`
`Mm
`
`,
`I
`
`
`,
`
`.6136128‘
`Pups PUB 81 ;
`
`FEDERAL INFORMATION
`PROCESSING STANDARDS PUBLICATION
`
`1980 flacember 2, '
`
`
`
`
`
`
`" 'QIENTQEflcmMME" E “Natimaraugéau ufsténd'arés
`
`
`
`
`
`
`
`OFOPERATI
`
`SUBCATEGORY COMPUTER SECURITY
`
`ILATEGORY ADP OPERATIGWD
`
`'
`
`Unified Patents Inc. Ex. 1014, pg. 1
`
`Unified Patents Inc. Ex. 1014, pg. 1
`
`

`

`
`(Dads-2}
`“W3 materia} may b6: Hammad by (Sapyrigm 58W
`6: “E?” US»,
`ms“ Damian/mm" o? cemmca. Philip M.;x1umnick, Secretary
`
`' Joréan J“ Baruch, Assistant Secrétary far ?rnductivity;
`'
`Technuisgy and Innovation
`
`NAfi0NAL BUREAU 0F STANDARDS, Ernest Amhler, Birector
`
`Fareword
`
`cf
`infcrmatinn ?r02essing Standards Publicatimn Serieg 0f the Matjnnal Eurasu
`?Q&&rfil
`Th3
`Standards
`is Chfi official pablficaninn reiating to standards adoited anfl’prnmulgated
`under
`Ehfi
`prnwisians
`DE Publia Law 89*306 (Braoks Act) and under Part 6 Qf Title
`15’, Code Of
`¥wflaral Regulatimns.
`These legislative and axecutive manfiates have given the Secretary DE
`Cnmmercfl
`important
`responsibilitiag far
`impraving the utiiization and management
`0E
`tcmflmtfirg
`and
`autmmatic data processing in the Federal Gnvernment.
`To Carry
`cut
`the
`Swervtary’g
`respansibilities,
`the NBS,
`thruugh its Institute far Ccmputer Sciences
`and
`Tachnmlagv,
`pruvifieg lwafiarship,
`teahnical guidance and caerdinatisn mf Government efforis
`in aha devolmgmenc nf guidelinea and standards in these areas.
`
`and
`lnformacimn Ptncessing Standards Puhlicatians are welcamed
`L hmenfig CQHC§Tfiinfi Fedwral
`ahaulfi
`hv
`35§r@ssefi
`hm Chg Dire Car,
`Institute fnr Computer Scienceg
`and Tachnclogy,
`Raiémnafi Eureau a? Standardg, Hashingfian, DC
`20234.
`
`James H. Eurrnws, Divectar
`Institute far Cmmpucar Sciences
`anfl Temhnalngy
`
`Abstract
`
`
`
`
`
`
`
`
`(FIPS SE) specifies a uryptografihic algnrithm t0
`,*%§ Nata Euvryptinn Etafiflard (3E8)
`nga& ior aha Cfvfliugffiphifl prncectimn mi sansitfve,
`but unclaggified,
`camputer data.
`EEWfi flnfinva {mar a}fl93 a? mpcratian Fmr
`the £58 which may he used in a wide variety
`* Liana.
`The mafiea Specify hmw data wili ha ennryptwd (cryptagraphically prntect~
`cvaawfi {raturnmd Em arigimal
`form}.
`The mufiw$ inciufiefi
`in this fitandard are the
`
`
`* @hme i
`fiR} mafia,
`the Cipher Black Chaining (CBC) mode,
`thw Cipher Feedback
`m, anfi
`{Mg
`Hutput Ffithack {DFB} made.
`
` ‘w~grity; urvptmgraphy; damn sacuritv; H88; encrypgiwn; Fefimral {nfnr-
`SfflflflAYdfi: mmfiaa af nymra:imn.
`
`
`
`5“.9.§‘ F9d.Tnfm¥?r€669$.Rtnn&*?ub2.(¥?Pfl
`
`PNR) SI,
`
`3% pxfldfi.
`
`1; £9313
`CK'WE‘REE; I F I PPAT
`
`
`
`Twahvéma§ Emfmrmatifin fivrviwn,
`
`fi.§.
`
`fiqurrmvmt
`
`m?
`
`Cwfimorvv1
`
`Unified Patents Inc. Ex. 1014, pg. 2
`
`Unified Patents Inc. Ex. 1014, pg. 2
`
`

