sp800-38a(apuntes sobre algorimos de criptografia)

8/12/2019 Sp800-38a(Apuntes Sobre Algorimos de Criptografia)

1/66

NIST Special Publication 800-38A Recommendation for Block2001 Edition Cipher Modes of Operation

ethods and Techniques

Morris Dworkin

C O M P U T E R S E C U R I T Y


2/66

ii


3/66

C O M P U T E R S E C U R I T Y

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Gaithersburg, MD 20899-8930

December 2001

U.S. Department of CommerceDonald L. Evans, Secretary

Technology Administration

Phillip J. Bond, Under Secretary of Commerce for Technology

National Institute of Standards and Technology

Arden L. Bement, Jr., Director

iii


4/66

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology

(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nations

measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of

concept implementations, and technical analyses to advance the development and productive use ofinformation technology. ITLs responsibilities include the development of technical, physical,

administrative, and management standards and guidelines for the cost-effective security and privacy of

sensitive unclassified information in Federal computer systems. This Special Publication 800-series

reports on ITLs research, guidance, and outreach efforts in computer security, and its collaborative

activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an

experimental procedure or concept adequately. Such identification is not intended to imply recommendation or

endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities,materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-38A 2001 ED

Natl. Inst. Stand. Technol. Spec. Publ. 800-38A 2001 ED, 66 pages (December 2001)

CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE

WASHINGTON: 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250

Mail: Stop SSOP, Washington, DC 20402-0001

iv
http:///reader/full/bookstore.gpo.govhttp:///reader/full/bookstore.gpo.gov


5/66

Abstract

Thisrecommendationdefinesfiveconfidentialitymodesofoperationforusewithanunderlying

symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining

(CBC),CipherFeedback (CFB),OutputFeedback(OFB),and Counter (CTR). Usedwith an

underlyingblockcipheralgorithmthatisapprovedinaFederalInformationProcessingStandard(FIPS), these modes can provide cryptographic protection for sensitive, but unclassified,

computerdata.

KEY WORDS: Computer security; cryptography; data security; block cipher; encryption;

FederalInformationProcessingStandard;modeofoperation.

v


6/66

Table of Contents

1 PURPOSE .......................................................................................................................................................... 1

2 AUTHORITY .................................................................................................................................................... 1

3 INTRODUCTION ............................................................................................................................................. 1

4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS................................................................................. 3

4.1 DEFINITIONSANDABBREVIATIONS............................................................................................................3

4.2 SYMBOLS....................................................................................................................................................5

4.2.1 Variables ............................................................................................................................................... 5

4.2.2 Operations and Functions..................................................................................................................... 5

5 PRELIMINARIES............................................................................................................................................. 7

5.1 UNDERLYINGBLOCKCIPHERALGORITHM.................................................................................................7

5.2 REPRESENTATIONOFTHEPLAINTEXTANDTHECIPHERTEXT.....................................................................7

5.3 INITIALIZATIONVECTORS...........................................................................................................................8

5.4 EXAMPLESOFOPERATIONSANDFUNCTIONS.............................................................................................8

6 BLOCK CIPHER MODES OF OPERATION ............................................................................................... 9

6.1 THEELECTRONICCODEBOOKMODE..........................................................................................................9

6.2 THECIPHERBLOCKCHAININGMODE......................................................................................................10

6.3 THECIPHERFEEDBACKMODE.................................................................................................................11

6.4 THEOUTPUTFEEDBACKMODE................................................................................................................13

6.5 THECOUNTERMODE...............................................................................................................................15

APPENDIX A: PADDING ...................................................................................................................................... 17

APPENDIX B: GENERATION OF COUNTER BLOCKS ................................................................................. 18

B.1 THESTANDARDINCREMENTINGFUNCTION.............................................................................................18B.2 CHOOSINGINITIALCOUNTERBLOCKS.....................................................................................................19

APPENDIX C: GENERATION OF INITIALIZATION VECTORS ................................................................. 20

APPENDIX D: ERROR PROPERTIES ................................................................................................................ 21

APPENDIX E: MODES OF TRIPLE DES............................................................................................................ 23

APPENDIX F: EXAMPLE VECTORS FOR MODES OF OPERATION OF THE AES ................................ 24

F.1 ECBEXAMPLEVECTORS.........................................................................................................................24

F.1.1 ECB-AES128.Encrypt .......... .......... ........... .......... .......... ........... .......... ........... .......... .......... .......... ........ 24

F.1.2 ECB-AES128.Decrypt ........... .......... ........... .......... .......... ........... .......... ........... .......... .......... .......... ....... 24

F.1.3 ECB-AES192.Encrypt .......... ........... .......... .......... ........... .......... ........... .......... .......... ........... ......... ........ 25F.1.4 ECB-AES192.Decrypt ......... ........... .......... ........... .......... .......... ........... .......... ........... .......... .......... ........ 25

F.1.5 ECB-AES256.Encrypt .......... ........... .......... ........... .......... .......... ........... .......... ........... .......... ......... ........ 26

F.1.6 ECB-AES256.Decrypt ........... .......... .......... ........... .......... ........... .......... .......... ........... .......... .......... ....... 26

F.2 CBCEXAMPLEVECTORS.........................................................................................................................27

F.2.1 CBC-AES128.Encrypt ......................................................................................................................... 27

F.2.2 CBC-AES128.Decrypt......................................................................................................................... 27

F.2.3 CBC-AES192.Encrypt ......................................................................................................................... 28

F.2.4 CBC-AES192.Decrypt......................................................................................................................... 28

vi


7/66

F.2.5 CBC-AES256.Encrypt ......................................................................................................................... 28

F.2.6 CBC-AES256.Decrypt......................................................................................................................... 29

F.3 CFBEXAMPLEVECTORS.........................................................................................................................29

F.3.1 CFB1-AES128.Encrypt .......... .......... .......... .......... ........... .......... .......... ........... .......... .......... .......... ....... 29

F.3.2 CFB1-AES128.Decrypt ....................................................................................................................... 31

F.3.3 CFB1-AES192.Encrypt .......... .......... .......... ........... .......... .......... .......... ........... .......... .......... ........... ...... 33

F.3.4 CFB1-AES192.Decrypt ....................................................................................................................... 34F.3.5 CFB1-AES256.Encrypt ....................................................................................................................... 36

F.3.6 CFB1-AES256.Decrypt ....................................................................................................................... 37

F.3.7 CFB8-AES128.Encrypt .......... ........... .......... .......... .......... ........... .......... .......... ........... .......... .......... ...... 39

F.3.8 CFB8-AES128.Decrypt ....................................................................................................................... 41

F.3.9 CFB8-AES192.Encrypt ........... .......... .......... .......... ........... .......... .......... ........... .......... .......... .......... ...... 42

F.3.10 CFB8-AES192.Decrypt .......... ........... .......... ........... .......... .......... ........... .......... ........... .......... ......... . 44

F.3.11 CFB8-AES256.Encrypt ......... .......... ........... .......... .......... ........... .......... .......... .......... ........... .......... .. 46

F.3.12 CFB8-AES256.Decrypt .......... ........... .......... ........... .......... .......... ........... .......... ........... .......... ......... . 48

F.3.13 CFB128-AES128.Encrypt ......... ........... .......... .......... ........... .......... .......... .......... ........... .......... ........ 50

F.3.14 CFB128-AES128.Decrypt .......... ........... .......... .......... .......... ........... .......... .......... .......... ........... ....... 50

F.3.15 CFB128-AES192.Encrypt ......... ........... .......... .......... ........... .......... .......... .......... ........... .......... ........ 50

F.3.16 CFB128-AES192.Decrypt .......... ........... .......... .......... .......... ........... .......... .......... .......... ........... ....... 51

F.3.17 CFB128-AES256.Encrypt ......... ........... .......... .......... ........... .......... .......... .......... ........... .......... ........ 51F.3.18 CFB128-AES256.Decrypt .......... ........... .......... .......... .......... ........... .......... .......... .......... ........... ....... 52

F.4 OFBEXAMPLEVECTORS.........................................................................................................................52

F.4.1 OFB-AES128.Encrypt ......................................................................................................................... 52

F.4.2 OFB-AES128.Decrypt......................................................................................................................... 53

F.4.3 OFB-AES192.Encrypt ......................................................................................................................... 53

F.4.4 OFB-AES192.Decrypt......................................................................................................................... 54

F.4.5 OFB-AES256.Encrypt ......................................................................................................................... 54

F.4.6 OFB-AES256.Decrypt......................................................................................................................... 55

F.5 CTREXAMPLEVECTORS.........................................................................................................................55

F.5.1 CTR-AES128.Encrypt .......... .......... ........... .......... .......... ........... .......... ........... .......... .......... .......... ........ 55

F.5.2 CTR-AES128.Decrypt ........... .......... .......... ........... .......... ........... .......... .......... ........... .......... .......... ....... 56

F.5.3 CTR-AES192.Encrypt .......... .......... ........... .......... .......... ........... .......... ........... .......... .......... .......... ........ 56

F.5.4 CTR-AES192.Decrypt ........... .......... .......... ........... .......... ........... .......... .......... ........... .......... .......... ....... 57F.5.5 CTR-AES256.Encrypt .......... .......... .......... ........... .......... ........... .......... .......... ........... .......... ......... ......... 57

F.5.6 CTR-AES256.Decrypt ........... .......... .......... ........... .......... .......... ........... .......... ........... .......... .......... ....... 57

APPENDIX G: REFERENCES.............................................................................................................................. 59

Table of Figures

Figure1:TheECBMode................................................................................................................9

Figure2:TheCBCMode..............................................................................................................10

Figure3:TheCFBMode..............................................................................................................12

Figure4:TheOFBMode..............................................................................................................14Figure5:TheCTRMode..............................................................................................................16

vii


8/66

1 Purpose

This publication provides recommendations regarding modes of operation to be used with

symmetrickeyblockcipheralgorithms.

2 Authority

This document has been developed by the National Institute of Standards and Technology

(NIST)infurtheranceofitsstatutoryresponsibilitiesundertheComputerSecurityActof1987

(Public Law 100-235) and the Information Technology Management Reform Act of 1996,

specifically15U.S.C.278g-3(a)(5).Thisisnotaguidelinewithinthemeaningof15U.S.C.278

g-3(a)(5).

Thisrecommendationisneitherastandardnoraguideline,andassuch,isneithermandatorynor

bindingonFederalagencies.Federalagenciesandnon-governmentorganizationsmayusethisrecommendationonavoluntarybasis.Itisnotsubjecttocopyright.

Nothinginthisrecommendationshouldbetakentocontradictstandardsandguidelinesthathave

beenmademandatoryandbindinguponFederalagenciesbytheSecretaryofCommerceunder

hisstatutoryauthority.Norshouldthisrecommendationbeinterpretedasalteringorsuperseding

theexistingauthoritiesoftheSecretaryofCommerce,theDirectoroftheOfficeofManagement

andBudget,oranyotherFederalofficial.

Conformance testing for implementations of themodes ofoperation that arespecified in this

recommendation will be conducted within the framework of the Cryptographic Module

Validation Program (CMVP), a joint effort of the NIST and the Communications Security

Establishmentof theGovernmentofCanada. Animplementationofamodeofoperationmust

adheretotherequirementsinthisrecommendationinordertobevalidatedundertheCMVP.

