Warning Notice

The attached publication has been withdrawn (archived), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Withdrawn Publication
Series/Number: Federal Information Processing Standards Publication 46
Title: Data Encryption Standard
Publication Date(s): January 15, 1977
Withdrawal Date: January 22, 1988
Withdrawal Note: FIPS 46 was superseded and reaffirmed by FIPS 46-1 (January 22, 1988)

Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number: Federal Information Processing Standards Publication 46-1
Title: Data Encryption Standard
Author(s): National Institute of Standards and Technology
Publication Date(s): January 22, 1988
URL/DOI: https://csrc.nist.gov/publications/detail/fips/46/1/archive/1988-01-22

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Laboratory)
Latest revision of the attached publication:
Related Information:
Withdrawal Announcement Link:

Date updated: January 8, 2020
`
`Oracle-1031 p. 1
`Oracle v. Teleputers
`IPR2021-00078
`
`
`
FIPS PUB 46

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

1977 JANUARY 15

DATA ENCRYPTION STANDARD

CATEGORY: ADP OPERATIONS
SUBCATEGORY: COMPUTER SECURITY
`
`
`
U.S. DEPARTMENT OF COMMERCE • Elliot L. Richardson, Secretary
Edward O. Vetter, Under Secretary
Dr. Betsy Ancker-Johnson, Assistant Secretary for Science and Technology

NATIONAL BUREAU OF STANDARDS • Ernest Ambler, Acting Director
`
Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of Standards is the official publication relating to standards adopted and promulgated under the provisions of Public Law 89-306 (Brooks Bill) and under Part 6 of Title 15, Code of Federal Regulations. These legislative and executive mandates have given the Secretary of Commerce important responsibilities for improving the utilization and management of computers and automatic data processing systems in the Federal Government. To carry out the Secretary's responsibilities, the NBS, through its Institute for Computer Sciences and Technology, provides leadership, technical guidance, and coordination of government efforts in the development of technical guidelines and standards in these areas.

The series is used to announce Federal Information Processing Standards, and to provide standards information of general interest and an index of relevant standards publications and specifications. Publications that announce adoption of standards provide the necessary policy, administrative, and guidance information for effective standards implementation and use. The technical specifications of the standard are usually attached to the publication, otherwise a reference source is cited.

Comments covering Federal Information Processing Standards and Publications are welcomed, and should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234. Such comments will be either considered by NBS or forwarded to the responsible activity as appropriate.

ERNEST AMBLER, Acting Director
`
Abstract

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security to its ADP systems. This publication provides a standard to be used by Federal organizations when these organizations specify that cryptographic protection is to be used for sensitive or valuable computer data. Protection of computer data during transmission between electronic components or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by that data. The standard specifies an encryption algorithm which is to be implemented in an electronic device for use in Federal ADP systems and networks. The algorithm uniquely defines the mathematical steps required to transform computer data into a cryptographic cipher. It also specifies the steps required to transform the cipher back to its original form. A device performing this algorithm may be used in many applications areas where cryptographic data protection is needed. Within the context of a total security program comprising physical security procedures, good information management practices and computer system/network access controls, the Data Encryption Standard is being made available for use by Federal agencies.

Key Words: ADP security; computer security; encryption; Federal Information Processing Standard.

Nat. Bur. Stand. (U.S.), Fed. Info. Process. Stand. Publ. (FIPS PUB) 46, 17 pages (1977)
CODEN: FIPPAT

For sale by the National Technical Information Service, U.S. Department of Commerce, Springfield, Virginia 22161
`
`
`
`
Federal Information Processing Standards Publication 46

FIPS PUB 46

1977 January 15

ANNOUNCING THE DATA ENCRYPTION STANDARD

Federal Information Processing Standards are issued by the National Bureau of Standards pursuant to the Federal Property and Administrative Services Act of 1949, as amended, Public Law 89-306 (79 Stat 1127), Executive Order 11717 (38 FR 12315, dated May 11, 1973), and Part 6 of Title 15 Code of Federal Regulations (CFR).

Name of Standard: Data Encryption Standard (DES).

Category of Standard: Operations, Computer Security.
`
Explanation: The Data Encryption Standard (DES) specifies an algorithm to be implemented in electronic hardware devices and used for the cryptographic protection of computer data. This publication provides a complete description of a mathematical algorithm for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting data converts it to an unintelligible form called cipher. Decrypting cipher converts the data back to its original form. The algorithm described in this standard specifies both enciphering and deciphering operations which are based on a binary number called a key. The key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are used directly by the algorithm and 8 bits are used for error detection.
`
Binary coded data may be cryptographically protected using the DES algorithm in conjunction with a key. The key is generated in such a way that each of the 56 bits used directly by the algorithm are random and the 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte. Each member of a group of authorized users of encrypted computer data must have the key that was used to encipher the data in order to use it. This key, held by each member in common, is used to decipher the data received in cipher form from other members of the group. The encryption algorithm specified in this standard is commonly known among those using the standard. The unique key chosen for use in a particular application makes the results of encrypting data using the algorithm unique. Selection of a different key causes the cipher that is produced for any given set of inputs to be different. The cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data.
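An added example (not part of FIPS PUB 46) of the key format described above: 56 random bits spread over eight bytes, each byte completed with an odd-parity bit. It assumes the parity bit is the last bit of each byte (key bits 8, 16, ..., 64), as in the standard's key schedule; the function names and the sample key are constructed for illustration.

```python
import secrets

KEYSPACE = 2 ** 56  # keys the algorithm can tell apart: 72,057,594,037,927,936


def has_odd_parity(byte):
    """True when the byte contains an odd number of 1 bits."""
    return bin(byte).count("1") % 2 == 1


def with_odd_parity(key56):
    """Pack a 56-bit value into 8 key bytes, 7 key bits per byte, and set
    the last bit of each byte so the byte has an odd number of 1s."""
    if not 0 <= key56 < KEYSPACE:
        raise ValueError("expected a 56-bit value")
    key = bytearray()
    for i in range(8):
        byte = ((key56 >> (49 - 7 * i)) & 0x7F) << 1
        key.append(byte if has_odd_parity(byte) else byte | 1)
    return bytes(key)


def generate_key():
    """56 bits from the OS random source plus the 8 error-detecting bits."""
    return with_odd_parity(secrets.randbits(56))


def parity_errors(key):
    """1-based numbers of the key bytes whose parity is even (damaged).

    Parity only catches an odd number of flipped bits per byte; two flips
    in the same byte cancel out and pass unnoticed.
    """
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    return [n for n, byte in enumerate(key, start=1) if not has_odd_parity(byte)]


def effective_key(key):
    """The 56 bits used directly by the algorithm (parity bits dropped)."""
    value = 0
    for byte in key:
        value = (value << 7) | (byte >> 1)
    return value


SAMPLE_KEY = bytes.fromhex("0123456789abcdef")  # constructed sample, odd parity

if __name__ == "__main__":
    damaged = bytearray(SAMPLE_KEY)
    damaged[2] ^= 0x10  # one bit corrupted in the third byte
    print("intact key, bad bytes :", parity_errors(SAMPLE_KEY))
    print("damaged key, bad bytes:", parity_errors(bytes(damaged)))
    print("fresh key             :", generate_key().hex())
```

Two 64-bit keys that differ only in their parity bits select the same 56-bit key, so the parity bits add error detection and no key strength.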
`
Data can be recovered from cipher only by using exactly the same key used to encipher it. Unauthorized recipients of the cipher who know the algorithm but do not have the correct key cannot derive the original data algorithmically. However, anyone who does have the key and the algorithm can easily decipher the cipher and obtain the original data. A standard algorithm based on a secure key thus provides a basis for exchanging encrypted computer data by issuing the key used to encipher it to those authorized to have the data. Additional FIPS guidelines for implementing and using the DES are being developed and will be published by NBS.
`
`
`
Approving Authority: Secretary of Commerce.

Maintenance Agency: Institute for Computer Sciences and Technology, National Bureau of Standards.

Applicability: This standard will be used by Federal departments and agencies for the cryptographic protection of computer data when the following conditions apply:
`
`
1. An authorized official or manager responsible for data security or the security of any computer system decides that cryptographic protection is required; and

2. The data is not classified according to the National Security Act of 1947, as amended, or the Atomic Energy Act of 1954, as amended.
`
However, Federal agencies or departments which use cryptographic devices for protecting data classified according to either of these acts can use those devices for protecting unclassified data in lieu of the standard.

In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations.

Data that is considered sensitive by the responsible authority, data that has a high value, or data that represents a high value should be cryptographically protected if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. A risk analysis should be performed under the direction of a responsible authority to determine potential threats. FIPS PUB 31 (Guidelines for Automatic Data Processing Physical Security and Risk Management) and FIPS PUB 41 (Computer Security Guidelines for Implementing the Privacy Act of 1974) provide guidance for making such an analysis. The costs of providing cryptographic protection using this standard as well as alternative methods of providing this protection and their respective costs should be projected. A responsible authority then should make a decision, based on these analyses, whether or not to use cryptographic protection and this standard.
`
Applications: Data encryption (cryptography) may be utilized in various applications and in various environments. The specific utilization of encryption and the implementation of the DES will be based on many factors particular to the computer system and its associated components. In general, cryptography is used to protect data while it is being communicated between two points or while it is stored in a medium vulnerable to physical theft. Communication security provides protection to data by enciphering it at the transmitting point and deciphering it at the receiving point. File security provides protection to data by enciphering it when it is recorded on a storage medium and deciphering it when it is read back from the storage medium. In the first case, the key must be available at the transmitter and receiver simultaneously during communication. In the second case, the key must be maintained and accessible for the duration of the storage period.
`
Hardware Implementation: The algorithm specified in this standard is to be implemented in computer or related data communication devices using hardware (not software) technology. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. Implementations which comply with this standard include Large Scale Integration (LSI) "chips" in individual electronic packages, devices built from Medium Scale Integration (MSI) electronic components, or other electronic devices dedicated to performing the operations of the algorithm. Micro-processors using Read Only Memory (ROM) or micro-programmed devices using microcode for hardware level control instructions are examples of the latter. Hardware implementations of the algorithm which are tested and validated by NBS will be considered as complying with the standard. Procedures for testing and validating equipment for conformance with this standard are available from the Systems and Software Division, National Bureau of Standards, Washington, D.C. 20234. Software implementations in general purpose computers are not in compliance with this standard. Information regarding devices which have been tested and validated will be made available to all FIPS points of contact.

Export Control: Cryptographic devices and technical data regarding them are subject to Federal Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through 128. Cryptographic devices implementing this standard and technical data regarding them must comply with these Federal regulations.
`
`
Patents: Cryptographic devices implementing this standard may be covered by U.S. and foreign patents issued to the International Business Machines Corporation. However, IBM has granted nonexclusive, royalty-free licenses under the patents to make, use and sell apparatus which complies with the standard. The terms, conditions and scope of the licenses are set out in notices published in the May 13, 1975 and August 31, 1976 issues of the Official Gazette of the United States Patent and Trademark Office (934 O.G. 452 and 949 O.G. 1717).

Alternative Modes of Using the DES: The "Guidelines for Implementing and Using the Data Encryption Standard" describe two different modes for using the algorithm described in this standard. Blocks of data containing 64 bits may be directly entered into the device where 64-bit cipher blocks are generated under control of the key. This is called the electronic code book mode. Alternatively, the device may be used as a binary stream generator to produce statistically random binary bits which are then combined with the clear (unencrypted) data (1-64 bits) using an "exclusive-or" logic operation. In order to assure that the enciphering device and the deciphering device are synchronized, their inputs are always set to the previous 64 bits of cipher that were transmitted or received. This second mode of using the encryption algorithm is called the cipher feedback (CFB) mode. The electronic codebook mode generates blocks of 64 cipher bits. The cipher feedback mode generates cipher having the same number of bits as the plain text. Each block of cipher is independent of all others when the electronic codebook mode is used while each byte (group of bits) of cipher depends on the previous 64 cipher bits when the cipher feedback mode is used. The modes of operation briefly described here are further explained in the FIPS "Guidelines for Implementing and Using the Data Encryption Standard."
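An added example, not taken from the standard or the Guidelines, contrasting the two modes described above. `block_encrypt` is a hypothetical stand-in for the DES device built from SHA-256 (it is not DES and not invertible, so only the enciphering direction of the code book mode is shown); 8-bit feedback is one choice from the 1-64 bit range, and the starting register contents `IV` are an assumption the text does not cover.

```python
import hashlib

BLOCK = 8  # bytes in a 64-bit block

KEY = bytes.fromhex("0123456789abcdef")  # constructed sample key
IV = bytes(8)                            # assumed initial register contents
MESSAGE = b"ACCT0001" * 3 + b"END"       # constructed: 3 equal blocks + 3 bytes


def block_encrypt(key, block):
    """Stand-in for the DES device: keyed 64 bits in, 64 bits out. Not DES."""
    if len(block) != BLOCK:
        raise ValueError("input must be exactly 64 bits")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encipher(key, data):
    """Electronic code book: each 64-bit block is enciphered on its own."""
    if len(data) % BLOCK:
        raise ValueError("code book mode needs whole 64-bit blocks")
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cfb8(key, iv, data, decipher=False):
    """Cipher feedback, 8 bits at a time. Both ends run the device in the
    enciphering direction; its input is the previous 64 bits of cipher."""
    register = iv
    out = bytearray()
    for byte in data:
        stream = block_encrypt(key, register)[0]  # one generated byte
        result = byte ^ stream                    # exclusive-or with the data
        out.append(result)
        cipher_byte = byte if decipher else result
        register = register[1:] + bytes([cipher_byte])  # shift cipher in
    return bytes(out)


def blocks(data):
    """Split data into 64-bit pieces (the last one may be short)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def flip_bit(data, index, mask=0x01):
    """Return a copy of data with one bit changed, as line noise would."""
    damaged = bytearray(data)
    damaged[index] ^= mask
    return bytes(damaged)


if __name__ == "__main__":
    print("ECB:", [b.hex() for b in blocks(ecb_encipher(KEY, MESSAGE[:24]))])
    cipher = cfb8(KEY, IV, MESSAGE)
    print("CFB:", [b.hex() for b in blocks(cipher)])
    # One damaged cipher byte: that byte and the next 8 are affected, after
    # which the receiver's register holds clean cipher again.
    print(cfb8(KEY, IV, flip_bit(cipher, 5), decipher=True))
```

Equal plaintext blocks show up as equal cipher blocks in the code book output, while the feedback output hides the repetition and resynchronizes nine bytes after a transmission error.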
`
Implementation of this standard: This standard becomes effective six months after the publication date of this FIPS PUB. It applies to all Federal ADP systems and associated telecommunications networks under development as well as to installed systems when it is determined that cryptographic protection is required. Each Federal department or agency will issue internal directives for the use of this standard by their operating units based on their data security requirement determinations.

NBS will provide assistance to Federal organizations by developing and issuing additional technical guidelines on computer security and by providing technical assistance in using data encryption. A data encryption testbed has been established within NBS for use in providing this technical assistance. The National Security Agency assists Federal departments and agencies in communications security and in determining specific security requirements. Instructions and regulations for procuring data processing equipment utilizing this standard will be provided by the General Services Administration.
`
`
Specifications: Federal Information Processing Standard (FIPS 46) Data Encryption Standard (DES) (affixed).

Cross Index:

a. FIPS PUB 31, "Guidelines to ADP Physical Security and Risk Management"

b. FIPS PUB 39, "Glossary for Computer Systems Security"

c. FIPS PUB 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974"

d. FIPS PUB-, "Guidelines for Implementing and Using the Data Encryption Standard" (to be published)

e. Other FIPS and Federal Standards are applicable to the implementation and use of this standard. In particular, the American Standard Code for Information Interchange (FIPS PUB 1) and other related data storage media or data communications standards should be used in conjunction with this standard. A list of currently approved FIPS may be obtained from the Office of ADP Standards Management, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234.
`
Qualifications: The cryptographic algorithm specified in this standard transforms a 64-bit binary value into a unique 64-bit binary value based on a 56-bit variable. If the complete 64-bit input is used (i.e., none of the input bits should be predetermined from block to block) and if the 56-bit variable is randomly chosen, no technique other than trying all possible keys using known input and output for the DES will guarantee finding the chosen key. As there are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits, the feasibility of deriving a particular key in this way is extremely unlikely in typical threat environments. Moreover, if the key is changed frequently, the risk of this event is greatly diminished. However, users should be aware that it is theoretically possible to derive the key in fewer trials (with a correspondingly lower probability of success depending on the number of keys tried) and should be cautioned to change the key as often as practical. Users must change the key and provide it a high level of protection in order to minimize the potential risks of its unauthorized computation or acquisition. The feasibility of computing the correct key may change with advances in technology. A more complete description of the strength of this algorithm against various threats will be contained in the Guidelines for Implementing and Using the DES.

When correctly implemented and properly used, this standard will provide a high level of cryptographic protection to computer data. NBS, supported by the technical assistance of Government agencies responsible for communication security, has determined that the algorithm specified in this standard will provide a high level of protection for a time period beyond the normal life cycle of its associated ADP equipment. The protection provided by this algorithm against potential new threats will be reviewed within five years to assess its adequacy. In addition, both the standard and possible threats reducing the security provided through the use of this standard will undergo continual review by NBS and other cognizant Federal organizations. The new technology available at that time will be evaluated to determine its impact on the standard. In addition, the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NBS to reevaluate this standard and provide necessary revisions.
`
Comments: Comments and suggestions regarding this standard and its use are welcomed and should be addressed to the Associate Director for ADP Standards, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234.
`
Waiver Procedure: The head of a Federal agency may waive the provisions of this FIPS PUB after the conditions and justifications for the waiver have been coordinated with the National Bureau of Standards. A waiver is necessary if cryptographic devices performing an algorithm other than that which is specified in this standard are to be used by a Federal agency for data subject to cryptographic protection under this standard. No waiver is necessary if classified communications security equipment is to be used. Software implementations of this algorithm for operational use in general purpose computer systems do not comply with this standard and each such implementation must also receive a waiver. Implementation of the algorithm in software for testing or evaluation does not require waiver approval. Implementation of other special purpose cryptographic algorithms in software for limited use within a computer system (e.g., encrypting password files) or implementations of cryptographic algorithms in software which were being utilized in computer systems before the effective date of this standard do not require a waiver. However, these limited uses should be converted to the use of this standard when the system or equipment involved is upgraded or redesigned to include general cryptographic protection of computer data. Letters describing the nature of and reasons for the waiver should be addressed to the Associate Director for ADP Standards as previously noted.

Sixty days should be allowed for review and response by NBS. The waiver shall not be approved until a response from NBS is received; however, the final decision for granting the waiver is the responsibility of the head of the particular agency involved.
`
Where to Obtain Copies of the Standard:

Copies of this publication are for sale by the National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Road, Springfield, Virginia 22161. Order by FIPS PUB number and title. Prices are published by NTIS in current catalogs and other issuances. Payment may be made by check, money order, deposit account or charged to a credit card accepted by NTIS.
`
`
`
`
Federal Information Processing Standards Publication 46

FIPS PUB 46

1977 January 15

SPECIFICATIONS FOR THE DATA ENCRYPTION STANDARD

The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm to be implemented in special purpose electronic devices. These devices shall be designed in such a way that they may be used in a computer system or network to provide cryptographic protection to binary coded data. The method of implementation will depend on the application and environment. The devices shall be implemented in such a way that they may be tested and validated as accurately performing the transformations specified in the following algorithm.
`
DATA ENCRYPTION ALGORITHM

Introduction

The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control of a 64-bit key. Deciphering must be accomplished by using the same key as for enciphering, but with the schedule of addressing the key bits altered so that the deciphering process is the reverse of the enciphering process. A block to be enciphered is subjected to an initial permutation $IP$, then to a complex key-dependent computation and finally to a permutation which is the inverse of the initial permutation $IP^{-1}$. The key-dependent computation can be simply defined in terms of a function $f$, called the cipher function, and a function $KS$, called the key schedule. A description of the computation is given first, along with details as to how the algorithm is used for encipherment. Next, the use of the algorithm for decipherment is described. Finally, a definition of the cipher function $f$ is given in terms of primitive functions which are called the selection functions $S_i$ and the permutation function $P$. $S_i$, $P$ and $KS$ of the algorithm are contained in the Appendix.

The following notation is convenient: Given two blocks $L$ and $R$ of bits, $LR$ denotes the block consisting of the bits of $L$ followed by the bits of $R$. Since concatenation is associative $B_1 B_2 \ldots B_8$, for example, denotes the block consisting of the bits of $B_1$ followed by the bits of $B_2$ ... followed by the bits of $B_8$.

Enciphering

A sketch of the enciphering computation is given in figure 1.
`
`
[Figure: block diagram with the labels INPUT, INITIAL PERMUTATION, PERMUTED INPUT, Kn, INVERSE INITIAL PERM, OUTPUT.]

FIGURE 1. Enciphering computation.
`
`
`
`
`
`
The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation $IP$:

IP

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on with bit 7 as its last bit. The permuted input block is then the input to a complex key-dependent computation described below. The output of that computation, called the preoutput, is then subjected to the following permutation which is the inverse of the initial permutation:

$IP^{-1}$

40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.
`
The computation which uses the permuted input block as its input to produce the preoutput block consists, but for a final interchange of blocks, of 16 iterations of a calculation that is described below in terms of the cipher function $f$ which operates on two blocks, one of 32 bits and one of 48 bits, and produces a block of 32 bits.

Let the 64 bits of the input block to an iteration consist of a 32 bit block $L$ followed by a 32 bit block $R$. Using the notation defined in the introduction, the input block is then $LR$.

Let $K$ be a block of 48 bits chosen from the 64-bit key. Then the output $L'R'$ of an iteration with input $LR$ is defined by:

(1)
$L' = R$
$R' = L \oplus f(R, K)$

where $\oplus$ denotes bit-by-bit addition modulo 2.

As remarked before, the input of the first iteration of the calculation is the permuted input block. If $L'R'$ is the output of the 16th iteration then $R'L'$ is the preoutput block. At each iteration a different block $K$ of key bits is chosen from the 64-bit key designated by $KEY$.
`
`
With more notation we can describe the iterations of the computation in more detail. Let $KS$ be a function which takes an integer $n$ in the range from 1 to 16 and a 64-bit block $KEY$ as input and yields as output a 48-bit block $K_n$ which is a permuted selection of bits from $KEY$. That is

(2)
$K_n = KS(n, KEY)$

with $K_n$ determined by the bits in 48 distinct bit positions of $KEY$. $KS$ is called the key schedule because the block $K$ used in the $n$'th iteration of (1) is the block $K_n$ determined by (2).

As before, let the permuted input block be $LR$. Finally, let $L_0$ and $R_0$ be respectively $L$ and $R$ and let $L_n$ and $R_n$ be respectively $L'$ and $R'$ of (1) when $L$ and $R$ are respectively $L_{n-1}$ and $R_{n-1}$ and $K$ is $K_n$; that is, when $n$ is in the range from 1 to 16,

(3)
$L_n = R_{n-1}$
$R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

The preoutput block is then $R_{16}L_{16}$.

The key schedule $KS$ of the algorithm is described in detail in the Appendix. The key schedule produces the 16 $K_n$ which are required for the algorithm.
`
Deciphering

The permutation $IP^{-1}$ applied to the preoutput block is the inverse of the initial permutation $IP$ applied to the input. Further, from (1) it follows that:

(4)
$R = L'$
$L = R' \oplus f(L', K)$

Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered message block, taking care that at each iteration of the computation the same block of key bits $K$ is used during decipherment as was used during the encipherment of the block. Using the notation of the previous section, this can be expressed by the equations:

(5)
$R_{n-1} = L_n$
$L_{n-1} = R_n \oplus f(L_n, K_n)$

where now $R_{16}L_{16}$ is the permuted input block for the deciphering calculation and $L_0R_0$ is the preoutput block. That is, for the decipherment calculation with $R_{16}L_{16}$ as the permuted input, $K_{16}$ is used in the first iteration, $K_{15}$ in the second, and so on, with $K_1$ used in the 16th iteration.
`
The Cipher Function f

A sketch of the calculation of $f(R, K)$ is given in figure 2.
`
`
`
`
[Figure: diagram of the calculation with the labels R (32 BITS), 48 BITS, K (48 BITS), 32 BITS.]

FIGURE 2. Calculation of f(R, K).
`
Let $E$ denote a function which takes a block of 32 bits as input and yields a block of 48 bits as output. Let $E$ be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained by selecting the bits in its inputs in order according to the following table:

E BIT-SELECTION TABLE

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Thus the first three bits of $E(R)$ are the bits in positions 32, 1 and 2 of $R$ while the last 2 bits of $E(R)$ are the bits in positions 32 and 1.
`
`
Each of the unique selection functions $S_1, S_2, \ldots, S_8$, takes a 6-bit block as input and yields a 4-bit block as output and is illustrated by using a table containing the recommended $S_1$:

S1

Row              Column Number
No.   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

If $S_1$ is the function defined in this table and $B$ is a block of 6 bits, then $S_1(B)$ is determined as follows: The first and last bits of $B$ represent in base 2 a number in the range 0 to 3. Let that number be $i$. The middle 4 bits of $B$ represent in base 2 a number in the range 0 to 15. Let that number be $j$. Look up in the table the number in the $i$'th row and $j$'th column. It is a number in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output $S_1(B)$ of $S_1$ for the input $B$. For example, for input 011011 the row is 01, that is row 1, and the column is determined by 1101, that is column 13. In row 1 column 13 appears 5 so that the output is 0101. Selection functions $S_1, S_2, \ldots, S_8$ of the algorithm appear in the Appendix.
`
The permutation function $P$ yields a 32-bit output from a 32-bit input by permuting the bits of the input block. Such a function is defined by the following table:

P

16  7 20 21
29 12 28 17
 1 15 23 26
 5 18 31 10
 2  8 24 14
32 2