In September 2017, this (legacy) site will be replaced with the new site you can see at beta.csrc.nist.rip. At that time, links to this legacy site will be automatically redirected to apporpriate links on the new site.

Public Comments

Comments on the Draft Specification of FPE Modes

On July 8, 2013, NIST announced a period of public comment, ending September 3, 2013, on Draft Special Publication 800-38G, which specifies three modes of the AES block cipher for format preserving encryption. The comments that NIST received are posted here.

In subsequent analysis, NIST explains that one of the FPE modes in the draft, FF2, does not provide the expected 128 bits of security for some use cases

Comments on the Draft Specification of Key Wrapping Methods

On August 2011, NIST announced a period of public comments on the draft NIST Special Publication 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping. The public comments that NIST received in response to this request are collected here.

Comments on the Proposal to Approve EAX'

On June 21, 2011, NIST announced a period of public comment, ending July 22, 2011, on a proposal to approve the EAX´ mode of operation. Comments are provided in two files. The first is an updated report from Toshiba. The second is a collection of all the other comments. Subsequently, Tetsu Iwata and Kazuhiko Minematsu provided public comments that reference their paper with HIraku Morita and Stefan Lucks, Cryptanalysis of EAX’ on the IACR eprint archive.

Comments on the Proposal to Approve FFX

On June 9, 2011, NIST announced a period of public comment on a proposal to approve two schemes of the FFX framework for format preserving encryption: FFX[radix] and VAES3. The public comments that NIST received in response to this request are collected here.

Comments on the Proposal to Approve XTS-AES

In Request for Public Comments on XTS, NIST requested public comments on the proposal to approve the XTS-AES confidentiality mode by reference to IEEE Stnd. 1619-2007. The comment period ended September 3, 2008. The following are links to documents that NIST received from the indicated commenter:

response from Laszlo Hars, Seagate Technology

Other public comments that were submitted within email messages are collected here.

Matthew Ball provided follow-up comments to the public comments on XTS-AES.

The public comments on the draft NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality in Block-Oriented Storage Devices are collected here.

Comments on The Draft GCM Specification

The following public comments were submitted on the second (July 2007) draft NIST SP 800-38D: Recomendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC :

Commenter

The following paper was submitted as a public comment on the first (April 2006) draft NIST SP 800-38D: Recomendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM):

Authentication Failures in NIST version of GCM - Antoine Joux

Other comments that NIST received on the draft are available in PDF here.

Comments on the Choice Between CWC or GCM

NIST requested public comments on its intention to recommend either the CWC mode or the GCM mode. Links to PDF files of papers that were submitted are given in the following table:

Authentication Weaknesses in GCM - Niels Ferguson
A High Speed Architecture for Galois/Counter Mode of Operation (GCM) - Bo Yang, Sambit Mishra, Ramesh Karri
GCM Update - David McGrew, John Viega
Multiple forgery attacks against Message Authentication Codes - David McGrew, Scott R. Fluhrer
Comments on CWC and GCM Modes for Authenticated Encryption - Dana Neustadter, Michael Bowler, Tom St. Denis, Mike Borza

Other public comments on the draft are available in PDF here. The comment period ended June 1, 2005.

Comments on the Draft CMAC Specification

The public comments on the draft NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication are collected here.

Comments on the Draft CCM Specification

Links to PDF files of papers that were submitted as public comments on the draft NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality are given in the table below:

A Critique of CCM - Phillip Rogaway, David Wagner
Comments on NIST Draft Pub 800-38C: CCM mode of operation - Rene Struik

Other public comments on the draft, submitted within email messages, are available in PDF here.

Another document briefly describes NIST's responses to the most significant public comments.

Comments on Draft RMAC Specification

Links to PDF files of papers that were submitted as public comments on the early draft of NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The RMAC Authentication Mode are given in the table below. NIST subsequently decided to replace RMAC with CMAC.

An Analysis of RMAC - Jack Lloyd
Analysis of RMAC - Lars R. Knudsen
Comments on NIST's RMAC Proposal - Phillip Rogaway
Related-Key and Key-Collision Attacks Against RMAC - Tadayoshi Kohno
Comments on the security of RMAC as proposed in NIST Draft 800-38B - Éliane Jaulmes, Antoine Joux, and Frédéric Valette
Comments on RMAC - David Wagner
Comments on the RMAC algorithm - John Black
Comparison of CBC MAC Variants and Comments on NIST's Consultation Paper - Tetsu Iwata