ISO/IEC 10116:2006
Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/IEC 10116:2006 specifies modes of operation for an n-bit block cipher. These modes provide methods for encrypting and decrypting data where the bit length of the data may exceed the size of the block cipher. The modes specified in ISO/IEC 10116:2006 only provide protection of data confidentiality. Protection of data integrity and requirements for padding the data are not within the scope of ISO/IEC 10116:2006. ISO/IEC 10116:2006 specifies five modes of operation: Electronic Codebook (ECB); Cipher Block Chaining (CBC), with optional interleaving; Cipher Feedback (CFB); Output Feedback (OFB); and Counter (CTR). The Annexes of ISO/IEC 10116:2006 provide object identifiers (according to ISO/IEC 9834) for each mode, a description of the properties of each mode, and diagrams and examples of each mode. Block ciphers are specified in ISO/IEC 18033-3.
INTERNATIONAL STANDARD ISO/IEC 10116
Third edition
2006-02-01
Reference number: ISO/IEC 10116:2006(E)
© ISO/IEC 2006
© ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 Requirements
6 Electronic Codebook (ECB) mode
6.1 Preliminaries
6.2 Encryption
6.3 Decryption
7 Cipher Block Chaining (CBC) mode
7.1 Preliminaries
7.2 Encryption
7.3 Decryption
8 Cipher Feedback (CFB) mode
8.1 Preliminaries
8.2 Encryption
8.3 Decryption
9 Output Feedback (OFB) mode
9.1 Preliminaries
9.2 Encryption
9.3 Decryption
10 Counter (CTR) mode
10.1 Preliminaries
10.2 Encryption
10.3 Decryption
Annex A (normative) Object identifiers
Annex B (informative) Properties of the modes of operation
B.1 Properties of the Electronic Codebook (ECB) mode of operation
B.2 Properties of the Cipher Block Chaining (CBC) mode of operation
B.3 Properties of the Cipher Feedback (CFB) mode of operation
B.4 Properties of the Output Feedback (OFB) mode of operation
B.5 Properties of the Counter (CTR) mode of operation
Annex C (informative) Figures describing the modes of operation
Annex D (informative) Examples for the Modes of Operation
D.1 General
D.2 Triple Data Encryption Algorithm
D.2.1 ECB Mode
D.2.2 CBC Mode
D.2.3 CFB Mode
D.2.4 OFB Mode
D.2.5 Counter Mode
D.3 Advanced Encryption Standard
D.3.1 ECB Mode
D.3.2 CBC Mode
D.3.3 CFB Mode
D.3.4 OFB Mode
D.3.5 Counter Mode
Bibliography
Figures
C.1 The Cipher Block Chaining (CBC) mode of operation with m=1
C.2 The Cipher Block Chaining (CBC) mode of operation
C.3 The Cipher Feedback (CFB) mode of operation
C.4 The Output Feedback (OFB) mode of operation
C.5 The Counter (CTR) mode of operation
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 10116 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 10116:1997) which has been revised. Implementations that comply with ISO/IEC 10116:1997 will also comply with this third edition.
The main technical changes between the second edition and this third edition are as follows:
a) CBC mode has been extended to permit interleaving; and
b) a new mode (Counter mode) has been introduced.
Introduction
ISO/IEC 10116 specifies modes of operation for an n-bit block cipher. These modes provide
methods for encrypting and decrypting data where the bit length of the data may exceed the
size n of the block cipher.
This third edition of ISO/IEC 10116 specifies five modes of operation:
a) Electronic Codebook (ECB);
b) Cipher Block Chaining (CBC);
c) Cipher Feedback (CFB);
d) Output Feedback (OFB); and
e) Counter (CTR).
1 Scope
This International Standard establishes five modes of operation for applications of an n-bit block cipher (e.g. protection of data transmission, data storage). The defined modes only provide protection of data confidentiality. Protection of data integrity and requirements for padding the data are not within the scope of this International Standard. Also most modes do not protect the confidentiality of message length information.
This International Standard specifies the modes of operation and gives recommendations for choosing values of parameters (as appropriate).
The modes of operation specified in this International Standard have been assigned object identifiers in accordance with ISO/IEC 9834. The list of assigned object identifiers is given in Annex A. In applications in which object identifiers are used, the object identifiers specified in Annex A are to be used in preference to any other object identifiers that may exist for the mode concerned.
NOTE Annex B (informative) contains comments on the properties of each mode. Block ciphers are specified in ISO/IEC 18033-3.
2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
ISO/IEC 18033-3, Information technology – Security techniques – Encryption algorithms – Part 3:
Block ciphers.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
block chaining
encryption of information in such a way that each block of ciphertext is cryptographically dependent upon a preceding ciphertext block.
3.2
block cipher
symmetric encryption algorithm with the property that the encryption algorithm operates on a
block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.
[ISO/IEC 18033-1]
3.3
ciphertext
data which has been transformed to hide its information content.
3.4
counter
bit array of length n bits (where n is the size of the underlying block cipher) which is used in the Counter mode; its value when considered as the binary representation of an integer increases by one (modulo $2^n$) after each block of plaintext is processed.
3.5
cryptographic synchronization
co-ordination of the encryption and decryption processes.
3.6
decryption
reversal of a corresponding encryption.
[ISO/IEC 18033-1]
3.7
encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to
hide the information content of the data.
[ISO/IEC 18033-1]
3.8
feedback buffer (FB)
variable used to store input data for the encryption process. At the starting point FB has the
value of SV.
3.9
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encryption, decryption).
[ISO/IEC 18033-1]
3.10
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length.
3.11
plaintext
unencrypted information.
3.12
starting variable (SV)
variable possibly derived from some initialization value and used in defining the starting point
of the modes of operation.
NOTE The method of deriving the starting variable from the initializing value is not defined in
this International Standard. It needs to be described in any application of the modes of operation.
4 Symbols (and abbreviated terms)
C Ciphertext block.
CTR Counter value.
$d_K$ Decryption function of the block cipher keyed by key K.
E Intermediate variable.
$e_K$ Encryption function of the block cipher keyed by key K.
F Intermediate variable.
FB Feedback buffer.
i Iteration.
j Size of plaintext/ciphertext variable.
K Key.
n Plaintext/ciphertext block length for a block cipher.
m Number of stored ciphertext blocks.
P Plaintext block.
q Number of plaintext/ciphertext variables.
r Size of feedback buffer.
SV Starting variable.
X Block cipher input block.
Y Block cipher output block.
| Concatenation of bit strings.
4.1 a mod n
For integers a and n, a mod n denotes the (non-negative) remainder obtained when a is divided
by n. Equivalently if b = a mod n, then b is the unique integer satisfying:
— 0≤b
— (b−a) is an integer multiple of n
4.2 array of bits
A variable denoted by a capital letter, such as P and C, represents a one-dimensional array of
bits. For example,
$A = (a_1, a_2, \ldots, a_m)$ and $B = (b_1, b_2, \ldots, b_m)$
are arrays of m bits, numbered from 1 to m. All arrays of bits are written with the bit with the
index 1 in the leftmost position. When interpreting a bit array as an integer the leftmost bit
shall be the most significant bit.
4.3 bitwise addition modulo 2
The operation of bitwise addition, modulo 2, also known as the “exclusive or” function, is shown
by the symbol ⊕. The operation when applied to arrays A and B of the same length is defined
as
$A \oplus B = (a_1 \oplus b_1, a_2 \oplus b_2, \ldots, a_m \oplus b_m)$
4.4 decryption
The decryption relation defined by the block cipher is written
$P = d_K(C)$
where
— P is the plaintext block;
— C is the ciphertext block;
— K is the key.
4.5 encryption
The encryption relation defined by the block cipher is written
$C = e_K(P)$
where
— P is the plaintext block;
— C is the ciphertext block;
— K is the key.
4.6 selection of bits
The operation of selecting the j leftmost bits of an array $A = (a_1, a_2, \ldots, a_m)$ to generate a j-bit
array is written
$(j \sim A) = (a_1, a_2, \ldots, a_j)$
The operation is defined only when 1≤j≤m.
4.7 shift operation
A “shift function” $S_t$ is defined as follows: Given an m-bit variable X and a t-bit variable F
where 1≤t≤m, the effect of the shift function $S_t(X \mid F)$ is to produce the m-bit variable
$S_t(X \mid F) = (x_{t+1}, x_{t+2}, \ldots, x_m, f_1, f_2, \ldots, f_t)$ (t
$S_t(X \mid F) = (f_1, f_2, \ldots, f_t)$ (t=m)
The effect is to shift the bits of array X left by t places, discarding $x_1, x_2, \ldots, x_t$, and to place
the array F in the rightmost t places of X. When t=m the effect is to totally replace X by F.
4.8 I(t)
The variable I(t) is a t-bit variable where the value 1 is assigned to every bit.
5 Requirements
For some of the described modes, padding of the plaintext variables may be required. Padding
techniques, although important from a security perspective, are not within the scope of this
International Standard, and throughout this standard it is assumed that any padding, as necessary,
has already occurred.
NOTE Advice on the selection of a padding method for use with the CBC mode of operation is
provided in Annex B.2.3.
For the Cipher Block Chaining (CBC) mode of operation (see clause 7), one parameter m
needs to be selected. For the Cipher Feedback (CFB) mode of operation (see clause 8), three
parameters r,j and k need to be selected. For the Output Feedback (OFB) mode of operation
(see clause 9) and the Counter (CTR) mode of operation (see clause 10), one parameter j needs
to be selected. When one of these modes of operation is used the same parameter value(s) need
to be chosen and used by all communicating parties. These parameters need not be kept secret.
All modes of operation specified in this International Standard require the parties encrypting
and decrypting a data string to share a secret key K for the block cipher in use. All modes of
operation apart from the Electronic Codebook (ECB) mode also require the parties to share a
starting variable SV, where the length of SV will depend on the mode in use. The value of the
starting variable should normally be different for every data string encrypted using a particular
key (see also Annex B). How keys and starting variables are managed and distributed is outside
the scope of this International Standard.
6 Electronic Codebook (ECB) mode
6.1 Preliminaries
The variables employed by the ECB mode of encryption are
a) The input variables
1) A sequence of q plaintext blocks $P_1, P_2, \ldots, P_q$, each of n bits.
2) A key K.
b) The output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of n bits.
6.2 Encryption
The ECB mode of encryption operates as follows:
$C_i = e_K(P_i)$ for $i = 1, 2, \ldots, q$.
6.3 Decryption
The ECB mode of decryption operates as follows:
$P_i = d_K(C_i)$ for $i = 1, 2, \ldots, q$.
7 Cipher Block Chaining (CBC) mode
7.1 Preliminaries
The CBC mode of operation is defined by an interleave parameter m > 0, the number of
ciphertext blocks that must be stored whilst processing the mode. The value of m should be
small (typically m=1) and at most 1024.
NOTE The choice of 1024 as the upper limit for m is somewhat arbitrary. It is intended to provide
a realistic upper bound on the number of hardware processors.
The variables employed by the CBC mode are
a) The input variables
1) A sequence of q plaintext blocks $P_1, P_2, \ldots, P_q$, each of n bits.
2) A key K.
3) A sequence of m starting variables $SV_1, SV_2, \ldots, SV_m$ each of n bits.
NOTE If m = 1 then this mode is compatible with the CBC mode described in the second
edition of this standard (ISO/IEC 10116:1997).
b) The output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of n bits.
7.2 Encryption
The CBC mode of encryption operates as follows:
$C_i = e_K(P_i \oplus SV_i), \quad 1 \le i \le \min(m, q)$
If q > m, all subsequent plaintext blocks are encrypted as:
$C_i = e_K(P_i \oplus C_{i-m}), \quad m+1 \le i \le q$
NOTE At any time during the computation, the values of the m most recent ciphertext blocks
need to be stored, e.g. in a cyclically used “feedback buffer” FB (see figure C.2).
This procedure is shown in the left side of figure C.2.
7.3 Decryption
The CBC mode of decryption operates as follows:
$P_i = d_K(C_i) \oplus SV_i, \quad 1 \le i \le \min(m, q)$
If q > m, all subsequent plaintext blocks are computed as:
$P_i = d_K(C_i) \oplus C_{i-m}, \quad m+1 \le i \le q$
NOTE At any time during the computation, the values of the m most recent ciphertext blocks
need to be stored, e.g. in a cyclically used “feedback buffer” FB (see figure C.2).
This procedure is shown in the right side of figure C.2.
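The interleaved CBC equations of clauses 7.2 and 7.3, as an added Python example that is not part of ISO/IEC 10116. The 64-bit Feistel cipher standing in for e_K and d_K, the key, the starting variables and the plaintext blocks are constructed for illustration (the toy cipher is not secure); `lanes_match` checks that interleaving with parameter m behaves as m independent m=1 chains, one over every m-th block.

```python
import hashlib

HALF = 4  # the toy cipher uses n = 64-bit blocks made of two 32-bit halves


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the constructed toy cipher (an assumption of this example).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def e_K(key: bytes, block: bytes) -> bytes:
    """Stand-in for e_K: 4-round Feistel network. Illustration only, not secure."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, rnd, right))
    return left + right


def d_K(key: bytes, block: bytes) -> bytes:
    """Inverse of the toy e_K: the rounds are undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, rnd, left)), left
    return left + right


def check_m(svs) -> int:
    m = len(svs)  # one starting variable per interleaved chain
    if not 0 < m <= 1024:
        raise ValueError("interleave parameter m must satisfy 0 < m <= 1024")
    return m


def cbc_encrypt(key, svs, blocks):
    """C_i = e_K(P_i xor SV_i) for i <= min(m, q), then C_i = e_K(P_i xor C_{i-m})."""
    m = check_m(svs)
    fb = list(svs)                        # cyclic feedback buffer, starts as SV_1..SV_m
    out = []
    for i, p in enumerate(blocks):        # i is 0-based here
        c = e_K(key, xor(p, fb[i % m]))   # slot i % m holds SV_i or C_{i-m}
        fb[i % m] = c
        out.append(c)
    return out


def cbc_decrypt(key, svs, blocks):
    """P_i = d_K(C_i) xor SV_i for i <= min(m, q), then P_i = d_K(C_i) xor C_{i-m}."""
    m = check_m(svs)
    fb = list(svs)
    out = []
    for i, c in enumerate(blocks):
        out.append(xor(d_K(key, c), fb[i % m]))
        fb[i % m] = c
    return out


def lanes_match(key, svs, blocks) -> bool:
    """True if interleaved CBC equals m separate m=1 chains over every m-th block."""
    m = check_m(svs)
    whole = cbc_encrypt(key, svs, blocks)
    return all(
        whole[lane::m] == cbc_encrypt(key, [svs[lane]], blocks[lane::m])
        for lane in range(m)
    )


# Constructed sample values (not the Annex D test vectors).
KEY = b"constructed demo key"
SVS = [bytes([v]) * 8 for v in (0x11, 0x22, 0x33)]    # m = 3
BLOCKS = [b"block-%02d" % i for i in range(7)]        # q = 7 blocks of 8 bytes

if __name__ == "__main__":
    ciphertext = cbc_encrypt(KEY, SVS, BLOCKS)
    print([c.hex() for c in ciphertext])
    print(cbc_decrypt(KEY, SVS, ciphertext) == BLOCKS, lanes_match(KEY, SVS, BLOCKS))
```

Because each chain depends only on its own starting variable and every m-th block, the m chains can be processed by separate processors, which is what the upper bound on m refers to.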
8 Cipher Feedback (CFB) mode
8.1 Preliminaries
Three parameters define a CFB mode of operation:
— the size of feedback buffer, r, where n≤r≤1024n and r
— the size of feedback variable, k, where 1≤k≤n
— the size of plaintext variable, j, where 1≤j≤k
NOTE
a) r−k is not constrained by n in any way, i.e. r−k may be less than, equal to or greater than
n. Figure C.3 shows the special case where r−k >n.
b) If r = n then this mode is compatible with the version of CFB mode described in the first
edition of this standard (ISO/IEC 10116:1991).
c) the upper bound on r, i.e. r≤ 1024n is chosen because it provides a realistic upper bound on
the number of hardware processors.
It is recommended that CFB should be used with equal values of j and k (see clause B.3.2).
The variables employed by the CFB mode of operation are
a) The input variables
1) A sequence of q plaintext variables $P_1, P_2, \ldots, P_q$, each of j bits.
2) A key K.
3) A starting variable SV of r bits.
b) The intermediate results
1) A sequence of q block cipher input blocks $X_1, X_2, \ldots, X_q$, each of n bits.
2) A sequence of q block cipher output blocks $Y_1, Y_2, \ldots, Y_q$, each of n bits.
3) A sequence of q variables $E_1, E_2, \ldots, E_q$, each of j bits.
4) A sequence of q−1 feedback variables $F_1, F_2, \ldots, F_{q-1}$, each of k bits.
5) A sequence of q feedback buffer contents $FB_1, FB_2, \ldots, FB_q$ each of r bits.
c) The output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of j bits.
8.2 Encryption
The feedback buffer FB is set to its initial value
$FB_1 = SV$
The operation of encrypting each plaintext variable employs the following six steps.
a) $X_i = n \sim FB_i$ (Selection of leftmost n bits of FB).
b) $Y_i = e_K(X_i)$ (Use of block cipher).
c) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
d) $C_i = P_i \oplus E_i$ (Generation of ciphertext variable).
e) $F_i = I(k-j) \mid C_i$ (Generation of feedback variable).
f) $FB_{i+1} = S_k(FB_i \mid F_i)$ (Shift function on FB).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (d) on the last cycle. The procedure
is shown in the left side of figure C.3. The leftmost j bits of the output block Y of the block
cipher are used to encrypt the j-bit plaintext variable by modulo 2 addition. The remaining
bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j.
The ciphertext variable is augmented by placing k−j one bits in its leftmost bit positions to
become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left
by k places and F is inserted in the rightmost k places, to produce the new value of the feedback
buffer FB. In this shift operation, the leftmost k bits of FB are discarded. The new n leftmost
bits of FB are used as the next input X of the encryption process.
8.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The feedback buffer FB is set to its initial value
$FB_1 = SV$
The operation of decrypting each ciphertext variable employs the following six steps.
a) $X_i = n \sim FB_i$ (Selection of leftmost n bits of FB).
b) $Y_i = e_K(X_i)$ (Use of block cipher).
c) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
d) $P_i = C_i \oplus E_i$ (Generation of plaintext variable).
e) $F_i = I(k-j) \mid C_i$ (Generation of feedback variable).
f) $FB_{i+1} = S_k(FB_i \mid F_i)$ (Shift function on FB).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (d) on the last cycle. The procedure
is shown in the right side of figure C.3. The leftmost j bits of the output block Y of the block
cipher are used to decrypt the j-bit ciphertext variable by modulo 2 addition. The remaining
bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j.
The ciphertext variable is augmented by placing k−j one bits in its leftmost bit positions to
become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left
by k places and F is inserted in the rightmost k places to produce the new value of FB. In this
shift operation, the leftmost k bits of FB are discarded. The new n leftmost bits of FB are
used as the next input X of the decryption process.
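Steps a) to f) of clauses 8.2 and 8.3 for arbitrary r, k and j, as an added Python example that is not part of the standard. Bit arrays are held as integers with the leftmost bit most significant (clause 4.2); the HMAC-based `e_K` is an assumed stand-in for a real block cipher, which is sufficient because CFB uses only the encryption function in both directions; the key, SV and data are constructed.

```python
import hashlib
import hmac


def select(j: int, value: int, width: int) -> int:
    """(j ~ A): the leftmost j bits of a width-bit array held as an integer."""
    return value >> (width - j)


def shift(t: int, x: int, width: int, f: int) -> int:
    """S_t(X|F): shift X left by t bits, drop the overflow, put F in the rightmost t bits."""
    return ((x << t) | f) & ((1 << width) - 1)


def feedback_variable(c: int, k: int, j: int) -> int:
    """F = I(k-j) | C: k-j one bits placed to the left of the j-bit variable C."""
    return (((1 << (k - j)) - 1) << j) | c


def e_K(key: bytes, x: int, n: int) -> int:
    # Assumed stand-in for e_K: HMAC-SHA-256 truncated to n bits (n <= 256).
    # It is not a permutation; CFB never calls d_K, so the forward direction suffices.
    mac = hmac.new(key, x.to_bytes((n + 7) // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - n)


def cfb(key, sv, variables, n, r, k, j, decrypt=False):
    """Apply steps a) to f) to a list of j-bit variables and return the j-bit results."""
    if not (n <= r <= 1024 * n and 1 <= k <= n and 1 <= j <= k):
        raise ValueError("need n <= r <= 1024n, 1 <= k <= n and 1 <= j <= k")
    if not 0 <= sv < (1 << r):
        raise ValueError("SV must be an r-bit value")
    fb = sv                                    # FB_1 = SV
    out = []
    for v in variables:
        if v >> j:
            raise ValueError("every variable must fit in j bits")
        x = select(n, fb, r)                   # a) X_i = n ~ FB_i
        y = e_K(key, x, n)                     # b) Y_i = e_K(X_i)
        e = select(j, y, n)                    # c) E_i = j ~ Y_i
        result = v ^ e                         # d) C_i = P_i xor E_i, or P_i = C_i xor E_i
        c = v if decrypt else result           # the ciphertext variable is what is fed back
        fb = shift(k, fb, r, feedback_variable(c, k, j))   # e) and f)
        out.append(result)
    return out


# Constructed sample values.
KEY = b"constructed demo key"
N, R = 64, 128                                   # r > n: only the left half of FB is encrypted
SV = int.from_bytes(bytes(range(16)), "big")     # 128-bit starting variable
PLAINTEXT = list(b"constructed CFB sample")      # 8-bit variables, j = k = 8
SMALL = [0b10101, 0, 31, 7, 18, 1]               # 5-bit variables, j = 5 < k = 8

if __name__ == "__main__":
    ct = cfb(KEY, SV, PLAINTEXT, N, R, 8, 8)
    print(bytes(cfb(KEY, SV, ct, N, R, 8, 8, decrypt=True)))
    ct5 = cfb(KEY, SV, SMALL, N, R, 8, 5)
    print(cfb(KEY, SV, ct5, N, R, 8, 5, decrypt=True) == SMALL)
```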
9 Output Feedback (OFB) mode
9.1 Preliminaries
The OFB mode of operation is defined by one parameter, i.e. the size of the plaintext variable
j, where 1≤j≤n.
The variables employed by the OFB mode of operation are the
a) input variables where
1) A sequence of q plaintext variables $P_1, P_2, \ldots, P_q$, each of j bits;
2) A key K; and
3) A starting variable SV of n bits;
b) intermediate results where
1) A sequence of q block-cipher input blocks $X_1, X_2, \ldots, X_q$, each of n bits;
2) A sequence of q block-cipher output blocks $Y_1, Y_2, \ldots, Y_q$, each of n bits; and
3) A sequence of q variables $E_1, E_2, \ldots, E_q$, each of j bits; and
c) output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of j bits.
9.2 Encryption
The input block X is set to its initial value
$X_1 = SV$
The operation of encrypting each plaintext variable employs the following four steps.
a) $Y_i = e_K(X_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits).
c) $C_i = P_i \oplus E_i$ (Generation of ciphertext variable).
d) $X_{i+1} = Y_i$ (Feedback operation).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (c) on the last cycle. The procedure
is shown on the left side of figure C.4. The plaintext and ciphertext variables have bits numbered
from 1 to j.
The result of each use of the block cipher is $Y_i$ and this is fed back to become the next value of
X, namely $X_{i+1}$. The leftmost j bits of $Y_i$ are used to encrypt the input variable.
9.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The input block X is set to its initial value
$X_1 = SV$
The operation of decrypting each ciphertext variable employs the following four steps.
a) $Y_i = e_K(X_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits).
c) $P_i = C_i \oplus E_i$ (Generation of plaintext variable).
d) $X_{i+1} = Y_i$ (Feedback operation).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (c) on the last cycle. The procedure
is shown in the right side of figure C.4. The plaintext and ciphertext variables have bits numbered
from 1 to j.
The result of each use of the block cipher is $Y_i$ and this is fed back to become the next value of
X, namely $X_{i+1}$. The leftmost j bits of $Y_i$ are used to decrypt the input variable.
10 Counter (CTR) mode
10.1 Preliminaries
The Counter mode of operation is defined by one parameter, i.e. the size of plaintext variable,
j, where 1≤j≤n.
The variables employed by the Counter mode of operation are the
a) input variables where
1) A sequence of q plaintext variables $P_1, P_2, \ldots, P_q$, each of j bits;
2) A key K; and
3) A starting variable SV of n bits;
b) intermediate results where
1) A sequence of q block cipher input blocks $CTR_1, CTR_2, \ldots, CTR_q$, each of n bits;
2) A sequence of q block cipher output blocks $Y_1, Y_2, \ldots, Y_q$, each of n bits; and
3) A sequence of q variables $E_1, E_2, \ldots, E_q$, each of j bits; and
c) output variables, i.e. a sequence of q ciphertext variables $C_1, C_2, \ldots, C_q$, each of j bits.
10.2 Encryption
The counter CTR is set to its initial value
$CTR_1 = SV$
The operation of encrypting each plaintext variable employs the following four steps.
a) $Y_i = e_K(CTR_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
c) $C_i = P_i \oplus E_i$ (Generation of ciphertext variable).
d) $CTR_{i+1} = (CTR_i + 1) \bmod 2^n$ (Generation of a new counter value CTR).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (c) on the last cycle. The procedure
is shown on the left side of figure C.5. The plaintext and ciphertext variables have bits numbered
from 1 to j.
The counter value is encrypted to give an output block $Y_i$ and the leftmost j bits of this output
block $Y_i$ are used to encrypt the input value. The counter CTR then increases by one (modulo
$2^n$) to produce a new counter value.
10.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The counter CTR is set to its initial value
$CTR_1 = SV$
The operation of decrypting each ciphertext variable employs the following four steps.
a) $Y_i = e_K(CTR_i)$ (Use of block cipher).
b) $E_i = j \sim Y_i$ (Selection of leftmost j bits of $Y_i$).
c) $P_i = C_i \oplus E_i$ (Generation of plaintext variable).
d) $CTR_{i+1} = (CTR_i + 1) \bmod 2^n$ (Generation of a new counter value CTR).
These steps are repeated for $i = 1, 2, \ldots, q$, ending with step (c) on the last cycle. The procedure
is shown in the right side of figure C.5. The plaintext and ciphertext variables have bits numbered
from 1 to j.
The counter value is encrypted to give an output block $Y_i$ and the leftmost j bits of this output
block $Y_i$ are used to encrypt the input value. The counter CTR then increases by one (modulo
$2^n$) to produce a new counter value.
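The OFB and CTR steps of clauses 9 and 10, as an added Python example that is not part of the standard, together with the reason clause 5 asks for a different starting variable per data string: in both modes every E_i is derived from K and SV alone. `counter_ranges_overlap` goes one step beyond the text by comparing whole counter ranges rather than only equal SVs; `e_K` is an assumed HMAC-based stand-in for a block cipher and all sample values are constructed.

```python
import hashlib
import hmac


def e_K(key: bytes, x: int, n: int) -> int:
    # Assumed stand-in for e_K: HMAC-SHA-256 truncated to n bits (n <= 256).
    # OFB and CTR only ever use the encryption direction of the block cipher.
    mac = hmac.new(key, x.to_bytes((n + 7) // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - n)


def ofb_stream(key, sv, q, n, j):
    """E_1..E_q in OFB mode: X_1 = SV and X_{i+1} = Y_i."""
    x, out = sv, []
    for _ in range(q):
        y = e_K(key, x, n)          # a) Y_i = e_K(X_i)
        out.append(y >> (n - j))    # b) E_i = j ~ Y_i
        x = y                       # d) X_{i+1} = Y_i
    return out


def counter_values(sv, q, n):
    """CTR_1..CTR_q: CTR_1 = SV and CTR_{i+1} = (CTR_i + 1) mod 2^n."""
    return [(sv + i) % (1 << n) for i in range(q)]


def ctr_stream(key, sv, q, n, j):
    """E_1..E_q in CTR mode: E_i = j ~ e_K(CTR_i)."""
    return [e_K(key, ctr, n) >> (n - j) for ctr in counter_values(sv, q, n)]


def apply_stream(variables, stream):
    """Step c): XOR j-bit variables with E_i; the same call encrypts and decrypts."""
    return [v ^ e for v, e in zip(variables, stream)]


def reused_sv_cancels_keystream(key, sv, p1, p2, n, j, stream_fn):
    """True if, for one (K, SV), C xor C' equals P xor P' (the E_i drop out)."""
    q = min(len(p1), len(p2))
    c1 = apply_stream(p1, stream_fn(key, sv, q, n, j))
    c2 = apply_stream(p2, stream_fn(key, sv, q, n, j))
    return apply_stream(c1, c2) == apply_stream(p1[:q], p2[:q])


def counter_ranges_overlap(sv_a, q_a, sv_b, q_b, n):
    """True if two data strings under one key would share a counter value (mod 2^n)."""
    mod = 1 << n
    return (sv_b - sv_a) % mod < q_a or (sv_a - sv_b) % mod < q_b


# Constructed sample values.
KEY = b"constructed demo key"
SV = 0x0123456789ABCDEF
MSG_A = list(b"first constructed string")
MSG_B = list(b"second constructed text!")

if __name__ == "__main__":
    stream = ctr_stream(KEY, SV, len(MSG_A), 64, 8)
    ciphertext = apply_stream(MSG_A, stream)
    print(bytes(apply_stream(ciphertext, stream)))
    print(counter_values(2**64 - 1, 3, 64))
    print(reused_sv_cancels_keystream(KEY, SV, MSG_A, MSG_B, 64, 8, ctr_stream))
    print(counter_ranges_overlap(10, 5, 14, 3, 64))
```

A key-management layer can run a check like `counter_ranges_overlap` before accepting a starting variable for a new data string under an existing key.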
Annex A
(normative)
Object identifiers
This an
...