capitalone / fpe

A format-preserving encryption implementation in Go
Apache License 2.0

FF3 - Tweak Fix #4

Open anitgandhi opened 7 years ago

anitgandhi commented 7 years ago

Description of Issue

Based on the recent cryptanalysis of FF3, the FF3 algorithm is no longer considered a suitable algorithm for FPE by NIST. However, a simple fix was given:

The researchers proposed a straightforward modification to FF3: require two particular bytes of the tweak to be set to zero, which in effect would reduce the size of the tweak from eight bytes to six bytes. Implementations that properly enforce this requirement should not be vulnerable to the attack. Alternative structures/conditions on the tweak might also preclude the attack.

Enhancement

Based on the above, the ff3 sub-package can be modified to enforce this extra requirement on the tweak.

raj-jain commented 5 years ago

NIST is in the process of revising SP 800-38G to address the FF3 vulnerability reported previously. In a nutshell, FF3 will be revised to FF3-1, which has a smaller tweak size compared to FF3. Also, both FF1 and FF3-1 will now support a minimum domain size of 1 million (raised from 100).

https://csrc.nist.gov/news/2019/nist-requests-comments-on-draft-sp-800-38g-rev-1
https://csrc.nist.gov/publications/detail/sp/800-38g/rev-1/draft

The proposal above is in final call at NIST, which ends on 4/15/19.

anitgandhi commented 5 years ago

Thank you @raj-jain; once Revision 1 is finalized I will release a new version of this package that reduces the FF3 tweakLen to 7 (bytes) and increases the feistelMin of both the FF1 and FF3 implementations from 100 to 1000000.
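The two checks discussed in this thread, the interim FF3 tweak restriction (two tweak bytes forced to zero, 8 bytes effectively becoming 6) and the Rev. 1 parameters (a 7-byte FF3-1 tweak and a 1,000,000 minimum domain), written out as a stand-alone Go example. This is added illustration, not code from the capitalone/fpe package: the function names, the `ff3ZeroBytes` positions (assumed to be the low byte of each 32-bit tweak half; the issue only says "two particular bytes") and the sample tweaks are constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Tweak lengths in bytes. ff3TweakLen is the original FF3 tweak (64 bits);
// ff31TweakLen is the FF3-1 tweak from the SP 800-38G Rev. 1 draft (56 bits).
const (
	ff3TweakLen  = 8
	ff31TweakLen = 7

	// feistelMin is the minimum domain size radix^length that Rev. 1 requires
	// for both FF1 and FF3-1 (raised from 100 to 1,000,000).
	feistelMin = 1000000
)

// ff3ZeroBytes lists the tweak byte positions that the interim FF3 fix forces
// to zero. ASSUMPTION: the low byte of each 32-bit tweak half (indices 3 and 7);
// the issue only says "two particular bytes", so align this with the spec you follow.
var ff3ZeroBytes = [2]int{3, 7}

// checkFF3Tweak validates an 8-byte FF3 tweak under the interim fix: the length
// must be exactly 8 and the designated bytes must be zero, which leaves 6 bytes
// of usable tweak.
func checkFF3Tweak(tweak []byte) error {
	if len(tweak) != ff3TweakLen {
		return fmt.Errorf("ff3: tweak must be %d bytes, got %d", ff3TweakLen, len(tweak))
	}
	for _, i := range ff3ZeroBytes {
		if tweak[i] != 0 {
			return fmt.Errorf("ff3: tweak byte %d must be zero (FF3 tweak fix)", i)
		}
	}
	return nil
}

// checkFF31Tweak validates a 7-byte FF3-1 tweak. Only the length is checked here;
// how the 56 bits are split across the two Feistel halves is the cipher's job.
func checkFF31Tweak(tweak []byte) error {
	if len(tweak) != ff31TweakLen {
		return fmt.Errorf("ff3-1: tweak must be %d bytes, got %d", ff31TweakLen, len(tweak))
	}
	return nil
}

// checkDomainSize enforces radix^length >= feistelMin. math/big is used so a
// large radix or length cannot overflow an int and slip past the check.
func checkDomainSize(radix, length int) error {
	if radix < 2 || length < 1 {
		return errors.New("fpe: radix must be >= 2 and length >= 1")
	}
	size := new(big.Int).Exp(big.NewInt(int64(radix)), big.NewInt(int64(length)), nil)
	if size.Cmp(big.NewInt(feistelMin)) < 0 {
		return fmt.Errorf("fpe: domain size %s is below the minimum %d", size, feistelMin)
	}
	return nil
}

func main() {
	// Constructed sample tweaks: "good" has bytes 3 and 7 zeroed, "bad" does not.
	good := []byte{0xD8, 0xE7, 0x92, 0x00, 0xFA, 0x63, 0x1C, 0x00}
	bad := []byte{0xD8, 0xE7, 0x92, 0x0A, 0xFA, 0x63, 0x1C, 0x2F}
	fmt.Println("FF3 good tweak:     ", checkFF3Tweak(good))
	fmt.Println("FF3 bad tweak:      ", checkFF3Tweak(bad))
	fmt.Println("FF3-1 7-byte tweak: ", checkFF31Tweak(good[:7]))
	fmt.Println("radix 10, length 5: ", checkDomainSize(10, 5)) // 100000 < 1000000
	fmt.Println("radix 10, length 6: ", checkDomainSize(10, 6)) // exactly 1000000
}
```

A library would run these checks once at cipher construction (the radix and length are fixed per instance) and again on every Encrypt/Decrypt call for the tweak, so a caller cannot bypass the restriction by supplying a different tweak later.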