3 Introduction

Thisrecommendationspecifiesfiveconfidentialitymodesofoperationforsymmetrickeyblock

cipheralgorithms,suchasthealgorithmspecifiedinFIPSPub.197, theAdvancedEncryption

Standard(AES)[2].Themodesmaybeusedinconjunctionwithanysymmetrickeyblockcipher

algorithm that is approved by a Federal Information Processing Standard (FIPS). The five

modesthe Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback(CFB),OutputFeedback(OFB),andCounter(CTR)modes canprovidedataconfidentiality.

Two FIPS publications alreadyapprove confidentialitymodes ofoperation for twoparticular

blockcipheralgorithms.FIPSPub.81[4]specifiestheECB,CBC,CFB,andOFBmodesofthe

Data Encryption Standard (DES). FIPS Pub. 46-3 [3] approves the seven modes that are

specifiedinANSIX9.52[1].Fourofthesemodesareequivalentto theECB,CBC,CFB,and

OFBmodeswith theTripleDES algorithm(TDEA) astheunderlyingblockcipher;theother

1


9/66

threemodesinANSIX9.52arevariantsoftheCBC,CFB,andOFBmodesofTripleDESthat

useinterleavingorpipelining.

Thus, there are three new elements in this recommendation: 1) the extension of the four

confidentiality modes in FIPS Pub 81 for use with any FIPS-approved block cipher; 2) the

revision of the requirements for these modes; and 3) the specification of an additionalconfidentialitymode,theCTRmode,forusewithanyFIPS-approvedblockcipher.

2


10/66

4 Definitions, Abbreviations, and Symbols

4.1 Definitions and Abbreviations

Bit Abinarydigit:0or1.

BitError Thesubstitutionofa0bitfora1bit,orviceversa.

BitString Anorderedsequenceof0sand1s.

BlockCipher Afamilyoffunctionsandtheirinversefunctionsthatisparameterized

bycryptographickeys;thefunctionsmapbitstringsofafixedlengthto

bitstringsofthesamelength.

BlockSize Thenumberofbitsinaninput(oroutput)blockoftheblockcipher.

CBC CipherBlockChaining.

CFB CipherFeedback.

Ciphertext Encrypteddata.

ConfidentialityMode Amodethatisusedtoencipherplaintextanddecipherciphertext.The

confidentialitymodesinthisrecommendationaretheECB,CBC,CFB,

OFB,andCTRmodes.

CTR Counter.

CryptographicKey Aparameterusedintheblockcipheralgorithmthatdeterminesthe

forwardcipheroperationandtheinversecipheroperation.

DataBlock(Block) Asequenceofbitswhoselengthistheblocksizeoftheblockcipher.

DataSegment

(Segment)

IntheCFBmode,asequenceofbitswhoselengthisaparameterthat

doesnotexceedtheblocksize.

Decryption(Deciphering) The processofa confidentiality mode that transformsencrypteddataintotheoriginalusabledata.

ECB ElectronicCodebook.

Encryption

(Enciphering)

Theprocessofaconfidentialitymodethattransformsusabledatainto

anunreadableform.

3


11/66

Exclusive-OR Thebitwiseaddition,modulo2,oftwobitstringsofequallength.

FIPS FederalInformationProcessingStandard.

ForwardCipher

Function(ForwardCipherOperation)

Oneofthetwofunctionsoftheblockcipheralgorithmthatisselected

bythecryptographickey.

InitializationVector

(IV)

A data block that some modes of operation require as an additional

initialinput.

InputBlock Adatablockthatisaninputtoeithertheforwardcipherfunctionorthe

inversecipherfunctionoftheblockcipheralgorithm.

InverseCipher

Function(Inverse

CipherOperation)

The function that reverses the transformation of the forward cipher

functionwhenthesamecryptographickeyisused.

LeastSignificant

Bit(s)

Theright-mostbit(s)ofabitstring.

ModeofOperation

(Mode)

Analgorithmforthecryptographictransformationofdatathatfeatures

asymmetrickeyblockcipheralgorithm.

MostSignificantBit(s) Theleft-mostbit(s)ofabitstring.

Nonce Avaluethatisusedonlyonce.

Octet Agroupofeightbinarydigits.

OFB OutputFeedback.

OutputBlock Adatablockthatisanoutputofeithertheforwardcipherfunctionor

theinversecipherfunctionoftheblockcipheralgorithm.

Plaintext Usabledatathatisformattedasinputtoamode.

4


12/66

4.2 Symbols

4.2.1 Variables

b Theblocksize,inbits.

j Theindextoasequenceofdatablocksordatasegmentsorderedfromleft

toright.

n Thenumberofdatablocksordatasegmentsintheplaintext.

s Thenumberofbitsinadatasegment.

u Thenumberofbitsinthelastplaintextorciphertextblock.

Cj Thejth

ciphertextblock.

C#

Thejthciphertextsegment.

C*

j

Thelastblockoftheciphertext,whichmaybeapartialblock.

Ij Thejthinputblock.

IV Theinitializationvector.

K Thesecretkey.

Oj Thejthoutputblock.

n

Pj Thejthplaintextblock.

P#

Thejthplaintextsegment.

P*

j

Thelastblockoftheplaintext,whichmaybeapartialblock.

Tj Thejthcounterblock.

n

4.2.2 Operations and Functions

X |Y TheconcatenationoftwobitstringsXandY.

X Y Thebitwiseexclusive-ORoftwobitstringsXandYofthesamelength.

CIPHK(X) TheforwardcipherfunctionoftheblockcipheralgorithmunderthekeyKapplied

tothedatablockX.

5


13/66

CIPH-1

(X) TheinversecipherfunctionoftheblockcipheralgorithmunderthekeyKappliedKtothedatablockX.

LSB (X) Thebitstringconsistingofthem leastsignificantbitsofthebitstringX.m

MSB (X) Thebitstringconsistingofthem mostsignificantbitsofthebitstringX.m

[x] Thebinaryrepresentationofthenon-negativeintegerx,inmbits,wherex


14/66

5 Preliminaries

5.1 Underlying Block Cipher Algorithm

ThisrecommendationassumesthataFIPS-approvedsymmetrickeyblockcipheralgorithmhasbeenchosenas theunderlyingalgorithm,andthat a secret, randomkey, denotedK,hasbeen

establishedamongallofthepartiestothecommunication. Thecryptographickeyregulatesthe

functioningoftheblockcipheralgorithmand,thus,byextension,regulatesthefunctioningofthe

mode. Thespecificationsof theblockcipherandalgorithmsandthemodesarepublic,sothe

securityofthemodedepends,ataminimum,onthesecrecyofthekey.

Aconfidentialitymodeofoperationoftheblockcipheralgorithmconsistsoftwoprocessesthat

are inverses of each other: encryption and decryption. Encryption is the transformationof a

usablemessage,calledtheplaintext,intoanunreadableform,calledtheciphertext;decryptionis

thetransformationthatrecoverstheplaintextfromtheciphertext.

For any given key, the underlying block cipher algorithm of the mode also consists of two

functions that areinverses ofeach other.These two functionsareoftencalledencryptionand

decryption, but in this recommendation, those terms are reserved for the processes of the

confidentialitymodes.Instead,aspartofthechoiceoftheblockcipheralgorithm,oneofthetwo

functionsisdesignatedastheforwardcipherfunction,denotedCIPHK;theotherfunctionisthen

calledtheinversecipherfunction,denotedCIPH1

.TheinputsandoutputsofbothfunctionsareKcalledinputblocksandoutputblocks. Theinputandoutputblocksoftheblockcipheralgorithm

havethesamebitlength,calledtheblocksize,denoted b.

5.2 Representation of the Plaintext and the Ciphertext

Forallofthemodesinthisrecommendation,theplaintextmustberepresentedasasequenceof

bitstrings;therequirementsonthelengthsofthebitstringsvaryaccordingtothemode:

FortheECBandCBCmodes,thetotalnumberofbitsintheplaintextmustbeamultipleofthe

blocksize,b;inotherwords,forsomepositiveintegern, thetotalnumberofbitsintheplaintext

mustbenb. Theplaintextconsistsofasequenceofnbitstrings,eachwithbitlengthb. Thebit

stringsinthesequencearecalleddatablocks,andtheplaintextisdenoted P1,P2,,P .n

FortheCFBmode,thetotalnumberofbitsintheplaintextmustbeamultipleofaparameter,

denoteds,thatdoesnotexceedtheblocksize;inotherwords,forsomepositiveintegern, the

totalnumberofbitsinthemessagemustbe ns. Theplaintextconsistsofasequenceofnbitstrings,eachwithbitlength s. Thebitstringsinthesequencearecalleddatasegments,andthe

plaintextisdenotedP#

1,P#

2,,P#

.n

FortheOFBandCTRmodes,theplaintextneednotbeamultipleoftheblocksize.Letn andu

denotetheuniquepairofpositiveintegerssuchthatthetotalnumberofbitsinthemessageis

(n-1)b+u,where1 u b. Theplaintextconsistsofasequenceofnbitstrings,inwhichthebit

lengthofthelastbitstringisu,andthebitlengthoftheotherbitstringsisb. Thesequenceis

denotedP1,P2,,Pn-1,P*

,andthebitstringsarecalleddatablocks,althoughthelastbitstring,n

7


15/66

P

*,maynotbeacompleteblock.n

Foreachmode, theencryptionprocess transformseveryplaintextdatablockorsegmentintoa

correspondingciphertextdatablockorsegmentwiththesamebitlength,sothattheciphertextis

asequenceofdatablocksorsegments. Theciphertextisdenotedasfollows: fortheECBand

CBCmodes,C1,C2,,C;fortheCFBmode,C

#

1,C

#

2,,C

#

;and,fortheOFBandCTRmodes,C1,C2,,Cn-1,C*

,wheren

C*

maybeapartialblock.n

n n

Theformattingoftheplaintext,includingin somecasestheappendingofpaddingbitstoform

completedatablocksordatasegments,isoutsidethescopeofthisrecommendation.Paddingis

discussedinAppendixA.

5.3 Initialization Vectors

TheinputtotheencryptionprocessesoftheCBC,CFB,andOFBmodesincludes,inadditionto

theplaintext,adatablockcalledtheinitializationvector(IV),denotedIV. TheIVisusedinan

initialstepintheencryptionofamessageandinthecorrespondingdecryptionofthemessage.

The IV need not be secret; however, for the CBCandCFBmodes,the IV foranyparticular

executionoftheencryptionprocessmustbeunpredictable,and,fortheOFBmode,uniqueIVs

mustbeusedforeachexecutionoftheencryptionprocess.ThegenerationofIVsisdiscussedin

AppendixC.

5.4 Examples of Operations and Functions

Theconcatenationoperationonbitstringsisdenoted|;forexample,001|10111=00110111.

Givenbitstringsofequallength,theexclusive-ORoperation,denoted,specifiestheaddition,modulo2,ofthebitsineachbitposition,i.e.,withoutcarries.Thus,1001110101=00110,for

example.

