February 2019: Draft Special Publication 800-38G Revision 1, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice. The public comment period ended April 15, 2019.
Public Comments Received
March 2016: Special Publication 800-38G specifies the FF1 and FF3 format-preserving encryption (FPE) modes of the AES algorithm. The acronym indicates that each mode is a Feistel-based method for FPE. Previously approved confidentiality modes are designed for binary data; FPE modes are designed for any kind of data, including non-binary formats, such as credit card numbers and social security numbers. Consequently, FPE facilitates the retrofitting of encryption technology to existing devices or software, where a conventional encryption mode might not be feasible.
FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern.
Letter of Assurance: Voltage Security, Inc. (which in the interim was acquired by HP, Inc.) provided NIST with a Letter of Assurance regarding the licensing of patents that may be relevant for the use of FPE modes.