Date Published: February 2019
Comments Due: April 15, 2019
Email Comments to: EncryptionModes@nist.gov
Morris Dworkin (NIST)
In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice.
Special Publication 800-38G was published in March of 2016 in order to specify and approve the FF1 and FF3 methods for format-preserving encryption (FPE); see the original announcement for a description of this type of encryption.
Since the release of this publication, several sets of researchers have identified vulnerabilities when the number of possible inputs, i.e., the domain size, is sufficiently small.
In response to the analysis of Durak and Vaudenay on FF3, NIST announced in April of 2017 the intention to either revise the FF3 specification by reducing the size of its tweak parameter from 64 bits to 48 bits, as suggested by the researchers in their paper, or to withdraw FF3. In SP 800-38G Revision 1, the tweak parameter is reduced instead to 56 bits, in a manner that was subsequently developed by the designers of the method in consultation with the researchers. The revised FF3 is named FF3-1.
The domain size for both FF1 and FF3 in SP 800-38G was required to be at least one hundred and recommended to be at least one million. In response to the analysis of Hoang, Tessaro, and Trieu, building on earlier work with Bellare, the recommendation was strengthened to a requirement: the minimum domain size for FF1 and FF3-1 in Draft SP 800-38G Revision 1 is one million.
The revised publication also incorporates some minor editorial changes.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Keywords block cipher; confidentiality; encryption; FF1; FF3; FF3-1; format-preserving encryption; information security; mode of operation
System and Communications Protection;