`

`
`
`,
`' Federal lnfarmdfidn
`- ,
`Processing 'Smndnrds Publication 81
`
`1930 December 5!
`
`muouwtms THE
`stmnmu FOR
`
`DES MODES OF OPERATION
`
`,HFS'PUB a!
`
`
`
`?edera£ Information Prdcessing Standards'Publicationd are issuad by the Natinnal Bureau 0f
`Signdards pursuant
`to the Fedaral Pncnerty and Administrativa Services Act 0f 19hg,
`an
`amended, Public Law 89-306 {?9 Stat.
`1327), Exacntive Grant 1&717 (38 FR 12315, dated May
`11, 1973), and Part 6 of Title 15 Cnde of Federal Regdlatinns (CFR).
`
`1. Name uf Standard. DES Hades of Operation.
`
`'2. Catagnry of Standard.
`
`ADP Operations, camputer security.
`
`(FIFE 46) specifies a cryptnm
`Exnlanatinn. The Federal Barn Encryptian Standard (DES)
`3.
`graphic algnrithm to ha used for the cryptographic ptntnctinn nf sensitive,
`but unclassi‘
`fled,
`computer data.
`This FIPS defines four modes of operatidn for the DES which may be
`used
`in a wide varidty cf applicatinns-
`The mnden specify haw data will
`be
`encrypted
`(cryptographically prdtected)
`and decryptnd (returned tn nriginal farm).
`The mades
`in“
`cluded in this standard are the Elentronic Codebnok (ECB) made,
`the Cipher Block Chaining
`(CBC) made,
`the Cipher Feedback (CF33 made, and the Output Feedback (OFB) mode.
`
`this standard prnvides specificatidns of the recommended nudes df operation but
`The bndy of
`does not specify the necassary and sufficiént nonditians far their secure implementation in
`a particular appliuatinn, This standard specifies the numbering nf data bits, haw the bits
`are
`encrypted
`and decryptedi
`and the data paths and the data prncessing necessary for
`encrypting and decrypting data 0: messages. This standard is hased on (and references) the
`DES
`and prevides the next
`level of detail necessary far prdviding compatibility among
`DES
`equipment.
`This
`standard anticipates the develervnnt of a set of applicatinn standards
`which reference it such an nnmmunicatinn security standards,
`data storage standards, pass'
`word nrntectinn standards and key manngement standards.
`Cryptographic system designers or
`security application designers must select one or more of the pnssible modas of
`cperatiun
`fur implemnnting and using tha DES in a cryptographic system at security applicaticn.
`The
`Appendices
`tn
`this standard prnvide tutnrial informatinn 0n the modes
`of oparatlon and
`examples
`far validating their correct
`implementatinn.
`The Appendices are gnidaiinnn
`and
`are not mnndatory requiremnnts 9f
`this standard.
`
`6. Approving Authnrity. Snaretary 9f Commernn.
`
`5. Maintenance Agency. U'S. Department df Commerce, National Bureau of Standards, Insti-
`tute for Cnmputer Sciences and Technalogy.
`
`6. Related flocuments.
`
`F195 FHB 46, "Data Encryption Standard," January 15, 1977.
`
`”Telecnmmunicatinns:
`(Proposed) Federal Standard 1026,
`Use Of
`the Data Encryption Standard,“ May 28, 1980, draft.
`
`Interapernbility Requirements for
`
`"Tnlecommnnicatinns:
`(Proposed) Federal Standard 102?,
`tna flata Encryption Standard," Augngt 5,
`1980, draft,
`
`$ecurity Requirements for Use of
`
`am mnnnfl mums,
`
`Unified Patents Inc. Ex. 1014, pg. 3
`
`Unified Patents Inc. Ex. 1014, pg. 3
`
`

`

`FIFE mm:
`
`A lint nf nurrently éppraved FIPS may be cbtained fram the’Stanéardn Adminint%*tion Offica.
`Innzisnte for Cnmputer Sciences and Technnlngy, National Bureau at Standards, Washingtnn.
`BC 2&23é.
`‘
`
`This standard shall bé used by Fafleral departmenta and agencies when
`'Afiplicability.
`7a
`pracuring equipment at sarvices whith implement
`the Data Encryption Standaré and which are
`intended fnr nae in the cryptngraphic protectinn of nensltive,
`but unclasnifiea.
`camputnr
`data.
`This
`standard may
`be
`used by anyone desiring tn implement
`and use
`the Data
`Encryntion Standard.
`The selectinn of one of the npenified modas nf aperation will depenn'
`an the partinnlar npplicatian being considered.
`
`Specificnklnnn.
`8.
`tian (affixed).
`
`Fnfieral Informatinn Prunessing Stanfiard (FIPS 81) DES Nudes of fiparn~
`
`The DEfi modes 0f nperatinn deacribed in this ntandard are based upnn
`9‘ Qualgficatiann,
`infarmatinn pravidefi by many snurces within the Federal Gnvernment and privatn industry.
`These modeg
`are presently being implementefi
`in cryptngraphic
`cquipmfint
`cantaining ,DES
`nvnices.
`Hnnever, a stanéard of this natutn must, nf necessity,
`remain flexibla enough tn
`aéapt
`to advancements and innavatlons in science and technolngy. As such,
`this
`standard
`shnuln
`not ha ennstrued as being either exhaustive at stating
`It wi,
`be reviewed
`every
`five years
`in order to incurpcrata new implementations whnse techniu,',
`* econcmic merit
`justify the isnuance mf a rnvisad Standard.
`FIPS £6 requires lmplema;'
`" 0f
`the DES
`algerithm in alectrnnln devices when used by Federal departments and agg"" . The BBB,
`itself, must
`therefore be in hardware at
`firmware far Federal applicatinn,
`Howeveri
`the
`moans of npnratinn specifiefi in this standard may be implemented in soft flax,
`hardwarn, or
`firmware.
`
`subject
`Expart Cnntrnl. Cryptagraphic devices and technical data regarding them are
`10.
`ta Federal Government
`export
`enntrals
`as
`specified in Titla 22,
`6069
`cf Federal
`Regulations, Parts
`l2} through 123. Cryntngraphlc devinas implementing this standard and
`technical data regarding than must comply with these Fefieral regulations.
`
`Crypcggrapnlc equipment
`Patents.
`1!.
`and fateign patents.
`
`implementing zhls standard may be cavered by U.S.
`
`12.
`
`Implementation Schafinle. This standard beanmeg affective an Jnne 2, 1981.
`
`standard be
`the requirements nf this
`that
`of agencies may request
`flands
`13. Waivern.
`waivmd in instances where it nan be clearly demunstrated that there are appreciable perf0r~
`mance at cost afivantages to be gained and when the nnnrall interests of the Federal Governn
`men:
`are best
`servnd by granting the requested walvar.
`Such waiver
`requeats will
`be
`reviewed
`by
`and
`are subject
`to {he approval of
`the Secretary of Commerca.
`The waiver
`rnquest must specify anticipatnd perfurmnnne and cast aévantages in thn justificatian for
`thn waivnr.
`
`annuld be allnwed fur review ané respnnse by the Secretary of Commerae‘
`days
`Fortwaive
`Rniver tannests shall be submitted to the Secretary of Cnmmeraa, Washington, DC
`2U230, ané
`labeled as
`a Reguast for a Waiver
`to this Federal Infcrmatinn Pynnessing Standard.
`N0
`agency shall take any actinn £9 neviata frnm this standard prior to the receipt af a waiver
`apprcval
`frnm the Secretary 0f Cnmmerce.
`We agency shall implement or procure
`equipment
`using a
`DES mnde nf operatlnn nut nanfnrming to this standard unlesn a waiver has
`been
`apnrnved.
`
`the National
`ta Obtain Copies. Copies of this publication ara far nale by
`lfi. Where
`Technical Infnrmatinn Serving, UaS. flapartment 0f Cnmmerce, Springfield, VA 22161.
`When
`ardering,
`refer ta Federal Infnrmatinn ¥rocessing Stanéards Publication 81 {FIPS PUB SK),
`and title.
`When microfiche is fiesired,
`this should ha gpecified.
`Payment may hé made by
`check, mnney nrder, a: depasit accaunt.
`
`TO
`
`BE§T WCUMENT MMlflBLE
`
`Unified Patents Inc. Ex. 1014, pg. 4
`
`Unified Patents Inc. Ex. 1014, pg. 4
`
`

