FIPS PUB 81

FEDERAL INFORMATION
PROCESSING STANDARDS PUBLICATION
1980 December 2
`
`
`PMC Exhibit 2094
`Apple v. PMC
`IPR2016-00753
`Page 1
`
`

`
`Jordan J. Baruch, Assistant
`for Productivity,
`and Innovation
`
NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Director
`
`Foreword
`
Standards Publication Series of the National Bureau of
`ral Information Process
`ication relat
`ted
`to standards
`under
`89-306
`Act) and under
`6 of Title 15, Code of
`executive mandates have
`of
`the utilization and management of
`in the Federal Government.
`To carry out
`the
`its Institute for
`Sciences and
`and coordination of Government efforts
`in these areas.
`
`process
`the NBS,
`, technical
guidelines and standards

Information Processing Standards Publications are welcomed and
the Director,
`Institute for
`Sciences
`rds, Washi
`on, DC
`20234.
`
`James H. Burrows, Director
`Institute for
`Sciences
`and
`
`tract
`
`ithm to
`a
`ifiPs a
`computer data.
`but unclassified,
`ich may be used in a wide
`protect-
`(
`included in this standard are the
`(
`mode,
the
`Feedback
`
`til
`
`ritv;
`
`Federa
`
`[nfor-
`
`
`
`

`
`FIPS PUB 81
`
`Federal Information
`Processing Standards Publication 81
`
`1980 December 2
`
`ANNOUNCING THE
`STANDARD FOR
`
`DES MODES OF OPERATION
`
`the National Bureau of
`Standards Publications are issued
`Federal Information
`to the Federal
`and Administrative Services Act of
1949, as
Standards pursuant
`amended. Public Law 89-306 (79 Stat.
`, Executive Order 11717 (38 FR 12315, dated May
`11, 1973), and Part 6 of Title 15 Code of Federal
`
`1. Name of Standard. DES Modes of
`
`2. Category of Standard. ADP
`
`ions, computer
`
`46)
`a crypto-
`3. Explanation. The Federal Data
protection of sensitive, but unclassi-
`to be used for the
`This FIPS defines four modes of
`the DES which may be
`data.
`will be
`of
`The modes
in-
`The modes
`(returned to
`Block Chaining
`Code book
`mode.
`and the Output
`
`mode,
`
`the
`mode,
`Feedback
`
`fied,
`
`eluded in
`(
`
`of this
`
but
`of the recommended modes of
`in
`and sufficient conditions for their secure
`This standard
`the
of data bits, how the bits
`• and the data paths and the data processing
`for
`data or messages. This standard is based on (and references
`the
`among DES
`next level of detail necessary for
`compat
`This standard
`the deve
`''!mt of a set of
`!cation standards
`it such as communication
standards, data storage standards, pass-
`or
`standards and
`management standards. Cryptographic system
`must select one or more of the
`modes of operat
`DES in a
`system or
`application.
`Tiu~
`tutorial information on the modes of operation and
`correct
`ion.
`The Appendices are
`and
`of this standard.
`
`of Commerce.
`
`of Commerce, National Bureau of Standards, Insti-
`
`are not
`
`4 .•
`
`5. Maintenance
`tute for
`
`u.s.
`Sciences and
`
`6. Related Documents.
`
FIPS PUB 46, "Data

Standard,"

15, 1977.

"Telecommunications:
Federal Standard 1026,
Use of the Data Enc
Standard,"
20, 1980, draft.

for

the Data

) Federal Standard 1027,
Standard,"

"Telecommunications:
5, 1980, draft.

Security
`
`for Use of
`
`
A list of
Institute
`DC 20234.
`
`7. Applicability.
`
`8.
`tion
`
be obtained from the Standards Administration Office,
`National Bureau of Standards, Washington,
`
`This standard shall be used by Federal
`or services which
`the Data
`the
`
`anyone
`may be used
`one of the
`selection
`considered.
`
`when
`and
`Standard and which are
`unclassified, computer
`the Data
`and use
`will depend
`
`Federal Information Process
`
`Standard (FIPS 81) DES Modes of
`
`The DES modes of operation described in this
`by many sources within the Federal Government
`These
`in
`a standard of this nature must,
`11ices.
`remain flexible enough to
`to advancements and innovations in science and technology. As such,
`this standard
`should not be construed
`either exhaustive or static.
`It wi
`be reviewed every
`five years
`in order to
`technh
`economic merit
`netl
the issuance of a revised standard.
`of
`the DES
`The DES,
`thm
`in electronic devices when used by Federal
`itself, must therefore be in hardware or firmware for Federal
`the
`modes of operation
`in this standard may be
`hardware, or
`firmware.
`
`are based upon
`
`10.
`to Federal Government
`ions, Parts 121
`technical data
`u.
`and
`
`Patents.
`patents.
`
`devices and technical data
`them are
`Title 22, Code of Federal
`this standard and
`
`this standard may be covered
`
`u.s.
`
`12.
`
`Schedule. This standard becomes effec
`
`on June 2, 1981.
`
`13. Waivers. Heads of
`of this standard be
`may request that the
waived in instances where it can be c
demonstrated that there are
interests of the Federal Govern-
mance or cost
to be
and when
served
ment
are best
`the
`requests will be
`Such waiver
`of Commerce.
`The waiver
`reviewed
`and
`in the
`ification
`for
`request must
`the waiver.
`
`waiver.
`the
`cost
`
`Waiver requests
`labeled as a
`agency shall take any
`approval
`from the
`DES mode of
`
should be allowed for review and response
shall be submitted to the
`of Commerce,
`for a Waiver to this Federal Information
`action to deviate from this standard
`of Commerce.
`No agency shall
`operation not
`to this standard
`
`Commerce.
`and
`No
`of a waiver
`
`has been
`
`the National
`ication are for sale
`of this
`14. Where
`Obtain
`rtment of Commerce,
`ld, VA 22161.
`When
`Technical Information Service,
`Process
`Standards Publication 81
`PUB 81),
`,
`refer to Federal Information
`this should be specified.
`may be made
`and title. When microfiche is desired,
`account.
`check, money order, or
`
`
`Federal Information
Processing Standards Publication 81

1980 December 2

Specifications for

DES MODES OF OPERATION
`
`CONTENTS
`
1. INTRODUCTION
1.1 Definitions, Abbreviations, and Conventions
2. ELECTRONIC CODEBOOK (ECB) MODE
3. CIPHER BLOCK CHAINING (CBC) MODE
4. CIPHER FEEDBACK (CFB) MODE
5. OUTPUT FEEDBACK (OFB) MODE

FIGURES

1. Electronic Codebook (ECB) Mode
2. Cipher Block Chaining (CBC) Mode
3. K-Bit Cipher Feedback (CFB) Mode
4. K-Bit Output Feedback (OFB) Mode
A1. DES Mappings

TABLES

Table B1. An Example of the Electronic Codebook (ECB) Mode
Table C1. An Example of the Cipher Block Chaining (CBC) Mode
Table D1. An Example of the 1-Bit Cipher Feedback (CFB) Mode
Table D2. An Example of the 8-Bit Cipher Feedback (CFB) Mode
Table D3. An Example of the 64-Bit Cipher Feedback (CFB) Mode
Table D4. An Example of the 7-Bit Cipher Feedback Alternative Mode
Table D5. An Example of the 56-Bit Cipher Feedback Alternative Mode
Table E1. An Example of the 1-Bit Output Feedback (OFB) Mode
Table E2. An Example of the 8-Bit Output Feedback (OFB) Mode
Table F1. An Example of the Cipher Block Chaining (CBC) Mode for Authentication
Table F2. An Example of the Cipher Feedback (CFB) Mode for Authentication

APPENDICES

A. General Information
B. Electronic Codebook (ECB) Mode
C. Cipher Block Chaining (CBC) Mode
D. Cipher Feedback (CFB) Mode
E. Output Feedback (OFB) Mode
F.
`
`l.
`
`the
`cess and
`data.
`secrecy of the
`
`The
`
`to obtain
`depends on
`
`pro(cid:173)
`the
`the
`
`is:
`
`,P7
`
`,P8)
`
`bits
`where
`seven
`for
`on
`of the octet is odd, i.e., there is an odd number
`
`• • •
`
`,P2, ••• ,P8} are reserved
`and set so that the
`the octet.
`
`The hexadecimal format of a
`
`R2 H3H4 ••• Hl5H16)
`
`6} are hexadecimal characters from the set
`t 1 ' •••
`in the format are optional and lower case letters may be
the upper case letters.
This standard assumes that a
into a
DES device
`to
`or
`ion.
`
`The
`at
`entered
`
`1.1 Definitions, Abbreviations, and Conventions. The
`and conventions shall be used
`this standard:
`
`definitions, abbreviations
`
`BIT: A
`
`denoted as a "0" or a "1."
`
BINARY VECTOR: A sequence of bits.
`
`BLOCK:
`A
`64 and denoted as
`
`vector canst
`
`CBC'
`
`CFB:
`
`Block Chaining.
`
`Feedback.
`
CIPHER TEXT:

bits numbered from the left as 1, 2,...

CRYPTOGRAPHIC KEY:
A 64-bit parameter consis
used in a DES device to control the encrypt and
(
KEY • KEY

operations.

bits and 8

bits
`
`DATA UNIT:
`(Dl,D2, •••
`
`vector
`A
`where K • 1
`, •••
`
`of K. bits that is
`and where Dl
`
`as an ent
represent bits.
`
`denoted as
`
`DECRYPTION: The process of
`Verb: DECRYPT.
`(
`DEC
`
`text into
`
`n text.
`
`DECRYPT STATE:
FIPS PUB 46.
`
`The state of a DES device execut
`
`the
`
`fed in
`
`DES: Data
`
`ion Standard;
`
`ied in FIPS PUB 46.
`
`DES DEVICE:
`The electronic component used to
`circuit
`or a micro-computer with
`memory program.
`
`DES
`
`INPUT BLOCK:
`The
`
`sent bits.
`
`A block that is entered into the DES device for either
block shall be
(I1,I2,...,I64)
`
`ion or
`repre-
`
`
opera-
where

. . .

A block that is the final result of
DES OUTPUT BLOCK:
tion of a DES device.
The output block shall be
represent bits.
O1
,...

ECB: Electronic Codebook.

ENCRYPTION: The process of
Verb: ENCRYPT.
(

ENCRYPT STATE:
FIPS PUB 46.
`
`EXCLUSIVE-OR
`Th
`
`DES
`
`n text into
`
`text.
`
`left-most bit
`
`to
`
`l •
`
`OCTET:
`
`OFB:
`
`Feedback.
`
`2. Electronic
`follows
`direct
`DES device
`direct
`
`in
`
`the
`
`In ECB
`c
`• a
`The
`block
(I1,I2,...,I64).
state.
resultant
The
...,O64) or
`be used in
`the same
`the ECB
`is
`encryption process except that
`encrypt
`is used rather than the
`
`l,C2, •••
`is then
`
`the DES
`in
`
`text
`process
`device
`
`state of
`
`the
`
`3.
`mode is defined as
Block
`follows
`In CBC encryption,
`divided into blocks.
`block is
`the first DES
`the first block of a
`with a
) = (IV1⊕D1,IV2⊕D2,...
).
64-bit initialization vector
The
input block
`state, and the result
`i.e.,
`text,
`output block is used as
`).
`This
`first ci
`text block is then exclusive-ORed with the second
`text data block
`to
i.e., (I1,I2,...,I64) =
the
second DES input block,
(C1⊕D1,C2⊕D2,...,C64⊕D64).
`that
`and D now refer to the second block.
`The second input block
`is
`DES device in the encrypt state to
`the second
`text
continues to "chain" successive c
`and
`text blocks
`text block in the message is
`If the message
`number of data blocks,
`then the
final partial data block
`
`Note
`
`consist of
`
`r
`does not
`should be
`
`
FIGURE 1: ELECTRONIC CODEBOOK (ECB) MODE

[Figure: ECB ENCRYPTION and ECB DECRYPTION panels, each passing a 64-bit block through the DES between PLAIN TEXT (D1, D2, ..., D64) and CIPHER TEXT (C1, C2, ..., C64).]
`
`
FIGURE 2: CIPHER BLOCK CHAINING (CBC) MODE

[Figure: a chain of DES ENCRYPT stages and a chain of DES DECRYPT stages, each starting from the IV.]

LEGEND
D = DATA BLOCK J
I = ENCRYPTION INPUT BLOCK J
C = CIPHER BLOCK J
IV = INITIALIZATION VECTOR
⊕ = EXCLUSIVE-OR
`
`
`in
`C of
`
`for the
`
`One such method
`
`is described
`
`in
`
`of an
encrypted message is used as the input
(I1,I2,...,I64) =
`the
`state,
`i.e.,
`output block, which
`original input block to the
exclusive-ORed with the
`same as that used during
`block,
`the first plain
`text
`to
`i.e.,
(D1,D2,...
=
,O2⊕IV2,...,O64⊕IV64). The second cipher text block is then used as the input block
the DES in the
and the
and is
block
is
the first cipher
`exclusive-ORed with
`the second
`text data
`· and o
`block,
`i.e.,
`)
`(Dl
`Note that again
`The CBC
`refer
`to the second block.
in this manner until the
`last
`block has been
`a partial
`data block must be
`
`4. Cipher Feedback
`follows
`mode is defined as
`Feedback
Mode. The
is divided into data units each containing K bits (K
3). A message to be
= 1,2,...,64).
In both the CFB encrypt and
operations, an initialization vector
L is used.
ficant bits of the DES
`(
`of
`The IV is
`in the least
(I1,I2,...,I64)
block with
=
,...
,IV1,
...,IVL).
`the DES device in the encrypt state
`a
`an output block.
`text is produced by
i.e.,
text data unit with
K bits of the output block,
`•
`l
`• plain text is pro-
`with the most significant K bits of
`exclus
`duced
`the output block. i.e.,
`In both cases the unused
bits of the DES output block are discarded.
In both cases the next input block is created
most
ficant K bits of the
block, shifting the remai-
K positions to the left and then
`the K bits of
`text
`least
`in the encryption
`or
`used in the
`operation into the
i.e., (I1,I2,...,
bit
= (I[K+1],I[K+2],...,I64,C1
,...,
input block is then
the DES device in the encrypt state to produce
This
the next output block. This process continues until the entire
text message has been
or until the entire
`text message has been
`
CFB mode may operate on data units of
to be the CFB mode
defined
on data
each operation of the DES device one K-bit unit of
text or one K-bit unit of
`text
`d
`
`for 8-bit CFB when
`alternative
to insert a "1" bit in bit
`results in a "1"
`).
`This
`This alternative is called
`
`64 inclusive. K-bit CFB
`K for K = 1
`one K-bit unit
`text.
`
`is
`For
`of
`
`an R-bit
`7-bit entities
`, i.e. ,
`the 8-bit
`feedback
`in bit location 57 of
`
`follows
`mode is defined as
`Feedback
`Mode. The
`Feedback
`is divided into data units each
`K bits
message to be
`(
`= 1, 2, ••• ,64).
`In both the OFB encrypt and
operations, an initialization vector
L is used.
The IV is
in the least
icant bits of the DES input
`(
`of
`the
`unused
`bits
`"O's,"
`i.e.,
(I1,I2,...,I64
with
block
,IV1,IV2,...,IVL).
This
the DES device in the
(
,0,...
`encrypt state to
`output block.
`cipher text is
`exc
`ficant K bits of the
block, i.e.,
`text is
`i.e.,
`bits of the output
`In both cases the
`output block are discarded.
`the unused bits of the
`the most s
`ficant K bits of the
`is created
`discard
`the
bits K positions
the left and then insert
`i.e.,
`used
`the
`least
`s
`ficant
`bit
`positions,
`Into
(I
],I[K+2],...,I64,O1
`This
`block is then
`
`In both cases
next input block
block, shift
bits of output
(I1,I2,...,I64)
`the DES
`
`t
`
`
FIGURE 3: K-BIT CIPHER FEEDBACK (CFB) MODE

[Figure: ENCRYPTION and DECRYPTION panels. In each, the INPUT BLOCK ((64-K) BITS, K BITS) is shifted and passed through DES ENCRYPT; from the OUTPUT BLOCK, K BITS are selected and (64-K) BITS discarded; the selected bits are combined with PLAIN TEXT K BITS or CIPHER TEXT K BITS, and the cipher text is the FEEDBACK K BITS.]

INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.
`
`
FIGURE 4: K-BIT OUTPUT FEEDBACK (OFB) MODE

[Figure: ENCRYPTION and DECRYPTION panels. In each, the INPUT BLOCK ((64-K) BITS, K BITS) is shifted and passed through DES ENCRYPT; from the OUTPUT BLOCK, K BITS are selected and (64-K) BITS discarded; the selected bits are the FEEDBACK K BITS and are combined with PLAIN TEXT K BITS or CIPHER TEXT K BITS.]

INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.
`
the next output block. This process continues until
device in the encrypt state to
the entire plain text message has been
`or until the entire ci
`text message
`has been
`
`The OFB mode may operate on data units of
`defined
`to be the OFB mode operating on data units
`each operation of the DES device one K-bit unit
`c
`text or one K-bit unit of
`text
`
`64 inclusive. K-bit OFB
`is
K for K = 1,2,...,64.
For
one K-bit unit of
n text
one K-bit unit of plain text.
`
`
`

`
APPENDIX A

GENERAL INFORMATION
`
`The National Bureau of Standards issued Federal
`tion 46
`PUB 46) in 1977. That standard
`called the Data Encryption Standard
`ment for the
`DES
`submitted to
`
`Publica-
`commonly
`a
`Federal Govern-
`to be used
of sensitive, but unclassified, computer data. The
`by the International Business Machines
`and
`(IBM)
`National Bureau of Standards during an NBS
solicitation for crypto-
`be used in a Federal Information Process
`Standard.
`Several meth-
`system are
`this
`ods
`methods, external to the DES
`, have come to be called the "modes
`Four modes, called
`the Electronic Codebook
`mode,
`the Cipher Block Chaining
`mode,
`the
`Feedback
`mode, and the
`Feedback
`mode, are specified in
`this standard.
`ECB is a direct application of the DES
`to encrypt and
`data; CBC is an enhanced mode of ECB which chains
`text; CFB
`of
`c
`text as
`the
`generate
`are combined with the plain text to
`text,
`OFB
`identical to CFB except that the
`the
`text is used
`The
`these
`for all
`
`which
`the
`DES
`does
`
`modes because they
`unclassified
`
`text into
processes are
`inverse transformation. The encryption and
`based on a parameter
`of rules, called an
`thm,
`that is
`ded to or
the users
`usually
`the
`parameter that
`of time over which a
`system and must be
`secret.
`to encrypt or
`data is called its cryptoperiod.
`
`a
`
64-bit vectors onto
the DES maps the set
elements in this set.
(2 raised to
`2
`The DES
`up to, but not
`, i.e., transformations that are
`user to select any one of
`56 possible
`When
`the DES in ECB mode
`one-to-one.
`Selec
`a
`selects one of
`and
`this
`and any particular
`• each
`iterative, block,
`an
`output
`is
`back onto the
`cipher system mixes transpo-
system (i.e., encryption
Because the DES
thm
manner.
substitution operations in an alternat
`the DES is called a
`a 64-bit
`block onto a 64-bit output
`maps
`for another
`system.
`Iterative refers to the use of the output of an operation as the
`iteration of the same
`The DES internal
`uses sixteen iterations of a pair of
`block. A
transposition and substitution
to encrypt or
an
thm is found in FIPS PUB 46.
`specification of the DES
`
`itself.
`
`See
`all
`
`and
`
`Two
`of methods for
`methods.
`In a block
`methods
`text to be
`function
`stream method is based on
`the exclusive-OR
`to
`text:
`the
`inverse,
`and
`text, P,
then C = P ⊕ O
`
`output
`stream of bits,
`sequence with
`combine this
`Since the exclusive-OR operator is
`its
`stream is used for both the
C. If O is the
`
`are block
`a si
`text. A
`then
`the
`
`plain
`stream,
`
`
FIGURE A1: DES MAPPINGS

[Figure labels: INPUT SPACE, 2^56 MAPPINGS, DECRYPT.]
`
APPENDIX B

ELECTRONIC CODEBOOK (ECB) MODE
`
`The Electronic Codebook
`to 64
64 bits of
codebook arises because
`block
`
`ing
`electronic
`to be enc
`
`method which
) mode is a basic, block,
`bits of output as specified in FIPS PUB 46.
`The ana
`a
`to
`text
`r
`the same
`in text block
`the same
`c
`1 ist (or
`ln text blocks and
`could be constructed for any given
`ln
are calculated each time for the plain
text
text to be

the
64 bits of
`function of
`block is a
`Since
`ty) bits of the
`block and
`• a s
`bit error
`or the non-parity
`bits used for
`ln either a c
`lon will cause the
plain text block to have an average error rate of 50
percent.
However,
an
ECB c
text block will not affect the
ion of other
blocks,
i.e.,
in
error
there is no error extension between ECB blocks.
`
If block boundaries are lost between encryption and decryption (e.g., a bit sl ),
then
ronization between the encryption and
ion operations will be lost until correct
block boundaries are
reestablished.
The results of all
ion operations will be
incorrect until this occurs.
`
`Since
`multi
`least
`filled
`
`block.
`
the ECB mode is a 64-bit block d
If a user has
of s
four bits.
ificant bits of the unused portion
with
or
random bits,
ing device must then discard these

1
device must encrypt data in
an
less than sixty-four bits to encrypt, then the
of the
data block must be
e.g.,
or to ECB encryption.
The corres
ing
ing bits after decryption of the ci
`
in ECB
the same output block under a fixed
same input block always
The
mode.
If this is undesirable in a particular application,
the CBC,
CFB or OFB modes should
be
in Table B1.
used. An
of the ECB mode is
ven
`
`
TABLE B1

AN EXAMPLE OF THE ELECTRONIC CODEBOOK (ECB) MODE

The ECB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef

The plain text is the ASCII code for "Now is the time for all ." These seven-bit characters are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  4e6f772069732074  3fa40e8a984d4815  3fa40e8a984d4815
2     68652074696d6520  68652074696d6520  6a271787ab8883f9  6a271787ab8883f9
3     666f7220616c6c20  666f7220616c6c20  893d51ec4b563b53  893d51ec4b563b53

The ECB mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     3fa40e8a984d4815  3fa40e8a984d4815  4e6f772069732074  4e6f772069732074
2     6a271787ab8883f9  6a271787ab8883f9  68652074696d6520  68652074696d6520
3     893d51ec4b563b53  893d51ec4b563b53  666f7220616c6c20  666f7220616c6c20
`
`
`APPENDIX C
`
`is a block
`CBC
`with a block of
block

is exclusive-ORed
which the first plain text data block
prior to being processed through the DES. The resulting
is then exclusive-ORed with the next plain text data block to form
the
the DES, thus
together blocks of
text. The chaining of
an error extension characteristic which is valuable in protect-
`fraudulent data alteration.
`A CBC authentication technique is described
`in
`
`text whenever the same plain text is encrypted
`the same
`The CBC mode
`the same
and IV. Users who are concerned about this characteristic should incorporate
a unique identifier (e.g., a one-up counter) at the beginning of each
message within a
cryptographic
in order to insure unique cipher text.
If the key and the IV are the
same
and no identifier precedes each message, messages that have the same beginning will
have
the same
text when encrypted in the CBC mode until the blocks that differ
`in
`the two messages are
`
`Since the CBC mode is a block method of encryption, it must operate on 64-bit data blocks.
Partial data blocks (blocks of less than 64 bits) require
`handling. One method of
`final
`data block of a message is described below. Others may be
`applications.
`
`defined for
`
`text.
`
`The
`method may be used for
`fo]
`be greater
`than the length of the plain
`a message
`is
`in the least
`random bits.
`The
`will have
This can be
tl '"

where the length of the cipher text can
In this case the final
data block of
bits positions with "0"s,
to know when and to what extent
, e.g.,
e.g., using 'l
indicator, or
The
indicator will depend on the data being
the data is pure binary,
then the
ial data block should be left
block and the unused bits of the block set to the
of the last
in the
fied
if the last data bit of the message is "0" then "1"s are used as
data bit,
i.e.,
bits and if the last data bit is "1" then "0"s are used.
The input block is then encrypted.
The
output block is the cipher text.
The
text message
must be
marked as being
so that the decryptor can reverse
process,
remove
the
bits and produce the original
text. The
scans the decrypted padded
If the data consists
and discards the least
bits that are all identical.
(e.g., 8-bit ASCII characters) then the
indicator should be a character
the number of padding bytes,
including itself, and should be placed in the least
ficant
of the
block before encrypting. For
if there are five ASCII
then an ASCII "3"
`data characters in the final
`block of a message to be encrypted.
`is put in the least
`icant byte of the
`block (any pad characters may be used
`in
`the other
`before encryption. Again the cipher text message must be
`marked as
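The two padding conventions described above for a final partial block, written out in Python. This is an added example, not part of FIPS PUB 81: the function names, the default filler byte and the sample strings are assumptions made for illustration, and bits are modelled as '0'/'1' characters.

```python
BLOCK_BITS = 64
BLOCK_BYTES = 8


def pad_binary(bits: str) -> str:
    """Left-justify 1..63 data bits; fill with the complement of the last data bit."""
    if not 0 < len(bits) < BLOCK_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected 1..63 characters of '0'/'1'")
    fill = "1" if bits[-1] == "0" else "0"
    return bits + fill * (BLOCK_BITS - len(bits))


def unpad_binary(block: str) -> str:
    """Discard the least significant run of identical bits from a padded block."""
    if len(block) != BLOCK_BITS or set(block) - {"0", "1"}:
        raise ValueError("expected a 64-bit block")
    data = block.rstrip(block[-1])
    if not data:
        raise ValueError("all 64 bits identical: not a padded block")
    return data


def pad_bytes(data: bytes, filler: bytes = b" ") -> bytes:
    """Pad 1..7 data bytes to 8.

    The least significant byte is an ASCII digit giving the number of
    padding bytes, itself included; the other pad bytes may be anything.
    """
    if not 0 < len(data) < BLOCK_BYTES:
        raise ValueError("expected 1..7 data bytes")
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    count = BLOCK_BYTES - len(data)
    return data + filler * (count - 1) + str(count).encode("ascii")


def unpad_bytes(block: bytes) -> bytes:
    """Read the count from the last byte and drop that many bytes."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("expected an 8-byte block")
    count = block[-1] - ord("0")
    if not 1 <= count <= BLOCK_BYTES - 1:
        raise ValueError("padding indicator out of range")
    return block[:-count]


def final_block_data(block: bytes, marked_padded: bool) -> bytes:
    """Strip padding only when the message was marked as padded.

    Neither scheme is self-describing: a full final block that happens to
    end in an ASCII digit looks exactly like a padded one, which is why
    the cipher text message must carry the padded/unpadded marking.
    """
    return unpad_bytes(block) if marked_padded else block
```

With five data characters, `pad_bytes(b"for a")` ends in an ASCII "3", matching the case the text gives.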
`
`In
`
text block will affect the
the CBC mode, one or more bit errors within a
ion of two blocks (the block in which the error occurs and the
If
text
the errors occur in the n-th
block.
then each bit of the n-th plain
block will have an average error rate
percent.
The
text block will
on
those bits in error which
direct
to the cipher text bits in error.
`
`for the CBC mode.
`operations is
`on between encrypt
`Block
`block so that block boundaries are
`lost
`If bits are added or are lost in a
`then
`ion is lost. However,
`ions,
`between the encryption and
`ion
`ic
`zation will automatically be reestablished 64 bits after block
`boundaries have been established. This property is known as self-synchronization.
`
`An
`
`of the CBC mode is
`
`in Table Cl.
`
`
TABLE C1

AN EXAMPLE OF THE CIPHER BLOCK CHAINING (CBC) MODE

The CBC mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef

Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the time for all ." These seven-bit characters are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  5c5b2158f9d8ed9b  e5c7cdde872bf27c  e5c7cdde872bf27c
2     68652074696d6520  8da2edaaee46975c  43e934008c389c0f  43e934008c389c0f
3     666f7220616c6c20  25864620ed54f02f  683788499a7c05f6  683788499a7c05f6

The CBC mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     e5c7cdde872bf27c  e5c7cdde872bf27c  5c5b2158f9d8ed9b  4e6f772069732074
2     43e934008c389c0f  43e934008c389c0f  8da2edaaee46975c  68652074696d6520
3     683788499a7c05f6  683788499a7c05f6  25864620ed54f02f  666f7220616c6c20
`
`
APPENDIX D

CIPHER FEEDBACK (CFB) MODE
`
`The CFB mode is a stream method of encryption in which the DES is used to generate
bits which are exclusive-ORed with binary
text to form cipher text.
The cipher text is fed back to form the next DES input block.
Identical messages that
are
using the CFB mode and different IVs will have different
texts.
IVs that are shorter than 64 bits should be put in the least significant bits of the
first DES input block and the unused, most
icant, bits initialized to "0's."
`
`of
In the CFB mode, errors in any K-bit unit of cipher text will affect the
the
cipher text and also the
of
cipher text until the bits
in error have been shifted out of the
block. The first affected K-bit unit of
will be garbled in exactly those places where the
text is in error.
`decrypted
`text will have an average error rate of fifty percent until
`all errors have been shifted out of the DES
`block.
`no additional errors
`are encountered
`this time, the correct plain text will then be obtained.
`
If K-bit boundaries are lost during
`be lost until cryptographic initialization
`boundaries have been reestablished.
`
`will
`K-bit
`
`The
`DES.
`tive
`
`in the CFB mode both use the encrypt state of the
`mode are
`in Tables Dl, D2, and D3, respec-
`
`and deci-
`The 7-bit CFB alternative mode is defined in the standard in order to
7-bit codes and still use an 8-bit feedback
`Most commercial implementations
`of the DES are
`to e
handle 8-bit bytes of data and
`Host computer
`of recent architecture are also
`to efficiently handle
`and communication
`full 8-bit
`However, some systems use the most
`bit as a
bit.
`These systems often generate the
`bit
`transmission and check its validity
`In such systems the
`text would be automatically
`modified during transmission.
`In this case,
`and
`processes must
of the parity bits and the 7-bit CFB (a) mode should be used.
`If
`the encryptor and the decryptor both set the most significant bit of the 8-bit cipher
`to be a "1" bit in the
`are compatible. Holding no more than
`bits of the DES
`level of
`for government
`
`an
`
`useful in applications requiring very efficient use of
`An extension of this
`the DES device.
`If several 7-bit data units are to be
`, then a
`"1" bit may be put in the most
`icant bit
`of each 8-bit byte of the feedback
`This extension of the 7-bit CFB alternative mode should be called the K-bit CFB (a)
for K = 14, 21,
35,
49,
`56 for
`tions which
`, respect
`2, 3, 4, 5, 6, 7, and 7-bit data units
`These alternatives provide an

`level of security for
`
`of 7 and 56-bit CFB (a) mode are
`
in tables D4 and D5,
`
`
TABLE D1

AN EXAMPLE OF THE 1-BIT CIPHER FEEDBACK (CFB) MODE

The 1-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef

Initialization Vector = 1234567890abcdef

The plain text is the vector (010011100110111101110111). The DES input and output blocks are written in hexadecimal notation. The ⊕ represents bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P ⊕ O = C
1     1234567890abcdef  bd661569ae874e25  0 ⊕ 1 = 1
2     2468acf121579bdf  48b3169c1fac7a10  1 ⊕ 0 = 1
3     48d159e242af37bf  0a0143394c9959fe  0 ⊕ 0 = 0
4     91a2b3c4855e6f7e  6d52f55fd8b02711  0 ⊕ 0 = 0
5     234567890abcdefc  3a38debb3a2fa892  1 ⊕ 0 = 1
6     468acf121579bdf9  719b70bd3dce7acc  1 ⊕ 0 = 1
7     8d159e242af37bf3  81809c230adc0d23  1 ⊕ 1 = 0
8     1a2b3c4855e6f7e6  83d14a6da6926604  0 ⊕ 1 = 1
9     34567890abcdefcd  311e9dc8d6d52d8a  0 ⊕ 0 = 0
10    68acf121579bdf9a  db47c7feb6fc4272  1 ⊕ 1 = 0
11    d159e242af37bf34  b73850afa3b8ed89  1 ⊕ 1 = 0
12    a2b3c4855e6f7e68  f5fb19dd00590800  0 ⊕ 1 = 1
13    4567890abcdefcd1  0f4351a9bbffe5a5  1 ⊕ 0 = 1
14    8acf121579bdf9a3  769593c58e20d41b  1 ⊕ 0 = 1
15    159e242af37bf347  0e949d3f3a293d64  1 ⊕ 0 = 1
16                      921eb7ffeacd0db9  1 ⊕ 1 = 0
17    567890abcdefcd1e  d2ad109c8895fb95  0 ⊕ 1 = 1
18    f121579bdf9a3d    3c36317828a9bd04  1 ⊕ 0 = 1
19    59e242af37bf347b  e7248586e7e4ecac  1 ⊕ 1 = 0
20    b3c4855e6f7e68f6  f9a58e16a7597c5e  1 ⊕ 1 = 0
21    67890abcdefcd1ec  e939fdf63d177946  0 ⊕ 1 = 1
22    cf121579bdf9a3d9  f325eac046bad58d  1 ⊕ 1 = 0
23    9e242af37bf347b2  8385a6d975ffdbba  1 ⊕ 1 = 0
24    3c4855e6f7e68f64  70a54baceae7ba6b  1 ⊕ 0 = 1
`
`
TABLE D2

AN EXAMPLE OF THE 8-BIT CIPHER FEEDBACK (CFB) MODE

The 8-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef

Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the." These seven-bit characters are written in hexadecimal notation (0,b7,b6,...,b1). The ⊕ represents bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P ⊕ O = C
1     1234567890abcdef  bd661569ae874e25  4e ⊕ bd = f3
2     34567890abcdeff3  7039546f9a0f6330  6f ⊕ 70 = 1f
3     567890abcdeff31f  ad1b78b0bb371be7  77 ⊕ ad = da
4     7890abcdeff31fda  2735 b01d5ca31f7  20 ⊕ 27 = 07
5     90abcdeff31fda07  68863426e397685d  69 ⊕ 68 = 01
6     abcdeff31fda0701  6798240e8c6b685f  73 ⊕ 67 = 14
7     cdeff31fda070114  421feefb3f8ca64f  20 ⊕ 42 = 62
8     eff31fda07011462  9a169a9b          74 ⊕ 9a = ee
9     f31fda07011462ee                    68 ⊕ 70 = 18
10    1fda07011462ee18                    65 ⊕ 1a = 7f
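The chaining and feedback columns of Tables C1 and D2 can be checked against the mode definitions without a DES implementation, because they depend only on exclusive-OR and shift operations over the tabulated blocks. The Python below is an added example, not part of FIPS PUB 81; the function names are illustrative, the table values are transcribed from the tables with scanning errors (l for 1) corrected, and the altered block is constructed to show what a single-digit transcription error looks like.

```python
MASK64 = (1 << 64) - 1
IV = 0x1234567890ABCDEF

# Table C1 (CBC) columns.
C1_PLAIN = [0x4E6F772069732074, 0x68652074696D6520, 0x666F7220616C6C20]
C1_INPUT = [0x5C5B2158F9D8ED9B, 0x8DA2EDAAEE46975C, 0x25864620ED54F02F]
C1_CIPHER = [0xE5C7CDDE872BF27C, 0x43E934008C389C0F, 0x683788499A7C05F6]

# Constructed: the decrypt-side DES output column with one hex digit of
# row 1 altered (d8 -> 18), as a scan or retyping might do.
C1_OUTPUT_ONE_DIGIT_OFF = [0x5C5B2158F918ED9B] + C1_INPUT[1:]

# Table D2 (8-bit CFB) columns: plain text units, most significant byte of
# each DES output block, cipher text units, and DES input blocks.
D2_PLAIN = bytes.fromhex("4e6f7720697320746865")
D2_OUT_TOP = bytes.fromhex("bd70ad276867429a701a")
D2_CIPHER = bytes.fromhex("f31fda07011462ee187f")
D2_INPUT = [
    0x1234567890ABCDEF, 0x34567890ABCDEFF3, 0x567890ABCDEFF31F,
    0x7890ABCDEFF31FDA, 0x90ABCDEFF31FDA07, 0xABCDEFF31FDA0701,
    0xCDEFF31FDA070114, 0xEFF31FDA07011462, 0xF31FDA07011462EE,
    0x1FDA07011462EE18,
]


def chain_mismatches(iv, cipher, left, right):
    """Rows n (1-based) where left[n] XOR C[n-1] != right[n], with C[0] = IV.

    CBC encryption: left = plain text, right = DES input block.
    CBC decryption: left = DES output block, right = plain text.
    """
    bad, prev = [], iv
    for n, (c, lhs, rhs) in enumerate(zip(cipher, left, right), start=1):
        if lhs ^ prev != rhs:
            bad.append(n)
        prev = c
    return bad


def cfb_mismatches(iv, k, plain, out_top, cipher, inputs):
    """Check a K-bit CFB table: C = P XOR (top K bits of output), and the next
    input block is the old one shifted left K bits with C in the low K bits."""
    bad, reg = [], iv
    for n, (p, o, c, i) in enumerate(zip(plain, out_top, cipher, inputs), start=1):
        if reg != i:
            bad.append((n, "input block"))
        if p ^ o != c:
            bad.append((n, "cipher unit"))
        reg = ((reg << k) & MASK64) | c  # feedback uses the tabulated cipher unit
    return bad


def check_tables():
    """Run every check and return the mismatching rows for each."""
    return {
        "C1 encrypt": chain_mismatches(IV, C1_CIPHER, C1_PLAIN, C1_INPUT),
        "C1 decrypt": chain_mismatches(IV, C1_CIPHER, C1_INPUT, C1_PLAIN),
        "C1 decrypt, altered": chain_mismatches(
            IV, C1_CIPHER, C1_OUTPUT_ONE_DIGIT_OFF, C1_PLAIN),
        "D2": cfb_mismatches(IV, 8, D2_PLAIN, D2_OUT_TOP, D2_CIPHER, D2_INPUT),
    }


if __name__ == "__main__":
    for name, rows in check_tables().items():
        print(f"{name}: {rows if rows else 'consistent'}")
```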
