We propose a practical flexible (or arbitrary) length small domain block cipher, FNR encryption scheme. FNR denotes Flexible Naor and Reingold. It can cipher small domain data formats like IPv4, Port numbers, MAC Addresses, Credit card numbers, any random short strings while preserving their input length. In addition to the classic Feistel networks, Naor and Reingold propose usage of Pair-wise independent permutation (PwIP) functions based on Galois Field GF(2 n). Instead we propose usage of random N ×N Invertible matrices in GF(2)

1. FNR: Arbitrary length small domain
block cipher proposal
Sashank Dara , Scott Fluhrer
Cisco Systems Inc
Bangalore

2. Motivation
¤ AES works on fixed length inputs (128 bits), needs
padding for other lengths.
¤ Variable length block ciphers
¤ Well Defined lengths( Network Packets, Database columns)
¤ Storage Gains (Cloud storage would blow up with AES-128
for smaller data types say 32 bits)
¤ Aides in preserving Formats of the inputs ( IPv4 Addresses,
Credit Card Numbers, MAC Addresses, Time Stamps)
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

3. Design Goals
¤ Variable Input lengths
¤ To be Practical and Secure
¤ Common Key Length for arbitrary input domains
¤ Secure Building Blocks (Feistel Networks, SPN’s)
¤ Leverage Hardware Support (Say INTEL’s AES-NI)
¤ Don’t re-invent the wheel
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

4. Prior Art
¤ Michael Luby and Charles Rackoff. How to construct pseudorandom
permutations from pseudorandom functions. SIAM Journal on Computing, 17(2):
373{386, 1988.
¤ Mihir Bellare and Phillip Rogaway. On the construction of variable-input-length
ciphers. In Fast Software Encryption, pages 231{244. Springer, 1999.
¤ Moni Naor and Omer Reingold. On the construction of pseudorandom
permutations: Lubyrackoff revisited. Journal of Cryptology, 12(1):29{66, 1999.
¤ John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In Topics in
CryptologyCT- RSA 2002, pages 114{130. Springer, 2002
¤ Mihir Bellare, Thomas Ristenpart, Phillip Rogaway, and Till Stegers. Format-preserving
encryption. In Selected Areas in Cryptography, pages 295{312.
Springer, 2009.
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

5. Feistel Networks
Pseudo
Random
Function
Example:
DES is Feistel based
AES is not Feistel
based, it is SPN
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

6. Pair wise Independent Permutations
A family of functions F is a pairwise independent permutation if:
1. Each member of the family is itself a permutation, and
2. For any fixed A, B (with A≠B, and both from the input set of the
permutation), and f is a random member from the family F, then the pair
f(A),f(B) is equi-distributed over all distinct pairs from the output range of
the function.
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

7. Naor and Reingold’s (NR) Scheme
Pwip is defined over an
Affine function
y = aX +b where a,b in GF(2^n)
Difficult to define GF(2^n) for
variable lengths in practice
Results in Complex Implementations
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

8. Flexible Naor and Reingold’s (FNR)
Pair wise Independence Based on (Invertible) Matrices
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

9. FNR’s Details
¤ Tweakable Variable Length Block Cipher (Precisely)
¤ Matrix Operations to be performed in GF(2)
¤ Number of Round functions is 7 (Pararin’s proof)
¤ Internal PRF is AES in ECB mode (Leverage AES-NI)
¤ To ensure input to PRF is unique we use a round constant
along with tweak string

10. FNR’s Security Measure
¤ The probability that an attacker can distinguish a cipher
text from random text.
¤ Due to Naor and Reingold’s proof, using PWIP functions
would result in a security measure as defined below
¤ Classic Feistel networks without PWIP would have as
below
¤ Where r is round count, n is number of input bits, m is Number
of pairs of plain text, cipher text needed by attacker to

11. Format Preserving encryption (FPE)
Samples
Ranking Approach
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

12. FPE examples with FNR
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

13. Performance of FNR
IP Addresses Credit Card Numbers
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)

14. Conclusions and Future work
¤ Proposed a variable length block cipher
¤ Practical and based on secure building blocks
¤ Source code is released under LGPL-v2
¤ Future Work
¤ Exhaustive Cryptanalysis (theoretical and practical)
¤ Support more applications and formats like MAC Addresses,
Time Stamps

15. Resources
¤ Specification
¤ https://eprint.iacr.org/2014/421
¤ Motivation and Applications
¤ http://cisco.github.io/libfnr/
¤ Source code
¤ https://github.com/cisco/libfnr
¤ https://github.com/cisco/jfnr (Java bindings)
¤ Reach out to for questions
¤ libfnr-dev@external.cisco.com
Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering (SPACE 2014)