`

`
`
`Madam-all Information,
`Pracessing; SMndards Publication 31
`
`1980 flecember 32
`
`Specificmions for
`
`DES MODES 0F OPERAfI'lDN
`
`CONTENTS
`
`Page
`INTROQUCT[DN tunloollicaoahsauna-1Q.Illnencn-iihtu-u.1baaqo‘w¢¢uuaniuqhonnmluuquh a
`1.1 Definitians, Abbreviations, and Cunventians...*..............w................ a
`
`ELEQTRONIC CODEBOQK (ECB) MODE.._...........1a...,...................m..........u
`ClPHER BLflCK CHEXNENG (CBC) MBHE................:.e.»................-.......*i..
`CIFHER FEEDBACK (CFB) MQBE.....a.....ua‘...........3...gy;...........,‘u.........
`
`UUTPET FEEfiBACK (QFB} MDDE........u...g...............»...a.‘o........-........w~ menu-rm
`
`1.
`
`2.
`3.
`A.
`5.
`
`FIGURES
`
`Figure l. Eiactronic Cudeboak CECE) Moda.............‘....*....‘~................... 6
`Figure 2. Cipher Black Chaining (CBC) Modefi.........n.......‘....................... 7
`Figure 3- K'Bit Cipher Ffifldbaflk (CF33 Made.IOQAAttrQqwonIIbmuitflfliliiifliulhibnlnifiit 9
`Figure é. K-Bit Qutput Faedback (OFB) M0de..........u.......w......i..¢.‘..»........IO
`n
`
`Des Mapplngs......a.....................,..i...*.........Q...............12
`
`Figure A1
`
`TABLES
`
`Table 81.
`Table Cl.
`Table D1.
`Table D2.
`Table D3.
`Table D4.
`Table D5.
`Tabla EL.
`Tablé E2.
`Tablg Fl.
`Table F2.
`
`the Elactrmnic Cndebook CECE) Mode...l...................*..13
`Au Example of
`An Example 0f the Ciphér Biock Chaining {CBC} fiade..............a.........15
`&n Example cf the lwfiit Cipher Feedback (fiFfi) Made........................l7
`an Example 0f the 8*Bit Cipher Feedback (CFB) Mnda...._...................18
`An Example of
`the fié-Bit Cipher Feedback €CFB) Mode.......................19
`fifl Examplm 0E the YwBit Gipha: Feedback Alfiernative Made...............,..20
`an Example 95 the Sbnflit Cipher Feedback Alternative Made.................21
`An Example of the inflit Output Feeéback {DFBJ Moée....................,...22
`fin ENQWPIE 0f
`the 3WBit Output FEEdbaCk {DFE) Mode.gno.n...-.no¢.....s....23
`An Example af tha Cipher Block Chaining (CBC) fiude {or Authenticatian.....25
`An Examgle of
`the Cipher Feedback (CF33 Made for Authenticatinn....m......2b
`
`AFPEWDECES
`
`Appendix A. General lnfnrmafiion...........‘.*...........,...........................ll
`fippendix B. Electronic Codebook (EOE) Mode.....................................w....12
`Appendix C. Cipher Black Chaining {CBC} Made...........,......................u....»lé
`fippendix fl. Cipher Faadback (CFB) Made.......3..i...‘...........................¢...16
`Appendix E. Output Feedback (GEE) Mode...............‘..................*..w........22
`Apgandix F.
`DES Authanticatian Tichnique...‘........................................2&
`
`RES”? , WOCUMENI...?.AVAILABLE
`
`Unified Patents Inc. Ex. 1014, pg. 5
`
`Unified Patents Inc. Ex. 1014, pg. 5
`
`