ThefunctionsLSB andMSB returnthesleastsignificantbitsandthe smostsignificantbitsofs stheirarguments.Forexample,LSB3(111011010)=010,andMSB4(111011010)=1110.

Givenapositiveintegermandanon-negative(decimal)integerxthatislessthan2m

,thebinary

representationofxinmbitsisdenoted[x] .Forexample,[45]8=00101101.m

8


16/66

6 Block Cipher Modes of Operation

The mathematical specifications of the five modes are given in Sections 6.1-6.5, along with

descriptions,illustrations,andcommentsonthepotentialforparallelprocessing.

6.1 The Electronic Codebook Mode

TheElectronicCodebook(ECB)modeisaconfidentialitymodethatfeatures,foragivenkey,

theassignmentofafixedciphertextblocktoeachplaintextblock,analogoustotheassignmentof

codewordsinacodebook. TheElectronicCodebook(ECB)modeisdefinedasfollows:

ECBEncryption: Cj=CIPHK(Pj) forj=1 n.

ECBDecryption: Pj=CIPH-1

(Cj) forj=1 n.

InECB encryption, theforward cipher function is applied directly andindependently toeachblockoftheplaintext.Theresultingsequenceofoutputblocksistheciphertext.

InECB decryption, the inversecipher function is applieddirectly and independently to each

blockoftheciphertext.Theresultingsequenceofoutputblocksistheplaintext.

K

ECB Encryption ECB Decryption

PLAINTEXT

CIPHK

INPUT BLOCK

OUTPUT BLOCK

CIPHERTEXT

CIPH-1K

INPUT BLOCK

OUTPUT BLOCK

Figure1:TheECBMode

InECBencryptionand ECBdecryption,multiple forward cipherfunctionsandinversecipher

functionscanbecomputedinparallel.

CIPHERTEXT PLAINTEXT

In theECBmode, under agivenkey,anygiven plaintextblock always getsencrypted tothe

9


17/66

sameciphertextblock. Ifthispropertyisundesirableinaparticularapplication,theECBmode

shouldnotbeused.

TheECBmodeisillustratedinFigure1.

6.2 The Cipher Block Chaining Mode

The CipherBlockChaining (CBC)mode isa confidentiality mode whoseencryptionprocess

featuresthecombining(chaining)oftheplaintextblockswiththepreviousciphertextblocks.

TheCBCmoderequiresanIVtocombinewiththefirstplaintextblock.TheIVneednotbe

secret, but itmustbe unpredictable; the generationof such IVs isdiscussed inAppendix C.

Also,theintegrityoftheIVshouldbeprotected,asdiscussedinAppendixD. TheCBCmodeis

definedasfollows:

CBCEncryption: C1= CIPHK(P1IV);

Cj = CIPHK(Pj Cj-1) forj=2 n.

CBCDecryption: P1 =CIPH-1

(C1)IV;KPj=CIPH

-1(Cj) Cj-1 forj=2 n.K

CIPHK

OUTPUT BLOCK 1

OUTPUT BLOCK 2

OUTPUT BLOCK n

PLAINTEXT 1 PLAINTEXT 2INITIALIZATIONVECTOR

INPUT BLOCK 1 INPUT BLOCK 2 INPUT BLOCK n

PLAINTEXT n

ENCRYPT

DECRYPT

INPUT BLOCK 1 INPUT BLOCK 2 INPUT BLOCKn

CIPH-1K

PLAINTEXT 1 PLAINTEXT 2 PLAINTEXT n

OUTPUT BLOCK 1 OUTPUT BLOCK 2 OUTPUT BLOCK n

INITIALIZATIONVECTOR

CIPHERTEXT 1 CIPHERTEXT 2

CIPHERTEXT 1 CIPHERTEXT 2

CIPHERTEXT n

CIPHERTEXT n

CIPHK CIPHK

CIPH-1K CIPH-1

K

Figure2:TheCBCMode

In CBCencryption, the first inputblock is formed by exclusive-ORing the firstblock ofthe

plaintextwiththe IV.The forwardcipherfunction isappliedto the firstinputblock, and the

10


18/66

resultingoutputblockisthefirstblockoftheciphertext.Thisoutputblockisalsoexclusive-

ORedwiththesecondplaintextdatablocktoproduce thesecondinputblock,andtheforward

cipherfunctionisappliedtoproducethesecondoutputblock. Thisoutputblock,whichis the

secondciphertextblock,isexclusive-ORedwiththenextplaintextblocktoformthenextinput

block. Each successiveplaintextblock isexclusive-ORed with thepreviousoutput/ciphertext

blocktoproducethenewinputblock. Theforwardcipherfunctionisappliedtoeachinputblocktoproducetheciphertextblock.

InCBCdecryption,theinversecipherfunctionisappliedtothefirstciphertextblock,andthe

resulting output block is exclusive-ORed with the initialization vector to recover the first

plaintextblock. Theinversecipherfunctionisalsoappliedtothesecondciphertextblock,and

theresultingoutputblockisexclusive-ORedwiththefirstciphertextblocktorecoverthesecond

plaintextblock.Ingeneral,torecoveranyplaintextblock(exceptthefirst),theinversecipher

function isapplied tothecorrespondingciphertextblock,andtheresultingblockisexclusive-

ORedwiththepreviousciphertextblock.

InCBCencryption,theinputblocktoeachforwardcipheroperation(exceptthefirst)dependsontheresultof thepreviousforwardcipheroperation,sotheforwardcipheroperationscannotbe

performed in parallel. In CBC decryption, however, the input blocks for the inverse cipher

function, i.e., theciphertextblocks,are immediately available, so that multiple inversecipher

operationscanbeperformedinparallel.

TheCBCmodeisillustratedinFigure2.

6.3 The Cipher Feedback Mode

The Cipher Feedback (CFB) mode is a confidentiality mode that features the feedback of

successiveciphertext segments into theinput blocksof theforwardcipher togenerateoutputblocksthatareexclusive-ORedwiththeplaintexttoproducetheciphertext,andviceversa. The

CFBmoderequiresanIVastheinitial inputblock. TheIVneednotbesecret,butitmustbe

unpredictable;thegenerationofsuchIVsisdiscussedinAppendixC.

The CFB mode also requires an integer parameter, denoted s, such that 1 s b. In the

specificationoftheCFBmodebelow,eachplaintextsegment( P#)andciphertextsegment(C

#)j j

consistsofsbits. Thevalueofsissometimesincorporatedintothenameofthemode,e.g.,the

1-bitCFBmode,the8-bitCFBmode,the64-bitCFBmode,orthe128-bitCFBmode.

TheCFBmodeisdefinedasfollows:

CFBEncryption: I1 =IV;

Ij=LSBb-s(Ij1)|C#

j-1 forj=2 n;

Oj=CIPHK(Ij) forj=1,2 n;C

#

j=P#

jMSB (Oj) forj=1,2 n.s

CFBDecryption: I1 =IV;

Ij=LSBb-s(Ij-1)|C#

j-1 forj=2 n;

11


19/66

Oj=CIPHK(Ij) forj=1,2 n;

P#

=C#

jMSB (Oj) forj=1,2 n.j s

InCFBencryption,thefirstinputblockistheIV,andtheforwardcipheroperationisappliedto

theIVtoproducethefirstoutputblock. Thefirstciphertextsegmentisproducedbyexclusive-

ORingthefirstplaintextsegmentwiththesmostsignificantbitsofthefirstoutputblock. (Theremainingb-sbitsofthefirstoutputblockarediscarded.) Theb-sleastsignificantbitsoftheIV

are then concatenatedwith thes bitsofthe first ciphertext segmentto form thesecond input

block. Analternativedescriptionoftheformationofthesecondinputblockisthatthebitsof

the first input block circularly shift s positions to the left, and then the ciphertext segment

replacesthesleastsignificantbitsoftheresult.

Theprocessisrepeatedwiththesuccessiveinputblocksuntilaciphertextsegmentisproduced

fromeveryplaintextsegment. Ingeneral,eachsuccessiveinputblockisencipheredtoproduce

anoutputblock. Thesmostsignificantbitsofeachoutputblockareexclusive-ORedwiththe

correspondingplaintextsegmenttoformaciphertextsegment.Eachciphertextsegment(except

thelastone)isfedbackintothepreviousinputblock,asdescribedabove,toformanewinputblock.Thefeedbackcanbedescribedintermsoftheindividualbitsinthestringsasfollows:ifi1i2ibisthejthinputblock,andc1c2c isthejthciphertextsegment,thenthe(j+1)

thinputblocks

isis+1is+2ibc1c2c .s

OUTPUT BLOCK 1Select Discards Bits (b-s) Bits

INPUT BLOCK 1

OUTPUT BLOCK 1Select Discard

s Bits (b-s) Bits

CIPHK

INITIALIZATION

VECTOR

PLAINTEXT 1s Bits

CIPHERTEXT 1s Bits

INPUT BLOCK 1

CIPHERTEXT 1s Bits

PLAINTEXT 1

s Bits

E

NCRYPT

DECRYPT

OUTPUT BLOCK nSelect Discards Bits (b-s) Bits

INPUT BLOCK n(b-s) Bits s Bits

OUTPUT BLOCK nSelect Discard

s Bits (b-s) Bits

PLAINTEXT ns Bits

CIPHERTEXT ns Bits

INPUT BLOCK n(b-s) Bits s Bits

CIPHERTEXT ns Bits

PLAINTEXT n

s Bits

OUTPUT BLOCK 2Select Discards Bits (b-s) Bits

INPUT BLOCK 2(b-s) Bits s Bits

OUTPUT BLOCK 2Select Discard

s Bits (b-s) Bits

PLAINTEXT 2s Bits

CIPHERTEXT 2s Bits

INPUT BLOCK 2(b-s) Bits s Bits

CIPHERTEXT 2s Bits

PLAINTEXT 2s Bits


CIPHK CIPHK

CIPHKCIPHKCIPHK

Figure3:TheCFBMode

InCFBdecryption,theIVisthefirstinputblock,andeachsuccessiveinputblockisformedasin

CFBencryption,byconcatenatingthe b-s leastsignificantbitsofthepreviousinputblockwith

12


20/66

thesmostsignificantbitsofthepreviousciphertext.Theforwardcipherfunctionisappliedto

eachinputblocktoproducetheoutputblocks. Thesmostsignificantbitsoftheoutputblocks

are exclusive-ORed with the corresponding ciphertext segments to recover the plaintext

segments.

InCFBencryption,likeCBCencryption,theinputblocktoeachforwardcipherfunction(exceptthe first) depends on the result of the previous forward cipher function; therefore, multiple

forward cipher operations cannot be performed in parallel. In CFB decryption, the required

forwardcipheroperationscanbeperformedinparalleliftheinputblocksarefirstconstructed(in

series)fromtheIVandtheciphertext.

TheCFBmodeisillustratedinFigure3.

6.4 The Output Feedback Mode

The OutputFeedback (OFB) mode is a confidentialitymode that features theiteration of the

forwardcipheronanIVtogeneratea sequenceofoutputblocksthatareexclusive-ORedwiththeplaintexttoproducetheciphertext,andviceversa.TheOFBmoderequiresthattheIVisa

nonce, i.e., the IV mustbe unique for eachexecutionof the mode under the given key; the

generationofsuchIVsisdiscussedinAppendixC. TheOFBmodeisdefinedasfollows:

OFBEncryption: I1 =IV;

Ij=Oj-1 forj=2 n;Oj=CIPHK(Ij) forj=1,2 n;Cj=Pj Oj forj=1,2 n-1;C

*=P

*

MSB (O ).n n u n

OFBDecryption: I1 =IV;Ij=Oj-1 forj=2 n;

Oj=CIPHK(Ij) forj=1,2 n;Pj =Cj Oj forj=1,2 n-1;P

*

n =C*

nMSBu(On).

InOFB encryption, the IVis transformed by theforward cipherfunction toproduce thefirst

outputblock. Thefirstoutputblockisexclusive-ORedwiththefirstplaintextblocktoproduce

thefirstciphertextblock.Theforwardcipherfunctionistheninvokedonthefirstoutputblock

toproducethesecondoutputblock. Thesecondoutputblockisexclusive-ORedwiththesecond

plaintext block to produce the second ciphertext block, and the forward cipher function is

invoked on the second output block toproduce the thirdoutput block. Thus, the successiveoutputblocksareproduced from applying theforwardcipher function to theprevious output

blocks, and theoutput blocks areexclusive-ORed with thecorrespondingplaintext blocks to

produce the ciphertextblocks. For thelastblock,whichmaybeapartialblockofubits,the

most significant u bits of the last output blockare used for the exclusive-OR operation; the

remainingb-ubitsofthelastoutputblockarediscarded.

In OFBdecryption, the IV istransformedby theforward cipher function toproduce thefirst

13


21/66

outputblock. Thefirstoutputblockisexclusive-ORedwiththefirstciphertextblocktorecover

the first plaintext block. The first output block is then transformed by the forward cipher

functiontoproducethesecondoutputblock.Thesecondoutputblockisexclusive-ORedwith

thesecondciphertextblocktoproducethesecondplaintextblock,andthesecondoutputblockis

alsotransformedbytheforwardcipherfunction toproduce the third outputblock. Thus, the

successiveoutputblocksareproducedfromapplyingtheforwardcipherfunctiontothepreviousoutput blocks, and the output blocks are exclusive-ORed with the corresponding ciphertext

blockstorecovertheplaintextblocks. Forthelastblock,whichmaybeapartialblockofubits,

themostsignificantubitsofthelastoutputblockareusedfortheexclusive-ORoperation;the

remainingb-ubitsofthelastoutputblockarediscarded.

OUTPUT BLOCK 1

INPUT BLOCK 1

OUTPUT BLOCK 1

CIPHK


PLAINTEXT 1

CIPHERTEXT 1

INPUT BLOCK 1

CIPHERTEXT 1

PLAINTEXT 1

ENCR

YPT

DECRYPT

OUTPUT BLOCK n

INPUT BLOCK n

OUTPUT BLOCK n

PLAINTEXT n

CIPHERTEXT n

INPUT BLOCK n

CIPHERTEXT n

PLAINTEXT n

OUTPUT BLOCK 2

INPUT BLOCK 2

OUTPUT BLOCK 2

PLAINTEXT 2

CIPHERTEXT 2

INPUT BLOCK 2

CIPHERTEXT 2

PLAINTEXT 2


CIPHK CIPHK

CIPHKCIPHKCIPHK

Figure4:TheOFBMode

Inboth OFBencryptionandOFB decryption,each forward cipherfunction (except the first)

dependsontheresultsofthepreviousforwardcipherfunction;therefore,multipleforwardcipher

functionscannotbeperformedinparallel. However,iftheIVisknown,theoutputblockscanbe

generatedpriortotheavailabilityoftheplaintextorciphertextdata.

TheOFBmoderequiresauniqueIVforeverymessagethatiseverencryptedunderthegiven

key. If,contraryto this requirement, thesameIVisusedfortheencryptionofmorethanone

message, then theconfidentialityof thosemessagesmay becompromised. Inparticular, ifa

plaintextblockofanyofthesemessagesisknown,say,thejthplaintextblock,thenthejthoutput

of the forward cipher function can be determined easily from thejth ciphertext block of the

message.Thisinformationallowsthejthplaintextblockofanyothermessagethatisencrypted

14


22/66

usingthesameIVtobeeasilyrecoveredfromthejthciphertextblockofthatmessage.

Confidentialitymaysimilarlybecompromisedif anyoftheinputblockstotheforwardcipher

functionfortheencryptionofamessageisdesignatedastheIVfortheencryptionofanother

messageunderthegivenkey.

TheOFBmodeisillustratedinFigure4.

6.5 The Counter Mode

TheCounter(CTR)modeisaconfidentialitymodethatfeaturestheapplicationoftheforward

ciphertoasetof inputblocks,calledcounters,toproduceasequenceofoutputblocksthatare

exclusive-ORedwith theplaintexttoproduce theciphertext,andviceversa. Thesequenceof

countersmusthave theproperty that eachblock inthesequence isdifferent fromeveryother

block. Thisconditionisnotrestricted toa singlemessage:acrossallofthemessages thatare

encryptedunderthegivenkey,allofthecountersmustbedistinct.Inthisrecommendation,the

countersforagivenmessagearedenotedT1,T2, ,T . Methodsforgeneratingcountersarendiscussed inAppendixB. Given a sequence ofcounters,T1 , T2 , , T, theCTRmode isndefinedasfollows:

CTREncryption: Oj=CIPHK(Tj) forj=1,2 n;Cj=Pj Oj forj=1,2 n-1;

C*

=P*

MSB (O ).n n u n

CTRDecryption: Oj=CIPHK(Tj) forj=1,2 n;Pj =Cj Oj forj=1,2 n-1;P

*

n =C*

nMSBu(On).

In CTR encryption, the forward cipher function is invoked on each counter block, and the

resultingoutputblocksareexclusive-ORedwiththecorrespondingplaintextblockstoproduce

the ciphertext blocks. For the last block, which may be a partial block of u bits, the most

significantubitsofthelastoutputblockareusedfortheexclusive-ORoperation;theremainingb-ubitsofthelastoutputblockarediscarded.

In CTR decryption, the forward cipher function is invoked on each counter block, and the

resultingoutputblocksareexclusive-ORedwiththecorrespondingciphertextblockstorecover

the plaintext blocks. For the last block, which may be a partial block of u bits, the most

significantubitsofthelastoutputblockareusedfortheexclusive-ORoperation;theremaining

b-ubitsofthelastoutputblockarediscarded.

InbothCTRencryptionandCTRdecryption,theforwardcipherfunctionscanbeperformedin

parallel;similarly,theplaintextblockthatcorrespondstoanyparticularciphertextblockcanbe

recoveredindependentlyfromtheotherplaintextblocksifthecorrespondingcounterblockcan

bedetermined.Moreover,theforwardcipherfunctionscanbeappliedtothecounterspriortothe

availabilityoftheplaintextorciphertextdata.

15


23/66

OUTPUT BLOCK 1

INPUT BLOCK 1

OUTPUT BLOCK 1

CIPHK

COUNTER 1

PLAINTEXT 1

CIPHERTEXT 1

INPUT BLOCK 1

CIPHERTEXT 1

PLAINTEXT 1

E

NCRYPT

DECRYPT

COUNTER 1

OUTPUT BLOCK 2

INPUT BLOCK 2

OUTPUT BLOCK 2

COUNTER 2

PLAINTEXT 2

CIPHERTEXT 2

INPUT BLOCK 2

CIPHERTEXT 2

PLAINTEXT 2

COUNTER 2

. . . . .CIPHK

CIPHKCIPHK

INPUT BLOCK n

OUTPUT BLOCK n

COUNTER n

PLAINTEXT n

CIPHK

OUTPUT BLOCK n

CIPHERTEXT n

INPUT BLOCK n

CIPHERTEXT n

COUNTER n

. . . . . CIPHK

PLAINTEXT n

Figure5:TheCTRMode

TheCTRmodeisillustratedinFigure5.

16


24/66

Appendix A: Padding

FortheECB,CBC,andCFBmodes,theplaintextmustbeasequenceofoneormorecomplete

datablocks(or,forCFBmode,datasegments).Inotherwords,forthesethreemodes,thetotal

numberofbitsintheplaintextmustbeapositivemultipleoftheblock(orsegment)size.

Ifthedatastringtobeencrypteddoesnotinitiallysatisfythisproperty,thentheformattingofthe

plaintextmustentailanincreaseinthenumberofbits.Acommonwaytoachievethenecessary

increaseistoappendsomeextrabits,calledpadding,tothetrailingendofthedatastringasthe

laststep inthe formattingof theplaintext. An example of apadding methodis to appenda

single 1bittothedatastringandthentopadtheresultingstringbyasfew 0bits,possibly

none,asarenecessarytocompletethefinalblock(segment). Othermethodsmaybeused;in

general,theformattingoftheplaintextisoutsidethescopeofthisrecommendation.

For theabovepaddingmethod,thepaddingbitscanbe removedunambiguously,providedthe

receivercandeterminethatthemessageisindeedpadded. Onewaytoensurethatthereceiverdoesnotmistakenlyremovebitsfromanunpaddedmessageistorequirethesendertopadevery

message, includingmessagesinwhichthe finalblock(segment)is alreadycomplete.Forsuch

messages,anentireblock(segment)ofpaddingisappended. Alternatively,suchmessagescan

besentwithoutpaddingif,foreverymessage,theexistenceofpaddingcanbereliablyinferred,

e.g.,fromamessagelengthindicator.

17


25/66

Appendix B: Generation of Counter Blocks

ThespecificationoftheCTRmoderequiresauniquecounterblockforeachplaintextblockthat

is ever encrypted under a given key, across all messages. If, contrary to this requirement, a

counter block is used repeatedly, then the confidentiality of all of the plaintext blockscorrespondingtothatcounterblockmaybecompromised. Inparticular,if anyplaintextblock

that isencryptedusingagivencounterblockisknown,then theoutputoftheforwardcipher

functioncanbedeterminedeasilyfromtheassociatedciphertextblock. Thisoutputallowsany

otherplaintext blocksthat areencryptedusing thesame counterblock tobeeasilyrecovered

fromtheirassociatedciphertextblocks.

Therearetwoaspectstosatisfyingtheuniquenessrequirement.First,anincrementingfunction

forgeneratingthecounterblocksfromanyinitialcounterblockcanensurethatcounterblocksdo

not repeatwithinagiven message. Second, the initialcounterblocks,T1,mustbe chosen to

ensurethatcountersareuniqueacrossallmessagesthatareencryptedunderthegivenkey.

B.1 The Standard Incrementing Function

In general, given the initial counter block for a message, the successive counter blocks are

derivedbyapplyinganincrementingfunction.Asintheabovespecificationsofthemodes,nis

thenumberofblocksinthegivenplaintextmessage,and bisthenumberofbitsintheblock.

Thestandardincrementingfunctioncanapplyeithertoanentireblockortoapartofablock.

