Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Methods for Format-Preserving Encryption: NIST Requests Public Comments on Draft Special Publication 800-38G Revision 1

NIST requests public comments on Draft SP 800-38G Revision 1, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. Comments are due by April 15, 2019.

Summary

NIST requests public comments on Draft Special Publication 800-38G Revision 1Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption.  In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice. Comments are due by April 15, 2019.

Details

Special Publication 800-38G was published in March of 2016 in order to specify and approve the FF1 and FF3 methods for format-preserving encryption (FPE); see the original announcement for a description of this type of encryption.

Since the release of this publication, several sets of researchers have identified vulnerabilities when the number of possible inputs, i.e., the domain size, is sufficiently small.

In response to the analysis of Durak and Vaudenay on FF3, NIST announced in April of 2017 the intention to either revise the FF3 specification by reducing the size of its tweak parameter from 64 bits to 48 bits, as suggested by the researchers in their paper, or to withdraw FF3. In SP 800-38G Revision 1, the tweak parameter is reduced instead to 56 bits, in a manner that was subsequently developed by the designers of the method in consultation with the researchers. The revised FF3 is named FF3-1.

The domain size for both FF1 and FF3 in SP 800-38G was required to be at least one hundred and recommended to be at least one million. In response to the analysis of Hoang, Tessaro, and Trieu, building on earlier work with Bellare, the recommendation was strengthened to a requirement: the minimum domain size for FF1 and FF3-1 in Draft SP 800-38G Revision 1 is one million.

The revised publication also incorporates some minor editorial changes.

The public comment period closes for this document on April 15, 2019. Send comments to EncryptionModes [at] nist.gov (subject: FPE) with "FPE" in the Subject field.

 

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Released February 28, 2019, Updated March 1, 2019