FIPS PUB 81

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

1980 December 2

DES MODES OF OPERATION

CATEGORY: ADP OPERATIONS
SUBCATEGORY: COMPUTER SECURITY
PMC Exhibit 2094
Apple v. PMC
IPR2016-00753
`
`
`
This material may be protected by copyright law (Title 17 U.S. Code)
`
`
`
U.S. DEPARTMENT OF COMMERCE, Philip M. Klutznick, Secretary

Jordan J. Baruch, Assistant Secretary for Productivity, Technology and Innovation

NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Director
`
Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of Standards is the official publication relating to standards adopted and promulgated under the provisions of Public Law 89-306 (Brooks Act) and under Part 6 of Title 15, Code of Federal Regulations. These legislative and executive mandates have given the Secretary of Commerce important responsibilities for improving the utilization and management of computers and automatic data processing in the Federal Government. To carry out the Secretary's responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides leadership, technical guidance and coordination of Government efforts in the development of guidelines and standards in these areas.

Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC 20234.

James H. Burrows, Director
Institute for Computer Sciences and Technology
`
Abstract

The Federal Data Encryption Standard (DES) (FIPS 46) specifies a cryptographic algorithm to be used for the cryptographic protection of sensitive, but unclassified, computer data. This FIPS defines four modes of operation for the DES which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

Key words: computer security; cryptography; data security; DES; encryption; Federal Information Processing Standards; modes of operation.

Nat. Bur. Stand. (U.S.), Fed. Info. Process. Stand. Publ. (FIPS PUB) 81, 26 pages. (1980) CODEN: FIPPAT

National Technical Information Service, U.S. Department of Commerce,
`
`
`
`
`
`
Federal Information Processing Standards Publication 81

1980 December 2

ANNOUNCING THE STANDARD FOR

DES MODES OF OPERATION

Federal Information Processing Standards Publications are issued by the National Bureau of Standards pursuant to the Federal Property and Administrative Services Act of 1949, as amended, Public Law 89-306 (79 Stat. 1127), Executive Order 11717 (38 FR 12315, dated May 11, 1973), and Part 6 of Title 15 Code of Federal Regulations (CFR).

1. Name of Standard. DES Modes of Operation.

2. Category of Standard. ADP Operations, computer security.

3. Explanation. The Federal Data Encryption Standard (DES) (FIPS 46) specifies a cryptographic algorithm to be used for the cryptographic protection of sensitive, but unclassified, computer data. This FIPS defines four modes of operation for the DES which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

The body of this standard provides specifications of the recommended modes of operation but does not specify the necessary and sufficient conditions for their secure implementation in a particular application. This standard specifies the numbering of data bits, how the bits are encrypted and decrypted, and the data paths and the data processing necessary for encrypting and decrypting data or messages. This standard is based on (and references) the DES and provides the next level of detail necessary for providing compatibility among DES equipment. This standard anticipates the development of a set of application standards which reference it such as communication security standards, data storage standards, password protection standards and key management standards. Cryptographic system designers or security application designers must select one or more of the possible modes of operation for implementing and using the DES in a cryptographic system or security application. The Appendices to this standard provide tutorial information on the modes of operation and examples for validating their correct implementation. The Appendices are guidelines and are not mandatory requirements of this standard.

4. Approving Authority. Secretary of Commerce.

5. Maintenance Agency. U.S. Department of Commerce, National Bureau of Standards, Institute for Computer Sciences and Technology.

6. Related Documents.

FIPS PUB 46, "Data Encryption Standard," January 15, 1977.

(Proposed) Federal Standard 1026, "Telecommunications: Interoperability Requirements for Use of the Data Encryption Standard," May 26, 1980, draft.

(Proposed) Federal Standard 1027, "Telecommunications: Security Requirements for Use of the Data Encryption Standard," August 5, 1980, draft.
`
A list of currently approved FIPS may be obtained from the Standards Administration Office, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC 20234.

7. Applicability. This standard shall be used by Federal departments and agencies when procuring equipment or services which implement the Data Encryption Standard and which are intended for use in the cryptographic protection of sensitive, but unclassified, computer data. This standard may be used by anyone desiring to implement and use the Data Encryption Standard. The selection of one of the specified modes of operation will depend on the particular application being considered.

8. Specifications. Federal Information Processing Standard (FIPS 81) DES Modes of Operation (affixed).

9. Qualifications. The DES modes of operation described in this standard are based upon information provided by many sources within the Federal Government and private industry. These modes are presently being implemented in cryptographic equipment containing DES devices. However, a standard of this nature must, of necessity, remain flexible enough to adapt to advancements and innovations in science and technology. As such, this standard should not be construed as being either exhaustive or static. It will be reviewed every five years in order to incorporate new implementations whose technical and economic merit justify the issuance of a revised standard. FIPS 46 requires implementation of the DES algorithm in electronic devices when used by Federal departments and agencies. The DES, itself, must therefore be in hardware or firmware for Federal applications. However, the modes of operation specified in this standard may be implemented in software, hardware, or firmware.

10. Export Control. Cryptographic devices and technical data regarding them are subject to Federal Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through 128. Cryptographic devices implementing this standard and technical data regarding them must comply with these Federal regulations.

11. Patents. Cryptographic equipment implementing this standard may be covered by U.S. and foreign patents.

12. Implementation Schedule. This standard becomes effective on June 2, 1981.

13. Waivers. Heads of agencies may request that the requirements of this standard be waived in instances where it can be clearly demonstrated that there are appreciable performance or cost advantages to be gained and when the overall interests of the Federal Government are best served by granting the requested waiver. Such waiver requests will be reviewed by and are subject to the approval of the Secretary of Commerce. The waiver request must specify anticipated performance and cost advantages in the justification for the waiver.

Forty-five days should be allowed for review and response by the Secretary of Commerce. Waiver requests shall be submitted to the Secretary of Commerce, Washington, DC 20230, and labeled as a Request for a Waiver to this Federal Information Processing Standard. No agency shall take any action to deviate from this standard prior to the receipt of a waiver approval from the Secretary of Commerce. No agency shall implement or procure equipment using a DES mode of operation not conforming to this standard unless a waiver has been approved.

14. Where to Obtain Copies. Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information Processing Standards Publication 81 (FIPS PUB 81), and title. When microfiche is desired, this should be specified. Payment may be made by check, money order, or deposit account.
`
`
`
`
Federal Information Processing Standards Publication 81

1980 December 2

Specifications for

DES MODES OF OPERATION

CONTENTS

1. INTRODUCTION
1.1 Definitions, Abbreviations, and Conventions
2. ELECTRONIC CODEBOOK (ECB) MODE
3. CIPHER BLOCK CHAINING (CBC) MODE
4. CIPHER FEEDBACK (CFB) MODE
5. OUTPUT FEEDBACK (OFB) MODE

FIGURES

Figure 1. Electronic Codebook (ECB) Mode
Figure 2. Cipher Block Chaining (CBC) Mode
Figure 3. K-Bit Cipher Feedback (CFB) Mode
Figure 4. K-Bit Output Feedback (OFB) Mode
Figure A1. DES Mappings

TABLES

Table B1. Example of the Electronic Codebook (ECB) Mode
Table C1. Example of the Cipher Block Chaining (CBC) Mode
Table D1. Example of the 1-Bit Cipher Feedback (CFB) Mode
Table D2. Example of the 8-Bit Cipher Feedback (CFB) Mode
Table D3. Example of the 64-Bit Cipher Feedback (CFB) Mode
Table D4. Example of the 7-Bit Cipher Feedback Alternative Mode
Table D5. Example of the 56-Bit Cipher Feedback Alternative Mode
Table E1. Example of the 1-Bit Output Feedback (OFB) Mode
Table E2. Example of the 8-Bit Output Feedback (OFB) Mode
Table F1. Example of the Cipher Block Chaining (CBC) Mode for Authentication
Table F2. Example of the Cipher Feedback (CFB) Mode for Authentication

APPENDICES

Appendix A. General Information
Appendix B. Electronic Codebook (ECB) Mode
Appendix C. Cipher Block Chaining (CBC) Mode
Appendix D. Cipher Feedback (CFB) Mode
Appendix E. Output Feedback (OFB) Mode
Appendix F. DES Authentication Techniques
`
`
1. Introduction. Binary data may be cryptographically protected (encrypted) using devices implementing the algorithm specified in the Data Encryption Standard (DES) (FIPS PUB 46) in conjunction with a cryptographic key. The cryptographic key controls the encryption process and the identical key must also be used in the decryption process to obtain the original data. Since the DES is publicly defined, cryptographic security depends on the secrecy of the cryptographic key.

The binary format of a cryptographic key is:

(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)

where (B1,B2,...,B56) are the independent bits of a DES key and (P1,P2,...,P8) are reserved for parity bits computed on the preceding seven independent bits and set so that the parity of the octet is odd, i.e., there is an odd number of "1" bits in the octet.

The hexadecimal format of a cryptographic key is:

(H1H2 H3H4 ... H15H16)

where (H1,H2,...,H16) are hexadecimal characters from the set (0,1,...,9,A,B,C,D,E,F). The embedded blanks in the format are optional and lower case letters may be used in place of the upper case letters. This standard assumes that a cryptographic key has been entered into a DES device prior to encryption or decryption.
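The key format above, worked through in Python as an added example (it is not part of FIPS PUB 81). The function names and the two sample keys are constructed for illustration.

```python
# Added example, not part of FIPS PUB 81. Function names are hypothetical.

def parse_hex_key(text):
    """Parse 'H1H2 H3H4 ... H15H16' into 8 octets.

    Embedded blanks are optional and lower case is accepted, as the
    standard allows."""
    digits = "".join(text.split())
    if len(digits) != 16:
        raise ValueError("a key is 16 hexadecimal characters (64 bits)")
    return bytes.fromhex(digits)  # ValueError on a non-hex character


def parity_errors(key):
    """Return the 1-based numbers of the octets that do not contain an
    odd number of '1' bits."""
    return [n for n, octet in enumerate(key, 1)
            if bin(octet).count("1") % 2 == 0]


def set_odd_parity(key):
    """Recompute P1..P8, the right-most bit of each octet, from the
    seven independent bits that precede it."""
    fixed = bytearray()
    for octet in key:
        seven = octet & 0xFE                      # B bits of this octet
        parity = 0 if bin(seven).count("1") % 2 == 1 else 1
        fixed.append(seven | parity)
    return bytes(fixed)


def independent_bits(key):
    """Return (B1,...,B56) as a 56-bit integer with P1..P8 dropped."""
    value = 0
    for octet in key:
        value = (value << 7) | (octet >> 1)
    return value


# Constructed sample keys (not taken from the page).
GOOD = parse_hex_key("0123 4567 89ab cdef")   # blanks and lower case
BAD = parse_hex_key("0022446688AACCEE")       # every octet has even parity

if __name__ == "__main__":
    print("parity errors in GOOD:", parity_errors(GOOD))
    print("parity errors in BAD: ", parity_errors(BAD))
    print("BAD with parity set:  ", set_odd_parity(BAD).hex().upper())
    print("same 56 key bits:     ",
          independent_bits(GOOD) == independent_bits(BAD))
```

A device that rejects keys with parity errors catches single-bit corruption of a key octet during entry; the parity bits add nothing to the 56 bits of key material.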
`
1.1 Definitions, Abbreviations, and Conventions. The following definitions, abbreviations and conventions shall be used throughout this standard:

BIT: A binary digit denoted as a "0" or a "1."

BINARY VECTOR: A sequence of bits.

BLOCK: A binary vector consisting of sixty-four bits numbered from the left as 1, 2, ..., 64 and denoted as (B1,B2,...,B64).

CBC: Cipher Block Chaining.

CFB: Cipher Feedback.

CIPHER TEXT: Encrypted data.

CRYPTOGRAPHIC KEY: A 64-bit parameter consisting of 56 independent bits and 8 parity bits used in a DES device to control the encrypt and decrypt operations. (Synonyms: KEY, KEY VARIABLE).

DATA UNIT: A binary vector of K bits that is encrypted as an entity and denoted as (D1,D2,...,DK) where K = 1,2,...,64 and where D1,D2,...,DK represent bits.

DECRYPTION: The process of changing cipher text into plain text. Verb: DECRYPT. (Synonym: DECIPHER).

DECRYPT STATE: The state of a DES device executing the deciphering operation specified in FIPS PUB 46.

DES: Data Encryption Standard; specified in FIPS PUB 46.

DES DEVICE: The electronic component used to implement the DES algorithm, typically an integrated circuit chip or a micro-computer with the DES algorithm specified in a read-only memory program.

DES INPUT BLOCK: A block that is entered into the DES device for either encryption or decryption. The input block shall be designated (I1,I2,...,I64) where I1,I2,...,I64 represent bits.
`
DES OUTPUT BLOCK: A block that is the final result of an encryption or decryption operation of a DES device. The output block shall be designated (O1,O2,...,O64) where O1,O2,...,O64 represent bits.

ECB: Electronic Codebook.

ENCRYPTION: The process of changing plain text into cipher text. Verb: ENCRYPT. (Synonym: ENCIPHER).

ENCRYPT STATE: The state of a DES device executing the enciphering operation specified in FIPS PUB 46.

EXCLUSIVE-OR OPERATION: The bit-by-bit modulo-2 addition of two binary vectors of equal length. This operation is represented by a "⊕" in this standard.

INITIALIZATION VECTOR (IV): A binary vector used as the initial input block in the CFB and OFB modes and as the randomizing block that is exclusive-ORed with the first data block in the CBC mode.

LEAST SIGNIFICANT BIT(S): The right-most bit(s) of a binary vector. (Synonym: Low order bit(s)).

MESSAGE (TEXT): A logical data entity consisting of a sequence of data units (e.g., octets, characters, fixed length numbers) that is encrypted as an entity.

MOST SIGNIFICANT BIT(S): The left-most bit(s) of a binary vector. (Synonym: High order bit(s)).

OCTET: A group of eight binary digits numbered from left to right: B1,B2,...,B8.

OFB: Output Feedback.

PLAIN TEXT: Unencrypted data.
`
2. Electronic Codebook (ECB) Mode. The Electronic Codebook (ECB) mode is defined as follows (Figure 1). In ECB encryption, a plain text data block (D1,D2,...,D64) is used directly as the DES input block (I1,I2,...,I64). The input block is processed through a DES device in the encrypt state. The resultant output block (O1,O2,...,O64) is used directly as cipher text (C1,C2,...,C64) or may be used in subsequent ADP applications.

In ECB decryption, a cipher text block (C1,C2,...,C64) is used directly as the DES input block (I1,I2,...,I64). The input block is then processed through a DES device in the decrypt state. The resultant output block (O1,O2,...,O64) is the plain text (D1,D2,...,D64) or may be used in subsequent ADP applications. The ECB decryption process is the same as the ECB encryption process except that the decrypt state of the DES device is used rather than the encrypt state.

FIGURE 1: ELECTRONIC CODEBOOK (ECB) MODE
[Figure. ECB ENCRYPTION: PLAIN TEXT (D1,D2,...,D64), INPUT BLOCK (I1,I2,...,I64), DES ENCRYPT, OUTPUT BLOCK (O1,O2,...,O64), CIPHER TEXT (C1,C2,...,C64). ECB DECRYPTION: CIPHER TEXT (C1,C2,...,C64), INPUT BLOCK, DES DECRYPT, OUTPUT BLOCK, PLAIN TEXT (D1,D2,...,D64).]

3. Cipher Block Chaining (CBC) Mode. The Cipher Block Chaining (CBC) mode is defined as follows (Figure 2). A message to be encrypted is divided into blocks. In CBC encryption, the first DES input block is formed by exclusive-ORing the first block of a message with a 64-bit initialization vector (IV), i.e., (I1,I2,...,I64) = (IV1⊕D1,IV2⊕D2,...,IV64⊕D64). The input block is processed through a DES device in the encrypt state, and the resulting output block is used as the cipher text, i.e., (C1,C2,...,C64) = (O1,O2,...,O64). This first cipher text block is then exclusive-ORed with the second plain text data block to produce the second DES input block, i.e., (I1,I2,...,I64) = (C1⊕D1,C2⊕D2,...,C64⊕D64). Note that I and D now refer to the second block. The second input block is processed through the DES device in the encrypt state to produce the second cipher text block. This encryption process continues to "chain" successive cipher and plain text blocks together until the last plain text block in the message is encrypted. If the message does not consist of an integral number of data blocks, then the final partial data block should be encrypted in a manner specified for the application. One such method is described in Appendix C of this standard.

FIGURE 2: CIPHER BLOCK CHAINING (CBC) MODE
[Figure. Encryption and decryption data paths through DES ENCRYPT and DES DECRYPT.]
LEGEND
D = DATA BLOCK J
I = ENCRYPTION INPUT BLOCK J
C = CIPHER BLOCK J
IV = INITIALIZATION VECTOR
⊕ = EXCLUSIVE-OR

In CBC decryption, the first cipher text block of an encrypted message is used as the input block and is processed through a DES device in the decrypt state, i.e., (I1,I2,...,I64) = (C1,C2,...,C64). The resulting output block, which equals the original input block to the DES during encryption, is exclusive-ORed with the IV (must be same as that used during encryption) to produce the first plain text block, i.e., (D1,D2,...,D64) = (O1⊕IV1,O2⊕IV2,...,O64⊕IV64). The second cipher text block is then used as the input block and is processed through the DES in the decrypt state and the resulting output block is exclusive-ORed with the first cipher text block to produce the second plain text data block, i.e., (D1,D2,...,D64) = (O1⊕C1,O2⊕C2,...,O64⊕C64). Note that again the D and O refer to the second block. The CBC decryption process continues in this manner until the last complete cipher text block has been decrypted. Cipher text representing a partial data block must be decrypted in a manner as specified for the application.
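The ECB and CBC data paths of sections 2 and 3, as an added example that is not part of FIPS PUB 81. A 4-round Feistel permutation built on SHA-256 stands in for the DES device so the block runs with the standard library only; it is not DES, and the key, IV and message are constructed. The bit-error checks go beyond the text of these two sections and follow directly from the decryption equations.

```python
import hashlib

BLOCK = 8  # octets in the standard's 64-bit block


def round_fn(key, i, half):
    """Round function of the stand-in cipher: 32 bits of SHA-256."""
    digest = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def dev_encrypt(key, block):
    """Stand-in for a DES device in the encrypt state (NOT DES)."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(4):
        left, right = right, left ^ round_fn(key, i, right)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def dev_decrypt(key, block):
    """Stand-in for the same device in the decrypt state."""
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(4)):
        left, right = right ^ round_fn(key, i, left), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    if len(data) % BLOCK:
        # The standard leaves partial final blocks to the application.
        raise ValueError("message is not a whole number of 64-bit blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plain):
    return b"".join(dev_encrypt(key, d) for d in blocks(plain))   # I = D, C = O


def ecb_decrypt(key, cipher):
    return b"".join(dev_decrypt(key, c) for c in blocks(cipher))  # I = C, D = O


def cbc_encrypt(key, iv, plain):
    prev, out = iv, []
    for d in blocks(plain):
        prev = dev_encrypt(key, xor(prev, d))   # I = IV or previous C, XOR D
        out.append(prev)                        # C = O
    return b"".join(out)


def cbc_decrypt(key, iv, cipher):
    prev, out = iv, []
    for c in blocks(cipher):
        out.append(xor(dev_decrypt(key, c), prev))  # D = O XOR (IV or previous C)
        prev = c
    return b"".join(out)


def flip_bit(data, bit):
    """Flip one bit; bits are numbered from the left starting at 1."""
    damaged = bytearray(data)
    damaged[(bit - 1) // 8] ^= 0x80 >> ((bit - 1) % 8)
    return bytes(damaged)


def damaged_blocks(expected, actual):
    """1-based numbers of the 64-bit blocks that differ."""
    return [n for n, (a, b) in enumerate(zip(blocks(expected), blocks(actual)), 1)
            if a != b]


# Constructed sample values; plain text blocks 1 and 2 are identical.
KEY = bytes.fromhex("0123456789abcdef")
IV = bytes.fromhex("1122334455667788")
PT = b"SAMEBLK!" * 2 + b"lastblk."

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    print("ECB repeats block 1 as block 2:", ecb[:8] == ecb[8:16])
    print("CBC repeats block 1 as block 2:", cbc[:8] == cbc[8:16])
    # Flip the first bit of cipher text block 2 (bit 65 of the message).
    print("ECB blocks damaged:",
          damaged_blocks(PT, ecb_decrypt(KEY, flip_bit(ecb, 65))))
    print("CBC blocks damaged:",
          damaged_blocks(PT, cbc_decrypt(KEY, IV, flip_bit(cbc, 65))))
```

In CBC the damaged cipher text block decrypts to garbage, and the following plain text block differs in exactly the flipped bit position, because that cipher text block is the chaining value XORed into it.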
`
4. Cipher Feedback (CFB) Mode. The Cipher Feedback (CFB) mode is defined as follows (Figure 3). A message to be encrypted is divided into data units each containing K bits (K = 1,2,...,64). In both the CFB encrypt and decrypt operations, an initialization vector (IV) of length L is used. The IV is placed in the least significant bits of the DES input block with the unused bits set to "0's," i.e., (I1,I2,...,I64) = (0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the encrypt state to produce an output block. During encryption, cipher text is produced by exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases the unused bits of the DES output block are discarded. In both cases the next input block is created by discarding the most significant K bits of the previous input block, shifting the remaining bits K positions to the left and then inserting the K bits of cipher text just produced in the encryption operation or just used in the decrypt operation into the least significant bit positions, i.e., (I1,I2,...,I64) = (I[K+1],I[K+2],...,I64,C1,C2,...,CK). This input block is then processed through the DES device in the encrypt state to produce the next output block. This process continues until the entire plain text message has been encrypted or until the entire cipher text message has been decrypted.

The CFB mode may operate on data units of length 1 through 64 inclusive. K-bit CFB is defined to be the CFB mode operating on data units of length K for K = 1,2,...,64. For each operation of the DES device one K-bit unit of plain text produces one K-bit unit of cipher text or one K-bit unit of cipher text produces one K-bit unit of plain text.

An acceptable alternative for 8-bit CFB when enciphering 7-bit entities using an 8-bit feedback path is to insert a "1" bit in bit position one of the 8-bit feedback path, i.e., ("1",C1,C2,...,C7). This results in a "1" always being placed in bit location 57 of the DES input block. This alternative is called the 7-bit CFB(a) mode of operation.

FIGURE 3: K-BIT CIPHER FEEDBACK (CFB) MODE
[Figure. ENCRYPTION and DECRYPTION data paths. Labels: INPUT BLOCK, (64-K) BITS, K BITS, SHIFT, FEEDBACK K BITS, DES ENCRYPT, OUTPUT BLOCK, SELECT K BITS, DISCARD (64-K) BITS, PLAIN TEXT K BITS, CIPHER TEXT K BITS.]
INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.

5. Output Feedback (OFB) Mode. The Output Feedback (OFB) mode is defined as follows (Figure 4). A message to be encrypted is divided into data units each containing K bits (K = 1,2,...,64). In both the OFB encrypt and decrypt operations, an initialization vector (IV) of length L is used. The IV is placed in the least significant bits of the DES input block with the unused bits set to "0's," i.e., (I1,I2,...,I64) = (0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the encrypt state to produce an output block. During encryption, cipher text is produced by exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases the unused bits of the DES output block are discarded. In both cases the next input block is created by discarding the most significant K bits of the previous input block, shifting the remaining bits K positions to the left and then inserting the K bits of output just used into the least significant bit positions, i.e., (I1,I2,...,I64) = (I[K+1],I[K+2],...,I64,O1,O2,...,OK). This input block is then processed through the DES device in the encrypt state to produce the next output block. This process continues until the entire plain text message has been encrypted or until the entire cipher text message has been decrypted.

The OFB mode may operate on data units of length 1 through 64 inclusive. K-bit OFB is defined to be the OFB mode operating on data units of length K for K = 1,2,...,64. For each operation of the DES device one K-bit unit of plain text produces one K-bit unit of cipher text or one K-bit unit of cipher text produces one K-bit unit of plain text.

FIGURE 4: K-BIT OUTPUT FEEDBACK (OFB) MODE
[Figure. ENCRYPTION and DECRYPTION data paths. Labels: INPUT BLOCK, (64-K) BITS, K BITS, SHIFT, FEEDBACK K BITS, DES ENCRYPT, OUTPUT BLOCK, SELECT K BITS, DISCARD (64-K) BITS, PLAIN TEXT K BITS, CIPHER TEXT K BITS.]
INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.
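The K-bit shift-register procedure of sections 4 and 5, as an added example that is not part of FIPS PUB 81. A keyed 64-bit function taken from SHA-256 stands in for the DES device in the encrypt state (it is not DES); the key, IV and message are constructed. The error-propagation check at the end goes beyond the text and follows from how cipher text moves through the 64-bit input block.

```python
import hashlib

MASK64 = (1 << 64) - 1


def dev_encrypt(key, block):
    """Stand-in for a DES device in the encrypt state (NOT DES).
    CFB and OFB never use the decrypt state."""
    digest = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def to_units(data, k):
    """Split octets into K-bit data units, most significant bits first."""
    nbits = 8 * len(data)
    if nbits % k:
        raise ValueError("message is not a whole number of K-bit units")
    n = int.from_bytes(data, "big")
    return [(n >> (nbits - k * (i + 1))) & ((1 << k) - 1)
            for i in range(nbits // k)]


def from_units(units, k):
    n = 0
    for unit in units:
        n = (n << k) | unit
    return n.to_bytes(len(units) * k // 8, "big")


def feedback(key, iv, k, units, mode, decrypt=False, iv_len=64):
    """K-bit CFB or OFB over a list of K-bit integers."""
    if not 1 <= k <= 64:
        raise ValueError("K must be 1..64")
    if not 1 <= iv_len <= 64 or iv >> iv_len:
        raise ValueError("IV does not fit in L bits")
    if mode not in ("CFB", "OFB"):
        raise ValueError("mode must be CFB or OFB")
    reg = iv      # IV right-justified in the input block, unused bits 0
    out = []
    for unit in units:
        if unit >> k:
            raise ValueError("data unit wider than K bits")
        o = dev_encrypt(key, reg) >> (64 - k)   # most significant K bits
        result = unit ^ o                       # C = D xor O, or D = C xor O
        if mode == "OFB":
            fed = o                             # output bits just used
        else:
            fed = unit if decrypt else result   # cipher text used / produced
        reg = ((reg << k) & MASK64) | fed       # drop top K, shift, insert
        out.append(result)
    return out


def crypt(key, iv, k, data, mode, decrypt=False):
    return from_units(feedback(key, iv, k, to_units(data, k), mode, decrypt), k)


def changed_units(expected, actual):
    """1-based numbers of the data units that differ."""
    return [n for n, (a, b) in enumerate(zip(expected, actual), 1) if a != b]


# Constructed sample values (24 octets of message).
KEY = bytes.fromhex("0123456789abcdef")
IV = 0x1234567890ABCDEF
MSG = b"constructed sample text!"

if __name__ == "__main__":
    for mode in ("CFB", "OFB"):
        ct = feedback(KEY, IV, 8, to_units(MSG, 8), mode)
        ct[2] ^= 0x01                           # one bit error in unit 3
        rec = feedback(KEY, IV, 8, ct, mode, decrypt=True)
        print(mode, "units damaged:", changed_units(to_units(MSG, 8), rec))
```

With 8-bit CFB a damaged cipher text unit stays in the input block for 64/K = 8 further operations and then shifts out, so decryption recovers by itself; in OFB the error touches only the unit it occurred in, because cipher text is never fed back.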
`
APPENDIX A

GENERAL INFORMATION

The National Bureau of Standards issued Federal Information Processing Standards Publication 46 (FIPS PUB 46) in 1977. That standard specifies a cryptographic algorithm, commonly called the Data Encryption Standard (DES) algorithm, to be used within the Federal Government for the cryptographic protection of sensitive, but unclassified, computer data. The DES algorithm was developed by the International Business Machines Corporation (IBM) and submitted to the National Bureau of Standards during an NBS public solicitation for cryptographic algorithms to be used in a Federal Information Processing Standard. Several methods for incorporating this algorithm into a cryptographic system are possible. These methods, external to the DES algorithm, have come to be called the "modes of operation." Four modes, called the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode, are specified in this standard. ECB is a direct application of the DES algorithm to encrypt and decrypt data; CBC is an enhanced mode of ECB which chains together blocks of cipher text; CFB uses previously generated cipher text as input to the DES to generate pseudo-random outputs which are combined with the plain text to produce cipher text, thereby chaining together the resulting cipher text; OFB is identical to CFB except that the previous output of the DES is used as input in OFB while the previous cipher text is used as input in CFB. OFB does not chain the cipher text. The proposed FIPS specifies these four modes because they are capable of providing acceptable levels of protection for all anticipated unclassified Federal ADP encryption applications.

Unencrypted data is called plain text. Encryption (also called enciphering) is the process of transforming plain text into cipher text. Decryption (also called deciphering) is the inverse transformation. The encryption and decryption processes are performed according to a set of rules, called an algorithm, that is typically based on a parameter called a key. The key is usually the only parameter that must be provided to or by the users of a cryptographic system and must be kept secret. The period of time over which a particular key is used to encrypt or decrypt data is called its cryptoperiod.

Mathematically, the DES maps the set of all possible 64-bit vectors onto itself. See Figure A1. There are 2^64 (2 raised to the 64th power) elements in this set, including all binary numbers from 0 up to, but not including, 2^64. The DES cryptographic key allows a user to select any one of 2^56 possible invertible mappings, i.e., transformations that are one-to-one. Selecting a key selects one of the mappings. When using the DES in ECB mode and any particular key, each input is mapped onto a unique output in encryption and this output is mapped back onto the input in decryption. The DES is an iterative, block, product cipher system (i.e., encryption algorithm). A product cipher system mixes transposition and substitution operations in an alternating manner. Because the DES algorithm maps a 64-bit input block onto a 64-bit output block the DES is called a block cipher system. Iterative refers to the use of the output of an operation as the input for another iteration of the same procedure. The DES internally uses sixteen iterations of a pair of transposition and substitution operations to encrypt or decrypt an input block. A complete specification of the DES algorithm is found in FIPS PUB 46.

Two categories of methods for incorporating the DES in a cryptographic system are block methods and stream methods. In a block method, the DES input block is (or is a simple function of) the plain text to be encrypted and the DES output block is the cipher text. A stream method is based on generating a pseudo-random binary stream of bits, and then using the exclusive-OR binary operation to combine this pseudo-random sequence with the plain text to produce the cipher text. Since the exclusive-OR operator is its own binary inverse, the same pseudo-random binary stream is used for both the encryption of plain text, P, and the decryption of cipher text, C. If O is the pseudo-random binary stream, then C = P ⊕ O and inversely, P = C ⊕ O.
`
`
FIGURE A1: DES MAPPINGS
[Figure. ENCRYPT and DECRYPT mappings between an INPUT SPACE of 2^64 ELEMENTS and an OUTPUT SPACE of 2^64 ELEMENTS; 2^56 MAPPINGS.]
`
APPENDIX B

ELECTRONIC CODEBOOK (ECB) MODE

The Electronic Codebook (ECB) mode is a basic, block, cryptographic method which transforms 64 bits of input to 64 bits of output as specified in FIPS PUB 46. The analogy to a codebook arises because the same plain text block always produces the same cipher text block for a given cryptographic key. Thus a list (or codebook) of plain text blocks and corresponding cipher text blocks theoretically could be constructed for any given key. In electronic implementation the codebook entries are calculated each time for the plain text to be encrypted and, inversely, for the cipher text to be decrypted.

Since each bit of an ECB output block is a complex function of all 64 bits of the input block and all 56 independent (non-parity) bits of the cryptographic key, a single bit error in either a cipher text block or the non-parity key bits used for decryption will cause the decrypted plain text block to have an average error rate of fifty percent. However, an error in one ECB cipher text block will not affect the decryption of other blocks, i.e., there is no error extension between ECB blocks.

If block boundaries are lost between encryption and decryption (e.g., a bit slip), then synchronization between the encryption and decryption operations will be lost until correct block boundaries are reestablished. The results of all decryption operations will be