Let m be the number of bitsin thespecific partof theblock to be incremented;thus, misa

positiveintegersuchthatmb.Anystringofmbitscanberegardedasthebinaryrepresentation

ofanon-negativeintegerxthatisstrictlylessthan2m.Thestandardincrementingfunctiontakes

[x]mandreturns[x+1mod2m] .m

For example, let thestandard incrementing function apply to thefive least significantbits of

eightbitblocks,sothatb=8andm=5(unrealisticallysmallvalues);let*representeachunknown

bit in this example, and let ***11110 represent a block to be incremented. The following

sequenceofblocksresultsfromfourapplicationsofthestandardincrementingfunction:

***11110

***11111

***00000

***00001

***00010.

Counter blocks inwhich a given set of m bits are incremented by thestandard incrementing

function satisfy the uniqueness requirement within the given message provided that n 2m

.

Whethertheuniquenessrequirementforcounterblocksissatisfiedacrossallmessagesthatare

encryptedunderagivenkey thendepends onthechoicesoftheinitialcounterblocksfor the

messages,asdiscussedinthenextsection.

18


26/66

Thisrecommendationpermitstheuseofanyotherincrementingfunctionthatgeneratesnunique

stringsofmbitsinsuccessionfromtheallowableinitialstrings.Forexample,iftheinitialstring

ofm bits isnot the zero string, i.e., if itcontains at leastone1 bit,then anincrementing

functioncanbeconstructedfroma linearfeedbackshiftregisterthat isspecializedtoensurea

sufficientlylargeperiod;seeRef.[5]forinformationaboutlinearfeedbackshiftregisters.

B.2 Choosing Initial Counter Blocks

Theinitialcounterblocks, T1,foreachmessagethatisencryptedunderthegivenkeymustbe

choseninamannerthanensurestheuniquenessofallthecounterblocksacrossallthemessages.

Twoexamplesofapproachestochoosingtheinitialcounterblocksaregiveninthissection.

Inthefirstapproach,foragivenkey,allplaintextmessagesareencryptedsequentially.Within

themessages,thesamefixedsetofmbitsofthecounterblockis incrementedbythestandard

incrementing function. The initialcounterblock forthe initialplaintextmessagemaybeany

string of b bits. The initial counter block for any subsequent message can be obtained by

applyingthestandardincrementingfunctiontothefixedsetof mbitsofthefinalcounterblockofthepreviousmessage. Ineffect,alloftheplaintextmessagesthatareeverencryptedunderthe

givenkeyareconcatenated into asinglemessage;consequently, the total number ofplaintext

blocksmustnotexceed2m. Proceduresshouldbeestablishedtoensurethemaintenanceofthe

state of the final counter block of the latest encrypted message, and to ensure the proper

sequencingofthemessages.

Asecondapproach tosatisfyingtheuniquenesspropertyacrossmessages istoassigntoeach

messageauniquestringof b/2bits(roundingup, ifbisodd),inotherwords,amessagenonce,

andtoincorporatethemessagenonceintoeverycounterblockforthemessage.Theleadingb/2

bits (rounding up, if b is odd) of each counter block would be the message nonce, and the

standardincrementingfunctionwouldbeappliedtotheremainingmbitstoprovideanindextothecounterblocksforthemessage. Thus,ifNisthemessagenonceforagivenmessage,then

thejthcounterblockisgivenby Tj=N | [j] ,forj=1n. Thenumberofblocks,n,inany

messagemustsatisfyn


27/66

Appendix C: Generation of Initialization Vectors

The CBC, CFB, and OFB modes require an initialization vector as input, in addition to the

plaintext. AnIVmustbegeneratedforeachexecutionoftheencryptionoperation,andthesame

IVisnecessaryforthecorrespondingexecutionofthedecryptionoperation.Therefore,theIV,orinformation that is sufficient to calculate the IV, must be available to each party to the

communication.

The IV need not be secret, so the IV, or information sufficient todetermine the IV, may be

transmittedwiththeciphertext.

For the CBC and CFB modes, the IVs must be unpredictable. In particular, for any given

plaintext, itmustnot be possible topredict the IV that will be associated to the plaintext in

advanceofthegenerationoftheIV.

TherearetworecommendedmethodsforgeneratingunpredictableIVs. Thefirstmethod istoapply the forward cipher function, under the same key that is used for the encryption of the

plaintext,toanonce.Thenoncemustbeadatablockthatisuniquetoeachexecutionofthe

encryptionoperation. Forexample,thenoncemaybeacounter,asdescribedinAppendixB,or

a message number. The second method is to generate a random data block using a FIPS-

approvedrandomnumbergenerator.

FortheOFBmode,theIVneednotbeunpredictable,butitmustbeanoncethatisuniqueto

each execution of the encryption operation. For example, the nonce may be a counter, as

describedinAppendixB,oramessagenumber.

If,contrarytothisrequirement,thesameIVisusedfortheOFBencryptionofmorethanonemessage, then theconfidentialityof thosemessagesmay becompromised. Inparticular, ifa

plaintextblockofanyofthesemessagesisknown,say,thejthplaintextblock,thenthejthoutput

of the forward cipher function can be determined easily from thejth ciphertext block of the

message.Thisinformationallowsthejthplaintextblockofanyothermessagethatisencrypted

usingthesameIVtobeeasilyrecoveredfromthejthciphertextblockofthatmessage.

Confidentialitymaysimilarlybecompromisedif anyoftheinputblockstotheforwardcipher

function for the OFB encryptionof a message isdesignated as the IV for the encryption of

anothermessageunderthegivenkey.OneconsequenceofthisobservationisthatIVsforthe

OFBmodeshouldnotbegeneratedbyinvokingtheblockcipheronanotherIV.

Validation that an implementation of the CBC, CFB, or OFB mode conforms to this

recommendation will typically include an examination of the procedures for assuring the

unpredictabilityoruniquenessoftheIV.

20


28/66

Appendix D: Error Properties

Abiterroristhesubstitutionofa 0bitfora1bit,orviceversa. Thisappendixcontainsa

discussionoftheeffectsofbiterrorsinciphertextblocks(orsegments),counterblocks,andIVs

on themodes inthisrecommendation. Insertionordeletionofbits intociphertextblocks (orsegments)isalsodiscussed.

Foranyconfidentialitymode,ifthereareanybiterrorsinasingleciphertextblock(orsegment),

thenthedecryptionofthatciphertextblock(orsegment)willbeincorrect,i.e.,itwilldifferfrom

theoriginalplaintextblock(orsegment). IntheCFB,OFB,andCTRmodes,thebiterror(s)in

thedecryptedciphertextblock(orsegment)occurinthesamebitposition(s)asintheciphertext

block(orsegment);theotherbitpositionsarenotaffected. IntheECBandCBCmodes,abit

errormay occur,independently, inany bitpositionofthedecryptedciphertextblock,with an

expectederrorrateoffiftypercent,dependingonthestrengthoftheunderlyingblockcipher.

For the ECB, OFB, and CTR modes, bit errors within a ciphertext block do not affect thedecryptionofanyotherblocks. IntheCBCmode,anybitpositionsthatcontainbiterrorsina

ciphertextblockwillalsocontainbiterrorsinthedecryptionofthesucceedingciphertextblock;

theotherbitpositionsarenotaffected.IntheCFBmode,biterrorsinaciphertextsegmentaffect

thedecryptionofthenextb/s(roundeduptothenearestinteger)ciphertextsegments. Abiterror

may occur, independently, inany bit position in these decrypted segments,withanexpected

errorrateoffiftypercent.

Similarly,fortheCTRmode,ifthereisabiterrorinacounterblock,thenabiterrormayoccur,

independently, in any bit position of the decryption of the corresponding ciphertext, withan

expectederrorrateoffiftypercent.

BiterrorsinIVsalsoaffectthedecryptionprocess.IntheOFBmode,biterrorsintheIVaffect

the decryption of every ciphertext block. In theCFBmode, bit errors in the IV affect, at a

minimum, the decryption of the first ciphertext segment, and possibly successive ciphertext

segments,dependingonthebitpositionoftherightmostbiterrorintheIV.(Ingeneral,abit

errorintheithmostsignificantbitpositionaffectsthedecryptionsofthefirst i/s(roundingup)

ciphertextsegments.) ForboththeOFBandCFBmodes,abiterrormayoccur,independently,

inanybitpositionoftheaffectedciphertextblocks(orsegments),withanexpectederrorrateof

fiftypercent. IntheCBCmode,ifbiterrorsoccurintheIV,thenthefirstciphertextblockwill

bedecryptedincorrectly,andbiterrorswilloccurinexactlythesamebitpositionsasintheIV;

thedecryptionsoftheotherciphertextblocksarenotaffected.

Consequently,fortheCBCmode,thedecryptionofthefirstciphertextblockisvulnerabletothe

(deliberate)introductionofbiterrorsinspecificbitpositionsoftheIViftheintegrityoftheIVis

notprotected.Similarly,fortheOFBandCTRmodes,thedecryptionofanyciphertextblockis

vulnerabletotheintroductionofspecificbiterrorsintothatciphertextblockifitsintegrityisnot

protected. ThesamepropertyalsoholdsfortheciphertextsegmentsintheCFBmode;however,

foreveryciphertextsegmentexceptthelastone,theexistenceofsuchbiterrorsmaybedetected

bytheirrandomizingeffectonthedecryptionofthesucceedingciphertextsegment.

21


29/66

TableD.1summarizestheeffectsofbiterrorsinaciphertextblockorIVonthedecryptionofthe

ciphertextforeachofthefiveconfidentialitymodes.

TableD.1efiveconfidentialitymodes.

TableD.2:SummaryofEffectofBitErrorsonDecryption

Mode EffectofBitErrorsinCj EffectofBitErrorsintheIV

ECB RBEinthedecryptionofCj Notapplicable

CBCRBEinthedecryptionofCjSBEinthedecryptionofCj+1

SBEinthedecryptionofC1

CFBSBEinthedecryptionofCjRBEinthedecryptionofCj+1,,Cj+b/s

RBEinthedecryptionofC1,C2,,Cjforsomejbetween1andb/s

OFB SBEinthedecryptionofCj RBEinthedecryptionofC1,C2,,Cn

CTR SBEinthedecryptionofCj Notapplicable*

RBE:randombiterrors,i.e.,biterrorsoccurindependentlyinanybitpositionwithan

expectedprobabilityof.

SBE:specificbiterrors,i.e.,biterrorsoccurinthesamebitposition(s)astheoriginalbit

error(s).

*Biterrorsinthejthcounterblock,Tj,resultinRBEinthedecryptionofCj.

Thedeletionorinsertionofbitsintoaciphertextblock(orsegment)spoilsthesynchronizationof

the block (or segment) boundaries; in effect, bit errors may occur in the bit position of the

insertedordeletedbit,andineverysubsequentbitposition.Therefore,thedecryptionsofthe

subsequent ciphertext blocks (or segments) will almost certainly be incorrect until the

synchronization is restored. When the 1-bit CFB mode is used, then the synchronization is

automaticallyrestoredb+1positionsaftertheinsertedordeletedbit.Forothervaluesof sinthe

CFBmode,andfortheotherconfidentialitymodesinthisrecommendation,thesynchronization

mustberestoredexternally.

