Is there a length-preserving encryption scheme that preserves the lengths of input sizes, such that the length of the input plain text is the same as the length of the output cipher text?
3 Answers
As @fgrieu mentioned, what you're after is FPE. The papers he linked deal with FPE on a very small domain, but it looks like you're interested in encrypting longer strings.
For that, you need a wide block cipher. Unlike traditional blockciphers, these typically allow different input lengths, which is a plus. They meet your criterion of not revealing shared prefixes/suffixes. Examples (any of which will be secure): EME, EME2, HCTR, HEH, TET, PEP. Tracking down a good implementation might be problematic; I don't know any off-hand. Some, including EME/EME2, are patented (but can be licenced under "reasonable, non-discriminatory" terms). Depending on the mode, they operate at roughly half the speed of standard encryption algorithms.
In terms of providing confidentiality, a result by Bellare and Rogaway ("Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography") shows that you get it for free as long as you can guarantee that all plaintexts are distinct (e.g., they already have distinct sequence numbers encoded into them somehow). The only information these ciphers leak is plaintext length, and whether or not a plaintext is repeated.
You said authenticity was not a concern, but perhaps it's worth noting that you can get this fairly cheaply if the plaintext contains some type of redundancy that you check upon decryption.
Finally, these algorithms are tweakable ciphers, which means they take an additional input, called the tweak. You can use (meta)data from any accompanying headers as the tweak (or just use a fixed string). Again, if the tweak is distinct each time, then you have confidentiality even if a plaintext is repeated. But at that point it might be easier to, e.g., take a 64-bit nonce from the headers and use that as the high-order bits of a counter-mode IV.
One could design length (and format) preserving encryption schemes using Luby-Rackoff constructions (which are based on Feistel networks).
While there are a variety of variants to achieve this (especially the FFX modes of encryption), one more notable work is by Naor and Reingold [1]. They introduce another layer to classic Feistel networks by using Pair-wise Independent Functions (PWIP), which they prove to be more secure than the classic version.
We have very recently redesigned their work and proposed a new FNR mode of encryption [2], which is a practical arbitrary-length block cipher algorithm to do the same. One could build format-preserving encryption using such a scheme, which is a variant of Naor and Reingold's work.
[1] Naor, Moni, and Omer Reingold. "On the Construction of Pseudorandom Permutations: Luby—Rackoff Revisited." Journal of Cryptology 12.1 (1999): 29-66.
[2] http://eprint.iacr.org/2014/421
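As an added illustration (not code from any of the answers or from the cited papers), the following Python sketch builds a tweakable, length-preserving cipher as an alternating Feistel network in the Luby-Rackoff style, with HMAC-SHA256 as the round function. It is not an implementation of EME, HCTR, FFX or FNR and carries none of their security proofs. The function names, the 8-round count and the sample key and tweak values are assumptions made for the demonstration.

```python
import hashlib
import hmac

ROUNDS = 8  # assumed round count for this sketch, not taken from the page


def _prf(key, rnd, tweak, total_len, half, out_len):
    """Round function: HMAC-SHA256 in counter mode, truncated to out_len bytes."""
    prefix = (bytes([rnd]) + len(tweak).to_bytes(4, "big") + tweak
              + total_len.to_bytes(4, "big") + half)
    out, counter = b"", 0
    while len(out) < out_len:
        block = prefix + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key, tweak, data, rounds):
    n = len(data)
    if n < 2:
        raise ValueError("need at least 2 bytes to form two halves")
    left, right = data[: n // 2], data[n // 2:]
    for rnd in rounds:
        if rnd % 2 == 0:  # even rounds: mask left with PRF(right)
            left = _xor(left, _prf(key, rnd, tweak, n, right, len(left)))
        else:             # odd rounds: mask right with PRF(left)
            right = _xor(right, _prf(key, rnd, tweak, n, left, len(right)))
    return left + right


def encrypt(key, tweak, plaintext):
    """Ciphertext has exactly len(plaintext) bytes."""
    return _feistel(key, tweak, plaintext, range(ROUNDS))


def decrypt(key, tweak, ciphertext):
    """Each round is an XOR, so running the rounds in reverse inverts them."""
    return _feistel(key, tweak, ciphertext, reversed(range(ROUNDS)))


if __name__ == "__main__":
    key = b"k" * 32                        # constructed sample key
    msg = b"seq=0001;payload=hello world"  # constructed sample plaintext
    ct = encrypt(key, b"hdr-A", msg)       # tweak taken from a made-up header
    print(len(msg), len(ct), decrypt(key, b"hdr-A", ct) == msg)
```

Encrypting the same plaintext under the same tweak gives the same ciphertext, which is the repetition leak the first answer describes; a distinct tweak per message removes it. Because each half is only half the message, very short inputs leave the round function a tiny domain, which is the small-domain setting that the dedicated FPE constructions are designed for.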
You are looking for an encryption scheme that supports length-preserving encryption. I recommend using an authenticated encryption scheme like OCB or McOE. There are two common techniques to achieve this goal:
Note that you need at least either a nonce or authentication tag -- or better both -- to preserve data privacy, i.e., security against chosen plaintext attacks (CPA).
Maybe I got you wrong. Maybe you are looking for format-preserving encryption or something else. Hence, a more detailed problem description would be great.