is replaced by a truly random function. The advantage in distinguishing Game 0 from Game 1 is:
$$\left| \Pr [ \mathcal{A}^{G0} \Rightarrow 1 ] - \Pr [ \mathcal{A}^{G1} \Rightarrow 1 ] \right| \le q \cdot \mathbf{Adv}_{CIPH, K}^{SPRP} + \frac{q^2}{2^n}$$
- Game 2: The calculation of each round function $F_i$ is replaced by an independent truly random function. Since each of the $q$ queries makes a fixed number of block cipher calls, the advantage in distinguishing Game 1 from Game 2 is bounded by $(10 \cdot q) \cdot \mathbf{Adv}_{CIPH, K}^{PRF}$.
The total advantage is bounded by:
$$\mathbf{Adv}_{FPE}^{\text{sprp}}(\mathcal{A}) \le q \cdot \mathbf{Adv}_{CIPH, K}^{SPRP} + (10 \cdot q) \cdot \mathbf{Adv}_{CIPH, K}^{PRF} + \frac{q^2}{2^n}$$
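A worked expansion of the bound, added here as an illustration rather than taken from the paper: the hops are chained with the triangle inequality, and the factor $10 \cdot q$ is read as one $IV$ encryption plus nine round-function calls per query (an assumption; the abstract gives 9 rounds but the text does not itemize the calls).

$$\begin{aligned}
\mathbf{Adv}_{FPE}^{\text{sprp}}(\mathcal{A})
&\le \left|\Pr[\mathcal{A}^{G0} \Rightarrow 1] - \Pr[\mathcal{A}^{G1} \Rightarrow 1]\right|
 + \left|\Pr[\mathcal{A}^{G1} \Rightarrow 1] - \Pr[\mathcal{A}^{G2} \Rightarrow 1]\right| \\
&\le \left( q \cdot \mathbf{Adv}_{CIPH,K}^{SPRP} + \frac{q^2}{2^n} \right)
 + (1 + 9)\, q \cdot \mathbf{Adv}_{CIPH,K}^{PRF} .
\end{aligned}$$

With $n = 128$ and an adversary limited to $q \ll 2^{64}$ queries, the collision term $q^2/2^n$ is negligible and the bound is dominated by the SPRP and PRF advantages of the underlying block cipher, which is the sense in which the scheme inherits FF1's security strength. Note that the stated bound treats Game 2, a Feistel network with independent random round functions, as the ideal-world endpoint; the text does not itemize a separate term for distinguishing that network from a uniformly random permutation.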
5.2 Resistance to Attacks
- Small-Domain Attacks: The condition $radix^{minlen} \ge 1,000,000$ ensures the operational domain is sufficiently large to resist exhaustive search.
- Slide Attacks: The introduction of round counters $i$ and precomputed vectors ensures that each round is unique, preventing "slid pairs."
- Linear Cryptanalysis: By ensuring both high-order and low-order bytes of the tweak participate in all rounds, the correlation between tweak and plaintext is maximized, effectively defending against linear distinguishers.
6 Experimental Results
A comparative performance analysis was conducted against the GM/Y 5007 scheme and NIST FF1, with SM4 as the underlying block cipher for all three algorithms.
[TABLE:1] (Performance Comparison)
The FR-FPE algorithm significantly reduces the number of block cipher calls. For long plaintexts (above 100 characters), the throughput advantage of FR-FPE over the GM/Y 5007 scheme (labelled TE-FPE in the table) and over FF1 is approximately 23.3% and 15.1%, respectively. Averaged over all tested plaintext and tweak lengths, the number of encryptions per second is 41.56% higher than FF1.
7 Conclusion
This paper proposes the Finite Radix-oriented Format-Preserving Encryption (FR-FPE) algorithm. By utilizing a structured tweak full-correlation encryption model and an optimized Feistel network, the algorithm effectively resists slide and linear cryptanalysis attacks. The design reduces the number of block cipher invocations by approximately 45% compared to the FF1 standard while maintaining SPRP security. Experimental data confirms that FR-FPE achieves a 32.79% increase in data throughput over FF1, making it well suited to high-performance privacy protection scenarios.