NIST is pleased to announce the release of Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. This publication specifies and approves the FF1 and FF3 encryption modes of operation of the AES algorithm.
The previously approved encryption modes are not designed for non-binary data such as Social Security numbers (SSNs); in particular, the decimal representation of an encrypted SSN might consist of more than nine digits, so it would not look like an SSN.
By contrast, format-preserving encryption (FPE) methods such as FF1 and FF3 are designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data. Thus, an FPE-encrypted SSN would be a sequence of nine decimal digits.
FPE modes facilitate the retrofitting of encryption technology to existing devices or software, where a conventional encryption mode might not be feasible. In particular, database applications may not support changes to the length or format of data fields.
More generally, FPE can support the “sanitization” of databases, i.e., the targeting of encryption to personally identifiable information (PII), such as SSNs. The encrypted SSNs could still serve as an index to facilitate statistical research, perhaps across multiple databases. An important caveat to this application of FPE is that re-identification is sometimes feasible through the analysis of the unencrypted data and other information.
The commercial impetus comes from the payments industry, where FPE methods have already been deployed in merchants’ credit card readers. NIST is also considering for approval a third mode from that industry, the extension/revision of the VAES3 mode, which was named FF2 in the draft SP 800-38G that was released for public comment. This revision of FF2 is listed by the name “DFF” at the Modes Development page.
NIST received patent disclosures that are claimed to apply to FPE modes. Letters of Assurance to NIST regarding the licensing of these patents are available at the Current Modes page.
NIST Public Affairs Office issued a press release about SP 800-38G.