CRITICAL: Fix FF1 expandS — XOR with R not previous block (NIST SP 800-38G)

lgutschow · lgutschow · commit 0ac7106e1113 · 2026-04-08T04:55:30.000-04:00
Same bug as Java, Rust, Node. Verified against independent fpe crate v0.6.1.
diff --git a/cyphera/ff1.py b/cyphera/ff1.py
@@ -50,13 +50,12 @@ def _prf(self, data: bytes) -> bytes:
     def _expand_s(self, r: bytes, d: int) -> bytes:
         blocks = (d + 15) // 16
         out = bytearray(r)
-        prev = r
         for j in range(1, blocks):
             x = j.to_bytes(16, "big")
-            x = bytes(a ^ b for a, b in zip(x, prev))
+            # XOR with R (not previous block) per NIST SP 800-38G
+            x = bytes(a ^ b for a, b in zip(x, r))
             enc = self._aes_ecb(x)
             out.extend(enc)
-            prev = enc
         return bytes(out[:d])
 
     def _num(self, digits: list[int]) -> int:
