ISO/IEC 10116:1997

INTERNATIONAL
ISOJIEC
STANDARD
10116
Second edition
1997-04-I 5
Information technology - Security
techniques - Modes of operation for an
n-bit block cipher
Technologies de /‘information - Techniques de &cut-it& - Modes
opkatoires d ’un chiffrement par blocs de n-bits
Reference number
lSO/lEC 10116:1997(E)

---------------------- Page: 1 ----------------------
ISO/IEC 10116:1997(E)
Foreword
IS0 (the International Organization for Standardization) and IEC (the Inter-
national Electrotechnical Commission) form the specialized system for worldwide
standardization. National bodies that are members of IS0 or IEC participate in the
development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity.
IS0 and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with
IS0 and IEC, also take part in the work.
In the field of information technology, IS0 and IEC have established a joint
technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the
joint technical committee are circulated to national bodies for voting. Publication
as an International Standard requires approval by at least 75 % of the national
bodies casting a vote.
International Standard ISO/IEC 10116 was prepared by Joint Technical Com-
mittee ISO/IEC JTC 1, Znformation technology, Subcommittee SC 27, IT Security
techniques.
This second edition cancels and replaces the first edition (ISO/IEC 10116: 1991),
which has been technically revised.
Annexes A to D of this International Standard are for information only.
0 ISO/IEC 1997
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or
utilized in any form or by any means, electronic or mechanical, including photocopying and micro-
film, without permission in writing from the publisher.
ISO/IEC Copyright Office l Case postale 56 l CH- 1211 Geneve 20 l Switzerland
Printed in Switzerland

---------------------- Page: 2 ----------------------
ISO/IEC 10116:1997(E)
INTERNATIONAL STANDARD 0 ISO/IEC
Information technology - Security techniques - Modes of operation for an
n-bit block cipher
1 Scope 2.11 starting variable (sv): Variable defining the starting
point of the mode of operation.
This International Standard describes four modes of
NOTE - The method of deriving the starting variable from the
operation for an n-bit block cipher.
initializing value is not defined in this International Standard. It
needs to be described in any application of the modes of operation.
NOTE - Annex A (informative) contains comments on the
properties of each mode.
3 Notation
This International Standard establishes four defined modes of
operation so that in applications of an n-bit block cipher (e.g.
3.1 encipherment: For the purposes of this International
protection of data transmission, data storage, authentication)
Standard the functional relation defined by the block cipher is
this International Standard will provide a useful reference for,
written
for example, the specification of the mode of operation and
the values of parameters (as appropriate).
C = eK(P)
where
2 Definitions
P is the plaintext block;
For the purposes of this International Standard, the following
C is the cipher-text block;
definitions apply.
K is the key.
2.1 block chaining: The encipherment of information such
The expression eK is the operation of encipherment using the
that each block of ciphertext is cryptographically dependent
key K.
upon the preceding cipher-text block.
3.2 decipherment: The corresponding decipherment function
2.2 ciphertext: Data which has been transformed to hide its
is written
information content.
P = dK(C)
2.3 cryptographic synchronization: The co-ordination of
the encipherment and decipherment processes.
The expression dK is the operation of decipherment using the
key K.
The reversal of a corresponding
2.4 decipherment:
encipherment.
3.3 array of bits: A variable denoted by a capital letter, such
as P and C above, represents a one-dimensional array of bits.
2.5 encipherment: The (reversible) transformation of data
For example,
by a cryptographic algorithm to produce ciphertext, i.e. to
hide the data.
A = (al, a2, . . . . a,& and B = (bl, b2, . . . . b,J
2.6 feedback buffer (FB): Variable used to store input data
are arrays of m bits, numbered from I to m. All arrays of bits
for the encipherment process. At the starting point FB has the
are written with the bit with index I in the leftmost position.
value of SV.
3.4 addition modulo 2: The operation of addition, modulo
2.7 initializing value: Value used in defining the starting
2, also known as the “exclusive or” function, is shown by the
point of an encipherment process.
symbol 0. The operation applied to arrays such as A and B is
defined as
2.8 key: A sequence of symbols that controls the operation
of a cryptographic transformation (e.g. encipherment,
A 0 B = (al 0 bl, a2 0 b2, . . . . a, 0 bd
decipherment)
3.5 selection of bits: The operation of selecting the j
2.9 n-bit block cipher: A block cipher with the property that
leftmost bits of A to generate aj-bit array is written
plaintext blocks and ciphertext blocks are n bits in length.
A -j = (al, a2, . . . ai,
2.10 plaintext: Unenciphered information.
This operation is defined only when I number of bits in A.
1

---------------------- Page: 3 ----------------------
0 ISO/IEC
ISO/IEC 10116:1997(E)
A “shift function” Sk is defined as
3.6 shift operation:
6 Cipher Block Chaining (CBC) Mode
follows:
6.1 The variables employed for the CBC mode of
Given an m-bit variable X and a k-bit variable F where
encipherment are
I - < k - < m, the effect of a shift function &(x]F) is to produce
the m-bit variable
a) A sequence of q plaintext blocks PI, P2, . . . . P, each of n
bits.
(k < m)
sdAF) = (xk+l, xk+2, -.) X, fi,f2, . . . . f$
b) A key K.
(k = m)
sk(AF) = (fit -. f$
c) A starting variable SV of n bits.
d) A sequence of q ciphertext blocks Cl, C2, . . . . Cy, each of
The effect is to shift the bits of array X left by k places,
n bits.
discarding XI . . . xk and to place the array F in the rightmost k
m the effect is to totally replace X by
places of X. When k =
6.2 The CBC mode of encipherment is described as follows:
F.
Encipherment of the first plaintext block,
A special case of this function begins with the m-bit variable
I(m) of successive “1” bits and shifts the variable F of k bits
Cl = eK(PI 0 Sv)
(3)
into it.
subsequently,
The result is
Ci =eK(Pi 0 Ci-1) for i ~2, 3, . . . . q
(4)
(k < m)
&(I(m)IF) = (I, I, .--f I,fi,.)?, . . . . f$
(k = m)
Sk@(m)(F) = Gfi, fi, +--, fk)
This procedure is shown in the upper part of figure 1. The
starting variable SV is used in the generation of the first
where the m - k leftmost bits are “1 ”.
ciphertext output. Subsequently the ciphertext is added,
modulo 2, to the next plaintext before encipherment.
4 Requirements
6.3 The CBC mode of decipherment is described as follows:
For some of the described modes padding of the plaintext
Decipherment of the first cipher-text block,
variables may be required. Padding techniques are not within
the scope of this International Standard.
PI = dK(CJ 0 SV
(5)
For the Cipher Feedback (CFB) Mode of operation (see
subsequently,
clause 7), three parameters r, j and k are defined. For the
Output Feedback (OFB) Mode of operation (see clause S),
Pi = dK(C,) 0 Ci-1 for i = 2, 3, . . . . q
(6)
one parameterj is defined. When one of these modes of op-
eration is used the same parameter value(s) need(s) to be
This procedure is shown in the lower part of figure 1.
chosen and used by all communicating parties.
7 Cipher Feedback (CFB) Mode
5 Electronic Codebook (ECB) Mode
7.1 Three parameters define a CFB mode of operation:
5.1 The variables employed for the ECB mode of
- the size of feedback buffer, r, where n 5 r < 2n
encipherment are
- the size of feedback variable, k, where I< k 5 n
- the size of plaintext variable, j, where II j 5 k
a) A sequence of q plaintext blocks PI, P2, . . . . P, each of n
.
bits
NOTES
b) A key K.
1 r - k may be smaller than ~1. Figure 2 shows the special
c) The resultant sequence of q ciphertext blocks Cl, C2, . . . .
case where r - k > ~2.
C,+ each of n bits.
2 If r = y1 then this mode is compatible with the CFB Mode
described in the previous edition of this International Standard.
5.2 The ECB mode of encipherment is described as follows: The variables employed for the CFB mode of operation are
Ci = eK(Pi) for i = I, 2, . . . . q
(1)
a) The input variables
5.3 The ECB mode of decipherment is described as follows:
Pi = dK(CJ for i = I, 2, . . . . q 1) A sequence of q plaintext variables PI, PJ, . ., Pq, each
(2)
of j bits.
2) A key K.
3) A starting variable SV of r bits.

---------------------- Page: 4 ----------------------
ISOAEC 10116:1997(E)
0 ISO/IEC
These steps are repeated for i = I, 2, . . . . q, ending with
b) The intermediate results
equation (18) on the last cycle. The procedure is shown in the
right side of figure 2. The leftmost j bits of the output block Y
1) A sequence of q block cipher input blocks
of the block cipher are used to decipher the j-bit cipher-text
Xq, each of n bits.
Xl, x2, “‘J
variable by modulo 2 addition. The remaining bits of Y are
2) A sequence of q block cipher output blocks
discarded. The plaintext and ciphertext variables have bits
Yy, each of n bits.
Yh y2, l *-9
numbered from I to j.
3) A sequence of q variables El, E2, . . . . Ey, each ofj bits.
The ciphertext variable is augmented by placing k-j “1” bits
4) A sequence of q-l feedback variables
in its leftmost bit positions to become the k-bit feedback
F,I, each of k bits.
FI, F2, “‘3
variable F. Then the bits of the feedback buffer FB are
5) A sequence of q - I feedback buffer contents
shifted left by k places and F is inserted in the rightmost k
FBI, FB2,. . . . FBqwl each of r bits.
,
places to produce the new value of FB. In this shift operation,
the leftmost k bits of FB are discarded. The new n leftmost
i.e. a sequence of q ciphertext
c) The output variables,
bits of FB are used as the next input X of the encipherment
variables Cl, C2, . . . . Cy, each ofj bits.
process.
7.2 The feedback buffer FB is set to its initial value
7.4 It is recommended that CFB should be used with equal
values of j and k. In this recommended form (j = k) the
FBI = SV (7)
equations ( 12) and (19) can be written
The operation of enciphering each plaintext variable employs
Fi = Ci (case j = k)
the following six steps:
a) Xi = FBi - n (8)
b) Use of block cipher, Yi = eK(XJ (9)
8 Output Feedback (OFB) Mode
Selection of leftmost j bits, Ei = Yi -j (10)
c)
(11)
d) Generation of ciphertext variable, Ci = Pi 0 Ei
8.1 The OFB mode of operation is defined by one parameter,
e) Generation of feedback variable, Fi = SJI(k) ICi)
(12)
i.e. the size of plaintext variable j where I 1. j < n.
f) Shift function on FB, FBi+l = Sk(FBiIFi) (1%
The variables employed for the OFB mode of operation are
These steps are repeated for i = I, 2, . . ., q, ending with
equation (11) on the last cycle. The procedure is shown in the
a) The input variables
left side of figure 2. The leftmost j bits of the output block Y
of the block cipher are used to encipher the j-bit plaintext
1) A sequence of q plaintext variables PI, P2, . . . . P,,
variable by modulo 2 addition. The remaining bits of Y are
each ofj bits.
discarded. The plaintext and ciphertext variables have bits
2) A key K.
numbered from I to j.
3) A starting variable SV of n bits.
The ciphertext variable is augmented by placing k-j “1” bits
b) The intermediate results
in its leftmost bit positions to become the k-bit feedback
variable F. Then the bits of the feedback buffer FB are
1) A sequence of q block cipher input blocks
shifted left by k places and F is inserted in the rightmost k
Xy, each of n bits.
JG, x2, “‘7
places, to produce the new value of the feedback buffer FB.
2) A sequence of q block cipher output blocks
In this shift operation, the leftmost k bits of FB are discarded.
Yy, each of n bits.
Yl, y2, “‘7
The new n leftmost bits of FB are used as the next input X of
3) A sequence of q variables El, E2, . ., E,, each ofj
the encipherment process.
bits.
c) The output variables, i.e. a sequence of q ciphertext
7.3 The variables employed for decipherment are the same as
variables Cl, C2, . . ., Cq, each ofj bits.
those employed for encipherment.
8.2 The input block X is set to its initial value
The feedback buffer FB is set to its initial value
x1=sv
(21)
FBI = SV (14)
The operation of enciphering each plaintext variable employs
of deciphering each ciphertext variable
The operation
the following four steps:
employs the following six steps:
a) Use of block cipher, Yi = eK(Xi,
(22)
Xi = FBi - n (15)
a)
b) Selection of leftmost j bits, Ei = Yi -. j
(23)
b) Use of block cipher, Yi = eK(XJ (16)
c) Generation of ciphertext variable, Ci = Pi 0 Ei
(24)
(17)
c) Selection of leftmost j bits, Ei = Yi - j
d) Feedback operation, Xi+] = Yi
(25)
(18)
Generation of plaintext variable, Pi = Ci 0 Ei
d)
e) Generation of feedback variable, Fi = Si (I(k) 1 Ci, (19)
These steps are repeated for i = I, 2, . . . . q, ending with
f) Shift function on FB, FBi+I = Sk(FBilFi) (20)
equation (24) on the last cycle. The procedure is shown on
the left side of figure 3. The result of each use of the block
3

---------------------- Page: 5 ----------------------
0 ISO/IEC
ISO/IEC 10116:1997(E)
cipher, which is Yi, is used to feed back and become the next a) Use of block cipher, Yi = eK(Xi)
(26)
value of X, namely Xi+] . The leftmost j bits of Yi are used to
b) Selection of leftmost j bits, Ei = Yi -j
(27)
encipher the input variable.
c) Generation of plaintext variable, Pi = Ci 0 Ei (28)
d) Feedback operation, Xi+] = Yi
(29)
8.3 The variables employed for decipherment are the same as
those employed for encipherment. The input block X is set to
These steps are repeated for i = I,2, . . . . q, ending with
its initial value Xl = SV.
equation (28) on the last cycle. The procedure is shown in the
right side of figure 3. The values Xi and Yi are the same as
The operation of deciphering each cipher-text variable
those used for encipherment; only equation (28) is different.
employs the following four steps:
D
I 4 P
q
C
q-1
--
+
-0
.
Encipherment
Encipherment 4
eK
algorithm
.
C
2
C C
v2
v 9
4
4 Decipherment
dK dK
Decipherment
\ \ algorithm
-w-
+
C
q-1
9
P
9
Figure 1 - The cipher block chaining (CBC) mode of operation

---------------------- Page: 6 ----------------------
ISO/IEC 10116:1997(E)
0 ISO/IEC
Encipherment Decipherment
1
1
1
j j
Figure 2 - The cipher feedback (CFB) mode of operation
Encipherment Decipherment
I \
1 n
1 n
X X
Encipherment eK Encipherment
eK
algorithm algorithm
Y Y
select left j bits
1
j
E
1 1
j j
Figure 3 - The output feedback (OFB) mode of operation
5

---------------------- Page: 7 ----------------------
0 ISO/IEC
ISO/IEC 10116:1997(E)
Annex A
(informative)
Properties of the modes of operation
A.2 Properties of the Cipher Block
Al 0 Properties of the Electronic Codebook
Chaining (CBC) mode of operation
(ECB) mode of operation
A.2.1 Environment
A.l.1 Environment
Binary data exchanged between computers, or people, may The CBC mode produces the same ciphertext whenever the
same plaintext is enciphered using the same key and starting
have repetitions or commonly used sequences. In ECB mode,
variable. Users who are concerned about this characteristic
identical plaintext blocks produce (for the same key) identical
need to adopt some ploy to change the start of the plaintext,
cipher-text blocks.
the key, or the starting variable. One possibility is to
incorporate a unique identifier (e.g. an incremented
...