## Cryptology ePrint Archive: Report 2021/815

Linear Cryptanalysis of FF3-1 and FEA

Tim Beyne

Abstract: Improved attacks on generic small-domain Feistel ciphers with alternating round tweaks are obtained using linear cryptanalysis. This results in practical distinguishing and message-recovery attacks on the United States format-preserving encryption standard FF3-1 and the South-Korean standards FEA-1 and FEA-2. The data-complexity of the proposed attacks on FF3-1 and FEA-1 is $O(N^{r/2 - 1.5})$, where $N^2$ is the domain size and $r$ is the number of rounds. For example, FF3-1 with $N = 10^3$ can be distinguished from an ideal tweakable block cipher with advantage $\ge 1/10$ using $2^{23}$ encryption queries. Recovering the left half of a message with similar advantage requires $2^{24}$ data. The analysis of FF3-1 serves as an interesting real-world application of (generalized) linear cryptanalysis over the group $\mathbb{Z}/N\mathbb{Z}$.

Category / Keywords: secret-key cryptography / Linear cryptanalysis, Format-preserving encryption, FF3-1, FEA-1, FEA-2

Original Publication (in the same form): IACR-CRYPTO-2021

Date: received 15 Jun 2021, last revised 15 Jun 2021

Contact author: tim beyne at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2021/815

[ Cryptology ePrint archive ]