## CryptoDB

### Viet Tung Hoang

#### Publications

Year
Venue
Title
2020
CRYPTO
We study the security of CTR-DRBG, one of NIST’s recommended Pseudorandom Number Generator (PRNG) designs. Recently, Woodage and Shumow (Eurocrypt’ 19), and then Cohney et al. (S&P’ 20) point out some potential vulnerabilities in both NIST specification and common implementations of CTR-DRBG. While these researchers do suggest counter-measures, the security of the patched CTR-DRBG is still questionable. Our work fills this gap, proving that CTR-DRBG satisfies the robustness notion of Dodis et al. (CCS’13), the standard security goal for PRNGs.
2019
EUROCRYPT
We improve the attack of Durak and Vaudenay (CRYPTO’17) on NIST Format-Preserving Encryption standard FF3, reducing the running time from $O(N^5)$O(N5) to $O(N^{17/6})$O(N17/6) for domain $\mathbb {Z}_N \times \mathbb {Z}_N$ZN×ZN. Concretely, DV’s attack needs about $2^{50}$250 operations to recover encrypted 6-digit PINs, whereas ours only spends about $2^{30}$230 operations. In realizing this goal, we provide a pedagogical example of how to use distinguishing attacks to speed up slide attacks. In addition, we improve the running time of DV’s known-plaintext attack on 4-round Feistel of domain $\mathbb {Z}_N \times \mathbb {Z}_N$ZN×ZN from $O(N^3)$O(N3) time to just $O(N^{5/3})$O(N5/3) time. We also generalize our attacks to a general domain $\mathbb {Z}_M \times \mathbb {Z}_N$ZM×ZN, allowing one to recover encrypted SSNs using about $2^{50}$250 operations. Finally, we provide some proof-of-concept implementations to empirically validate our results.
2018
EUROCRYPT
2018
CRYPTO
Format-preserving encryption (FPE) produces ciphertexts which have the same format as the plaintexts. Building secure FPE is very challenging, and recent attacks (Bellare, Hoang, Tessaro, CCS ’16; Durak and Vaudenay, CRYPTO ’17) have highlighted security deficiencies in the recent NIST SP800-38G standard. This has left the question open of whether practical schemes with high security exist.In this paper, we continue the investigation of attacks against FPE schemes. Our first contribution are new known-plaintext message recovery attacks against Feistel-based FPEs (such as FF1/FF3 from the NIST SP800-38G standard) which improve upon previous work in terms of amortized complexity in multi-target scenarios, where multiple ciphertexts are to be decrypted. Our attacks are also qualitatively better in that they make no assumptions on the correlation between the targets to be decrypted and the known plaintexts. We also surface a new vulnerability specific to FF3 and how it handles odd length domains, which leads to a substantial speedup in our attacks.We also show the first attacks against non-Feistel based FPEs. Specifically, we show a strong message-recovery attack for FNR, a construction proposed by Cisco which replaces two rounds in the Feistel construction with a pairwise-independent permutation, following the paradigm by Naor and Reingold (JoC, ’99). We also provide a strong ciphertext-only attack against a variant of the DTP construction by Brightwell and Smith, which is deployed by Protegrity within commercial applications. All of our attacks show that existing constructions fall short of achieving desirable security levels. For Feistel and the FNR schemes, our attacks become feasible on small domains, e.g., 8 bits, for suggested round numbers. Our attack against the DTP construction is practical even for large domains. We provide proof-of-concept implementations of our attacks that verify our theoretical findings.
2017
EUROCRYPT
2017
CRYPTO
2016
CRYPTO
2016
ASIACRYPT
2015
EPRINT
2015
EPRINT
2015
PKC
2015
EUROCRYPT
2015
EUROCRYPT
2015
CRYPTO
2014
CRYPTO
2014
EPRINT
2013
CRYPTO
2012
CRYPTO
2012
ASIACRYPT
2010
EPRINT
We prove beyond-birthday-bound security for the well-known types of generalized Feistel networks, including: (1) unbalanced Feistel networks, where the $n$-bit to $m$-bit round functions may have $n\ne m$; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where $n$-bit to $n$-bit round functions are used to encipher $kn$-bit strings for some $k\ge2$; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework we show that, in any of these settings, for any $\varepsilon>0$, with enough rounds, the subject scheme can tolerate CCA attacks of up to $q\sim N^{1-\varepsilon}$ adversarial queries, where $N$ is the size of the round functions' domain (the size of the larger domain for alternating Feistel). This is asymptotically optimal. Prior analyses for generalized Feistel networks established security to only $q\sim N^{0.5}$ adversarial queries.
2010
CRYPTO

Crypto 2018
Asiacrypt 2018
Crypto 2017
Asiacrypt 2017
Asiacrypt 2016