`

`FI‘P‘S NE 81
`
`Iatrofluctiun. Einary data may ha cryptagrsphically yrutected (encryptad) ufiing dévices
`1‘
`imwlementing the algarithm apecified in tha Data Ennryptinu Standard (DES)
`(FIFE PUB héfi
`in
`canjunntion with a cryptngraphic key.
`The ctyptagraphic key contrnls the encryption, pro-
`cexs
`an& the
`identical
`key must alga he usfid in the deatyptiafi pracass
`to attain tha
`original data.
`Since thfl DES is publicly defined. nrthographic security depends on
`the
`sacraay of tha cryptngraphlc keyfl
`
`The binary format of a cryptographic kay 13:
`
`(BI‘BZ,..¢,3???1,Bfi,...,Bl&,?2,%15,a-.,Bh§,P73350,...,356,F8)
`
`where {£1,82?i.~,356} are the indepeméent bits Of a DfiS kmy and {PR,P2,...,P8} are rasefived
`fiat parity bits computefi an the praaeding seven indepandent hita and set 39 that
`the yarity
`0f the utter 13 add,
`iua‘,
`thave is an odd number nf "1" bits in the fictet.
`
`Tha hexadecimal format af a cfyptngraphic Ray is:
`
`(HIRE H3H£ ... Hlfiflifi)
`
`The
`wtwre {H1,H2,*..,Hlé} are hexadecimal characters Erna ths set {G,I,...QQ,A,B,C.D,E,F}.
`
`of
`embaiflwd blanks in the format are aptional anfi
`lewer case lettara may be used in place
`the
`“fiflEf case letters.
`This atawdard assumas that a cryptogr&phic key has been entereé
`inta a £38 device prior tn encryption 0r decryptian.
`
`1.1 Definitinnfl. Abbrevi&ti0ns, and Convamtianm. The following definitiona, abbreviatianfi
`and conventiuna shall be maed throughout this standard:
`
`HIT:
`
`A binary digit denated as a "Q" at a “1.“
`
`HINARY VECTflR:
`
`A sequenca flf bit$«
`
`A binary vector cansistimg of sixrwaour bits numbered from the left as i, 2, ...,
`BLOCK:
`6% 30d dflnatfifi as (51,52....,E6fi).
`
`EEC: Cipher Block Chaining.
`
`QFB:
`
`Cipher Feedback.
`
`CXFHER TEXT: Encrypted &ata.
`
`A fiéwbit parametar cansigting of 56 indgpendent bits and 8 parity bits
`CRYPTGGRAPHIC KEY:
`usgd in a DES device ta cantrol tha ancrypt anfi decrypt operations.
`(Symanyms:
`KEY, KEY VARIRBLK)~
`
`is encrypted as an ent1ty sad
`of H hita that
`a binary vector
`EAT$ BRIT:
`{01.nzm...,BK) where K * 1,2,...,fié and where EI,DE,...,DK represent bits.
`
`denntfid
`
`35
`
`The process 0f changing cipher text
`EECRYPTEUME
`Varb: DHCRYPT.
`
`imam plain text.
`
`(Synonym: DECfPHER).
`
`flECRYPT STATE:
`FIFE PUB «fiw
`
`The state cf 3 DES devica exacuting the éeciphering nperation specified in
`
`DES: Data Encryption Standaré;
`
`fipemifiefi
`
`in FIPS PUB 45.
`
`typically an
`the 9E3 algorithm.
`The eiectronic campenant used :0 implement
`DES DEVICE:
`integratad circuit chip or a microficnmputar wit% the DES algnrithm spécified in a read*only
`memary pragram,
`
`IN?UT
`HES
`dearyptiou-
`
`enaryption at
`A black that is entared into the 0E3 dgvtca for either
`BLDCK:
`The input biack shall he degignateé (11,12...a,164) whgre 1i,12,...,16# repre~
`
`a BEST mm mama ,
`
`,
`
`Unified Patents Inc. Ex. 1014, pg. 6
`
`Unified Patents Inc. Ex. 1014, pg. 6
`
`

