FIPS PUB 81

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

1980 December 2

DES MODES OF OPERATION

CATEGORY: ADP OPERATIONS
SUBCATEGORY: COMPUTER SECURITY

PMC Exhibit 2094
Apple v. PMC
IPR2016-00753

This material may be protected by Copyright law (Title 17 U.S. Code)

U.S. DEPARTMENT OF COMMERCE, Philip M. Klutznick, Secretary

Jordan J. Baruch, Assistant Secretary for Productivity, Technology and Innovation

NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Director

Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of Standards is the official publication relating to standards adopted and promulgated under the provisions of Public Law 89-306 (Brooks Act) and under Part 6 of Title 15, Code of Federal Regulations. These legislative and executive mandates have given the Secretary of Commerce important responsibilities for improving the utilization and management of computers and automatic data processing in the Federal Government. To carry out the Secretary's responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides leadership, technical guidance and coordination of Government efforts in the development of guidelines and standards in these areas.

Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC 20234.

James H. Burrows, Director
Institute for Computer Sciences and Technology

Abstract

The Federal Data Encryption Standard (DES) (FIPS 46) specifies a cryptographic algorithm to be used for the cryptographic protection of sensitive, but unclassified, computer data. This FIPS defines four modes of operation for the DES which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

security; cryptography; data security; DES; encryption; Federal Infor-

nd.

(045.7), Fed. Info. Process. Stand. Publ. (FIPS PUB) 81, 26 pages. (1981)
CODEN: FIPPAT

National Technical Information Service, U.S. Department of Commerce,

Federal Information Processing Standards Publication 81

1980 December 2

ANNOUNCING THE STANDARD FOR

DES MODES OF OPERATION

FIPS PUB 81

Federal Information Processing Standards Publications are issued by the National Bureau of Standards pursuant to the Federal Property and Administrative Services Act of 1949, as amended, Public Law 89-306 (79 Stat. 1127), Executive Order 11717 (38 FR 12315, dated May 11, 1973), and Part 6 of Title 15 Code of Federal Regulations (CFR).
`
1. Name of Standard. DES Modes of Operation.

2. Category of Standard. ADP Operations, computer security.

3. Explanation. The Federal Data Encryption Standard (DES) (FIPS 46) specifies a cryptographic algorithm to be used for the cryptographic protection of sensitive, but unclassified, computer data. This FIPS defines four modes of operation for the DES which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

The body of this standard provides specifications of the recommended modes of operation but does not specify the necessary and sufficient conditions for their secure implementation in a particular application. This standard specifies the numbering of data bits, how the bits are encrypted and decrypted, and the data paths and the data processing necessary for encrypting and decrypting data or messages. This standard is based on (and references) the DES and provides the next level of detail necessary for providing compatibility among DES equipment. This standard anticipates the development of a set of application standards which reference it such as communication security standards, data storage standards, password protection standards and key management standards. Cryptographic system designers or security application designers must select one or more of the possible modes of operation for implementing and using the DES in a cryptographic system or security application. The Appendices to this standard provide tutorial information on the modes of operation and examples for validating their correct implementation. The Appendices are guidelines and are not mandatory requirements of this standard.
`
4. Approving Authority. Secretary of Commerce.

5. Maintenance Agency. U.S. Department of Commerce, National Bureau of Standards, Institute for Computer Sciences and Technology.

6. Related Documents.

FIPS PUB 46, "Data Encryption Standard," January 15, 1977.

(Proposed) Federal Standard 1026, "Telecommunications: Interoperability Requirements for Use of the Data Encryption Standard," May 20, 1980, draft.

(Proposed) Federal Standard 1027, "Telecommunications: Security Requirements for Use of the Data Encryption Standard," August 5, 1980, draft.

A list of currently approved FIPS may be obtained from the Standards Administration Office, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC 20234.

7. Applicability. This standard shall be used by Federal departments and agencies when procuring equipment or services which implement the Data Encryption Standard and which are intended for use in the cryptographic protection of sensitive, but unclassified, computer data. This standard may be used by anyone desiring to implement and use the Data Encryption Standard. The selection of one of the specified modes of operation will depend on the particular application being considered.

8. Specifications. Federal Information Processing Standard (FIPS 81) DES Modes of Operation (affixed).

9. Qualifications. The DES modes of operation described in this standard are based upon information provided by many sources within the Federal Government and private industry. These modes are presently being implemented in cryptographic equipment containing DES devices. However, a standard of this nature must, of necessity, remain flexible enough to adapt to advancements and innovations in science and technology. As such, this standard should not be construed as being either exhaustive or static. It will be reviewed every five years in order to incorporate new implementations whose technical and economic merit justify the issuance of a revised standard. FIPS 46 requires implementation of the DES algorithm in electronic devices when used by Federal departments and agencies. The DES, itself, must therefore be in hardware or firmware for Federal applications. However, the modes of operation specified in this standard may be implemented in software, hardware, or firmware.

10. Export Control. Cryptographic devices and technical data regarding them are subject to Federal Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through 128. Cryptographic devices implementing this standard and technical data regarding them must comply with these Federal regulations.

11. Patents. Cryptographic equipment implementing this standard may be covered by U.S. and foreign patents.

12. Implementation Schedule. This standard becomes effective on June 2, 1981.

13. Waivers. Heads of agencies may request that the requirements of this standard be waived in instances where it can be clearly demonstrated that there are appreciable performance or cost advantages to be gained and when the overall interests of the Federal Government are best served by granting the requested waiver. Such waiver requests will be reviewed by and are subject to the approval of the Secretary of Commerce. The waiver request must specify anticipated performance and cost advantages in the justification for the waiver.

Forty-five days should be allowed for review and response by the Secretary of Commerce. Waiver requests shall be submitted to the Secretary of Commerce, Washington, DC 20230, and labeled as a Request for a Waiver to this Federal Information Processing Standard. No agency shall take any action to deviate from this standard prior to the receipt of a waiver approval from the Secretary of Commerce. No agency shall implement or procure equipment using a DES mode of operation not conforming to this standard unless a waiver has been approved.

14. Where to Obtain Copies. Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 81 (FIPS PUB 81), and title. When microfiche is desired, this should be specified. Payment may be made by check, money order, or deposit account.

Federal Information Processing Standards Publication 81

1980 December 2

Specifications for

DES MODES OF OPERATION

FIPS PUB 81

CONTENTS

1. INTRODUCTION
1.1 Definitions, Abbreviations, and Conventions
2. ELECTRONIC CODEBOOK (ECB) MODE
3. CIPHER BLOCK CHAINING (CBC) MODE
4. CIPHER FEEDBACK (CFB) MODE
5. OUTPUT FEEDBACK (OFB) MODE

FIGURES

Figure 1. Electronic Codebook (ECB) Mode
Figure 2. Cipher Block Chaining (CBC) Mode
Figure 3. K-Bit Cipher Feedback (CFB) Mode
Figure 4. K-Bit Output Feedback (OFB) Mode
Figure A1. DES Mappings

TABLES

Table B1. An Example of the Electronic Codebook (ECB) Mode
Table C1. An Example of the Cipher Block Chaining (CBC) Mode
Table D1. An Example of the 1-Bit Cipher Feedback (CFB) Mode
Table D2. An Example of the 8-Bit Cipher Feedback (CFB) Mode
Table D3. An Example of the 64-Bit Cipher Feedback (CFB) Mode
Table D4. An Example of the 7-Bit Cipher Feedback Alternative Mode
Table D5. An Example of the 56-Bit Cipher Feedback Alternative Mode
Table E1. An Example of the 1-Bit Output Feedback (OFB) Mode
Table E2. An Example of the 8-Bit Output Feedback (OFB) Mode
Table F1. An Example of the Cipher Block Chaining (CBC) Mode for Authentication
Table F2. An Example of the Cipher Feedback (CFB) Mode for Authentication

APPENDICES

Appendix A. General Information
Appendix B. Electronic Codebook (ECB) Mode
Appendix C. Cipher Block Chaining (CBC) Mode
Appendix D. Cipher Feedback (CFB) Mode
Appendix E. Output Feedback (OFB) Mode
Appendix F. DES Authentication Techniques

1. Introduction. Binary data may be cryptographically protected (encrypted) using devices implementing the algorithm specified in the Data Encryption Standard (DES) (FIPS PUB 46) in conjunction with a cryptographic key. The cryptographic key controls the encryption process and the identical key must also be used in the decryption process to obtain the original data. Since the DES is publicly defined, cryptographic security depends on the secrecy of the cryptographic key.

The binary format of a cryptographic key is:

(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)

where (B1,B2,...,B56) are the independent bits of a DES key and (P1,P2,...,P8) are reserved for parity bits computed on the preceding seven independent bits and set so that the parity of the octet is odd, i.e., there is an odd number of "1" bits in the octet.

The hexadecimal format of a cryptographic key is:

(H1H2 H3H4 ... H15H16)

where (H1,H2,...,H16) are hexadecimal characters from the set (0,1,...,9,A,B,C,D,E,F). The embedded blanks in the format are optional and lower case letters may be used in place of the upper case letters. This standard assumes that a cryptographic key has been entered into a DES device prior to encryption or decryption.
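
The key format above can be checked mechanically before a key is loaded. The following is an added example, not part of FIPS PUB 81: it parses the hexadecimal format, verifies odd parity in each octet, and converts between the 56 independent bits and the 64-bit key. All function names are assumptions made for this illustration.

```python
import re


def parse_hex_key(text: str) -> bytes:
    """Parse (H1H2 H3H4 ... H15H16): 16 hexadecimal characters, embedded
    blanks optional, upper or lower case. Returns the eight key octets."""
    compact = text.replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", compact):
        raise ValueError("expected 16 hexadecimal characters (H1..H16)")
    return bytes.fromhex(compact)


def ones(value: int) -> int:
    """Number of '1' bits in value."""
    return bin(value).count("1")


def bad_parity_octets(key: bytes) -> list[int]:
    """1-based numbers of the octets that do NOT have odd parity."""
    return [n for n, octet in enumerate(key, start=1) if ones(octet) % 2 == 0]


def set_odd_parity(key: bytes) -> bytes:
    """Recompute P1..P8 (the rightmost bit of each octet) from the seven
    independent bits to its left so that every octet has odd parity."""
    fixed = bytearray()
    for octet in key:
        seven = octet & 0xFE
        fixed.append(seven | (0 if ones(seven) % 2 else 1))
    return bytes(fixed)


def independent_bits(key: bytes) -> int:
    """Strip P1..P8 and return B1..B56 as an integer (B1 is the top bit)."""
    value = 0
    for octet in key:
        value = (value << 7) | (octet >> 1)
    return value


def key_from_independent_bits(bits56: int) -> bytes:
    """Build the 64-bit key (B1..B7,P1,...,B50..B56,P8) from 56 bits."""
    if not 0 <= bits56 < 1 << 56:
        raise ValueError("expected a 56-bit value")
    octets = [((bits56 >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8)]
    return set_odd_parity(bytes(octets))


def load_key(text: str) -> bytes:
    """Parse a key and refuse it if any octet fails the odd-parity check."""
    key = parse_hex_key(text)
    bad = bad_parity_octets(key)
    if bad:
        raise ValueError(f"parity is not odd in octet(s) {bad}")
    return key
```

Because each octet carries its own parity bit, a single flipped bit anywhere in the key is detected and localized to one octet by `bad_parity_octets`.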
`
1.1 Definitions, Abbreviations, and Conventions. The following definitions, abbreviations and conventions shall be used throughout this standard:

BIT: A binary digit denoted as a "0" or a "1."

BINARY VECTOR: A sequence of bits.

BLOCK: A binary vector consisting of sixty-four bits numbered from the left as 1, 2, ..., 64 and denoted as (B1,B2,...,B64).

CBC: Cipher Block Chaining.

CFB: Cipher Feedback.

CIPHER TEXT: Encrypted data.

CRYPTOGRAPHIC KEY: A 64-bit parameter consisting of 56 independent bits and 8 parity bits used in a DES device to control the encrypt and decrypt operations. (Synonyms: KEY, KEY VARIABLE).

DATA UNIT: A binary vector of K bits that is encrypted as an entity and denoted as (D1,D2,...,DK) where K = 1,2,...,64 and where D1,D2,...,DK represent bits.

DECRYPTION: The process of changing cipher text into plain text. Verb: DECRYPT. (Synonym: DECIPHER).

DECRYPT STATE: The state of a DES device executing the deciphering operation specified in FIPS PUB 46.

DES: Data Encryption Standard; specified in FIPS PUB 46.

DES DEVICE: The electronic component used to implement the DES algorithm, typically an integrated circuit chip or a micro-computer with the DES algorithm specified in a read-only memory program.

DES INPUT BLOCK: A block that is entered into the DES device for either encryption or decryption. The input block shall be designated (I1,I2,...,I64) where I1,I2,...,I64 represent bits.

DES OUTPUT BLOCK: A block that is the final result of an encryption or decryption operation of a DES device. The output block shall be designated (O1,O2,...,O64) where O1,O2,...,O64 represent bits.

ECB: Electronic Codebook.

ENCRYPTION: The process of changing plain text into cipher text. Verb: ENCRYPT. (Synonym: ENCIPHER).

ENCRYPT STATE: The state of a DES device executing the enciphering operation specified in FIPS PUB 46.

EXCLUSIVE-OR OPERATION: The bit-by-bit modulo-2 addition of two binary vectors of equal length. This operation is represented by a "⊕" in this standard.

INITIALIZATION VECTOR (IV): A binary vector used in the initial input block in the CFB and OFB modes and as the randomizing block that is exclusive-ORed with the first data block in the CBC mode.

LEAST SIGNIFICANT BIT(S): The right-most bit(s) of a binary vector. (Synonym: Low order bit(s)).

MESSAGE (MSG): A logical data entity consisting of a sequence of data units (e.g., bits, octets, characters, fixed length numbers) that is encrypted as an entity.

MOST SIGNIFICANT BIT(S): The left-most bit(s) of a binary vector. (Synonym: High order bit(s)).

OCTET: A group of eight binary digits numbered from left to right: B1,B2,...,B8.

OFB: Output Feedback.

PLAIN TEXT: Unencrypted data.
`
2. Electronic Codebook (ECB) Mode. The Electronic Codebook (ECB) mode is defined as follows (Figure 1). In ECB encryption, a plain text data block (D1,D2,...,D64) is used directly as the DES input block (I1,I2,...,I64). The input block is processed through a DES device in the encrypt state. The resultant output block (O1,O2,...,O64) is used directly as cipher text (C1,C2,...,C64) or may be used in subsequent ADP applications.

In ECB decryption, a cipher text block (C1,C2,...,C64) is used directly as the DES input block (I1,I2,...,I64). The input block is then processed through a DES device in the decrypt state. The resultant output block (O1,O2,...,O64) is the plain text (D1,D2,...,D64) or may be used in subsequent ADP applications. The ECB decryption process is the same as the ECB encryption process except that the decrypt state of the DES device is used rather than the encrypt state.

FIGURE 1: ELECTRONIC CODEBOOK (ECB) MODE
[Figure. ECB ENCRYPTION: PLAIN TEXT (D1,D2,...,D64), INPUT BLOCK (I1,I2,...,I64), DES ENCRYPT, OUTPUT BLOCK (O1,O2,...,O64), CIPHER TEXT (C1,C2,...,C64). ECB DECRYPTION: CIPHER TEXT (C1,C2,...,C64), INPUT BLOCK (I1,I2,...,I64), DES DECRYPT, OUTPUT BLOCK (O1,O2,...,O64), PLAIN TEXT (D1,D2,...,D64).]

3. Cipher Block Chaining (CBC) Mode. The Cipher Block Chaining (CBC) mode is defined as follows (Figure 2). A message to be encrypted is divided into blocks. In CBC encryption, the first DES input block is formed by exclusive-ORing the first block of a message with a 64-bit initialization vector (IV), i.e., (I1,I2,...,I64) = (IV1⊕D1,IV2⊕D2,...,IV64⊕D64). The input block is processed through a DES device in the encrypt state, and the resulting output block is used as the cipher text, i.e., (C1,C2,...,C64) = (O1,O2,...,O64). This first cipher text block is then exclusive-ORed with the second plain text data block to produce the second DES input block, i.e., (I1,I2,...,I64) = (C1⊕D1,C2⊕D2,...,C64⊕D64). Note that I and D now refer to the second block. The second input block is processed through the DES device in the encrypt state to produce the second cipher text block. This encryption process continues to "chain" successive cipher and plain text blocks together until the last plain text block in the message is encrypted. If the message does not consist of an integral number of data blocks, then the final partial data block should be encrypted in a manner specified for the application. One such method is described in Appendix C of this standard.

FIGURE 2: CIPHER BLOCK CHAINING (CBC) MODE
[Figure. ENCRYPT and DECRYPT panels. LEGEND: D = DATA BLOCK J; I = ENCRYPTION INPUT BLOCK J; C = CIPHER BLOCK J; IV = INITIALIZATION VECTOR; ⊕ = EXCLUSIVE-OR.]

In CBC decryption, the first cipher text block of an encrypted message is used as the input block and is processed through a DES device in the decrypt state, i.e., (I1,I2,...,I64) = (C1,C2,...,C64). The resulting output block, which equals the original input block to the DES during encryption, is exclusive-ORed with the IV (must be same as that used during encryption) to produce the first plain text block, i.e., (D1,D2,...,D64) = (O1⊕IV1,O2⊕IV2,...,O64⊕IV64). The second cipher text block is then used as the input block and is processed through the DES in the decrypt state and the resulting output block is exclusive-ORed with the first cipher text block to produce the second plain text data block, i.e., (D1,D2,...,D64) = (O1⊕C1,O2⊕C2,...,O64⊕C64). Note that again the D and O refer to the second block. The CBC decryption process continues in this manner until the last complete cipher text block has been decrypted. Cipher text representing a partial data block must be decrypted in a manner as specified for the application.
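
The ECB and CBC data paths of Sections 2 and 3, as an added example that is not part of the standard. Because the Python standard library has no DES, `toy_encrypt` and `toy_decrypt` are a stand-in 64-bit Feistel cipher (an assumption, not DES) playing the role of the DES device in its encrypt and decrypt states; the key, IV and message are constructed sample values.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function of the stand-in cipher (hypothetical, illustration only)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def toy_encrypt(key: bytes, block: int) -> int:
    """Stands in for 'DES device in the encrypt state'. NOT DES."""
    left, right = block >> 32, block & MASK32
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 32) | right


def toy_decrypt(key: bytes, block: int) -> int:
    """Stands in for 'DES device in the decrypt state'. NOT DES."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 32) | right


def to_blocks(message: bytes) -> list[int]:
    """Split a message into 64-bit blocks; bit 1 is the leftmost bit."""
    if len(message) % 8:
        # Partial final blocks are left to the application by the standard.
        raise ValueError("message is not an integral number of 64-bit blocks")
    return [int.from_bytes(message[i:i + 8], "big") for i in range(0, len(message), 8)]


def from_blocks(blocks: list[int]) -> bytes:
    return b"".join(block.to_bytes(8, "big") for block in blocks)


def ecb_encrypt(key: bytes, blocks: list[int]) -> list[int]:
    return [toy_encrypt(key, d) for d in blocks]        # I = D, C = O


def ecb_decrypt(key: bytes, blocks: list[int]) -> list[int]:
    return [toy_decrypt(key, c) for c in blocks]        # I = C, D = O


def cbc_encrypt(key: bytes, iv: int, blocks: list[int]) -> list[int]:
    cipher, chain = [], iv
    for d in blocks:
        chain = toy_encrypt(key, chain ^ d)   # I = IV xor D, then previous C xor D
        cipher.append(chain)                  # C = O
    return cipher


def cbc_decrypt(key: bytes, iv: int, blocks: list[int]) -> list[int]:
    plain, chain = [], iv
    for c in blocks:
        plain.append(toy_decrypt(key, c) ^ chain)  # D = O xor IV, then O xor previous C
        chain = c
    return plain


# Constructed sample input: three identical blocks followed by a different one.
KEY = bytes.fromhex("0123456789abcdef")
IV = 0x1234567890ABCDEF
MESSAGE = b"PAY 100." * 3 + b"END-MSG."


def demo() -> dict:
    blocks = to_blocks(MESSAGE)
    ecb = ecb_encrypt(KEY, blocks)
    cbc = cbc_encrypt(KEY, IV, blocks)
    wrong_iv = cbc_decrypt(KEY, IV ^ 1, cbc)   # IV differs in one bit
    return {
        "ecb_distinct": len(set(ecb)),   # repeated plain blocks repeat in ECB
        "cbc_distinct": len(set(cbc)),   # chaining hides the repetition
        "ecb_ok": from_blocks(ecb_decrypt(KEY, ecb)) == MESSAGE,
        "cbc_ok": from_blocks(cbc_decrypt(KEY, IV, cbc)) == MESSAGE,
        "wrong_iv_bad_blocks": [j for j, (a, b) in enumerate(zip(wrong_iv, blocks)) if a != b],
    }


if __name__ == "__main__":
    print(demo())
```

With these inputs ECB yields only two distinct cipher blocks for the four-block message, and decrypting CBC with an IV that differs from the one used during encryption damages only the first plain text block.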
`
4. Cipher Feedback (CFB) Mode. The Cipher Feedback (CFB) mode is defined as follows (Figure 3). A message to be encrypted is divided into data units each containing K bits (K = 1,2,...,64). In both the CFB encrypt and decrypt operations, an initialization vector (IV) of length L is used. The IV is placed in the least significant bits of the DES input block with the unused bits set to "0's," i.e., (I1,I2,...,I64) = (0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the encrypt state to produce an output block. During encryption, cipher text is produced by exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases the unused bits of the DES output block are discarded. In both cases the next input block is created by discarding the most significant K bits of the previous input block, shifting the remaining bits K positions to the left and then inserting the K bits of cipher text just produced in the encryption operation or just used in the decrypt operation into the least significant bit positions, i.e., (I1,I2,...,I64) = (I[K+1],I[K+2],...,I64,C1,C2,...,CK). This input block is then processed through the DES device in the encrypt state to produce the next output block. This process continues until the entire plain text message has been encrypted or until the entire cipher text message has been decrypted.

The CFB mode may operate on data units of length 1 through 64 inclusive. K-bit CFB is defined to be the CFB mode operating on data units of length K for K = 1,2,...,64. For each operation of the DES device one K-bit unit of plain text produces one K-bit unit of cipher text or one K-bit unit of cipher text produces one K-bit unit of plain text.

An acceptable alternative for 8-bit CFB when enciphering 7-bit entities using an 8-bit feedback path is to insert a "1" bit in bit position one of the 8-bit feedback path, i.e., (1,C1,C2,...,C7). This results in a "1" always being placed in bit location 57 of the DES input block. This alternative is called the 7-bit CFB(a) mode of operation.
`
FIGURE 3: K-BIT CIPHER FEEDBACK (CFB) MODE
[Figure. ENCRYPTION and DECRYPTION panels, each showing: INPUT BLOCK ((64-K) BITS | K BITS) with SHIFT and FEEDBACK of K BITS, DES ENCRYPT, OUTPUT BLOCK (SELECT K BITS | DISCARD (64-K) BITS), PLAIN TEXT K BITS, CIPHER TEXT K BITS. INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.]

5. Output Feedback (OFB) Mode. The Output Feedback (OFB) mode is defined as follows (Figure 4). A message to be encrypted is divided into data units each containing K bits (K = 1,2,...,64). In both the OFB encrypt and decrypt operations, an initialization vector (IV) of length L is used. The IV is placed in the least significant bits of the DES input block with the unused bits set to "0's," i.e., (I1,I2,...,I64) = (0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the encrypt state to produce an output block. During encryption, cipher text is produced by exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases the unused bits of the DES output block are discarded. In both cases the next input block is created by discarding the most significant K bits of the previous input block, shifting the remaining bits K positions to the left and then inserting the K bits of output just used into the least significant bit positions, i.e., (I1,I2,...,I64) = (I[K+1],I[K+2],...,I64,O1,O2,...,OK). This input block is then processed through the DES device in the encrypt state to produce the next output block. This process continues until the entire plain text message has been encrypted or until the entire cipher text message has been decrypted.

FIGURE 4: K-BIT OUTPUT FEEDBACK (OFB) MODE
[Figure. ENCRYPTION and DECRYPTION panels, each showing: INPUT BLOCK ((64-K) BITS | K BITS) with SHIFT and FEEDBACK of K BITS, DES ENCRYPT, OUTPUT BLOCK (SELECT K BITS | DISCARD (64-K) BITS), PLAIN TEXT K BITS, CIPHER TEXT K BITS. INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.]

The OFB mode may operate on data units of length 1 through 64 inclusive. K-bit OFB is defined to be the OFB mode operating on data units of length K for K = 1,2,...,64. For each operation of the DES device one K-bit unit of plain text produces one K-bit unit of cipher text or one K-bit unit of cipher text produces one K-bit unit of plain text.
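
K-bit CFB and K-bit OFB from Sections 4 and 5 differ only in what is shifted back into the input block, which the following added example (not part of the standard) makes explicit in one shift-register loop. `encrypt_state` is a stand-in built from HMAC-SHA-256 truncated to 64 bits (an assumption, not DES); the key, IV and sample units are constructed, and `damaged_units` is a hypothetical helper that shows how far a single cipher text bit error reaches in each mode.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1

# Constructed sample values.
KEY = bytes.fromhex("0123456789abcdef")
IV = 0x1234567890ABCDEF
SAMPLE = list(b"FIPS 81 feedback modes..")   # 24 data units of K = 8 bits


def encrypt_state(key: bytes, block: int) -> int:
    """Stand-in for 'DES device in the encrypt state'. NOT DES.
    CFB and OFB use only the encrypt state, so no inverse is required."""
    mac = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def initial_input_block(iv: int, iv_len: int) -> int:
    """(0,0,...,0,IV1,...,IVL): an L-bit IV right justified, unused bits zero."""
    if not 1 <= iv_len <= 64:
        raise ValueError("IV length L must be 1..64")
    if iv < 0 or iv >> iv_len:
        raise ValueError("IV does not fit in L bits")
    return iv


def run_mode(mode, key, iv, units, k, decrypt=False, iv_len=64):
    """Process K-bit data units (ints) in 'CFB' or 'OFB' mode."""
    if mode not in ("CFB", "OFB"):
        raise ValueError("mode must be 'CFB' or 'OFB'")
    if not 1 <= k <= 64:
        raise ValueError("K must be 1..64")
    register = initial_input_block(iv, iv_len)          # DES input block
    results = []
    for unit in units:
        if unit < 0 or unit >> k:
            raise ValueError("data unit does not fit in K bits")
        # Most significant K bits of the output block; the rest is discarded.
        selected = encrypt_state(key, register) >> (64 - k)
        result = unit ^ selected
        if mode == "OFB":
            feedback = selected                          # output just used
        else:
            # Cipher text just produced (encrypt) or just used (decrypt).
            feedback = unit if decrypt else result
        # Drop the top K bits, shift left K, insert feedback at the bottom.
        register = ((register << k) & MASK64) | feedback
        results.append(result)
    return results


def damaged_units(mode, k, plain_units, hit, key=KEY, iv=IV):
    """Flip the lowest bit of cipher unit `hit` in transit and return the
    indices of the plain text units that then decrypt incorrectly."""
    cipher = run_mode(mode, key, iv, plain_units, k)
    cipher[hit] ^= 1
    back = run_mode(mode, key, iv, cipher, k, decrypt=True)
    return [j for j, (a, b) in enumerate(zip(back, plain_units)) if a != b]


if __name__ == "__main__":
    print("OFB damaged units:", damaged_units("OFB", 8, SAMPLE, 3))
    print("CFB damaged units:", damaged_units("CFB", 8, SAMPLE, 3))
```

In OFB the damage stays in the unit that was hit, because the input block never sees cipher text. In 8-bit CFB the bad unit sits in the input block for the next 64/K = 8 operations and decryption recovers once it has been shifted out.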

APPENDIX A

GENERAL INFORMATION

The National Bureau of Standards issued Federal Information Processing Standards Publication 46 (FIPS PUB 46) in 1977. That standard specifies a cryptographic algorithm, commonly called the Data Encryption Standard (DES) algorithm, to be used within the Federal Government for the cryptographic protection of sensitive, but unclassified, computer data. The DES algorithm was developed by the International Business Machines Corporation (IBM) and submitted to the National Bureau of Standards during an NBS public solicitation for cryptographic algorithms to be used in a Federal Information Processing Standard. Several methods for incorporating this algorithm into a cryptographic system are possible. These methods, external to the DES algorithm, have come to be called the "modes of operation." Four modes, called the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode, are specified in this standard. ECB is a direct application of the DES algorithm to encrypt and decrypt data; CBC is an enhanced mode of ECB which chains together blocks of cipher text; CFB uses previously generated cipher text as input to the DES to generate pseudo-random outputs which are combined with the plain text to produce cipher text, thereby chaining together the resulting cipher text; OFB is identical to CFB except that the previous output of the DES is used as input in OFB while the previous cipher text is used as input in CFB. OFB does not chain the cipher text. The proposed FIPS specifies these four modes because they are capable of providing acceptable levels of protection for all anticipated unclassified Federal ADP encryption applications.

Unencrypted data is called plain text. Encryption (also called enciphering) is the process of transforming plain text into cipher text. Decryption (also called deciphering) is the inverse transformation. The encryption and decryption processes are performed according to a set of rules, called an algorithm, that is typically based on a parameter called a key. The key is usually the only parameter that must be provided to or by the users of a cryptographic system and must be kept secret. The period of time over which a particular key is used to encrypt or decrypt data is called its cryptoperiod.

Mathematically, the DES maps the set of all possible 64-bit vectors onto itself. See Figure A1. There are 2^64 (2 raised to the 64th power) elements in this set, including all binary numbers from 0 up to, but not including, 2^64. The DES cryptographic key allows a user to select any one of 2^56 possible invertible mappings, i.e., transformations that are one-to-one. Selecting a key selects one of the mappings. When using the DES in ECB mode and any particular key, each input is mapped onto a unique output in encryption and this output is mapped back onto the input in decryption. The DES is an iterative, block, product cipher system (i.e., encryption algorithm). A product cipher system mixes transposition and substitution operations in an alternating manner. Because the DES algorithm maps a 64-bit input block onto a 64-bit output block the DES is called a block cipher system. Iterative refers to the use of the output of an operation as the input for another iteration of the same procedure. The DES internally uses sixteen iterations of a pair of transposition and substitution operations to encrypt or decrypt an input block. A complete specification of the DES algorithm is found in FIPS PUB 46.

Two categories of methods for incorporating the DES in a cryptographic system are block methods and stream methods. In a block method, the DES input block is (or is a simple function of) the plain text to be encrypted and the DES output block is the cipher text. A stream method is based on generating a pseudo-random binary stream of bits, and then using the exclusive-OR binary operation to combine this pseudo-random sequence with the plain text to produce the cipher text. Since the exclusive-OR operator is its own binary inverse, the same pseudo-random binary stream is used for both the encryption of plain text, P, and the decryption of cipher text, C. If O is the pseudo-random binary stream, then C = P ⊕ O and inversely, P = C ⊕ O.
`
FIGURE A1: DES MAPPINGS
[Figure. INPUT SPACE (2^64 ELEMENTS) and OUTPUT SPACE (2^64 ELEMENTS) joined by 2^56 MAPPINGS, with ENCRYPT and DECRYPT directions.]
`
APPENDIX B

ELECTRONIC CODEBOOK (ECB) MODE

The Electronic Codebook (ECB) mode is a basic, block, cryptographic method which transforms 64 bits of input to 64 bits of output as specified in FIPS PUB 46. The analogy to a codebook arises because the same plain text block always produces the same cipher text block for a given cryptographic key. Thus a list (or codebook) of plain text blocks and corresponding cipher text blocks theoretically could be constructed for any given key. In electronic implementation the codebook entries are calculated each time for the plain text to be encrypted and, inversely, for the cipher text to be decrypted.

Since each bit of an ECB output block is a complex function of all 64 bits of the input block and all 56 independent (non-parity) bits of the cryptographic key, a single bit error in either a cipher text block or the non-parity key bits used for decryption will cause the decrypted plain text block to have an average error rate of fifty percent. However, an error in one ECB cipher text block will not affect the decryption of other blocks, i.e., there is no error extension between ECB blocks.

If block boundaries are lost between encryption and decryption (e.g., a bit slip), then synchronization between the encryption and decryption operations will be lost until correct block boundaries are reestablished. The results of all decryption operations will be incorrect until this occurs.

Since the ECB mode is a 64-bit block cipher, an ECB device must encrypt data in integral multiples of sixty-four bits. If a user has less than sixty-four bits to encrypt, then the least signifi