PMC Exhibit 2095
Apple v. PMC
IPR2016-00755
Page 1

FEB 9

1977 JANUARY 15

CATEGORY: ADP OPERATIONS

SUBCATEGORY: COMPUTER SECURITY
`
`
`
This material may be protected by Copyright law (Title 17 U.S. Code)

U.S. DEPARTMENT OF COMMERCE, Elliot L. Richardson, Secretary

Edward O. Vetter, Under Secretary

Dr. Betsy Ancker-Johnson, Assistant Secretary for Science and Technology

NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Acting Director

Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of
Standards is the official publication relating to standards adopted and promulgated under the
provisions of Public Law 89-306 (Brooks Bill) and under Part 6 of Title 15, Code of Federal
Regulations. These legislative and executive mandates have given the Secretary of Commerce
important responsibilities for improving the utilization and management of computers and
automatic data processing systems in the Federal Government. To carry out the Secretary's
responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides
leadership, technical guidance, and coordination of government efforts in the development of
technical guidelines and standards in these areas.

The series is used to announce Federal Information Processing Standards, and to provide
standards information of general interest and an index of relevant standards publications and
specifications. Publications that announce adoption of standards provide the necessary policy,
administrative, and guidance information for effective standards implementation and use. The
technical specifications of the standard are usually attached to the publication, otherwise a
reference source is cited.

Comments covering Federal Information Processing Standards and Publications are welcomed, and
should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences
and Technology, National Bureau of Standards, Washington, D.C. 20234. Such comments will be
either considered by NBS or forwarded to the responsible activity as appropriate.

ERNEST AMBLER, Acting Director

Abstract

The selective application of technological and related procedural safeguards is an important
responsibility of every Federal organization in providing adequate security to its ADP systems.
This publication provides a standard to be used by Federal organizations when these organizations
specify that cryptographic protection is to be used for sensitive or valuable computer data.
Protection of computer data during transmission between electronic components or while in storage
may be necessary to maintain the confidentiality and integrity of the information represented by
that data. The standard specifies an encryption algorithm which is to be implemented in an
electronic device for use in Federal ADP systems and networks. The algorithm uniquely defines the
mathematical steps required to transform computer data into a cryptographic cipher. It also
specifies the steps required to transform the cipher back to its original form. A device
performing this algorithm may be used in many applications areas where cryptographic data
protection is needed. Within the context of a total security program comprising physical security
procedures, good information management practices and computer system/network access controls,
the Data Encryption Standard is being made available for use by Federal agencies.

Key Words: ADP security; computer security; encryption; Federal Information Processing Standard.

Nat. Bur. Stand. (U.S.), Fed. Info. Process. Stand. Publ. (FIPS PUB) 46, 17 pages (1977)
CODEN: FIPPAT

For sale by the National Technical Information Service, U.S. Department of Commerce,
Springfield, Virginia 22161
`
` FIPS PUB 46
`
`Federal Information
`
`Processing Standards Publication 46
`
`1977 January 15
`
`ANNOUNCING THE
`
`
`
`DATA ENCRYPTION STANDARD
`
`Federal Information Processing Standards are issued by the National Bureau of Standards pursuant to the Federal
`Property and Administrative Services Act of 1949, as amended, Public Law 89-306 (79 Stat 1127), Executive Order 11717
`(38 FR 12315, dated May 11, 1973), and Part 6 of Title 15 Code of Federal Regulations (CFR).
`
`Name of Standard: Data Encryption Standard (DES).
`
`Category of Standard: Operations, Computer Security.
`
Explanation: The Data Encryption Standard (DES) specifies an algorithm to be implemented in
electronic hardware devices and used for the cryptographic protection of computer data. This
publication provides a complete description of a mathematical algorithm for encrypting
(enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it
to an unintelligible form called cipher. Decrypting cipher converts the data back to its original
form. The algorithm described in this standard specifies both enciphering and deciphering
operations which are based on a binary number called a key. The key consists of 64 binary digits
("0"s or "1"s) of which 56 bits are used directly by the algorithm and 8 bits are used for error
detection.
`
Binary coded data may be cryptographically protected using the DES algorithm in conjunction
with a key. The key is generated in such a way that each of the 56 bits used directly by the
algorithm are random and the 8 error detecting bits are set to make the parity of each 8-bit byte of
the key odd, i.e., there is an odd number of "1"s in each 8-bit byte. Each member of a group of
authorized users of encrypted computer data must have the key that was used to encipher the data
in order to use it. This key, held by each member in common, is used to decipher the data received
in cipher form from other members of the group. The encryption algorithm specified in this
standard is commonly known among those using the standard. The unique key chosen for use in a
particular application makes the results of encrypting data using the algorithm unique. Selection of
a different key causes the cipher that is produced for any given set of inputs to be different. The
cryptographic security of the data depends on the security provided for the key used to encipher
and decipher the data.
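
The key format described above, as an added example that is not part of FIPS PUB 46: 56 random bits are spread over eight bytes and one bit per byte is set so that every byte has odd parity. The function names are hypothetical, and the code assumes the error detecting bit is the last (low-order) bit of each byte, which this part of the text does not state.

```python
import secrets


def expand_key(key56: int) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits per byte, and set the last
    bit of each byte so the byte holds an odd number of 1s.
    Assumption: the error detecting bit is the low-order bit of the byte."""
    if not 0 <= key56 < 1 << 56:
        raise ValueError("key56 must be a 56-bit value")
    out = bytearray()
    for i in range(8):
        seven = (key56 >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:  # even so far, so the parity bit is 1
            byte |= 1
        out.append(byte)
    return bytes(out)


def bad_parity_bytes(key: bytes) -> list[int]:
    """Return the indexes of the key bytes whose number of 1 bits is not odd."""
    if len(key) != 8:
        raise ValueError("a DES key is 64 bits (8 bytes)")
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def random_key() -> bytes:
    """Generate a key whose 56 algorithm bits come from the OS random source."""
    return expand_key(secrets.randbits(56))


def flip_bits(key: bytes, index: int, mask: int) -> bytes:
    """Return a copy of key with the bits in mask flipped in byte index
    (used here to simulate a transmission or storage error)."""
    damaged = bytearray(key)
    damaged[index] ^= mask
    return bytes(damaged)
```

The parity bits detect an odd number of flipped bits in a byte only: `flip_bits(key, 3, 0x10)` is reported by `bad_parity_bytes`, while `flip_bits(key, 3, 0x14)` (two flips in one byte) is not, so parity is an error check on key loading and not an integrity guarantee.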
`
Data can be recovered from cipher only by using exactly the same key used to encipher it.
Unauthorized recipients of the cipher who know the algorithm but do not have the correct key
cannot derive the original data algorithmically. However, anyone who does have the key and the
algorithm can easily decipher the cipher and obtain the original data. A standard algorithm based
on a secure key thus provides a basis for exchanging encrypted computer data by issuing the key
used to encipher it to those authorized to have the data. Additional FIPS guidelines for
implementing and using the DES are being developed and will be published by NBS.
`
`Approving Authority: Secretary of Commerce.
`
`Maintenance Agency: Institute for Computer Sciences and Technology, National Bureau of
`Standards.
`
Applicability: This standard will be used by Federal departments and agencies for the
cryptographic protection of computer data when the following conditions apply:
`
`1. An authorized official or manager responsible for data security or the security of any
`computer system decides that cryptographic protection is required; and
`2. The data is not classified according to the National Security Act of 1947, as amended, or the
`Atomic Energy Act of 1954, as amended.
`
`However, Federal agencies or departments which use cryptographic devices for protecting data
`classified according to either of these acts can use those devices for protecting unclassified data in
`lieu of the standard.
`
`In addition, this standard may be adopted and used by non-Federal Government organizations.
`Such use is encouraged when it provides the desired security for commercial and private
`organizations.
`
Data that is considered sensitive by the responsible authority, data that has a high value, or data
that represents a high value should be cryptographically protected if it is vulnerable to
unauthorized disclosure or undetected modification during transmission or while in storage. A risk
analysis should be performed under the direction of a responsible authority to determine potential
threats. FIPS PUB 31 (Guidelines for Automatic Data Processing Physical Security and Risk
Management) and FIPS PUB 41 (Computer Security Guidelines for Implementing the Privacy Act of
1974) provide guidance for making such an analysis. The costs of providing cryptographic
protection using this standard as well as alternative methods of providing this protection and
their respective costs should be projected. A responsible authority then should make a decision,
based on these analyses, whether or not to use cryptographic protection and this standard.
`
Applications: Data encryption (cryptography) may be utilized in various applications and in various
environments. The specific utilization of encryption and the implementation of the DES will be
based on many factors particular to the computer system and its associated components. In
general, cryptography is used to protect data while it is being communicated between two points or
while it is stored in a medium vulnerable to physical theft. Communication security provides
protection to data by enciphering it at the transmitting point and deciphering it at the receiving
point. File security provides protection to data by enciphering it when it is recorded on a storage
medium and deciphering it when it is read back from the storage medium. In the first case, the key
must be available at the transmitter and receiver simultaneously during communication. In the
second case, the key must be maintained and accessible for the duration of the storage period.
`
Hardware Implementation: The algorithm specified in this standard is to be implemented in
computer or related data communication devices using hardware (not software) technology. The
specific implementation may depend on several factors such as the application, the environment,
the technology used, etc. Implementations which comply with this standard include Large Scale
Integration (LSI) "chips" in individual electronic packages, devices built from Medium Scale
Integration (MSI) electronic components, or other electronic devices dedicated to performing the
operations of the algorithm. Microprocessors using Read Only Memory (ROM) or micro-programmed
devices using microcode for hardware level control instructions are examples of the
latter. Hardware implementations of the algorithm which are tested and validated by NBS will be
considered as complying with the standard. Procedures for testing and validating equipment for
conformance with this standard are available from the Systems and Software Division, National
Bureau of Standards, Washington, D.C. 20234. Software implementations in general purpose
computers are not in compliance with this standard. Information regarding devices which have
been tested and validated will be made available to all FIPS points of contact.
`
`Export Control: Cryptographic devices and technical data regarding them are subject to Federal
`Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through
`128. Cryptographic devices implementing this standard and technical data regarding them must
`comply with these Federal regulations.
`
Patents: Cryptographic devices implementing this standard may be covered by U.S. and foreign
patents issued to the International Business Machines Corporation. However, IBM has granted
nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which
complies with the standard. The terms, conditions and scope of the licenses are set out in notices
published in the May 13, 1975 and August 31, 1976 issues of the Official Gazette of the United
States Patent and Trademark Office (934 O. G. 452 and 949 O. G. 1717).

Alternative Modes of Using the DES: The "Guidelines for Implementing and Using the Data
Encryption Standard" describe two different modes for using the algorithm described in this
standard. Blocks of data containing 64 bits may be directly entered into the device where 64-bit
cipher blocks are generated under control of the key. This is called the electronic code book mode.
Alternatively, the device may be used as a binary stream generator to produce statistically random
binary bits which are then combined with the clear (unencrypted) data (1-64 bits) using an
"exclusive-or" logic operation. In order to assure that the enciphering device and the deciphering
device are synchronized, their inputs are always set to the previous 64 bits of cipher that were
transmitted or received. This second mode of using the encryption algorithm is called the cipher
feedback (CFB) mode. The electronic codebook mode generates blocks of 64 cipher bits. The cipher
feedback mode generates cipher having the same number of bits as the plain text. Each block of
cipher is independent of all others when the electronic codebook mode is used while each byte
(group of bits) of cipher depends on the previous 64 cipher bits when the cipher feedback mode is
used. The modes of operation briefly described here are further explained in the FIPS "Guidelines
for Implementing and Using the Data Encryption Standard."

Implementation of this standard: This standard becomes effective six months after the publication
date of this FIPS PUB. It applies to all Federal ADP systems and associated telecommunications
networks under development as well as to installed systems when it is determined that
cryptographic protection is required. Each Federal department or agency will issue internal
directives for the use of this standard by their operating units based on their data security
requirement determinations.

NBS will provide assistance to Federal organizations by developing and issuing additional
technical guidelines on computer security and by providing technical assistance in using data
encryption. A data encryption testbed has been established within NBS for use in providing this
technical assistance. The National Security Agency assists Federal departments and agencies in
communications security and in determining specific security requirements. Instructions and
regulations for procuring data processing equipment utilizing this standard will be provided by the
General Services Administration.

Specifications: Federal Information Processing Standard (FIPS 46) Data Encryption Standard
(DES) (affixed).

Cross Index:

a. FIPS PUB 31, "Guidelines to ADP Physical Security and Risk Management"

b. FIPS PUB 39, "Glossary for Computer Systems Security"

c. FIPS PUB 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974"

d. FIPS PUB --, "Guidelines for Implementing and Using the Data Encryption Standard" (to
be published)

e. Other FIPS and Federal Standards are applicable to the implementation and use of this
standard. In particular, the American Standard Code for Information Interchange (FIPS PUB 1)
and other related data storage media or data communications standards should be used in
conjunction with this standard. A list of currently approved FIPS may be obtained from the Office
of ADP Standards Management, Institute for Computer Sciences and Technology, National Bureau
of Standards, Washington, D.C. 20234.

Qualifications: The cryptographic algorithm specified in this standard transforms a 64-bit binary
value into a unique 64-bit binary value based on a 56-bit variable. If the complete 64-bit input is
used (i.e., none of the input bits should be predetermined from block to block) and if the 56-bit
variable is randomly chosen, no technique other than trying all possible keys using known input
and output for the DES will guarantee finding the chosen key. As there are over
70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits, the feasibility of deriving a
particular key in this way is extremely unlikely in typical threat environments. Moreover, if the
key is changed frequently, the risk of this event is greatly diminished. However, users should be
aware that it is theoretically possible to derive the key in fewer trials (with a correspondingly lower
probability of success depending on the number of keys tried) and should be cautioned to change
the key as often as practical. Users must change the key and provide it a high level of protection in
order to minimize the potential risks of its unauthorized computation or acquisition. The feasibility
of computing the correct key may change with advances in technology. A more complete
description of the strength of this algorithm against various threats will be contained in the
Guidelines for Implementing and Using the DES.

When correctly implemented and properly used, this standard will provide a high level of
cryptographic protection to computer data. NBS, supported by the technical assistance of
Government agencies responsible for communication security, has determined that the algorithm
specified in this standard will provide a high level of protection for a time period beyond the
normal life cycle of its associated ADP equipment. The protection provided by this algorithm
against potential new threats will be reviewed within five years to assess its adequacy. In
addition, both the standard and possible threats reducing the security provided through the use of
this standard will undergo continual review by NBS and other cognizant Federal organizations. The
new technology available at that time will be evaluated to determine its impact on the standard.
In addition, the awareness of any breakthrough in technology or any mathematical weakness of the
algorithm will cause NBS to reevaluate this standard and provide necessary revisions.

Comments: Comments and suggestions regarding this standard and its use are welcomed and
should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences
and Technology, National Bureau of Standards, Washington, D.C. 20234.

Waiver Procedure: The head of a Federal agency may waive the provisions of this FIPS PUB after
the conditions and justifications for the waiver have been coordinated with the National Bureau of
Standards. A waiver is necessary if cryptographic devices performing an algorithm other than that
which is specified in this standard are to be used by a Federal agency for data subject to
cryptographic protection under this standard. No waiver is necessary if classified communications
security equipment is to be used. Software implementations of this algorithm for operational use in
general purpose computer systems do not comply with this standard and each such implementation
must also receive a waiver. Implementation of the algorithm in software for testing or evaluation
does not require waiver approval. Implementation of other special purpose cryptographic
algorithms in software for limited use within a computer system (e.g., encrypting password files) or
implementations of cryptographic algorithms in software which were being utilized in computer
systems before the effective date of this standard do not require a waiver. However, these limited
uses should be converted to the use of this standard when the system or equipment involved is
upgraded or redesigned to include general cryptographic protection of computer data. Letters
describing the nature of and reasons for the waiver should be addressed to the Associate Director
for ADP Standards as previously noted.
`
`Sixty days should be allowed for review and response by NBS. The waiver shall not be approved
`until a response from NBS is received; however, the final decision for granting the waiver is the
`responsibility of the head of the particular agency involved.
`
`Where to Obtain Copies of the Standard:
`
Copies of this publication are for sale by the National Technical Information Service, U. S.
Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161. Order by FIPS PUB
number and title. Prices are published by NTIS in current catalogs and other issuances. Payment
may be made by check, money order, deposit account or charged to a credit card accepted by NTIS.
`
`Federal Information
`
`Processing Standards Publication 46
`
`1977 January 15
`
`SPECIFICATIONS FOR THE
`
`DATA ENCRYPTION STANDARD
`
`
`
The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm to
be implemented in special purpose electronic devices. These devices shall be designed in such a way
that they may be used in a computer system or network to provide cryptographic protection to
binary coded data. The method of implementation will depend on the application and environment.
The devices shall be implemented in such a way that they may be tested and validated as
accurately performing the transformations specified in the following algorithm.
`
`DATA ENCRYPTION ALGORITHM
`
`Introduction
`
The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control
of a 64-bit key. Deciphering must be accomplished by using the same key as for enciphering, but
with the schedule of addressing the key bits altered so that the deciphering process is the reverse of
the enciphering process. A block to be enciphered is subjected to an initial permutation $IP$, then to
a complex key-dependent computation and finally to a permutation which is the inverse of the
initial permutation $IP^{-1}$. The key-dependent computation can be simply defined in terms of a
function $f$, called the cipher function, and a function $KS$, called the key schedule. A description of
the computation is given first, along with details as to how the algorithm is used for encipherment.
Next, the use of the algorithm for decipherment is described. Finally, a definition of the cipher
function $f$ is given in terms of primitive functions which are called the selection functions $S_i$ and the
permutation function $P$. $S_i$, $P$ and $KS$ of the algorithm are contained in the Appendix.

The following notation is convenient: Given two blocks $L$ and $R$ of bits, $LR$ denotes the block
consisting of the bits of $L$ followed by the bits of $R$. Since concatenation is associative
$B_1 B_2 \ldots B_8$, for example, denotes the block consisting of the bits of $B_1$ followed by the
bits of $B_2$ ... followed by the bits of $B_8$.
`
`Enciphering
`
`A sketch of the enciphering computation is given in figure 1.
`
[FIGURE 1. Enciphering computation. Diagram not reproduced; its surviving labels are INPUT,
INITIAL PERMUTATION, PERMUTED INPUT, the key blocks $K_2$ and $K_3$, the round relations
$L_2 = R_1$ and $R_2 = L_1 \oplus f(R_1, K_2)$, and INVERSE INITIAL PERM.]

The 64 bits of the input block to be enciphered are first subjected to the following permutation,
called the initial permutation IP:

                    IP

    58  50  42  34  26  18  10   2
    60  52  44  36  28  20  12   4
    62  54  46  38  30  22  14   6
    64  56  48  40  32  24  16   8
    57  49  41  33  25  17   9   1
    59  51  43  35  27  19  11   3
    61  53  45  37  29  21  13   5
    63  55  47  39  31  23  15   7

That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on
with bit 7 as its last bit. The permuted input block is then the input to a complex key-dependent
computation described below. The output of that computation, called the preoutput, is then
subjected to the following permutation which is the inverse of the initial permutation:
`
                  $IP^{-1}$

    40   8  48  16  56  24  64  32
    39   7  47  15  55  23  63  31
    38   6  46  14  54  22  62  30
    37   5  45  13  53  21  61  29
    36   4  44  12  52  20  60  28
    35   3  43  11  51  19  59  27
    34   2  42  10  50  18  58  26
    33   1  41   9  49  17  57  25

`That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its
`second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.
`
The computation which uses the permuted input block as its input to produce the preoutput block
consists, but for a final interchange of blocks, of 16 iterations of a calculation that is described below
in terms of the cipher function f which operates on two blocks, one of 32 bits and one of 48 bits, and
produces a block of 32 bits.

Let the 64 bits of the input block to an iteration consist of a 32 bit block L followed by a 32 bit block
R. Using the notation defined in the introduction, the input block is then LR.

Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of an iteration with
input LR is defined by:

(1)    $L' = R$
       $R' = L \oplus f(R, K)$

where $\oplus$ denotes bit-by-bit addition modulo 2.

As remarked before, the input of the first iteration of the calculation is the permuted input
block. If L'R' is the output of the 16th iteration then R'L' is the preoutput block. At each
iteration a different block K of key bits is chosen from the 64-bit key designated by KEY.
`
With more notation we can describe the iterations of the computation in more detail. Let KS
be a function which takes an integer n in the range from 1 to 16 and a 64-bit block KEY as
input and yields as output a 48-bit block $K_n$ which is a permuted selection of bits from KEY.
That is

(2)    $K_n = KS(n, KEY)$

with $K_n$ determined by the bits in 48 distinct bit positions of KEY. KS is called the key
schedule because the block K used in the n'th iteration of (1) is the block $K_n$ determined by (2).

As before, let the permuted input block be LR. Finally, let $L_0$ and $R_0$ be respectively L and R
and let $L_n$ and $R_n$ be respectively L' and R' of (1) when L and R are respectively $L_{n-1}$ and
$R_{n-1}$ and K is $K_n$; that is, when n is in the range from 1 to 16,

(3)    $L_n = R_{n-1}$
       $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

The preoutput block is then $R_{16}L_{16}$.

The key schedule KS of the algorithm is described in detail in the Appendix. The key schedule
produces the 16 $K_n$ which are required for the algorithm.
`
`Deciphering
`
The permutation $IP^{-1}$ applied to the preoutput block is the inverse of the initial permutation
IP applied to the input. Further, from (1) it follows that:

(4)    $R = L'$
       $L = R' \oplus f(L', K)$

Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered
message block, taking care that at each iteration of the computation the same block of key bits
K is used during decipherment as was used during the encipherment of the block. Using the
notation of the previous section, this can be expressed by the equations:

       $R_{n-1} = L_n$
       $L_{n-1} = R_n \oplus f(L_n, K_n)$

where now $R_{16}L_{16}$ is the permuted input block for the deciphering calculation and $L_0R_0$ is the
preoutput block. That is, for the decipherment calculation with $R_{16}L_{16}$ as the permuted input,
$K_{16}$ is used in the first iteration, $K_{15}$ in the second, and so on, with $K_1$ used in the 16th
iteration.
`
`The Cipher Function f
`
A sketch of the calculation of f(R, K) is given in figure 2.

[FIGURE 2. Calculation of f(R, K). Diagram not reproduced; its surviving labels are R (32 BITS),
48 BITS, K (48 BITS) and 32 BITS.]

`
Let E denote a function which takes a block of 32 bits as input and yields a block of 48 bits as
output. Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are
obtained by selecting the bits in its inputs in order according to the following table:

         E BIT-SELECTION TABLE

    32   1   2   3   4   5
     4   5   6   7   8   9
     8   9  10  11  12  13
    12  13  14  15  16  17
    16  17  18  19  20  21
    20  21  22  23  24  25
    24  25  26  27  28  29
    28  29  30  31  32   1

Thus the first three bits of E(R) are the bits in positions 32, 1 and 2 of R while the last 2 bits
of E(R) are the bits in positions 32 and 1.
`
Each of the unique selection functions $S_1, S_2, \ldots, S_8$ takes a 6-bit block as input and yields
a 4-bit block as output and is illustrated by using a table containing the recommended $S_1$:

                                   $S_1$

                               Column Number
    Row
    No.    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

     0    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
     1     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
     2     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
     3    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

If $S_1$ is the function defined in this table and B is a block of 6 bits, then $S_1(B)$ is determined as
follows: The first and last bits of B represent in base 2 a number in the range 0 to 3. Let that
number be i. The middle 4 bits of B represent in base 2 a number in the range 0 to 15. Let that
number be j. Look up in the table the number in the i'th row and j'th column. It is a number
in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output
$S_1(B)$ of $S_1$ for the input B. For example, for input 011011 the row is 01, that is row 1, and the
column is determined by 1101, that is column 13. In row 1 column 13 appears 5 so that the
output is 0101. Selection functions $S_1, S_2, \ldots, S_8$ of the algorithm appear in the Appendix.
`
The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of
the input block. Such a function is defined by the following table:

           P

    16   7  20  21
    29  12  28  17
     1  15  23  26
     5  18  31  10
     2   8  24  14
    32  27   3   9
    19  13  30   6
    22  11   4  25

The output P(L) for the function P defined by this table is obtained from the input L by
taking the 16th bit of L as the first bit of P(L), the 7th bit as the second bit of P(L), and so on
until the 25th bit of L is taken as the 32nd bit of P(L). The permutation function P of the
algorithm is repeated in the Appendix.
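
The three primitives defined above (the E bit-selection table, the $S_1$ lookup rule and the permutation P), as an added example that is not part of FIPS PUB 46. The function names are hypothetical; `table_errors` is an added structural check, not something the standard specifies, that catches a mistyped table entry before the tables are used.

```python
from collections import Counter

# E bit-selection table, read row by row.
E = [32,  1,  2,  3,  4,  5,  4,  5,  6,  7,  8,  9,
      8,  9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32,  1]

# Selection function S1: four rows of sixteen columns.
S1 = [[14,  4, 13, 1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9, 0,  7],
      [ 0, 15,  7, 4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5, 3,  8],
      [ 4,  1, 14, 8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10, 5,  0],
      [15, 12,  8, 2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0, 6, 13]]

# Permutation function P, read row by row.
P = [16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
      2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25]


def select_bits(block: int, table: list[int], in_bits: int) -> int:
    """Output bit k (counted from 1 at the left) is input bit table[k-1]."""
    out = 0
    for pos in table:
        out = (out << 1) | ((block >> (in_bits - pos)) & 1)
    return out


def six_bit_blocks(x48: int) -> list[int]:
    """Split a 48-bit value into its 8 blocks of 6 bits, leftmost first."""
    return [(x48 >> (42 - 6 * n)) & 0x3F for n in range(8)]


def s_lookup(table: list[list[int]], b: int) -> int:
    """Apply a selection function to a 6-bit block b."""
    i = ((b >> 4) & 0b10) | (b & 1)   # first and last bits give the row
    j = (b >> 1) & 0b1111             # middle four bits give the column
    return table[i][j]


def table_errors(e: list[int], s: list[list[int]], p: list[int]) -> list[str]:
    """Return a description of every structural rule the tables break."""
    errs = []
    if sorted(p) != list(range(1, 33)):
        errs.append("P is not a permutation of 1..32")
    counts = Counter(e)
    if len(e) != 48 or set(e) != set(range(1, 33)) or max(counts.values()) > 2:
        errs.append("E does not select each of bits 1..32 once or twice")
    if len(s) != 4:
        errs.append("S does not have 4 rows")
    for i, row in enumerate(s):
        if sorted(row) != list(range(16)):
            errs.append(f"S row {i} is not a permutation of 0..15")
    return errs
```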
`
Now let $S_1, \ldots, S_8$ be eight distinct selection functions, let P be the permutation function and
let E be the function defined above.

To define f(R, K) we first define $B_1, \ldots,$