`

`HPSMMV
`
`VA blank that fix aha final regal: af an énctyption at dacryptihn apefmw ,
`BEE OUTPUT fiaflflk:
`fieviae.
`The mutput black ahaxl
`he
`dasignatmfi
`(01,02m...‘0fi&) whfira'
`tian a?
`a
`DES
`01.82,...,0&5 repregent bits-
`
`ECE: Electrnnic Cadabgmk»
`
`The gracess 0f changing plain taxm intu ciwhaz taxt.
`ENfiEY?TION:
`Vfirb: ENCRY?T.
`(Synonym:
`EWCIPflER)*
`
`ENCRYFT 3TATE:
`FEF? PUfi
`fifi‘
`
`?he $fiate mi a DES dflvice flxfifiuiiflg thu finciafiurimg wwatatiwm fipfiéifimd in
`
`Thfi hitvby*bit mmfiuiflwfi ad§l£§un 9f twa binary vamfiwxa 3f
`EXCLUSIVE*QR QPERATEQH:
`langth. This aperatinn is repreaantvd by a ”Q" in ¢hla ataaflard.
`
`aqufil
`
`A binary vacant usfid in {kg initial innum bintk ifi the CFB mufl
`INITIALIZATEUN VECTGR {iv}:
`QFB made& and as aha randomiaing hlank that
`is %ma1ua£ve-Gflad with aha {irac fiata black i“
`the CBC mafia.
`
`Thfi rightwmast hit€a§
`LE&3T SIGMIFEfiANT EiTifi):
`{Synanymt 13% mrdar bitfia33.
`
`a; a binary weaker»
`
`A Ingical data @ntity munaistimg Q? a aequflnce nf flata uflltfl (a.g.,
`MESSAGE (MSG):
`outfits, charficters. fixed length nmmbgrs)
`that
`is amcryptgfl as an amtity.
`
`hing,
`
`1”th lafiwmst bitifi} mf a binary wmmr.
`wwysmmficm‘w 3mm):
`i53numym: High arder ait(s§)fi
`
`GCTET:
`
`k firmuy 3f Eight binary digits numbered fxam lafa tn right: Bl,fi§,._‘,flfiv
`
`UFB:
`
`flutput Fawfihack.
`
`PLA1§ TEXT:
`
`Unanctypned data.
`
`Tha Elantranic Cfldabmnk (ECfl) made is defiaad as
`fiwda.
`{Rafi}
`Elecfirmnlc Eofiebemk
`2.
`a plain text data bkock {flIiDZ,..Q,D%A} 13 used
`falluws
`(Figura 1).
`In ESE Engrypcian,
`diractly as th& DES input hiack (Il,il,...,1fi&).
`The input black is processed through a
`DEfi
`device
`in
`the encrypt state*
`The rasultant autput black (91,02,,..,03é3 is mead
`directiy as Ciphflr text
`(G1*C2,wg.,6fifi} at may ha used in suhsaquent A”? applicatinnai
`
`input
`a ciphar text black {Cl,CZ,,..,C64§ is used directly as the DES
`ECB decryption,
`In
`thé
`black
`(Il,12....,16&}‘
`The
`inpua biack is than prmceased thraagh a HES
`flevica
`text
`dwarypt
`stata.
`The
`resultant mutvmt
`b?ack
`{01,92,...,flfi&)
`is
`the
`plain
`(D1,DE‘»&.,DEQE av may he used in mubaequflnt $9? applicatians.
`Th3 ESE decryption praceas
`is
`thé 53mg 33 [ha EOE encryptimn prnnefis EXEth that
`the decrypt state of the DES devica
`is used rathar than tha Encrypt stata.
`
`in
`
`as
`Clgher Elock Chainiug (EEC) Mafia. The fliphet Eiock fihaining {€36} mafia is definefi
`3.
`fallowa (Figure 2).
`A messagm t3 be ancrypte& is £1vfidad inta blnaka.
`in CBC encrygtinn,
`the
`first DEB ifiput block i5 fnrméd by $Kc1usiv3wDRing the first block vi a message with a
`fifl“bit
`inimializatimfi vectcr {IV}¥
`i.e.,
`(11,12g...,16&) a
`(IVimDI,IV2fiD2,.fi.,IV64$D6&).
`The
`input black is pFOCEBSQd thrmugh a DES dauice in the encrypt state,
`ané the resulting
`output black is use& as th9 ciphar text,
`i.e.,
`(Cl,C2,.‘.,C6é} a
`(31.92,...,064}.
`Thifi
`firsm ciphar
`text hiack is thén exclusive~flaed with the second plain text data
`black
`tn
`prmduce
`the
`secanfi EES input black,
`i‘e.,
`(Il,[2,...,l6h) m
`(Ei@fl¥,02$02,...,CB&$DB&).
`Note
`that
`1 ané D flaw refer to the second black.
`Thfi secomd input black
`is processed
`thrnugh the 3E5 device in the ancrypc state tn produce the second cipher taxt black.
`Tfiis
`encryptinn yyrwrfifig
`continuea t0 "chain" SuccessiVE cipher and plain text blackg
`tugether
`mntii
`the
`last plain text biock in tha message is encryvted.
`If the messaga
`does
`nut
`censist
`0? an integral numher 0f data blacks,
`than the final partiai data block shnuid be
`
`- BEST 3%va Mfllmm,
`
`Unified Patents Inc. Ex. 1014, pg. 7
`
`Unified Patents Inc. Ex. 1014, pg. 7
`
`

`

`“ FIFE ms 31
`
`”ENE 1: ELEETBDNIE CHEEBBDK (EBB; MGDE
`
`5C3 ENC’R¥PYIDN
`
`ECE DECRYPTEON
`
`”
`
`mum mm
`.1
`
`(Damn, mm
`
`CEPHER YEXT
`
`{CL C2,
`
`€64}
`
`, my
`‘
`Ham mm:
`
`,,
`
`,,
`
`,
`
`'
`
`.'
`
`, H” '64}
`
`, mpm amen
`
`GEE ENCRVM’
`
`DES IEECRYPT
`
`1
`
`.
`
`(m. m. M43
`
`ouwm mam
`
`{max 5
`
`” moms
`
`CWHER EEK?!
`
`{C1, C1.
`
`.... C64)
`
`,, WWW . '
`m, m.
`"
`
`
`
`PLMN mm
`
`fig
`
`£2391%$“1%
`
`3W!3%EPi!3;:
`
`:.
`gm W
`
`Unified Patents Inc. Ex. 1014, pg. 8
`
`Unified Patents Inc. Ex. 1014, pg. 8
`
`

`

`ms m m
`
`HGUHE 2: CIPHER BLOCK BHAINING (EEC! MflBE
`
`”ME22
`
`ENCEYPT
`
`DEER???
`
`
`
`LEGEND
`
`D=DAWK BLOCK J
`
`W = ENITMUIAHON VECVOR
`
`E=£NCRYPIION INPUT BLOCK .I
`t2 :CkFHER BLOCKJ
`
`@ 2 EXCLUSIVE—GR
`
` mm mmg v
`
`Unified Patents Inc. Ex. 1014, pg. 9
`
`Unified Patents Inc. Ex. 1014, pg. 9
`
`

