Date Published: February 2019
Comments Due:
Email Questions to:
Author(s)
Morris Dworkin (NIST)
Announcement
In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice.
Details
Special Publication 800-38G was published in March of 2016 in order to specify and approve the FF1 and FF3 methods for format-preserving encryption (FPE); see the original announcement for a description of this type of encryption.
Since the release of this publication, several sets of researchers have identified vulnerabilities when the number of possible inputs, i.e., the domain size, is sufficiently small.
In response to the analysis of Durak and Vaudenay on FF3, NIST announced in April of 2017 the intention to either revise the FF3 specification by reducing the size of its tweak parameter from 64 bits to 48 bits, as suggested by the researchers in their paper, or to withdraw FF3. In SP 800-38G Revision 1, the tweak parameter is reduced instead to 56 bits, in a manner that was subsequently developed by the designers of the method in consultation with the researchers. The revised FF3 is named FF3-1.
The domain size for both FF1 and FF3 in SP 800-38G was required to be at least one hundred and recommended to be at least one million. In response to the analysis of Hoang, Tessaro, and Trieu, building on earlier work with Bellare, the recommendation was strengthened to a requirement: the minimum domain size for FF1 and FF3-1 in Draft SP 800-38G Revision 1 is one million.
The revised publication also incorporates some minor editorial changes.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
This Recommendation specifies two methods, called FF1 and FF3-1, for format-preserving encryption. Both of these methods are modes of operation for an underlying, approved symmetric-key block cipher algorithm. Compared to the original version of this publication, the tweak size for FF3-1 is smaller than the tweak size for FF3; also, for both FF1 and FF3-1, larger domains are required, rather than merely recommended.
This Recommendation specifies two methods, called FF1 and FF3-1, for format-preserving encryption. Both of these methods are modes of operation for an underlying, approved symmetric-key block cipher algorithm. Compared to the original version of this publication, the tweak size for FF3-1 is smaller...
See full abstract
This Recommendation specifies two methods, called FF1 and FF3-1, for format-preserving encryption. Both of these methods are modes of operation for an underlying, approved symmetric-key block cipher algorithm. Compared to the original version of this publication, the tweak size for FF3-1 is smaller than the tweak size for FF3; also, for both FF1 and FF3-1, larger domains are required, rather than merely recommended.
Hide full abstract
Keywords
block cipher; confidentiality; encryption; FF1; FF3; FF3-1; format-preserving encryption; information security; mode of operation
Control Families
System and Communications Protection