22


30/66

Appendix E: Modes of Triple DES

FIPS Pub 46-3 [FIPS 46-3] specifies the Data Encryption Standard (DES) algorithm and

approvesitsthree-fold,compoundoperationthatisspecifiedinANSIX9.52[1]:theTripleData

EncryptionAlgorithm(TDEA). Essentially,theTDEAconsistsoftheapplicationoftheforwardDESalgorithm,i.e,DESencryption,underonekey,followedbytheapplicationoftheinverse

DES algorithm, i.e.,DES decryption, under a secondkey, followedby the applicationof the

forwardDESalgorithmunderathirdkey. TheTDEAisoftencalledTripleDES.

FIPSPub46-3alsoapprovesthesevenmodesofoperationofTripleDESthatarespecifiedin

ANSIX9.52. Fourof thosemodesare equivalentto modes inthis recommendationwith the

TDEA as the underlying block cipher. Inparticular, the TECB,TCBC,andTOFB modes in

ANSIX9.52areequivalenttotheECB,CBC,andOFBmodesinthisrecommendation,withthe

TDEAastheunderlyingblockcipher;theTCFBmodeinANSIX9.52isequivalenttotheCFB

modeinthisrecommendation,withtheTDEAastheunderlyingblockcipher,providedthatthe

possiblechoicesoftheparameters(thesegmentsize)arerestrictedtothreevalues:1,8,and64.TheremainingthreemodesinANSIX9.52areTCBC-I,TCFB-P,andTOFB-I;theyaremode

variants that allow for interleaving or pipelining; this recommendation does not provide

analoguesofthesethreemodes.

The Triple DES modes in ANSI X9.52 should not be used as the underlying block cipher

algorithm for the modes in this recommendation. However, the Triple DES algorithm, i.e.,

TDEA,asdescribedabove,may beused as theunderlyingblockcipheralgorithmforthe six

modes in this recommendation. One of the resulting modes of Triple DES is new, i.e., not

specifiedinANSIX9.52:theCTRmodeoftheTDEA.

23


31/66

Appendix F: Example Vectors for Modes of Operation of the AES

Inthisappendix,threeexamplesareprovidedforeachofthemodesinthisrecommendationwith

the AES algorithm [2] as the underlying block cipher:one example isgiven for each of the

allowedkeysizes(128,192,and256bits). Someintermediateresultsarepresented. Forthefiveconfidentialitymodes,examplesareprovidedforbothencryptionanddecryption. Examplesare

providedfor1-bit,8-bit,and128bitCFB.Theplaintextforallbuttwooftheseexamplesis

equivalenttothefollowingstringofhexadecimalcharacters,formattedintofour128bitblocks:

6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710.

Fortheexampleof1-bitCFB,theplaintextisthefirst16bitsintheabovestring;fortheexample

of8-bitCFB,theplaintextisthefirst18octetsintheabovestring.Allstringsarepresentedin

hexadecimal notation,exceptin theexampleof1-bitCFB,wheretheplaintextandciphertext

segmentsaresinglebits.

F.1 ECB Example Vectors

F.1.1 ECB-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3cBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock 3ad77bb40d7a3660a89ecaf32466ef97

Ciphertext 3ad77bb40d7a3660a89ecaf32466ef97Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock f5d3d58503b9699de785895a96fdbaafCiphertext f5d3d58503b9699de785895a96fdbaafBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock 43b1cd7f598ece23881b00e3ed030688Ciphertext 43b1cd7f598ece23881b00e3ed030688Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710

InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 7b0c785e27e8ad3f8223207104725dd4Ciphertext 7b0c785e27e8ad3f8223207104725dd4

F.1.2 ECB-AES128.DecryptKey 2b7e151628aed2a6abf7158809cf4f3cBlock#1Ciphertext 3ad77bb40d7a3660a89ecaf32466ef97InputBlock 3ad77bb40d7a3660a89ecaf32466ef97

24


32/66

OutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext f5d3d58503b9699de785895a96fdbaafInputBlock f5d3d58503b9699de785895a96fdbaafOutputBlock ae2d8a571e03ac9c9eb76fac45af8e51

Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext 43b1cd7f598ece23881b00e3ed030688InputBlock 43b1cd7f598ece23881b00e3ed030688OutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4Ciphertext 7b0c785e27e8ad3f8223207104725dd4InputBlock 7b0c785e27e8ad3f8223207104725dd4OutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710

F.1.3 ECB-AES192.EncryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock bd334f1d6e45f25ff712a214571fa5ccCiphertext bd334f1d6e45f25ff712a214571fa5ccBlock#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock 974104846d0ad3ad7734ecb3ecee4eefCiphertext 974104846d0ad3ad7734ecb3ecee4eefBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock ef7afd2270e2e60adce0ba2face6444eCiphertext ef7afd2270e2e60adce0ba2face6444eBlock#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 9a4b41ba738d6c72fb16691603c18e0eCiphertext 9a4b41ba738d6c72fb16691603c18e0e

F.1.4 ECB-AES192.DecryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bBlock#1

Ciphertext bd334f1d6e45f25ff712a214571fa5ccInputBlock bd334f1d6e45f25ff712a214571fa5ccOutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext 974104846d0ad3ad7734ecb3ecee4eefInputBlock 974104846d0ad3ad7734ecb3ecee4eefOutputBlock ae2d8a571e03ac9c9eb76fac45af8e51Plaintext ae2d8a571e03ac9c9eb76fac45af8e51

25


33/66

Block#3Ciphertext ef7afd2270e2e60adce0ba2face6444eInputBlock ef7afd2270e2e60adce0ba2face6444eOutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4

Ciphertext 9a4b41ba738d6c72fb16691603c18e0eInputBlock 9a4b41ba738d6c72fb16691603c18e0eOutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710

F.1.5 ECB-AES256.EncryptKey 603deb1015ca71be2b73aef0857d7781

1f352c073b6108d72d9810a30914dff4Block#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc1bee22e409f96e93d7e117393172aOutputBlock f3eed1bdb5d2a03c064b5a7e3db181f8Ciphertext f3eed1bdb5d2a03c064b5a7e3db181f8

Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock ae2d8a571e03ac9c9eb76fac45af8e51OutputBlock 591ccb10d410ed26dc5ba74a31362870Ciphertext 591ccb10d410ed26dc5ba74a31362870Block#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 30c81c46a35ce411e5fbc1191a0a52efOutputBlock b6ed21b99ca6f4f9f153e7b1beafed1dCiphertext b6ed21b99ca6f4f9f153e7b1beafed1dBlock#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock f69f2445df4f9b17ad2b417be66c3710OutputBlock 23304b7a39f9f3ff067d8d8f9e24ecc7Ciphertext 23304b7a39f9f3ff067d8d8f9e24ecc7

F.1.6 ECB-AES256.DecryptKey 603deb1015ca71be2b73aef0857d7781

1f352c073b6108d72d9810a30914dff4Block#1Ciphertext f3eed1bdb5d2a03c064b5a7e3db181f8InputBlock f3eed1bdb5d2a03c064b5a7e3db181f8OutputBlock 6bc1bee22e409f96e93d7e117393172aPlaintext 6bc1bee22e409f96e93d7e117393172aBlock#2

Ciphertext 591ccb10d410ed26dc5ba74a31362870InputBlock 591ccb10d410ed26dc5ba74a31362870OutputBlock ae2d8a571e03ac9c9eb76fac45af8e51Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext b6ed21b99ca6f4f9f153e7b1beafed1dInputBlock b6ed21b99ca6f4f9f153e7b1beafed1dOutputBlock 30c81c46a35ce411e5fbc1191a0a52efPlaintext 30c81c46a35ce411e5fbc1191a0a52ef

26


34/66

Block#4Ciphertext 23304b7a39f9f3ff067d8d8f9e24ecc7InputBlock 23304b7a39f9f3ff067d8d8f9e24ecc7OutputBlock f69f2445df4f9b17ad2b417be66c3710Plaintext f69f2445df4f9b17ad2b417be66c3710

F.2 CBC Example Vectors

F.2.1 CBC-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc0bce12a459991e134741a7f9e1925OutputBlock 7649abac8119b246cee98e9b12e9197dCiphertext 7649abac8119b246cee98e9b12e9197dBlock#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51

InputBlock d86421fb9f1a1eda505ee1375746972cOutputBlock 5086cb9b507219ee95db113a917678b2Ciphertext 5086cb9b507219ee95db113a917678b2Block#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 604ed7ddf32efdff7020d0238b7c2a5dOutputBlock 73bed6b8e3c1743b7116e69e22229516Ciphertext 73bed6b8e3c1743b7116e69e22229516Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock 8521f2fd3c8eef2cdc3da7e5c44ea206OutputBlock 3ff1caa1681fac09120eca307586e1a7Ciphertext 3ff1caa1681fac09120eca307586e1a7

F.2.2 CBC-AES128.DecryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fBlock#1Ciphertext 7649abac8119b246cee98e9b12e9197dInputBlock 7649abac8119b246cee98e9b12e9197dOutputBlock 6bc0bce12a459991e134741a7f9e1925Plaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext 5086cb9b507219ee95db113a917678b2InputBlock 5086cb9b507219ee95db113a917678b2OutputBlock d86421fb9f1a1eda505ee1375746972cPlaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext 73bed6b8e3c1743b7116e69e22229516InputBlock 73bed6b8e3c1743b7116e69e22229516OutputBlock 604ed7ddf32efdff7020d0238b7c2a5dPlaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4Ciphertext 3ff1caa1681fac09120eca307586e1a7InputBlock 3ff1caa1681fac09120eca307586e1a7

27


35/66

OutputBlock 8521f2fd3c8eef2cdc3da7e5c44ea206Plaintext f69f2445df4f9b17ad2b417be66c3710

F.2.3 CBC-AES192.EncryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bIV 000102030405060708090a0b0c0d0e0f

Block#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc0bce12a459991e134741a7f9e1925OutputBlock 4f021db243bc633d7178183a9fa071e8Ciphertext 4f021db243bc633d7178183a9fa071e8Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock e12f97e55dbfcfa1efcf7796da0fffb9OutputBlock b4d9ada9ad7dedf4e5e738763f69145aCiphertext b4d9ada9ad7dedf4e5e738763f69145aBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock 8411b1ef0e2109e5001cf96f256346b5

OutputBlock 571b242012fb7ae07fa9baac3df102e0Ciphertext 571b242012fb7ae07fa9baac3df102e0Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710InputBlock a1840065cdb4e1f7d282fbd7db9d35f0OutputBlock 08b0e27988598881d920a9e64f5615cdCiphertext 08b0e27988598881d920a9e64f5615cd

F.2.4 CBC-AES192.DecryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bIV 000102030405060708090a0b0c0d0e0fBlock#1

Ciphertext 4f021db243bc633d7178183a9fa071e8InputBlock 4f021db243bc633d7178183a9fa071e8OutputBlock 6bc0bce12a459991e134741a7f9e1925Plaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext b4d9ada9ad7dedf4e5e738763f69145aInputBlock b4d9ada9ad7dedf4e5e738763f69145aOutputBlock e12f97e55dbfcfa1efcf7796da0fffb9Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext 571b242012fb7ae07fa9baac3df102e0InputBlock 571b242012fb7ae07fa9baac3df102e0OutputBlock 8411b1ef0e2109e5001cf96f256346b5

Plaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4Ciphertext 08b0e27988598881d920a9e64f5615cdInputBlock 08b0e27988598881d920a9e64f5615cdOutputBlock a1840065cdb4e1f7d282fbd7db9d35f0Plaintext f69f2445df4f9b17ad2b417be66c3710

F.2.5 CBC-AES256.EncryptKey 603deb1015ca71be2b73aef0857d7781

28


36/66

1f352c073b6108d72d9810a30914dff4

IV 000102030405060708090a0b0c0d0e0fBlock#1Plaintext 6bc1bee22e409f96e93d7e117393172aInputBlock 6bc0bce12a459991e134741a7f9e1925OutputBlock f58c4c04d6e5f1ba779eabfb5f7bfbd6

Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6Block#2Plaintext ae2d8a571e03ac9c9eb76fac45af8e51InputBlock 5ba1c653c8e65d26e929c4571ad47587OutputBlock 9cfc4e967edb808d679f777bc6702c7dCiphertext 9cfc4e967edb808d679f777bc6702c7dBlock#3Plaintext 30c81c46a35ce411e5fbc1191a0a52efInputBlock ac3452d0dd87649c8264b662dc7a7e92OutputBlock 39f23369a9d9bacfa530e26304231461Ciphertext 39f23369a9d9bacfa530e26304231461Block#4Plaintext f69f2445df4f9b17ad2b417be66c3710

InputBlock cf6d172c769621d8081ba318e24f2371OutputBlock b2eb05e2c39be9fcda6c19078c6a9d1bCiphertext b2eb05e2c39be9fcda6c19078c6a9d1b

F.2.6 CBC-AES256.DecryptKey 603deb1015ca71be2b73aef0857d7781

1f352c073b6108d72d9810a30914dff4IV 000102030405060708090a0b0c0d0e0fBlock#1Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6InputBlock f58c4c04d6e5f1ba779eabfb5f7bfbd6OutputBlock 6bc0bce12a459991e134741a7f9e1925Plaintext 6bc1bee22e409f96e93d7e117393172aBlock#2Ciphertext 9cfc4e967edb808d679f777bc6702c7dInputBlock 9cfc4e967edb808d679f777bc6702c7dOutputBlock 5ba1c653c8e65d26e929c4571ad47587Plaintext ae2d8a571e03ac9c9eb76fac45af8e51Block#3Ciphertext 39f23369a9d9bacfa530e26304231461InputBlock 39f23369a9d9bacfa530e26304231461OutputBlock ac3452d0dd87649c8264b662dc7a7e92Plaintext 30c81c46a35ce411e5fbc1191a0a52efBlock#4Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b

InputBlock b2eb05e2c39be9fcda6c19078c6a9d1bOutputBlock cf6d172c769621d8081ba318e24f2371Plaintext f69f2445df4f9b17ad2b417be66c3710

F.3 CFB Example Vectors

F.3.1 CFB1-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3c

000102030405060708090a0b0c0d0e0f

29

IV


37/66

Segment#1InputBlockOutputBlockPlaintextCiphertextSegment#2

InputBlockOutputBlockPlaintextCiphertextSegment#3InputBlockOutputBlockPlaintextCiphertextSegment#4InputBlockOutputBlockPlaintext

CiphertextSegment#5InputBlockOutputBlockPlaintextCiphertextSegment#6InputBlockOutputBlockPlaintextCiphertextSegment#7InputBlock

OutputBlockPlaintextCiphertextSegment#8InputBlockOutputBlockPlaintextCiphertextSegment#9InputBlockOutputBlockPlaintext

CiphertextSegment#10InputBlockOutputBlockPlaintextCiphertextSegment#11InputBlockOutputBlockPlaintext

000102030405060708090a0b0c0d0e0f50fe67cc996d32b6da0937e99bafec6000

00020406080a0c0e10121416181a1c1e19cf576c7596e702f298b35666955c7911

0004080c1014181c2024282c3034383d59e17759acd02b801fa321ea059e331f11

0008101820283038404850586068707b71f415b0cc109e8b0faa14ab740c22f40

0

00102030405060708090a0b0c0d0e0f63fb76d3d1048179964597a0f64d5adad11

0020406080a0c0e10121416181a1c1ed4c943b4bac54ab974e3e52326d29aaa100

004080c1014181c2024282c3034383da

c94da41eb3d3acf1993a512ab1e8203f10

008101820283038404850586068707b4e07f5e98778f75dbb2691c3f582c395310

0102030405060708090a0b0c0d0e0f6802ef5fc8961efcce8568bc0731262dc71

1

020406080a0c0e10121416181a1c1ed19f5a30367065efbe914b53698c8716b710

04080c1014181c2024282c3034383da2d018cfb81d0580edbff955ed74d382db0

30


38/66

Ciphertext 1Segment#12InputBlock 08101820283038404850586068707b45OutputBlock 81272ab351e08e0b695b94b8164d86f4Plaintext 0Ciphertext 1

Segment#13InputBlock 102030405060708090a0b0c0d0e0f68bOutputBlock 094d33f856483d3fa01ba94f7e5ab3e7Plaintext 0Ciphertext 0Segment#14InputBlock 20406080a0c0e10121416181a1c1ed16OutputBlock 609900ad61923c8c102cd8d0d7947a2cPlaintext 0Ciphertext 0Segment#15InputBlock 4080c1014181c2024282c3034383da2cOutputBlock 9e5a154de966ab4db9c88b22a398134e

Plaintext 0Ciphertext 1Segment#16InputBlock 8101820283038404850586068707b459OutputBlock 7fe16252b338bc4de3725c4156dfed20Plaintext 1Ciphertext 1

F.3.2 CFB1-AES128.DecryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fSegment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock 50fe67cc996d32b6da0937e99bafec60Ciphertext 0Plaintext 0Segment#2InputBlock 00020406080a0c0e10121416181a1c1eOutputBlock 19cf576c7596e702f298b35666955c79Ciphertext 1Plaintext 1Segment#3InputBlock 0004080c1014181c2024282c3034383dOutputBlock 59e17759acd02b801fa321ea059e331fCiphertext 1

Plaintext 1Segment#4InputBlock 0008101820283038404850586068707bOutputBlock 71f415b0cc109e8b0faa14ab740c22f4Ciphertext 0Plaintext 0Segment#5InputBlock 00102030405060708090a0b0c0d0e0f6OutputBlock 3fb76d3d1048179964597a0f64d5adad

31


39/66

CiphertextPlaintextSegment#6InputBlockOutputBlockCiphertext

PlaintextSegment#7InputBlockOutputBlockCiphertextPlaintextSegment#8InputBlockOutputBlockCiphertextPlaintextSegment#9InputBlock

OutputBlockCiphertextPlaintextSegment#10InputBlockOutputBlockCiphertextPlaintextSegment#11InputBlockOutputBlockCiphertextPlaintext

Segment#12InputBlockOutputBlockCiphertextPlaintextSegment#13InputBlockOutputBlockCiphertextPlaintextSegment#14InputBlock

OutputBlockCiphertextPlaintextSegment#15InputBlockOutputBlockCiphertextPlaintextSegment#16InputBlock

11

0020406080a0c0e10121416181a1c1ed4c943b4bac54ab974e3e52326d29aaa10

0

004080c1014181c2024282c3034383dac94da41eb3d3acf1993a512ab1e8203f01

008101820283038404850586068707b4e07f5e98778f75dbb2691c3f582c395301

0102030405060708090a0b0c0d0e0f68

02ef5fc8961efcce8568bc0731262dc711

020406080a0c0e10121416181a1c1ed19f5a30367065efbe914b53698c8716b701

04080c1014181c2024282c3034383da2d018cfb81d0580edbff955ed74d382db10

08101820283038404850586068707b4581272ab351e08e0b695b94b8164d86f410

102030405060708090a0b0c0d0e0f68b094d33f856483d3fa01ba94f7e5ab3e700

20406080a0c0e10121416181a1c1ed16

609900ad61923c8c102cd8d0d7947a2c00

4080c1014181c2024282c3034383da2c9e5a154de966ab4db9c88b22a398134e10

8101820283038404850586068707b459

32


40/66

OutputBlock 7fe16252b338bc4de3725c4156dfed20Ciphertext 1Plaintext 1

F.3.3 CFB1-AES192.EncryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b

IV 000102030405060708090a0b0c0d0e0fSegment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock a609b38df3b1133dddff2718ba09565ePlaintext 0Ciphertext 1Segment#2InputBlock 00020406080a0c0e10121416181a1c1fOutputBlock a0e2bee6eb1734379bd4908be6a991a0Plaintext 1Ciphertext 0Segment#3InputBlock 0004080c1014181c2024282c3034383e

OutputBlock b1a1766bedec7ee3ba9cd3f34fbed4c6Plaintext 1Ciphertext 0Segment#4InputBlock 0008101820283038404850586068707cOutputBlock b294ae5f393ae0179e6d3d8c45a7a4b9Plaintext 0Ciphertext 1Segment#5InputBlock 00102030405060708090a0b0c0d0e0f9OutputBlock f0f703ff5d0634aa8aee7f1e26aafca3Plaintext 1Ciphertext 0Segment#6InputBlock 0020406080a0c0e10121416181a1c1f2OutputBlock 4d67df426abdb8c89e7de9fb3069d8bePlaintext 0Ciphertext 0Segment#7InputBlock 004080c1014181c2024282c3034383e4OutputBlock 30bc892338dfa10664118b9f4ba348d2Plaintext 1Ciphertext 1Segment#8InputBlock 008101820283038404850586068707c9

OutputBlock 763ad8c63ed78d66452bb44c8bb7a8c8Plaintext 1Ciphertext 1Segment#9InputBlock 0102030405060708090a0b0c0d0e0f93OutputBlock bfc36f5cfbc1306859b48f8fa62a43dfPlaintext 1Ciphertext 0Segment#10

33


41/66

InputBlock 020406080a0c0e10121416181a1c1f26OutputBlock 16e27adac112a0bf6a69c95cbdf584a3Plaintext 1Ciphertext 1Segment#11InputBlock 04080c1014181c2024282c3034383e4d

OutputBlock 1e9d21c3da3de9186251160045756ce0Plaintext 0Ciphertext 0Segment#12InputBlock 08101820283038404850586068707c9aOutputBlock b836e0f661b51d8bd38c448e0e5a11bbPlaintext 0Ciphertext 1Segment#13InputBlock 102030405060708090a0b0c0d0e0f935OutputBlock c5efcdd09dbb92d1faada8f6c9bab052Plaintext 0Ciphertext 1

Segment#14InputBlock 20406080a0c0e10121416181a1c1f26bOutputBlock 7c99710018d88e40bd4ac8f1b2bf4dbbPlaintext 0Ciphertext 0Segment#15InputBlock 4080c1014181c2024282c3034383e4d6OutputBlock 173bcd8b4dad60ae6646813fdcb81f5bPlaintext 0Ciphertext 0Segment#16InputBlock 8101820283038404850586068707c9acOutputBlock 09844c6d2272d148d5af1c7bf01bb439