`

`Ems PUB a:
`
`in
`enerypted
`Appendix C 0f
`
`a manner specified far the applicatians
`thia stamdard.
`,
`
`fine such methed
`
`is dascribed’ 1d
`
`the first cipher text blank Of an entrypted message 1a usad an the input
`In CBC decryptian,
`black and is pracegsed thrnugh a D88 device in the decrypt state,
`i.e.’ ,(II,12,...,IE&) *
`(C1352 V..,Cbé}.
`The resulting output black, which equals the ntiginal input block ta the
`383 airing encryptium,
`is cxclusive*0fiefl with the I? {must be same as that
`used during
`emu yption)
`ta
`prafiuce
`the
`first plain text
`black,
`i.e.,
`(51,02....,Bfifi)
`n
`(UlfilVl,02fi1V2,....06&mIV6&). The secnnd cipher text blank is then uaed as the input black
`and
`is processed thtaugh {ha $83 in the decrypt grate an& the resulting output black
`is
`exclugiveuflfie& with the
`first ciwher text bleak ta produce the aecand plain
`text data
`block,
`i.e., EDI,DZ,.;.,S&&)
`a (Ulficl,020fl2,...,06&flc&&).
`Hate that again £fi9 U and
`0
`wafer
`ta the secnnfl black.
`The CBC decryption pracess cantinuea in this manual Luci;
`the
`last
`camplete cipher text black has been decrypcad.
`Ciphar taut rep? Renting a partial
`data black must be décryptwd in a manner as specified far tha applicatimn.
`
`follaws
`(CF33 fih&a. The Ciphgr Feedback (CPS) made is defined as
`FEEdbfiCk
`Cipher
`4.
`A messaga tn be ancrypteé is dfivided into data units each containing K hits (K
`(Figure 3).
`:
`1,23wa»,&&)v
`In both the CFE encrypt
`find dactypt operations,
`an initialization vector
`(IV) 9f
`length L is usefi.
`Ike IV is plated in thfi 1335: significant bitfi of the DES input
`black with the'nnuaad bits set
`tn “0's," 1.2.,
`(IE,IZ,w..,Iéh)
`a
`(0,0,...,Q,IV1,IV2,
`...,IVL).
`Thig
`input
`black is proqassed thraugh the DES device in the encrypt state to
`prwduce an gutput black.
`During Encryptinn,
`uiphar text
`is produced by exclusivewoaing a
`K—bit plain text data unit with the most significant K bias 0f the nutput black, 1.2.,
`{C1,C2,...,CK) w (D1Qfll,92®62,‘.9,DKwOK}. Similarly, during dacryptinn, plain text 13 pro“
`dueed
`by exclusive»oking a K~bit unit of ciyher text with the mast significant K bits
`nf
`tfle wutput black, 1.E., (flI,D2,...,DK) s {Cifi01,C28fl3....,CK®OK)-
`In bath caseg :ha unused
`bits cf the HES mutput black are dificagded.
`In both cages the next
`input block is createé
`by discarding thg mast significant K bits of
`the previous input black,
`shifting the remain
`fling bits
`K Basitians
`ta the left and than inseraing the E bits
`cf
`aipher
`text
`juat
`praduced
`in the encryption uperazion or just us&& in the decrypt aperatinn intfl
`thE least
`significant bit positions,
`i.e., CI!,IZ,...,I6&) w (IIK+1],1[K+2},...‘I64,EI,C2,...,CK).
`This
`input biuck is then protmssed threugh tha DES device in aha encrypt state to ptaducg
`tha next output black. This pracess continues until the Entire plain text message has been
`engryptad at until the antire cipher tfixt messaga has been decrypted.
`
`CFB
`thruugh 64 inckuaive. Krbit
`GFB mode may aperate on data unita 0f length l
`Tfie
`defined
`t9 be the CPR mflda operating an data units of
`langth K for K
`a 1,2,...,65.
`eath operation of the DES device nae Kwhit main nf @Iain text préuCflS one K~bit unit
`ciphar text 3r onfi K‘Bit unit of cipher text prnduces fine K~b1t unit 0f plain text.
`
`is
`Fur
`cf
`
`for awhit CFB when enciphering 7~bit entities using an 8~bit
`acceptahifi alternative
`An
`feedback path is ta insert a "1" bit in bi: positinn ana of
`the wait
`feadback path, i.e.,
`("1",C13fi2,—.»,C?).
`This
`results in a "1" always being placed in hit locatinn 57 of
`”
`DES input bimck. This alternative 15 calleé [he 7~bit CFBCa) mafia of operatian.
`
`feliuws
`aa
`Tha Dutput Feedback (OPE) muda is definefi
`(DEB) Bede.
`Output Ffiedbaak
`5.
`(Fignra é).
`a message to bfi encrypted is divifled into data units each cantaining K hits (K
`E 1.2,._.,6&).
`In both the DFB encrypt and decrypt operations,
`an initialization vectar
`(IV) 0? length L is used.
`The iv is placed in tha least significant bits 0f
`the DEE input
`black
`with
`the
`unused
`hitfi
`set
`an
`"0's,”
`i.e.,
`(11,12....,Ifi&}
`=
`(@,0,...,0,IV1,IV2,..,,xVL).
`This
`input black 15 processed thraugh the DES device in the
`encrypt State t0 praduce an output black.
`During encryption,
`cipher text
`is pr0&uced
`by
`emclusive-fiRing a Kmhit plain text éata unit with the mast significant K bits 0f
`the Qutput
`black,
`i.&., {fl§,Cl,—..,EK) x {Dl601,03$02,...,DK90K3. Similarly, during decrygtion, plain
`text
`is produced by exclusivewDRLng a wait unit of cipher texé with the must significant K
`bit$ cf
`the output block,
`i.em,
`(D1,D2,...,DK) = (c1m0:,c2m02§}~.,cx$oxp.
`In both cases
`the unuSed bits of
`the 983 autput black are discardedw
`in bath gases the :31:
`input $1Qck
`$5 created by discarding thfl mast significant K hits 0f
`the previaus input black,
`shifting
`the
`remainimg bits K pagitions t0 the left and then inserting the K bits of outpat
`just
`use§
`inta
`the
`least
`significant
`bit
`positicns,
`1.6.,
`(I1,IZ,....16&}
`=
`(I{K+l},IEK+2§‘@..,165,BX,DE,....DK).
`This input block is than prncessed thruugh the
`DES
`
`BEST WWW ' WWII
`Unified Patents Inc. Ex. 1014, pg. 10
`
`Unified Patents Inc. Ex. 1014, pg. 10
`
`

