Draft Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, released for public comment in July 2013, included three methods for format-preserving encryption (FPE). Called FF1, FF2, and FF3, these methods are modes for using the Advanced Encryption Standard (AES). All of the FPE modes were submitted to NIST by the private sector.
As part of the public review of Draft SP 800-38G and as part of its routine consultation with other agencies, NIST was advised by the National Security Agency that the FF2 mode in the draft did not provide the expected 128 bits of security strength for some use cases. NIST cryptographers confirmed this assessment in an analysis that is posted on the modes public comments page.
The FF2 mode was submitted by VeriFone Systems, Inc., for NIST¹s consideration in 2011 and was originally designed for use by the payment card industry.
Implementations of FF2 within the payment card industry are not vulnerable to this analysis in practice. Nevertheless, in order for FF2 to meet NIST¹s security requirements for other potential applications, VeriFone Systems, Inc., has indicated that it will submit a revised proposal for NIST to review. NIST intends to finalize SP 800-38G with FF1 and FF3 as it considers VeriFone's revised proposal of FF2.