Plaintext 1Ciphertext 1

F.3.4 CFB1-AES192.DecryptKey 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7bIV 000102030405060708090a0b0c0d0e0fSegment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock a609b38df3b1133dddff2718ba09565eCiphertext 1Plaintext 0Segment#2

InputBlock 00020406080a0c0e10121416181a1c1fOutputBlock a0e2bee6eb1734379bd4908be6a991a0Ciphertext 0Plaintext 1Segment#3InputBlock 0004080c1014181c2024282c3034383eOutputBlock b1a1766bedec7ee3ba9cd3f34fbed4c6Ciphertext 0Plaintext 1

34


42/66

Segment#4InputBlockOutputBlockCiphertextPlaintextSegment#5

InputBlockOutputBlockCiphertextPlaintextSegment#6InputBlockOutputBlockCiphertextPlaintextSegment#7InputBlockOutputBlockCiphertext


OutputBlockCiphertextPlaintextSegment#11InputBlockOutputBlockCiphertextPlaintextSegment#12InputBlockOutputBlockCiphertext

PlaintextSegment#13InputBlockOutputBlockCiphertextPlaintextSegment#14InputBlockOutputBlockCiphertext

0008101820283038404850586068707cb294ae5f393ae0179e6d3d8c45a7a4b910

00102030405060708090a0b0c0d0e0f9f0f703ff5d0634aa8aee7f1e26aafca301

0020406080a0c0e10121416181a1c1f24d67df426abdb8c89e7de9fb3069d8be00

004080c1014181c2024282c3034383e430bc892338dfa10664118b9f4ba348d21

1

008101820283038404850586068707c9763ad8c63ed78d66452bb44c8bb7a8c811

0102030405060708090a0b0c0d0e0f93bfc36f5cfbc1306859b48f8fa62a43df01

020406080a0c0e10121416181a1c1f26

16e27adac112a0bf6a69c95cbdf584a311

04080c1014181c2024282c3034383e4d1e9d21c3da3de9186251160045756ce000

08101820283038404850586068707c9ab836e0f661b51d8bd38c448e0e5a11bb1

0

102030405060708090a0b0c0d0e0f935c5efcdd09dbb92d1faada8f6c9bab05210

20406080a0c0e10121416181a1c1f26b7c99710018d88e40bd4ac8f1b2bf4dbb0

35


43/66


44/66

OutputBlock bb9e05db9855a9e7e3837a648dd4c3b0Plaintext 1Ciphertext 0Segment#9InputBlock 0102030405060708090a0b0c0d0e0f90OutputBlock a413c5714f70287dfcd943004bf7ac8e

Plaintext 1Ciphertext 0Segment#10InputBlock 020406080a0c0e10121416181a1c1f20OutputBlock a7310abf87610d66edf6c892a84460d5Plaintext 1Ciphertext 0Segment#11InputBlock 04080c1014181c2024282c3034383e40OutputBlock 8aec6712d89bd147c83b51d787b11399Plaintext 0Ciphertext 1Segment#12

InputBlock 08101820283038404850586068707c81OutputBlock 2ff05b620f68134f4ba92deffbfc93b2Plaintext 0Ciphertext 0Segment#13InputBlock 102030405060708090a0b0c0d0e0f902OutputBlock 819208afd5284316065a76bead028ad3Plaintext 0Ciphertext 1Segment#14InputBlock 20406080a0c0e10121416181a1c1f205OutputBlock 1914ed64b2115167ce2ca4c813da5245Plaintext 0

Ciphertext 0Segment#15InputBlock 4080c1014181c2024282c3034383e40aOutputBlock 638abae8724a954ae9e1e2e119deb6e1Plaintext 0Ciphertext 0Segment#16InputBlock 8101820283038404850586068707c814OutputBlock 2b4f488a3f958c52a3f1db2da938360ePlaintext 1Ciphertext 1

F.3.6 CFB1-AES256.DecryptKey 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4000102030405060708090a0b0c0d0e0f

Segment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock b7bf3a5df43989dd97f0fa97ebce2f4aCiphertext 1Plaintext 0

37

IV


45/66

Segment#2InputBlockOutputBlockCiphertextPlaintextSegment#3

InputBlockOutputBlockCiphertextPlaintextSegment#4InputBlockOutputBlockCiphertextPlaintextSegment#5InputBlockOutputBlockCiphertext


OutputBlockCiphertextPlaintextSegment#9InputBlockOutputBlockCiphertextPlaintextSegment#10InputBlockOutputBlockCiphertext

PlaintextSegment#11InputBlockOutputBlockCiphertextPlaintextSegment#12InputBlockOutputBlockCiphertext

00020406080a0c0e10121416181a1c1fee93d380e0f01117fffd78017599514a01

0004080c1014181c2024282c3034383e857749898b3602aad91e699911de89b001

0008101820283038404850586068707cdce81c80810e2ba343a6bb402716b7a810

00102030405060708090a0b0c0d0e0f9e5517bfcdccea00501350a601f7548230

1

0020406080a0c0e10121416181a1c1f215799c7f4081a78cc41f29955349c5a000

004080c1014181c2024282c3034383e484d246bdb391f6a7979ff5ccb846726201

008101820283038404850586068707c8

bb9e05db9855a9e7e3837a648dd4c3b001

0102030405060708090a0b0c0d0e0f90a413c5714f70287dfcd943004bf7ac8e01

020406080a0c0e10121416181a1c1f20a7310abf87610d66edf6c892a84460d50

1

04080c1014181c2024282c3034383e408aec6712d89bd147c83b51d787b1139910

08101820283038404850586068707c812ff05b620f68134f4ba92deffbfc93b20

38


46/66

Plaintext 0Segment#13InputBlock 102030405060708090a0b0c0d0e0f902OutputBlock 819208afd5284316065a76bead028ad3Ciphertext 1Plaintext 0

Segment#14InputBlock 20406080a0c0e10121416181a1c1f205OutputBlock 1914ed64b2115167ce2ca4c813da5245Ciphertext 0Plaintext0Segment#15InputBlock 4080c1014181c2024282c3034383e40aOutputBlock 638abae8724a954ae9e1e2e119deb6e1Ciphertext 0Plaintext 0Segment#16InputBlock 8101820283038404850586068707c814OutputBlock 2b4f488a3f958c52a3f1db2da938360e

Ciphertext 1Plaintext 1

F.3.7 CFB8-AES128.EncryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fSegment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock 50fe67cc996d32b6da0937e99bafec60Plaintext 6bCiphertext 3bSegment#2InputBlock 0102030405060708090a0b0c0d0e0f3bOutputBlock b8eb865a2b026381abb1d6560ed20f68Plaintext c1Ciphertext 79Segment#3InputBlock 02030405060708090a0b0c0d0e0f3b79OutputBlock fce6033b4edce64cbaed3f61ff5b927cPlaintext beCiphertext 42Segment#4InputBlock 030405060708090a0b0c0d0e0f3b7942OutputBlock ae4e5e7ffe805f7a4395b180004f8ca8Plaintext e2

Ciphertext 4cSegment#5InputBlock 0405060708090a0b0c0d0e0f3b79424cOutputBlock b205eb89445b62116f1deb988a81e6ddPlaintext 2eCiphertext 9cSegment#6InputBlock 05060708090a0b0c0d0e0f3b79424c9cOutputBlock 4d21d456a5e239064fff4be0c0f85488

39


47/66

PlaintextCiphertextSegment#7InputBlockOutputBlockPlaintext

CiphertextSegment#8InputBlockOutputBlockPlaintextCiphertextSegment#9InputBlockOutputBlockPlaintextCiphertextSegment#10InputBlock

OutputBlockPlaintextCiphertextSegment#11InputBlockOutputBlockPlaintextCiphertextSegment#12InputBlockOutputBlockPlaintextCiphertext

Segment#13InputBlockOutputBlockPlaintextCiphertextSegment#14InputBlockOutputBlockPlaintextCiphertextSegment#15InputBlock

OutputBlockPlaintextCiphertextSegment#16InputBlockOutputBlockPlaintextCiphertextSegment#17InputBlock

400d

060708090a0b0c0d0e0f3b79424c9c0d4b2f5c3895b9efdc85ee0c5178c7fd339f

d4

0708090a0b0c0d0e0f3b79424c9c0dd4a0976d856da260a34104d1a80953db4c9636

08090a0b0c0d0e0f3b79424c9c0dd43653674e5890a2c71b0f6a27a094e5808ce9ba

090a0b0c0d0e0f3b79424c9c0dd436ba

f34cd32ffed495f8bc8adba194eccb7a3dce

0a0b0c0d0e0f3b79424c9c0dd436bacee08cf2407d7ed676c9049586f1d48ba67e9e

0b0c0d0e0f3b79424c9c0dd436bace9e1f5c88a19b6ca28e99c9aeb8982a6dd8110e

0c0d0e0f3b79424c9c0dd436bace9e0ea70e63df781cf395a208bd2365c8779b73d4

0d0e0f3b79424c9c0dd436bace9e0ed4cbcfe8b3bcf9ac202ce18420013319ab9358

0e0f3b79424c9c0dd436bace9e0ed458

7d9fac6604b3c8c5b1f8c5a00956cf56176a

0f3b79424c9c0dd436bace9e0ed4586a65c3fa64bf0343986825c636f4a1efd22a4f

3b79424c9c0dd436bace9e0ed4586a4f

40


48/66

OutputBlock 9cff5e5ff4f554d56c924b9d6a6de21dPlaintext aeCiphertext 32Segment#18InputBlock 79424c9c0dd436bace9e0ed4586a4f32OutputBlock 946c3dc1584cc18400ecd8c6052c44b1

Plaintext 2dCiphertext b9

F.3.8 CFB8-AES128.DecryptKey 2b7e151628aed2a6abf7158809cf4f3cIV 000102030405060708090a0b0c0d0e0fSegment#1InputBlock 000102030405060708090a0b0c0d0e0fOutputBlock 50fe67cc996d32b6da0937e99bafec60Ciphertext 3bPlaintext 6bSegment#2InputBlock 0102030405060708090a0b0c0d0e0f3b

OutputBlock b8eb865a2b026381abb1d6560ed20f68Ciphertext 79Plaintext c1Segment#3InputBlock 02030405060708090a0b0c0d0e0f3b79OutputBlock fce6033b4edce64cbaed3f61ff5b927cCiphertext 42Plaintext beSegment#4InputBlock 030405060708090a0b0c0d0e0f3b7942OutputBlock ae4e5e7ffe805f7a4395b180004f8ca8Ciphertext 4cPlaintext e2Segment#5InputBlock 0405060708090a0b0c0d0e0f3b79424cOutputBlock b205eb89445b62116f1deb988a81e6ddCiphertext 9cPlaintext 2eSegment#6InputBlock 05060708090a0b0c0d0e0f3b79424c9cOutputBlock 4d21d456a5e239064fff4be0c0f85488Ciphertext 0dPlaintext 40Segment#7InputBlock 060708090a0b0c0d0e0f3b79424c9c0d

OutputBlock