`

`ms PUB a1
`
`FIGHRE 3: I081"? EWHER FEEBBACK (EFB) MUM
`
`ENBRVPTIDN
`
`DECRYPTIDN
`
`
`
`mm 31:11: 7
`K HITS
`“anu-nst
`5i FEED mm
`
`1
`11 3115
`
`HES ENCRYPT
`
`
`
`
`Ouréy‘r BLOCK
`
`SELECT 3
`1113mm
`mans 5164~KIBETS
`
`
`j11933144113 BH'S
`
`‘
`
`
`
`16441213115
`
`
`
`lNPUT BLOCK
`
`
`11mm ‘
`
`
`DES ENCRYPT
`
`
`
`
`
`
`OUTPUT BLOCK
`smear
`mscmw
`1c ans
`{64-111) 3115
`
`
`Itnvwaa
`
`_C1PHER 15x1
`K 3115
`
`CIPHER 113x11 ,
`
`7
`
`K3113 fl
`
`‘
`
`; PLAIN “(EXT 1
`
`K BITS
`
`
`
`'
`
`K
`
`
`
`
`
`
`
`
`
`: PLAIN 112m
`
`K 3115
`
`1
`
`K
`W
`d
`1
`1mm mocx mmmw commws AN INIMLIZAIIQN VECTOR (1V1 11161-11 JUS‘TIFIED
`
`I
`
` 1115 11111111315» ,
`
`é
`
`'
`
`Unified Patents Inc. Ex. 1014, pg. 11
`
`Unified Patents Inc. Ex. 1014, pg. 11
`
`

`

`Hpsma an
`
`HGHRE 4%: K-BIT HUTPUT PEEDBAEK (DEB) MODE
`
`ENCRYPTIDN
`
`DECRYPTIDN
`
`
`
`SHIFT
`L
`
`INPUT BLOC“
`
` ' mam: BLOCK
`
`
`
`
`
`x ans 5 humans ‘
`
`
`
`K ans
`
`
`
`
`
`3 {64-K'33ns
`
`
` '1
`
`
`
`
`
`
`
`015mm 3
`sewn
`
`{ammans ‘
`K3115
`
`
`
`
`
`
`‘CJMER mu
`K am;
`
`
`
`SHIFT
`‘iilllflinl
`
`
`
`{mac} ans
`
`K BITS 3
`
`aan...-
`
`‘: mm EACK
`‘
`K ans
`
`BfS ENCRYPT
`
` KBITS
`
`
`
`DES ENCR YPT
`
`‘
`
`OUTP'UT ELDER
`‘ 5mm 3 mscmm
`
`CIPHER mun
`
`
`
`
`OUTPUT BLOCK
`
`I
`
`' K
`
`I
`
`a: ans
`'
`
`‘
`K
`
`mPur BLOCK mmALLY CONTAINS AN wmauzmmn VECTOR (IV) RIGHT msnrkm
`
`rumpus: Mack. This process continuas until
`device in the encrypt grate to produce.» the next
`the entire plain taxi: messagx: has bean Encrypted or until
`the entire cipher
`tam; message
`has been decrypted.
`
`GFB
`F’s—bit
`thraugh 6i» inclusive.
`length 1
`The GFB mmie may oparate an data unitg of
`defined to he the QFB made operating on data units of
`length K for K m 2,2,...,64.
`each
`cperatmn of
`the DES Gavice mm K~bit unit of plain text proéuces we K-bit unit
`cipher text a: one K~Mt mm: of cipher text produces» me PM: unit of plain text.
`
`is
`For
`315
`
`*
`
`“V m w
`
`
`
`10
`
`Unified Patents Inc. Ex. 1014, pg. 12
`
`Unified Patents Inc. Ex. 1014, pg. 12
`
`

