Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-38G Rev. 1 (Initial Public Draft)

Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption

Date Published: February 2019
Comments Due: April 15, 2019 (public comment period is CLOSED)
Email Questions to:


Morris Dworkin (NIST)


In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice.


Special Publication 800-38G was published in March of 2016 in order to specify and approve the FF1 and FF3 methods for format-preserving encryption (FPE); see the original announcement for a description of this type of encryption.

Since the release of this publication, several sets of researchers have identified vulnerabilities when the number of possible inputs, i.e., the domain size, is sufficiently small.

In response to the analysis of Durak and Vaudenay on FF3, NIST announced in April of 2017 the intention to either revise the FF3 specification by reducing the size of its tweak parameter from 64 bits to 48 bits, as suggested by the researchers in their paper, or to withdraw FF3. In SP 800-38G Revision 1, the tweak parameter is reduced instead to 56 bits, in a manner that was subsequently developed by the designers of the method in consultation with the researchers. The revised FF3 is named FF3-1.

The domain size for both FF1 and FF3 in SP 800-38G was required to be at least one hundred and recommended to be at least one million. In response to the analysis of Hoang, Tessaro, and Trieu, building on earlier work with Bellare, the recommendation was strengthened to a requirement: the minimum domain size for FF1 and FF3-1 in Draft SP 800-38G Revision 1 is one million.

The revised publication also incorporates some minor editorial changes.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



block cipher; confidentiality; encryption; FF1; FF3; FF3-1; format-preserving encryption; information security; mode of operation
Control Families

System and Communications Protection