CATEGORY: ADP OPERATIONS
SUBCATEGORY: COMPUTER SECURITY

1977 JANUARY 15

PMC Exhibit 2095
Apple v. PMC
IPR2016-00753
Page 1
`
`
`
This material may be protected by copyright law (Title 17 U.S. Code)
`
U.S. DEPARTMENT OF COMMERCE, Elliot L. Richardson, Secretary
Edward O. Vetter, Under Secretary
Dr. Betsy Ancker-Johnson, Assistant Secretary for Science and Technology
NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Acting Director
`
Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of
Standards is the official publication relating to standards adopted and promulgated under the
provisions of Public Law 89-306 (Brooks Bill) and under Part 6 of Title 15, Code of Federal
Regulations. These legislative and executive mandates have given the Secretary of Commerce
important responsibilities for improving the utilization and management of computers and
automatic data processing systems in the Federal Government. To carry out the Secretary's
responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides
leadership, technical guidance, and coordination of government efforts in the development of
technical guidelines and standards in these areas.

The series is used to announce Federal Information Processing Standards, and to provide
standards information of general interest and an index of relevant standards publications and
specifications. Publications that announce adoption of standards provide the necessary policy,
administrative, and guidance information for effective standards implementation and use. The
technical specifications of the standard are usually attached to the publication, otherwise a
reference source is cited.

Comments covering Federal Information Processing Standards and Publications are welcomed, and
should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences
and Technology, National Bureau of Standards, Washington, D.C. 20234. Such comments will be
either considered by NBS or forwarded to the responsible activity as appropriate.

ERNEST AMBLER, Acting Director
`
Abstract

The selective application of technological and related procedural safeguards is an important
responsibility of every Federal organization in providing adequate security to its ADP systems.
This publication provides a standard to be used by Federal organizations when these organizations
specify that cryptographic protection is to be used for sensitive or valuable computer data.
Protection of computer data during transmission between electronic components or while in storage
may be necessary to maintain the confidentiality and integrity of the information represented by
that data. The standard specifies an encryption algorithm which is to be implemented in an
electronic device for use in Federal ADP systems and networks. The algorithm uniquely defines the
mathematical steps required to transform computer data into a cryptographic cipher. It also
specifies the steps required to transform the cipher back to its original form. A device performing
this algorithm may be used in many applications areas where cryptographic data protection is
needed. Within the context of a total security program comprising physical security procedures,
good information management practices and computer system/network access controls, the Data
Encryption Standard is being made available for use by Federal agencies.

Key Words: ADP security; computer security; encryption; Federal Information Processing Standard.
`
Nat. Bur. Stand. (U.S.), Fed. Info. Process. Stand. Publ. (FIPS PUB) 46, 1? pages (1977)
CODEN: FIPPAT

For sale by the National Technical Information Service, U.S. Department of Commerce,
Springfield, Virginia 22161
`
`
`
`
`
`
`
`
`
`
`Federal Information
`
`Processing Standards Publication 46
`
`1977 January 15
`
`ANNOUNCING THE
`
`DATA ENCRYPTION STANDARD
`
`FIPS PUB 46
`
`
`
Federal Information Processing Standards are issued by the National Bureau of Standards pursuant to the Federal
Property and Administrative Services Act of 1949, as amended, Public Law 89-306 (79 Stat 1127), Executive Order 11717
(38 FR 12315, dated May 11, 1973), and Part 6 of Title 15 Code of Federal Regulations (CFR).
`
`Name of Standard: Data Encryption Standard (DES).
`
`Category of Standard: Operations, Computer Security.
`
Explanation: The Data Encryption Standard (DES) specifies an algorithm to be implemented in
electronic hardware devices and used for the cryptographic protection of computer data. This
publication provides a complete description of a mathematical algorithm for encrypting
(enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it
to an unintelligible form called cipher. Decrypting cipher converts the data back to its original
form. The algorithm described in this standard specifies both enciphering and deciphering
operations which are based on a binary number called a key. The key consists of 64 binary digits
(“0”s or “1”s) of which 56 bits are used directly by the algorithm and 8 bits are used for error
detection.
`
Binary coded data may be cryptographically protected using the DES algorithm in conjunction
with a key. The key is generated in such a way that each of the 56 bits used directly by the
algorithm are random and the 8 error detecting bits are set to make the parity of each 8-bit byte of
the key odd, i.e., there is an odd number of “1”s in each 8-bit byte. Each member of a group of
authorized users of encrypted computer data must have the key that was used to encipher the data
in order to use it. This key, held by each member in common, is used to decipher the data received
in cipher form from other members of the group. The encryption algorithm specified in this
standard is commonly known among those using the standard. The unique key chosen for use in a
particular application makes the results of encrypting data using the algorithm unique. Selection of
a different key causes the cipher that is produced for any given set of inputs to be different. The
cryptographic security of the data depends on the security provided for the key used to encipher
and decipher the data.
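
The odd-parity rule for the key described above, shown as an added example that is not part of the standard's text. It assumes the error-detecting bit is the last bit of each 8-bit byte, which this section does not state; the function names and the sample key are constructed for illustration.

```python
# Added example: odd-parity handling for a 64-bit key held as 8 bytes.
# Assumption (not stated in this section): the parity bit is the last,
# least significant bit of each byte; the other 7 bits are key material.

SAMPLE_KEY = bytes.fromhex("0123456789abcdef")  # constructed sample value


def ones(byte: int) -> int:
    """Number of 1 bits in a byte."""
    return bin(byte).count("1")


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the last bit of every byte so each byte holds an odd number of 1s."""
    if len(key) != 8:
        raise ValueError("the key is 64 bits (8 bytes)")
    out = bytearray()
    for b in key:
        data = b & 0xFE                        # the 7 bits the algorithm uses
        parity = 0 if ones(data) % 2 else 1    # add a 1 only when the count is even
        out.append(data | parity)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """Error check a receiver can run before loading a key."""
    return len(key) == 8 and all(ones(b) % 2 == 1 for b in key)


def effective_bits(key: bytes) -> int:
    """The 56-bit value left after the 8 error-detecting bits are dropped."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def single_bit_error_detected(key: bytes, byte_index: int, bit: int) -> bool:
    """Flip one bit of a valid key and report whether the parity check notices."""
    damaged = bytearray(key)
    damaged[byte_index] ^= 1 << bit
    return not has_odd_parity(bytes(damaged))


if __name__ == "__main__":
    raw = bytes.fromhex("0022446688aaccee")    # constructed: parity bits all zero
    fixed = set_odd_parity(raw)
    print(fixed.hex(), has_odd_parity(raw), has_odd_parity(fixed))
    print(effective_bits(raw) == effective_bits(fixed))
    print(single_bit_error_detected(fixed, 3, 5))
```

Parity detects a single flipped bit in a byte of the key; it adds nothing to the 56 bits of secrecy, since two keys that differ only in their parity bits drive the algorithm identically.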
`

Data can be recovered from cipher only by using exactly the same key used to encipher it.
Unauthorized recipients of the cipher who know the algorithm but do not have the correct key
cannot derive the original data algorithmically. However, anyone who does have the key and the
algorithm can easily decipher the cipher and obtain the original data. A standard algorithm based
on a secure key thus provides a basis for exchanging encrypted computer data by issuing the key
used to encipher it to those authorized to have the data. Additional FIPS guidelines for
implementing and using the DES are being developed and will be published by NBS.
`
`Approving Authority: Secretary of Commerce.
`
`Maintenance Agency: Institute for Computer Sciences and Technology, National Bureau of
`Standards.
`
Applicability: This standard will be used by Federal departments and agencies for the
cryptographic protection of computer data when the following conditions apply:
`
`1. An authorized official or manager responsible for data security or the security of any
`computer system decides that cryptographic protection is required; and
`2. The data is not classified according to the National Security Act of 1947, as amended, or the
`Atomic Energy Act of 1954, as amended.
`
`However, Federal agencies or departments which use cryptographic devices for protecting data
`classified according to either of these acts can use those devices for protecting unclassified data in
`lieu of the standard.
`
`In addition, this standard may be adopted and used by non-Federal Government organizations.
`Such use is encouraged when it provides the desired security for commercial and private
`organizations.
`
`Data that is considered sensitive by the responsible authority, data that has a high value, or data
`that represents a high value should be cryptographically protected if it is vulnerable to unauthor-
`ized disclosure or undetected modification during transmission or while in storage. A risk analysis
`should be performed under the direction of a responsible authority to determine potential threats.
`FIPS PUB 31 (Guidelines for Automatic Data Processing Physical Security and Risk Management)
`and FIPS PUB 41 (Computer Security Guidelines for Implementing the Privacy Act of 1974)
`provide guidance for making such an analysis. The costs of providing cryptographic protection
`using this standard as well as alternative methods of providing this protection and their respective
`costs should be projected. A responsible authority then should make a decision, based on these
`analyses, whether or not to use cryptographic protection and this standard.
`
`Applications: Data encryption (cryptography) may be utilized in various applications and in various
`environments. The specific utilization of encryption and the implementation of the DES will be
`based on many factors particular to the computer system and its associated components. In
`general, cryptography is used to protect data while it is being communicated between two points or
`while it is stored in a medium vulnerable to physical theft. Communication security provides
`protection to data by enciphering it at the transmitting point and deciphering it at the receiving
`point. File security provides protection to data by enciphering it when it is recorded on a storage
`medium and deciphering it when it is read back from the storage medium. In the first case, the key
`must be available at the transmitter and receiver simultaneously during communication. In the
`second case, the key must be maintained and accessible for the duration of the storage period.
`
Hardware Implementation: The algorithm specified in this standard is to be implemented in
computer or related data communication devices using hardware (not software) technology. The
specific implementation may depend on several factors such as the application, the environment,
the technology used, etc. Implementations which comply with this standard include Large Scale
Integration (LSI) “chips” in individual electronic packages, devices built from Medium Scale
Integration (MSI) electronic components, or other electronic devices dedicated to performing the
operations of the algorithm. Microprocessors using Read Only Memory (ROM) or micro-programmed
devices using microcode for hardware level control instructions are examples of the
latter. Hardware implementations of the algorithm which are tested and validated by NBS will be
considered as complying with the standard. Procedures for testing and validating equipment for
conformance with this standard are available from the Systems and Software Division, National
Bureau of Standards, Washington, D.C. 20234. Software implementations in general purpose
computers are not in compliance with this standard. Information regarding devices which have
been tested and validated will be made available to all FIPS points of contact.
`
`Export Control: Cryptographic devices and technical data regarding them are subject to Federal
`Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through
`128. Cryptographic devices implementing this standard and technical data regarding them must
`comply with these Federal regulations.
`
`
Patents: Cryptographic devices implementing this standard may be covered by U.S. and foreign
patents issued to the International Business Machines Corporation. However, IBM has granted
nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which
complies with the standard. The terms, conditions and scope of the licenses are set out in notices
published in the May 13, 1975 and August 31, 1976 issues of the Official Gazette of the United
States Patent and Trademark Office (934 O. G. 452 and 949 O. G. 1717).
`
Alternative Modes of Using the DES: The “Guidelines for Implementing and Using the Data
Encryption Standard” describe two different modes for using the algorithm described in this
standard. Blocks of data containing 64 bits may be directly entered into the device where 64-bit
cipher blocks are generated under control of the key. This is called the electronic code book mode.
Alternatively, the device may be used as a binary stream generator to produce statistically random
binary bits which are then combined with the clear (unencrypted) data (1-64 bits) using an
“exclusive-or” logic operation. In order to assure that the enciphering device and the deciphering
device are synchronized, their inputs are always set to the previous 64 bits of cipher that were
transmitted or received. This second mode of using the encryption algorithm is called the cipher
feedback (CFB) mode. The electronic codebook mode generates blocks of 64 cipher bits. The cipher
feedback mode generates cipher having the same number of bits as the plain text. Each block of
cipher is independent of all others when the electronic codebook mode is used while each byte
(group of bits) of cipher depends on the previous 64 cipher bits when the cipher feedback mode is
used. The modes of operation briefly described here are further explained in the FIPS “Guidelines
for Implementing and Using the Data Encryption Standard.”
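
The two modes described above, shown side by side as an added example that is not part of the standard or its guidelines. The `device` function is a hash-based stand-in for the keyed 64-bit enciphering operation (both demonstrations only need that direction), and the starting register fill, the 8-bit group size and all sample values are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 8  # 64-bit blocks


def device(key: bytes, block: bytes) -> bytes:
    """Stand-in for the keyed 64-bit enciphering operation. NOT the DES algorithm."""
    if len(block) != BLOCK:
        raise ValueError("the device takes exactly 64 bits")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encipher(key: bytes, data: bytes) -> bytes:
    """Electronic code book: each 64-bit block is enciphered on its own."""
    if len(data) % BLOCK:
        raise ValueError("code book mode needs whole 64-bit blocks")
    return b"".join(device(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cfb8(key: bytes, start: bytes, data: bytes, decipher: bool = False) -> bytes:
    """Cipher feedback with 8-bit groups.

    The device input is always the previous 64 bits of cipher; `start` is the
    assumed initial fill shared by both ends. Both directions run the device
    in the enciphering direction and exclusive-or its output with the data.
    """
    if len(start) != BLOCK:
        raise ValueError("the starting fill is 64 bits")
    register = bytes(start)
    out = bytearray()
    for byte in data:
        stream = device(key, register)[0]       # one byte of the generated stream
        result = byte ^ stream
        cipher_byte = byte if decipher else result
        register = register[1:] + bytes([cipher_byte])  # shift the cipher in
        out.append(result)
    return bytes(out)


def damaged_positions(key: bytes, start: bytes, data: bytes, index: int) -> list:
    """Flip one cipher bit in transit and list which recovered bytes are wrong."""
    cipher = bytearray(cfb8(key, start, data))
    cipher[index] ^= 0x01
    recovered = cfb8(key, start, bytes(cipher), decipher=True)
    return [i for i, (a, b) in enumerate(zip(data, recovered)) if a != b]


KEY = b"constructed-key"          # constructed sample values
START = bytes(range(8))
MESSAGE = b"PAY 0100" * 3         # three identical 64-bit blocks

if __name__ == "__main__":
    ecb = ecb_encipher(KEY, MESSAGE)
    cfb = cfb8(KEY, START, MESSAGE)
    print("code book repeats blocks:", ecb[0:8] == ecb[8:16])
    print("feedback repeats blocks: ", cfb[0:8] == cfb[8:16])
    print("feedback length kept:    ", len(cfb8(KEY, START, b"thirteen byte")))
    print("bytes hit by one bad bit:", damaged_positions(KEY, START, MESSAGE, 5))
```

In code book mode repeated plain text is visible as repeated cipher blocks; in feedback mode a transmission error disturbs the affected byte and at most the next eight, after which the two registers agree again.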
`
Implementation of this standard: This standard becomes effective six months after the publication
date of this FIPS PUB. It applies to all Federal ADP systems and associated telecommunications
networks under development as well as to installed systems when it is determined that
cryptographic protection is required. Each Federal department or agency will issue internal
directives for the use of this standard by their operating units based on their data security
requirement determinations.
`
NBS will provide assistance to Federal organizations by developing and issuing additional
technical guidelines on computer security and by providing technical assistance in using data
encryption. A data encryption testbed has been established within NBS for use in providing this
technical assistance. The National Security Agency assists Federal departments and agencies in
communications security and in determining specific security requirements. Instructions and
regulations for procuring data processing equipment utilizing this standard will be provided by the
General Services Administration.
`
Specifications: Federal Information Processing Standard (FIPS 46) Data Encryption Standard
(DES) (affixed).

Cross Index:

a. FIPS PUB 31, “Guidelines to ADP Physical Security and Risk Management”

b. FIPS PUB 39, “Glossary for Computer Systems Security”

c. FIPS PUB 41, “Computer Security Guidelines for Implementing the Privacy Act of 1974”

d. FIPS PUB—, “Guidelines for Implementing and Using the Data Encryption Standard” (to
be published)

e. Other FIPS and Federal Standards are applicable to the implementation and use of this
standard. In particular, the American Standard Code for Information Interchange (FIPS PUB 1)
and other related data storage media or data communications standards should be used in
conjunction with this standard. A list of currently approved FIPS may be obtained from the Office
of ADP Standards Management, Institute for Computer Sciences and Technology, National Bureau
of Standards, Washington, D.C. 20234.
`
Qualifications: The cryptographic algorithm specified in this standard transforms a 64-bit binary
value into a unique 64-bit binary value based on a 56-bit variable. If the complete 64-bit input is
used (i.e., none of the input bits should be predetermined from block to block) and if the 56-bit
variable is randomly chosen, no technique other than trying all possible keys using known input
and output for the DES will guarantee finding the chosen key. As there are over
70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits, the feasibility of deriving a
particular key in this way is extremely unlikely in typical threat environments. Moreover, if the
key is changed frequently, the risk of this event is greatly diminished. However, users should be
aware that it is theoretically possible to derive the key in fewer trials (with a correspondingly lower
probability of success depending on the number of keys tried) and should be cautioned to change
the key as often as practical. Users must change the key and provide it a high level of protection in
order to minimize the potential risks of its unauthorized computation or acquisition. The feasibility
of computing the correct key may change with advances in technology. A more complete
description of the strength of this algorithm against various threats will be contained in the
Guidelines for Implementing and Using the DES.
`
When correctly implemented and properly used, this standard will provide a high level of
cryptographic protection to computer data. NBS, supported by the technical assistance of
Government agencies responsible for communication security, has determined that the algorithm
specified in this standard will provide a high level of protection for a time period beyond the
normal life cycle of its associated ADP equipment. The protection provided by this algorithm
against potential new threats will be reviewed within five years to assess its adequacy. In addition,
both the standard and possible threats reducing the security provided through the use of this
standard will undergo continual review by NBS and other cognizant Federal organizations. The new
technology available at that time will be evaluated to determine its impact on the standard. In
addition, the awareness of any breakthrough in technology or any mathematical weakness of the
algorithm will cause NBS to reevaluate this standard and provide necessary revisions.
`
Comments: Comments and suggestions regarding this standard and its use are welcomed and
should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences
and Technology, National Bureau of Standards, Washington, D.C. 20234.
`
Waiver Procedure: The head of a Federal agency may waive the provisions of this FIPS PUB after
the conditions and justifications for the waiver have been coordinated with the National Bureau of
Standards. A waiver is necessary if cryptographic devices performing an algorithm other than that
which is specified in this standard are to be used by a Federal agency for data subject to
cryptographic protection under this standard. No waiver is necessary if classified communications
security equipment is to be used. Software implementations of this algorithm for operational use in
general purpose computer systems do not comply with this standard and each such implementation
must also receive a waiver. Implementation of the algorithm in software for testing or evaluation
does not require waiver approval. Implementation of other special purpose cryptographic
algorithms in software for limited use within a computer system (e.g., encrypting password files) or
implementations of cryptographic algorithms in software which were being utilized in computer
systems before the effective date of this standard do not require a waiver. However, these limited
uses should be converted to the use of this standard when the system or equipment involved is
upgraded or redesigned to include general cryptographic protection of computer data. Letters
describing the nature of and reasons for the waiver should be addressed to the Associate Director
for ADP Standards as previously noted.
`
`
Sixty days should be allowed for review and response by NBS. The waiver shall not be approved
until a response from NBS is received; however, the final decision for granting the waiver is the
responsibility of the head of the particular agency involved.

Where to Obtain Copies of the Standard:

Copies of this publication are for sale by the National Technical Information Service, U. S.
Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161. Order by FIPS PUB
number and title. Prices are published by NTIS in current catalogs and other issuances. Payment
may be made by check, money order, deposit account or charged to a credit card accepted by NTIS.
`
`
`
`
`Federal Information
`
`Processing Standards Publication 46
`
`1977 January 15
`
`SPECIFICATIONS FOR THE
`
`DATA ENCRYPTION STANDARD
`
`
`
The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm to
be implemented in special purpose electronic devices. These devices shall be designed in such a way
that they may be used in a computer system or network to provide cryptographic protection to
binary coded data. The method of implementation will depend on the application and environment.
The devices shall be implemented in such a way that they may be tested and validated as
accurately performing the transformations specified in the following algorithm.
`
`DATA ENCRYPTION ALGORITHM
`
`Introduction
`
The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control
of a 64-bit key. Deciphering must be accomplished by using the same key as for enciphering, but
with the schedule of addressing the key bits altered so that the deciphering process is the reverse of
the enciphering process. A block to be enciphered is subjected to an initial permutation IP, then to
a complex key-dependent computation and finally to a permutation which is the inverse of the
initial permutation $IP^{-1}$. The key-dependent computation can be simply defined in terms of a
function f, called the cipher function, and a function KS, called the key schedule. A description of
the computation is given first, along with details as to how the algorithm is used for encipherment.
Next, the use of the algorithm for decipherment is described. Finally, a definition of the cipher
function f is given in terms of primitive functions which are called the selection functions $S_i$ and the
permutation function P. $S_i$, P and KS of the algorithm are contained in the Appendix.

The following notation is convenient: Given two blocks L and R of bits, LR denotes the block
consisting of the bits of L followed by the bits of R. Since concatenation is associative
$B_1 B_2 \ldots B_8$, for example, denotes the block consisting of the bits of $B_1$ followed by the bits of
$B_2$ . . . followed by the bits of $B_8$.
`
`Enciphering
`
`A sketch of the enciphering computation is given in figure 1.
`
`
`
`
[FIGURE 1. Enciphering computation. Block diagram not reproduced; legible labels: INPUT,
INITIAL PERMUTATION, PERMUTED INPUT, K2, L2 = R1, INVERSE INITIAL PERM.]
`
`The 64 bits of the input block to be enciphered are first subjected to the following permutation,
`called the initial permutation IP:
`
                 IP

    58  50  42  34  26  18  10   2
    60  52  44  36  28  20  12   4
    62  54  46  38  30  22  14   6
    64  56  48  40  32  24  16   8
    57  49  41  33  25  17   9   1
    59  51  43  35  27  19  11   3
    61  53  45  37  29  21  13   5
    63  55  47  39  31  23  15   7
`
That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on
with bit 7 as its last bit. The permuted input block is then the input to a complex key-dependent
computation described below. The output of that computation, called the preoutput, is then
subjected to the following permutation which is the inverse of the initial permutation:
`
              $IP^{-1}$

    40   8  48  16  56  24  64  32
    39   7  47  15  55  23  63  31
    38   6  46  14  54  22  62  30
    37   5  45  13  53  21  61  29
    36   4  44  12  52  20  60  28
    35   3  43  11  51  19  59  27
    34   2  42  10  50  18  58  26
    33   1  41   9  49  17  57  25
`
`That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its
`second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.
`
The computation which uses the permuted input block as its input to produce the preoutput block
consists, but for a final interchange of blocks, of 16 iterations of a calculation that is described below
in terms of the cipher function f which operates on two blocks, one of 32 bits and one of 48 bits, and
produces a block of 32 bits.
`
`Let the 64 bits of the input block to an iteration consist of a 32 bit block L followed by a 32 bit block
`R. Using the notation defined in the introduction, the input block is then LR.
`
Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of an iteration with
input LR is defined by:

(1)    $L' = R$
       $R' = L \oplus f(R, K)$

where $\oplus$ denotes bit-by-bit addition modulo 2.

As remarked before, the input of the first iteration of the calculation is the permuted input
block. If L'R' is the output of the 16th iteration then R'L' is the preoutput block. At each
iteration a different block K of key bits is chosen from the 64-bit key designated by KEY.
`
`
With more notation we can describe the iterations of the computation in more detail. Let KS
be a function which takes an integer n in the range from 1 to 16 and a 64-bit block KEY as
input and yields as output a 48-bit block $K_n$ which is a permuted selection of bits from KEY.
That is

(2)    $K_n = KS(n, KEY)$

with $K_n$ determined by the bits in 48 distinct bit positions of KEY. KS is called the key
schedule because the block K used in the n'th iteration of (1) is the block $K_n$ determined by (2).

As before, let the permuted input block be LR. Finally, let $L_0$ and $R_0$ be respectively L and R
and let $L_n$ and $R_n$ be respectively L' and R' of (1) when L and R are respectively $L_{n-1}$ and $R_{n-1}$
and K is $K_n$; that is, when n is in the range from 1 to 16,

(3)    $L_n = R_{n-1}$
       $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

The preoutput block is then $R_{16}L_{16}$.

The key schedule KS of the algorithm is described in detail in the Appendix. The key schedule
produces the 16 $K_n$ which are required for the algorithm.
`
`Deciphering
`
The permutation $IP^{-1}$ applied to the preoutput block is the inverse of the initial permutation
IP applied to the input. Further, from (1) it follows that:

(4)    $R = L'$
       $L = R' \oplus f(L', K)$

Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered
message block, taking care that at each iteration of the computation the same block of key bits
K is used during decipherment as was used during the encipherment of the block. Using the
notation of the previous section, this can be expressed by the equations:

(5)    $R_{n-1} = L_n$
       $L_{n-1} = R_n \oplus f(L_n, K_n)$

where now $R_{16}L_{16}$ is the permuted input block for the deciphering calculation and $L_0R_0$ is the
preoutput block. That is, for the decipherment calculation with $R_{16}L_{16}$ as the permuted input,
$K_{16}$ is used in the first iteration, $K_{15}$ in the second, and so on, with $K_1$ used in the 16th
iteration.
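
The enciphering and deciphering computations above, carried through in code as an added example that is not part of the standard. IP is the table given earlier; the round function and the 16 subkeys are hash-based stand-ins (the real f and KS depend on Appendix tables outside this section), so the output is not DES cipher. What it shows is that the same 16 iterations with the key blocks taken in reverse order undo the encipherment whatever f is.

```python
import hashlib

# Initial permutation IP from the table above (1-indexed bit positions).
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

# The inverse is derived rather than typed in: output bit j of the inverse
# is the position at which IP placed input bit j.
IP_INV = [IP.index(j) + 1 for j in range(1, 65)]


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))


def permute(block: list, table: list) -> list:
    """Output bit i is input bit table[i] (positions counted from 1)."""
    return [block[pos - 1] for pos in table]


def stand_in_f(r: list, k: list) -> list:
    """Hypothetical round function, 32 bits x 48 bits -> 32 bits. NOT the DES f."""
    return to_bits(hashlib.sha256(bytes(r) + bytes(k)).digest()[:4])


def stand_in_subkeys(seed: bytes) -> list:
    """Hypothetical K1..K16 of 48 bits each. NOT the key schedule KS."""
    return [to_bits(hashlib.sha256(seed + bytes([n])).digest()[:6])
            for n in range(1, 17)]


def run(block: bytes, subkeys: list) -> bytes:
    lr = permute(to_bits(block), IP)
    left, right = lr[:32], lr[32:]
    for k in subkeys:
        # Equations (1)/(3): L' = R, R' = L xor f(R, K)
        left, right = right, [a ^ b for a, b in zip(left, stand_in_f(right, k))]
    # Final interchange: the preoutput is R16 L16, then the inverse permutation.
    return from_bits(permute(right + left, IP_INV))


def encipher(block: bytes, subkeys: list) -> bytes:
    return run(block, subkeys)


def decipher(block: bytes, subkeys: list) -> bytes:
    # Equation (5): same computation, K16 first and K1 last.
    return run(block, subkeys[::-1])


if __name__ == "__main__":
    keys = stand_in_subkeys(b"constructed seed")
    plain = bytes.fromhex("0123456789abcdef")      # constructed sample block
    cipher = encipher(plain, keys)
    print(cipher.hex(), decipher(cipher, keys) == plain)
    print("same key order undoes it:", encipher(cipher, keys) == plain)
```

The stand-in f is a one-way hash, which makes the point of equation (4) concrete: f is only ever recomputed and exclusive-ored out, so it never has to be invertible.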
`
`The Cipher Function f
`
A sketch of the calculation of f(R, K) is given in figure 2.
`
`
[FIGURE 2. Calculation of f(R, K). Block diagram not reproduced; legible labels: R (32 BITS),
48 BITS, 32 BITS.]
`
Let E denote a function which takes a block of 32 bits as input and yields a block of 48 bits as
output. Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are
obtained by selecting the bits in its inputs in order according to the following table:

      E BIT-SELECTION TABLE

    32   1   2   3   4   5
     4   5   6   7   8   9
     8   9  10  11  12  13
    12  13  14  15  16  17
    16  17  18  19  20  21
    20  21  22  23  24  25
    24  25  26  27  28  29
    28  29  30  31  32   1
`
`Thus the first three bits of E(R) are the bits in positions 32, 1 and 2 of R while the last 2 bits
`of E(R) are the bits in positions 32 and 1.
`
`
Each of the unique selection functions $S_1, S_2, \ldots, S_8$ takes a 6-bit block as input and yields a
4-bit block as output and is illustrated by using a table containing the recommended $S_1$:

                                   S1

                              Column Number
    Row
    No.    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

     0    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
     1     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
     2     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
     3    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13
`
If $S_1$ is the function defined in this table and B is a block of 6 bits, then $S_1(B)$ is determined as
follows: The first and last bits of B represent in base 2 a number in the range 0 to 3. Let that
number be i. The middle 4 bits of B represent in base 2 a number in the range 0 to 15. Let that
number be j. Look up in the table the number in the i'th row and j'th column. It is a number
in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output
$S_1(B)$ of $S_1$ for the input B. For example, for input 011011 the row is 01, that is row 1, and the
column is determined by 1101, that is column 13. In row 1 column 13 appears 5 so that the
output is 0101. Selection functions $S_1, S_2, \ldots, S_8$ of the algorithm appear in the Appendix.
`
The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of
the input block. Such a function is defined by the following table:

           P

    16   7  20  21
    29  12  28  17
     1  15  23  26
     5  18  31  10
     2   8  24  14
    32  27   3   9
    19  13  30   6
    22  11   4  25
`
The output P(L) for the function P defined by this table is obtained from the input L by
taking the 16th bit of L as the first bit of P(L), the 7th bit as the second bit of P(L), and so on
until the 25th bit of L is taken as the 32nd bit of P(L). The permutation function P of the
algorithm is repeated in the Appendix.
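
The three primitive tables above (E, S1 and P) applied to bit strings, as an added example that is not part of the standard. It goes slightly beyond the text by adding a structural check useful when transcribing the tables: a single mistyped entry breaks a property that the correct table has. Function names and test inputs are constructed for illustration.

```python
# Tables copied from this section; positions are counted from 1 as in the text.
E = [32, 1, 2, 3, 4, 5,
     4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,
     20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,
     28, 29, 30, 31, 32, 1]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

P = [16, 7, 20, 21, 29, 12, 28, 17,
     1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9,
     19, 13, 30, 6, 22, 11, 4, 25]


def expand(r: str) -> str:
    """E: 32-bit string -> 48-bit string (eight 6-bit blocks)."""
    if len(r) != 32 or set(r) - {"0", "1"}:
        raise ValueError("R must be a string of 32 bits")
    return "".join(r[pos - 1] for pos in E)


def s1(b: str) -> str:
    """S1: 6-bit string -> 4-bit string. Row = first and last bit, column = middle four."""
    if len(b) != 6 or set(b) - {"0", "1"}:
        raise ValueError("B must be a string of 6 bits")
    row = int(b[0] + b[5], 2)
    col = int(b[1:5], 2)
    return format(S1[row][col], "04b")


def permute_p(block: str) -> str:
    """P: 32-bit string -> 32-bit string."""
    if len(block) != 32:
        raise ValueError("P takes 32 bits")
    return "".join(block[pos - 1] for pos in P)


def blocks_share_edge_bits(r: str) -> bool:
    """Each 6-bit block of E(R) ends with the two bits the next block starts with."""
    e = expand(r)
    blocks = [e[i:i + 6] for i in range(0, 48, 6)]
    return all(blocks[i][4:] == blocks[(i + 1) % 8][:2] for i in range(8))


def check_tables(e_table, s_table, p_table) -> dict:
    """Properties the correct tables have; a transcription slip breaks one of them."""
    counts = [e_table.count(i) for i in range(1, 33)]
    return {
        "E_has_48_entries": len(e_table) == 48,
        "E_uses_each_bit_once_or_twice": all(c in (1, 2) for c in counts),
        "E_bits_used_twice": sum(1 for c in counts if c == 2),
        "S_rows_are_permutations": all(sorted(row) == list(range(16)) for row in s_table),
        "P_is_permutation": sorted(p_table) == list(range(1, 33)),
    }


if __name__ == "__main__":
    print(s1("011011"))                       # the worked example in the text
    print(expand("1" + "0" * 30 + "1"))
    print(check_tables(E, S1, P))
    damaged_e = list(E)
    damaged_e[8] = 8                          # constructed slip: a 6 read as an 8
    print(check_tables(damaged_e, S1, P)["E_uses_each_bit_once_or_twice"])
```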
`
Now let $S_1, \ldots, S_8$ be eight distinct selection function