`

`FIFE Mia 31'
`
`GENERAL INFURHATION
`
`APPENDIX A
`
`The Natiunal Bureau 0f Standards issued Federal Infarmation ?rocessing Standarda Publica»
`ticn 46 (FIPS PUB $6)
`in 197?. That standard specifies a cryptographic algarithm, commonly
`called the Data Encryption Standard (DES) algorithm,
`to he used within the Federal Gnvern~
`man: for the cryptographic protectian of sensitive.
`but unclassified,
`computer data. The
`DES
`algorithm was develupad by the International Business Machines Corporaticn
`(SEM)
`and
`submitted ta aha Natianal flureau 0f Standarés during an NBS public smiicitatian for cryptflur
`graphic algurithmg ta be used in a Federal Infcrmatiau Frncessing Stanfiard.
`Saveral math"
`9&3
`fur
`incorporating this algurithm into a aryptographic system are passibla.
`These
`methofls,
`exterfial
`tn the DES algorithm,
`have name t0 be called the ”mofies of nperatian."
`Four mudes,
`calleé
`the Elactronic Cadebook (EBB) made,
`the Cipher Slack Chaining
`(EEC)
`mode.
`the Cipher Feedback (CF83 mafia, ané the Output Feedback (DEB) mode, are specified,in
`this Standard.
`368 is a direat applicatimfi GE the DES algnrithm t0 encrypt
`and decrypt
`data;
`CBC Is an euhanged mafia of ECE whith chains together blacks Of cipher text; BFB ”was
`previausiy genatated
`cipher
`text as input
`:0 the DES to gewerate
`pseudo-random fluiputfi
`which
`are comfiined with the plain text
`to prnéuce aipher text.
`thereby chaining tagether
`the resulting cipher text;
`OFB 15 identical to CFB exeept that
`the previoua Butput of
`the
`BBS
`i3 used as input
`in UFB while the previous cipher text
`is used as input
`in CFB.
`GEE
`dues not chain the ciphar text.
`The praaosed PIES specifies these fuur modes becauae they
`are
`capable of providing acceptable levels uf prctectinn for all antinipated unalaasified
`Federal ADP encryption applicaticns.
`
`Uaenarypted data is callad plain taxtg Encryptian (also calied encipharifig) is tha prccess
`of
`transforming plain text
`inta cipher text.
`Decryption {also called éeciphering) is the
`inverse transformation.
`The encryption and flecryptimn processes are performed accnréing :0
`a Set 95 rules,
`called an algorithm,
`that
`is typically basefi on a parameter called a Ray.
`The
`key
`is usually the only parameter that must ha pravifled ta 0: by
`the users
`of
`a
`cryptngraphic system and mugt be kept secret.
`The gariud GE time over which a particular
`key is used to ancryvt at decrypt data is called itg cryptaperiod.
`
`See
`itself.
`anta
`the get of all pessible fiéfibit vecturs
`DES maps
`the
`Mathematically,
`including all
`Figure A}. There are Ztéfi
`(2 raisad ta the 64th pmwer) elements in this set,
`binary numharg from Q up t0,
`but ant incdeing,
`2Y54.
`The DES cryptographic key allows a
`uSer to aeiect any ans af 2?56 passible invertible mappings, i.e., transformatimns that are
`ona*to-one.
`Selecting a key selectg ane of
`the mappings.
`When using the DES in ECB mode
`and
`any particular key,
`each input £5 mapped unto a unique output
`in encryptian and
`this
`eutpuz
`is mapped
`back onta the Input
`in decryption.
`The DES is
`an
`itarative,
`black,
`prnduct cipher system (i.e_, encryption algnrithm).
`A product ciphar system mixas transpo~
`witlmn
`and Bubfititutian aperatinns in an alternating manner.
`Because the
`DES
`algcrizhm
`a
`mapg
`6A~b1t
`input black onto a Eh~hit nutput black the DES is called a black cipher
`syatem.
`Iterative refers to the usa of
`tha mutyut af an aperatian as tha input for another
`iteratian 0f the Same pruradure*
`The DES internally uses Sixteen iterations of a pair of
`transpaaitiun and aubatitution uperacions ta encrypt UT decrypt an input block.
`A Complete
`specifiaation 0f the BEE algorithm is found in FIPS PUB $6.
`
`bleak
`of methads for incarporacing the DES in a cryptographic system are
`categories
`Twa
`simpie
`methods
`and fitream methods.
`In a bEack method,
`tha DES input block 13 (or 15
`a
`function of)
`the plain text
`ta be Encrypted an& the DES output black is the cipher tgxt.
`A
`stream methad is based on generating a psguda-random binary stream Qf bits,
`aha than using
`th& ax:3usive*DR binary operaticn ta cambine this pseudn~random sequance wizh
`the plaifi
`text
`to produce
`the
`cipher text.
`Sinca the exclusive—0R aperatar is
`its
`awn binary
`inversa,
`the
`same
`yseudc*fandmm binary gtream is usad fat both the encryptian of plain
`text,
`P,
`and tha decryption 0f cipher text, C.
`if m is the pseudohvandum hinary stream,
`then C = P 9 G and inveraely, P = C 9 0,
`
`11
`
`am mumm AVAILABLE
`
`Unified Patents Inc. Ex. 1014, pg. 13
`
`Unified Patents Inc. Ex. 1014, pg. 13
`
`

`

`FIPS mam
`
`FIGURE M: DES MAPPWGS
`
`EMCRVPI
`
`
`
`'INPI'SPACE
`ouwm SPACE
`
`56
`2
`
`
`MAPPINGS
`
`
`
`
`
` ELEMENTS I
`2&6
`‘
`
`'
`DECRYPI
`
`264
`
`'
`
`‘
`
`ELEMENTS
`
`ELECTRONIC CODEflOOK {HEB} MQBE
`
`APPENDIX B
`
`The Electronic Cadebaok (ECB) mode is a basic, black, cryptngraphic method which aransforms
`64 hits
`3f
`input Ca 55 hits uf output as speaified in FIFE PUB 46.
`The
`analogy
`:0 a
`andehouk
`arises
`because
`tha sama plain text fileck always praduces the Same
`cipher
`next
`block
`for a given cryptagraphic hay.
`Thus a list (or cadahcnk) sf plain text blocks
`and
`carréspnnding cipher taxt blacks thanreticfllly cauld ha canstrutted far any giuén key.
`In
`electronic implementation the ccdebnok entries are calculated each time far the plain taxt
`t0 bE encrypted and,
`inversely, Ear
`the cipher text
`to he decrvpted.
`
`input
`the
`each bit sf an 3C8 output block is a camplex functicn 0f all 6A hits of
`Since
`hlnck and all 56 independent (non-parity) bitfi of
`the cryptngraphic key, a single hit urror
`in either a cipher text blank at
`the nenuparity key bits used Ear decryptiun witl cause the
`decrypted niain text block to have an avarage error rate 0? fifty percent.
`Hawewer,
`an
`error
`in onm ECE cipher text block will not affect
`the decrypting of other biouks, 1.9.,
`there is no errnr extansion hetween ECB blocks.
`
`than
`slip),
`a bit
`black baundaries are lost between encryptien and decryption (e.g.,
`If
`synchranizatifln between the encryptimfi and decryption operationg will be last until correct
`block
`boundaries
`are
`reestablished.
`The regults 0F all decryption Operations will
`be
`incnrrect until
`thifi accnrg.
`
`intwgral
`an EC% devic9 must encrypt data in
`the ECB made is a fifi-hit black cipher,
`Sinca
`than tha
`multiples af fiixty-faur bits.
`If a user has less than sixty-four bits to encrypt,
`leafit significant bits 6f
`the unaged portion of th@ input da