The National Institute of Standards and Technology (NIST) specified three methods for format-preserving encryption (FPE) in Draft NIST Special Publication (SP) 800-38G, which was released for public comment in July 2013. Each method was a mode of operation of the Advanced Encryption Standard (AES). One of the three modes, VAES3, was specified under the name FF2 in the NIST draft. This note describes a theoretical chosen-plaintext attack that shows the security strength of FF2 is less than 128 bits.
and Perlner, R. Analysis of VAES3 (FF2), Cryptology ePrint Archive, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917829, http://eprint.iacr.org/2015/306 (Accessed September 22, 2023)