Date Published: February 3, 2025
Comments Due: April 4, 2025
Email Comments to: ciphermodes@nist.gov
NIST has released a second public draft (2PD) of Special Publication (SP) 800-38Gr1 (Revision 1), Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, for public comment. The main technical changes to the original publication are summarized in the announcement below.
The public comment period for this draft is open through April 4, 2025. Submit comments to ciphermodes@nist.gov with the subject “Comments on SP 800-38Gr1 Second Public Draft.” Comments received in response to this request will be posted on this page under "Supplemental Material" after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
SP 800-38G was published in March of 2016 in order to specify and approve the FF1 and FF3 methods for format-preserving encryption (FPE); see the original announcement for a description of this type of encryption. Since the release of this publication, several sets of researchers have identified vulnerabilities when the number of possible inputs (i.e., the domain size) is sufficiently small.
In response to the analysis of Durak and Vaudenay on FF3, NIST announced the intention to either revise the FF3 specification by reducing the size of its tweak parameter from 64 bits to 48 bits, as suggested by the researchers in their paper, or to withdraw FF3. In the initial public draft (IPD) of SP 800-38Gr1, the tweak parameter was reduced instead to 56 bits in a manner that was subsequently developed by the designers of the method in consultation with the researchers. The revised FF3 was named FF3-1.
The domain size for both FF1 and FF3 in SP 800-38G was required to be at least one hundred and recommended to be at least one million. In response to the analysis of Hoang, Tessaro, and Trieu, which built on earlier work with Bellare, this recommendation was strengthened to a requirement in the IPD revision: the minimum domain size for FF1 and FF3-1 was one million.
In follow-up work, Beyne described a weakness in the tweak schedule that affected both FF3 and FF3-1 but not FF1. This led to the removal of FF3 in the 2PD revision. For compatibility with existing implementations of FF1, the use of the inverse AES cipher function is no longer allowed in the 2PD revision. Additionally, Bleichenbacher discovered an implementation bug in an earlier version of Bouncy Castle due to floating point arithmetic. To avoid this class of bugs, the use of floating point arithmetic is disallowed in the 2PD revision.
The 2PD revision also incorporates some minor editorial changes.
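Two of the changes above are easy to get wrong in an implementation: the minimum domain size of one million, and the ban on floating-point arithmetic. The following Python is an added example (not NIST's code and not taken from the draft) showing how an implementer can check the domain size and compute the FF1 byte-length parameters b and d with exact integer arithmetic only. It assumes the FF1 definitions b = ceil(ceil(v * log2(radix)) / 8) and d = 4 * ceil(b / 4) + 4, where v is the length of the right half of the input; the minimum domain size comes from the announcement.

```python
"""Integer-only parameter checks for FF1 (added example, not the draft's own code)."""

# Minimum domain size (radix ** length) required for FF1 and FF3-1 in the revision.
MIN_DOMAIN_SIZE = 1_000_000


def ceil_log2(n: int) -> int:
    """Smallest integer m with 2**m >= n, for n >= 1, computed exactly.

    (n - 1).bit_length() gives ceil(log2(n)) without any floating-point log.
    """
    if n < 1:
        raise ValueError("n must be >= 1")
    return (n - 1).bit_length()


def domain_size_ok(radix: int, length: int) -> bool:
    """True if the domain radix**length meets the one-million minimum."""
    if radix < 2 or length < 1:
        raise ValueError("radix must be >= 2 and length >= 1")
    return radix ** length >= MIN_DOMAIN_SIZE


def ff1_byte_lengths(radix: int, v: int) -> tuple[int, int]:
    """Return (b, d) for FF1 using only integer arithmetic.

    b = ceil(ceil(v * log2(radix)) / 8): the number of bytes needed to hold
        any numeral string of length v in the given radix.
    d = 4 * ceil(b / 4) + 4: the number of output bytes taken from the
        round function.
    Python's arbitrary-precision integers make radix ** v exact, so the
    rounding behaviour of a floating-point log2 never enters the computation.
    """
    if radix < 2 or v < 1:
        raise ValueError("radix must be >= 2 and v >= 1")
    m = ceil_log2(radix ** v)      # exact ceil(v * log2(radix))
    b = (m + 7) // 8               # ceil(m / 8)
    d = 4 * ((b + 3) // 4) + 4     # 4 * ceil(b / 4) + 4
    return b, d


if __name__ == "__main__":
    # Constructed sample parameters, e.g. a 10-digit decimal string split 5/5.
    radix, n = 10, 10
    v = n - n // 2
    print("domain ok:", domain_size_ok(radix, n))
    print("b, d =", ff1_byte_lengths(radix, v))
```

The same integer approach extends to any other parameter the specification defines via a logarithm: compute the exact power with big integers and compare, rather than rounding a floating-point result.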
Publication:
https://doi.org/10.6028/NIST.SP.800-38Gr1.2pd
Supplemental Material:
None available
Document History:
02/28/19: SP 800-38G Rev. 1 (Draft)
02/03/25: SP 800-38G Rev. 1 (Draft)