ISO/IEC 10116:2006
Information technology - Security techniques - Modes of operation for an n-bit block cipher
ISO/IEC 10116:2006 specifies modes of operation for an n-bit block cipher. These modes provide methods for encrypting and decrypting data where the bit length of the data may exceed the block size of the block cipher. The modes specified in ISO/IEC 10116:2006 only provide protection of data confidentiality. Protection of data integrity and requirements for padding the data are not within the scope of ISO/IEC 10116:2006. ISO/IEC 10116:2006 specifies five modes of operation: Electronic Codebook (ECB); Cipher Block Chaining (CBC), with optional interleaving; Cipher Feedback (CFB); Output Feedback (OFB); and Counter (CTR). The Annexes of ISO/IEC 10116:2006 provide object identifiers (according to ISO/IEC 9834) for each mode, a description of the properties of each mode, and diagrams and examples of each mode. Block ciphers are specified in ISO/IEC 18033-3.
Frequently Asked Questions
ISO/IEC 10116:2006 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 10116:2006 has the following relationships with other standards: it was replaced by ISO/IEC 10116:2017, and it itself replaced ISO/IEC 10116:1997. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 10116:2006 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 10116
Third edition
2006-02-01
Information technology — Security techniques — Modes of operation for an n-bit block cipher
© ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 Requirements
6 Electronic Codebook (ECB) mode
  6.1 Preliminaries
  6.2 Encryption
  6.3 Decryption
7 Cipher Block Chaining (CBC) mode
  7.1 Preliminaries
  7.2 Encryption
  7.3 Decryption
8 Cipher Feedback (CFB) mode
  8.1 Preliminaries
  8.2 Encryption
  8.3 Decryption
9 Output Feedback (OFB) mode
  9.1 Preliminaries
  9.2 Encryption
  9.3 Decryption
10 Counter (CTR) mode
  10.1 Preliminaries
  10.2 Encryption
  10.3 Decryption
Annex A (normative) Object identifiers
Annex B (informative) Properties of the modes of operation
  B.1 Properties of the Electronic Codebook (ECB) mode of operation
  B.2 Properties of the Cipher Block Chaining (CBC) mode of operation
  B.3 Properties of the Cipher Feedback (CFB) mode of operation
  B.4 Properties of the Output Feedback (OFB) mode of operation
  B.5 Properties of the Counter (CTR) mode of operation
Annex C (informative) Figures describing the modes of operation
Annex D (informative) Examples for the Modes of Operation
  D.1 General
  D.2 Triple Data Encryption Algorithm
    D.2.1 ECB Mode
    D.2.2 CBC Mode
    D.2.3 CFB Mode
    D.2.4 OFB Mode
    D.2.5 Counter Mode
  D.3 Advanced Encryption Standard
    D.3.1 ECB Mode
    D.3.2 CBC Mode
    D.3.3 CFB Mode
    D.3.4 OFB Mode
    D.3.5 Counter Mode
Bibliography
Figures
  C.1 The Cipher Block Chaining (CBC) mode of operation with m=1
  C.2 The Cipher Block Chaining (CBC) mode of operation
  C.3 The Cipher Feedback (CFB) mode of operation
  C.4 The Output Feedback (OFB) mode of operation
  C.5 The Counter (CTR) mode of operation
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 10116 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 10116:1997), which has been revised. Implementations that comply with ISO/IEC 10116:1997 will also comply with this third edition.
The main technical changes between the second edition and this third edition are as follows:
a) CBC mode has been extended to permit interleaving; and
b) a new mode (Counter mode) has been introduced.
Introduction
ISO/IEC 10116 specifies modes of operation for an n-bit block cipher. These modes provide
methods for encrypting and decrypting data where the bit length of the data may exceed the
size n of the block cipher.
This third edition of ISO/IEC 10116 specifies five modes of operation:
a) Electronic Codebook (ECB);
b) Cipher Block Chaining (CBC);
c) Cipher Feedback (CFB);
d) Output Feedback (OFB); and
e) Counter (CTR).
INTERNATIONAL STANDARD ISO/IEC 10116:2006(E)
Information technology — Security techniques — Modes of operation for an n-bit block cipher
1 Scope
This International Standard establishes five modes of operation for applications of an n-bit block cipher (e.g. protection of data transmission, data storage). The defined modes only provide protection of data confidentiality. Protection of data integrity and requirements for padding the data are not within the scope of this International Standard. Also, most modes do not protect the confidentiality of message length information.
This International Standard specifies the modes of operation and gives recommendations for choosing values of parameters (as appropriate).
The modes of operation specified in this International Standard have been assigned object identifiers in accordance with ISO/IEC 9834. The list of assigned object identifiers is given in Annex A. In applications in which object identifiers are used, the object identifiers specified in Annex A are to be used in preference to any other object identifiers that may exist for the mode concerned.
NOTE Annex B (informative) contains comments on the properties of each mode. Block ciphers
are specified in ISO/IEC 18033-3.
2 Normative references
The following referenced documents are indispensable for the application of this document. For
dated references, only the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
ISO/IEC 18033-3, Information technology – Security techniques – Encryption algorithms – Part 3:
Block ciphers.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
block chaining
encryption of information in such a way that each block of ciphertext is cryptographically dependent upon a preceding ciphertext block.
3.2
block cipher
symmetric encryption algorithm with the property that the encryption algorithm operates on a
block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext.
[ISO/IEC 18033-1]
3.3
ciphertext
data which has been transformed to hide its information content.
3.4
counter
bit array of length n bits (where n is the size of the underlying block cipher) which is used in the Counter mode; its value when considered as the binary representation of an integer increases by one (modulo 2^n) after each block of plaintext is processed.
3.5
cryptographic synchronization
co-ordination of the encryption and decryption processes.
3.6
decryption
reversal of a corresponding encryption.
[ISO/IEC 18033-1]
3.7
encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to
hide the information content of the data.
[ISO/IEC 18033-1]
3.8
feedback buffer (FB)
variable used to store input data for the encryption process. At the starting point FB has the
value of SV.
3.9
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encryption, decryption).
[ISO/IEC 18033-1]
3.10
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length.
3.11
plaintext
unencrypted information.
3.12
starting variable (SV)
variable possibly derived from some initialization value and used in defining the starting point
of the modes of operation.
NOTE The method of deriving the starting variable from the initializing value is not defined in
this International Standard. It needs to be described in any application of the modes of operation.
4 Symbols (and abbreviated terms)
C    Ciphertext block.
CTR  Counter value.
d_K  Decryption function of the block cipher keyed by key K.
E    Intermediate variable.
e_K  Encryption function of the block cipher keyed by key K.
F    Intermediate variable.
FB   Feedback buffer.
i    Iteration.
j    Size of plaintext/ciphertext variable.
K    Key.
n    Plaintext/ciphertext block length for a block cipher.
m    Number of stored ciphertext blocks.
P    Plaintext block.
q    Number of plaintext/ciphertext variables.
r    Size of feedback buffer.
SV   Starting variable.
X    Block cipher input block.
Y    Block cipher output block.
|    Concatenation of bit strings.
4.1 a mod n
For integers a and n, a mod n denotes the (non-negative) remainder obtained when a is divided by n. Equivalently, if b = a mod n, then b is the unique integer satisfying:
— 0 ≤ b < n
— (b − a) is an integer multiple of n
4.2 array of bits
A variable denoted by a capital letter, such as P and C, represents a one-dimensional array of bits. For example,
A = (a_1, a_2, ..., a_m) and B = (b_1, b_2, ..., b_m)
are arrays of m bits, numbered from 1 to m. All arrays of bits are written with the bit with the index 1 in the leftmost position. When interpreting a bit array as an integer the leftmost bit shall be the most significant bit.
4.3 bitwise addition modulo 2
The operation of bitwise addition, modulo 2, also known as the "exclusive or" function, is shown by the symbol ⊕. The operation when applied to arrays A and B of the same length is defined as
A ⊕ B = (a_1 ⊕ b_1, a_2 ⊕ b_2, ..., a_m ⊕ b_m)
4.4 decryption
The decryption relation defined by the block cipher is written
P = d_K(C)
where
— P is the plaintext block;
— C is the ciphertext block;
— K is the key.
4.5 encryption
The encryption relation defined by the block cipher is written
C = e_K(P)
where
— P is the plaintext block;
— C is the ciphertext block;
— K is the key.
4.6 selection of bits
The operation of selecting the j leftmost bits of an array A = (a_1, a_2, ..., a_m) to generate a j-bit array is written
(j ∼ A) = (a_1, a_2, ..., a_j)
The operation is defined only when 1 ≤ j ≤ m.
4.7 shift operation
A "shift function" S_t is defined as follows: Given an m-bit variable X and a t-bit variable F where 1 ≤ t ≤ m, the effect of the shift function S_t(X | F) is to produce the m-bit variable
S_t(X | F) = (x_{t+1}, x_{t+2}, ..., x_m, f_1, f_2, ..., f_t)   (t < m)
S_t(X | F) = (f_1, f_2, ..., f_t)   (t = m)
The effect is to shift the bits of array X left by t places, discarding x_1, x_2, ..., x_t, and to place the array F in the rightmost t places of X. When t = m the effect is to totally replace X by F.
4.8 I(t)
The variable I(t) is a t-bit variable where the value 1 is assigned to every bit.
5 Requirements
For some of the described modes, padding of the plaintext variables may be required. Padding techniques, although important from a security perspective, are not within the scope of this International Standard, and throughout this standard it is assumed that any padding, as necessary, has already occurred.
NOTE Advice on the selection of a padding method for use with the CBC mode of operation is
provided in Annex B.2.3.
For the Cipher Block Chaining (CBC) mode of operation (see clause 7), one parameter m
needs to be selected. For the Cipher Feedback (CFB) mode of operation (see clause 8), three
parameters r,j and k need to be selected. For the Output Feedback (OFB) mode of operation
(see clause 9) and the Counter (CTR) mode of operation (see clause 10), one parameter j needs
to be selected. When one of these modes of operation is used the same parameter value(s) need
to be chosen and used by all communicating parties. These parameters need not be kept secret.
All modes of operation specified in this International Standard require the parties encrypting and decrypting a data string to share a secret key K for the block cipher in use. All modes of operation apart from the Electronic Codebook (ECB) mode also require the parties to share a starting variable SV, where the length of SV will depend on the mode in use. The value of the starting variable should normally be different for every data string encrypted using a particular key (see also Annex B). How keys and starting variables are managed and distributed is outside the scope of this International Standard.
6 Electronic Codebook (ECB) mode
6.1 Preliminaries
The variables employed by the ECB mode of encryption are
a) The input variables
1) A sequence of q plaintext blocks P_1, P_2, ..., P_q, each of n bits.
2) A key K.
b) The output variables, i.e. a sequence of q ciphertext variables C_1, C_2, ..., C_q, each of n bits.
6.2 Encryption
The ECB mode of encryption operates as follows:
C_i = e_K(P_i) for i = 1, 2, ..., q.
6.3 Decryption
The ECB mode of decryption operates as follows:
P_i = d_K(C_i) for i = 1, 2, ..., q.
7 Cipher Block Chaining (CBC) mode
7.1 Preliminaries
The CBC mode of operation is defined by an interleave parameter m > 0, the number of
ciphertext blocks that must be stored whilst processing the mode. The value of m should be
small (typically m=1) and at most 1024.
NOTE The choice of 1024 as the upper limit for m is somewhat arbitrary. It is intended to provide a realistic upper bound on the number of hardware processors.
The variables employed by the CBC mode are
a) The input variables
1) A sequence of q plaintext blocks P_1, P_2, ..., P_q, each of n bits.
2) A key K.
3) A sequence of m starting variables SV_1, SV_2, ..., SV_m, each of n bits.
NOTE If m = 1 then this mode is compatible with the CBC mode described in the second edition of this standard (ISO/IEC 10116:1997).
b) The output variables, i.e. a sequence of q ciphertext variables C_1, C_2, ..., C_q, each of n bits.
7.2 Encryption
The CBC mode of encryption operates as follows:
C_i = e_K(P_i ⊕ SV_i), 1 ≤ i ≤ min(m, q)
If q > m, all subsequent plaintext blocks are encrypted as:
C_i = e_K(P_i ⊕ C_{i−m}), m + 1 ≤ i ≤ q
NOTE At any time during the computation, the values of the m most recent ciphertext blocks need to be stored, e.g. in a cyclically used "feedback buffer" FB (see figure C.2).
This procedure is shown in the left side of figure C.2.
7.3 Decryption
The CBC mode of decryption operates as follows:
P_i = d_K(C_i) ⊕ SV_i, 1 ≤ i ≤ min(m, q)
If q > m, all subsequent plaintext blocks are computed as:
P_i = d_K(C_i) ⊕ C_{i−m}, m + 1 ≤ i ≤ q
NOTE At any time during the computation, the values of the m most recent ciphertext blocks need to be stored, e.g. in a cyclically used "feedback buffer" FB (see figure C.2).
This procedure is shown in the right side of figure C.2.
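As an added worked example (not part of the standard, and not one of the Annex D test vectors), the following Python implements clauses 6 and 7 over a toy 64-bit Feistel cipher that stands in for an ISO/IEC 18033-3 block cipher. The cipher, key, starting variables and plaintext blocks are all assumptions constructed for illustration; the point is the mode logic: ECB encrypts each block independently (so equal plaintext blocks give equal ciphertext blocks), and interleaved CBC with parameter m is exactly m independent m = 1 CBC chains driven by one cyclic feedback buffer, which is what lets m hardware processors work in parallel.

```python
import hashlib

N = 64            # block length n in bits (toy value; AES from ISO/IEC 18033-3 has n = 128)
HALF = N // 2
ROUNDS = 4


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Toy Feistel round function: keyed SHA-256 of one half-block, truncated to n/2 bits."""
    data = key + bytes([rnd]) + half.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def e_K(key: bytes, block: int) -> int:
    """Stand-in block cipher encryption e_K: a 4-round Feistel permutation of n-bit integers.
    Assumed for this example; any ISO/IEC 18033-3 block cipher would take its place."""
    left, right = block >> HALF, block & ((1 << HALF) - 1)
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << HALF) | right


def d_K(key: bytes, block: int) -> int:
    """Stand-in block cipher decryption d_K: the same rounds undone in reverse order."""
    left, right = block >> HALF, block & ((1 << HALF) - 1)
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF) | right


def ecb_encrypt(key: bytes, blocks: list) -> list:
    """Clause 6.2: C_i = e_K(P_i); every block is processed independently."""
    return [e_K(key, p) for p in blocks]


def ecb_decrypt(key: bytes, blocks: list) -> list:
    """Clause 6.3: P_i = d_K(C_i)."""
    return [d_K(key, c) for c in blocks]


def cbc_encrypt(key: bytes, blocks: list, svs: list) -> list:
    """Clause 7.2 with interleave parameter m = len(svs).

    C_i = e_K(P_i xor SV_i) for i <= m, then C_i = e_K(P_i xor C_{i-m}). The m most recent
    ciphertext blocks sit in a cyclically used feedback buffer FB: slot i mod m holds
    SV_{i+1} on the first pass over the buffer and C_{i+1-m} afterwards.
    """
    m = len(svs)
    assert 1 <= m <= 1024                 # clause 7.1 bound on m
    fb = list(svs)
    out = []
    for i, p in enumerate(blocks):
        c = e_K(key, p ^ fb[i % m])
        fb[i % m] = c
        out.append(c)
    return out


def cbc_decrypt(key: bytes, blocks: list, svs: list) -> list:
    """Clause 7.3: P_i = d_K(C_i) xor SV_i for i <= m, then d_K(C_i) xor C_{i-m}.
    Only ciphertext blocks enter the feedback buffer, so decryption needs no chaining state
    beyond the received ciphertext."""
    m = len(svs)
    fb = list(svs)
    out = []
    for i, c in enumerate(blocks):
        out.append(d_K(key, c) ^ fb[i % m])
        fb[i % m] = c
    return out


def cbc_lane(key: bytes, blocks: list, svs: list, lane: int) -> list:
    """Lane `lane` of interleaved CBC: blocks lane+1, lane+1+m, lane+1+2m, ... chained with
    m = 1 under SV_{lane+1}. Interleaved CBC is exactly m of these chains run side by side."""
    m = len(svs)
    return cbc_encrypt(key, blocks[lane::m], [svs[lane]])


if __name__ == "__main__":
    key = b"example-key-bytes"                        # constructed for the example
    pt = [0x0123456789ABCDEF, 0x0123456789ABCDEF, 0xFEDCBA9876543210, 1, 2, 3, 4]
    svs = [0x11, 0x22, 0x33]                          # m = 3 starting variables
    ct = cbc_encrypt(key, pt, svs)
    print("ECB leaks equal blocks:", ecb_encrypt(key, pt)[0] == ecb_encrypt(key, pt)[1])
    print("CBC m=3 round trip:", cbc_decrypt(key, ct, svs) == pt)
    print("equals 3 independent chains:", all(cbc_lane(key, pt, svs, l) == ct[l::3] for l in range(3)))
```

Note that the lane check is the whole reason interleaving was added in this edition: the m lanes share the key but never mix, so each can run on its own processor, and m = 1 degenerates to the 1997 CBC definition.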
8 Cipher Feedback (CFB) mode
8.1 Preliminaries
Three parameters define a CFB mode of operation:
— the size of feedback buffer, r, where n≤r≤1024n and r
— the size of feedback variable, k, where 1≤k≤n
— the size of plaintext variable, j, where 1≤j≤k
NOTE
a) r−k is not constrained by n in any way, i.e. r−k may be less than, equal to or greater than
n. Figure C.3 shows the special case where r−k >n.
b) If r = n then this mode is compatible with the version of CFB mode described in the first
edition of this standard (ISO/IEC 10116:1991).
c) the upper bound on r, i.e. r≤ 1024n is chosen because it provides a realistic upper bound on
the number of hardware processors.
It is recommended that CFB should be used with equal values of j and k (see clause B.3.2).
The variables employed by the CFB mode of operation are
a) The input variables
1) A sequence of q plaintext variables P_1, P_2, ..., P_q, each of j bits.
2) A key K.
3) A starting variable SV of r bits.
b) The intermediate results
1) A sequence of q block cipher input blocks X_1, X_2, ..., X_q, each of n bits.
2) A sequence of q block cipher output blocks Y_1, Y_2, ..., Y_q, each of n bits.
3) A sequence of q variables E_1, E_2, ..., E_q, each of j bits.
4) A sequence of q − 1 feedback variables F_1, F_2, ..., F_{q−1}, each of k bits.
5) A sequence of q feedback buffer contents FB_1, FB_2, ..., FB_q, each of r bits.
c) The output variables, i.e. a sequence of q ciphertext variables C_1, C_2, ..., C_q, each of j bits.
8.2 Encryption
The feedback buffer FB is set to its initial value
FB_1 = SV
The operation of encrypting each plaintext variable employs the following six steps.
a) X_i = n ∼ FB_i (Selection of leftmost n bits of FB).
b) Y_i = e_K(X_i) (Use of block cipher).
c) E_i = j ∼ Y_i (Selection of leftmost j bits of Y_i).
d) C_i = P_i ⊕ E_i (Generation of ciphertext variable).
e) F_i = I(k − j) | C_i (Generation of feedback variable).
f) FB_{i+1} = S_k(FB_i | F_i) (Shift function on FB).
These steps are repeated for i = 1, 2, ..., q, ending with step (d) on the last cycle. The procedure is shown in the left side of figure C.3. The leftmost j bits of the output block Y of the block cipher are used to encrypt the j-bit plaintext variable by modulo 2 addition. The remaining bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j. The ciphertext variable is augmented by placing k − j one bits in its leftmost bit positions to become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left by k places and F is inserted in the rightmost k places, to produce the new value of the feedback buffer FB. In this shift operation, the leftmost k bits of FB are discarded. The new n leftmost bits of FB are used as the next input X of the encryption process.
8.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The feedback buffer FB is set to its initial value
FB_1 = SV
The operation of decrypting each ciphertext variable employs the following six steps.
a) X_i = n ∼ FB_i (Selection of leftmost n bits of FB).
b) Y_i = e_K(X_i) (Use of block cipher).
c) E_i = j ∼ Y_i (Selection of leftmost j bits of Y_i).
d) P_i = C_i ⊕ E_i (Generation of plaintext variable).
e) F_i = I(k − j) | C_i (Generation of feedback variable).
f) FB_{i+1} = S_k(FB_i | F_i) (Shift function on FB).
These steps are repeated for i = 1, 2, ..., q, ending with step (d) on the last cycle. The procedure is shown in the right side of figure C.3. The leftmost j bits of the output block Y of the block cipher are used to decrypt the j-bit ciphertext variable by modulo 2 addition. The remaining bits of Y are discarded. The plaintext and ciphertext variables have bits numbered from 1 to j. The ciphertext variable is augmented by placing k − j one bits in its leftmost bit positions to become the k-bit feedback variable F. Then the bits of the feedback buffer FB are shifted left by k places and F is inserted in the rightmost k places to produce the new value of FB. In this shift operation, the leftmost k bits of FB are discarded. The new n leftmost bits of FB are used as the next input X of the decryption process.
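The six-step CFB procedure above, together with the clause 4.6 to 4.8 bit operations it relies on, as an added Python example that is not part of the standard. Bit arrays are held as Python integers with bit 1 as the most significant bit, so (j ∼ A) is a right shift, S_t is a left shift masked to r bits, and I(t) is 2^t − 1. The block cipher is replaced by a keyed SHA-256 truncated to n bits; that is an assumption made here because CFB only ever calls e_K in the forward direction. The parameters (n = 64, r = 128, k = j = 8 for the main run), key, SV and plaintext are constructed for the example. The `affected_after` helper captures the self-synchronising property a practitioner cares about: a corrupted ciphertext variable can disturb at most the next ⌈r/k⌉ decrypted variables, after which decryption resynchronises on its own.

```python
import hashlib


def e_K(key: bytes, n: int, x: int) -> int:
    """Stand-in for the block cipher encryption function e_K on n-bit blocks (assumed for
    this example): keyed SHA-256 truncated to n bits. CFB only applies e_K in the forward
    direction, so a one-way keyed function is enough to exercise the mode."""
    digest = hashlib.sha256(key + x.to_bytes(n // 8, "big")).digest()
    return int.from_bytes(digest[: n // 8], "big")


def select(j: int, a: int, m: int) -> int:
    """Clause 4.6, (j ~ A): the j leftmost bits of the m-bit array A (bit 1 is the MSB)."""
    assert 1 <= j <= m
    return a >> (m - j)


def shift(t: int, x: int, f: int, m: int) -> int:
    """Clause 4.7, S_t(X | F): shift the m-bit X left by t places, put the t-bit F on the right."""
    assert 1 <= t <= m
    return ((x << t) | f) & ((1 << m) - 1)


def ones(t: int) -> int:
    """Clause 4.8, I(t): a t-bit array with every bit set (I(0) is the empty array)."""
    return (1 << t) - 1


def _cfb(key, n, r, k, j, sv, data, decrypt):
    """Clauses 8.2 and 8.3 share steps a), b), c), e), f); only step d) and which value is
    fed back differ. The feedback variable is always built from the ciphertext variable."""
    assert n <= r <= 1024 * n and 1 <= k <= n and 1 <= j <= k   # clause 8.1 parameter ranges
    assert 0 <= sv < (1 << r)
    fb = sv                                  # FB_1 = SV, an r-bit array
    out = []
    for v in data:
        x = select(n, fb, r)                 # a) X_i = n ~ FB_i
        y = e_K(key, n, x)                   # b) Y_i = e_K(X_i)
        e = select(j, y, n)                  # c) E_i = j ~ Y_i
        w = v ^ e                            # d) C_i = P_i xor E_i  (or P_i = C_i xor E_i)
        c = v if decrypt else w              #    the ciphertext variable C_i
        f = (ones(k - j) << j) | c           # e) F_i = I(k - j) | C_i
        fb = shift(k, fb, f, r)              # f) FB_{i+1} = S_k(FB_i | F_i)
        out.append(w)
    return out


def cfb_encrypt(key, n, r, k, j, sv, plaintext):
    """Clause 8.2: j-bit plaintext variables in, j-bit ciphertext variables out."""
    return _cfb(key, n, r, k, j, sv, plaintext, decrypt=False)


def cfb_decrypt(key, n, r, k, j, sv, ciphertext):
    """Clause 8.3: same keystream derivation; the received C_i is what is fed back."""
    return _cfb(key, n, r, k, j, sv, ciphertext, decrypt=True)


def affected_after(r: int, k: int) -> int:
    """How many variables after a corrupted C_i can decrypt wrongly: the bad k-bit feedback
    variable has left the r-bit buffer after ceil(r/k) further shifts, then CFB resyncs."""
    return -(-r // k)


if __name__ == "__main__":
    key, sv = b"cfb-example-key", 0x0123456789ABCDEF0123456789ABCDEF   # constructed inputs
    pt = list(b"The quick brown fox jumps over the lazy dog")[:40]    # 8-bit variables
    ct = cfb_encrypt(key, 64, 128, 8, 8, sv, pt)
    bad = list(ct)
    bad[5] ^= 0x01                                                      # flip one ciphertext bit
    rec = cfb_decrypt(key, 64, 128, 8, 8, sv, bad)
    print("round trip:", cfb_decrypt(key, 64, 128, 8, 8, sv, ct) == pt)
    print("bit flip lands in P_6:", rec[5] == pt[5] ^ 0x01)
    print("resynchronised after", affected_after(128, 8), "variables:", rec[22:] == pt[22:])
```

With r = k = j = n the feedback buffer is simply the previous ciphertext block (X_{i+1} = C_i), which is the first-edition CFB mentioned in NOTE b) of 8.1; with r − k > n, as in the main run, a corrupted feedback variable sits in the right part of the buffer for several shifts before it reaches the n bits that feed the cipher, so some of the variables immediately after the corrupted one still decrypt correctly.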
9 Output Feedback (OFB) mode
9.1 Preliminaries
The OFB mode of operation is defined by one parameter, i.e. the size of the plaintext variable
j, where 1≤j≤n.
The variables employed by the OFB mode of operation are the
a) input variables where
1) A sequence of q plaintext variables P_1, P_2, ..., P_q, each of j bits;
2) A key K; and
3) A starting variable SV of n bits;
b) intermediate results where
1) A sequence of q block-cipher input blocks X_1, X_2, ..., X_q, each of n bits;
2) A sequence of q block-cipher output blocks Y_1, Y_2, ..., Y_q, each of n bits; and
3) A sequence of q variables E_1, E_2, ..., E_q, each of j bits; and
c) output variables, i.e. a sequence of q ciphertext variables C_1, C_2, ..., C_q, each of j bits.
9.2 Encryption
The input block X is set to its initial value
X_1 = SV
The operation of encrypting each plaintext variable employs the following four steps.
a) Y_i = e_K(X_i) (Use of block cipher).
b) E_i = j ∼ Y_i (Selection of leftmost j bits).
c) C_i = P_i ⊕ E_i (Generation of ciphertext variable).
d) X_{i+1} = Y_i (Feedback operation).
These steps are repeated for i = 1, 2, ..., q, ending with step (c) on the last cycle. The procedure is shown on the left side of figure C.4. The plaintext and ciphertext variables have bits numbered from 1 to j.
The result of each use of the block cipher is Y_i and this is fed back to become the next value of X, namely X_{i+1}. The leftmost j bits of Y_i are used to encrypt the input variable.
9.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The input block X is set to its initial value
X_1 = SV
The operation of decrypting each ciphertext variable employs the following four steps.
a) Y_i = e_K(X_i) (Use of block cipher).
b) E_i = j ∼ Y_i (Selection of leftmost j bits).
c) P_i = C_i ⊕ E_i (Generation of plaintext variable).
d) X_{i+1} = Y_i (Feedback operation).
These steps are repeated for i = 1, 2, ..., q, ending with step (c) on the last cycle. The procedure is shown in the right side of figure C.4. The plaintext and ciphertext variables have bits numbered from 1 to j.
The result of each use of the block cipher is Y_i and this is fed back to become the next value of X, namely X_{i+1}. The leftmost j bits of Y_i are used to decrypt the input variable.
10 Counter (CTR) mode
10.1 Preliminaries
The Counter mode of operation is defined by one parameter, i.e. the size of plaintext variable,
j, where 1≤j≤n.
The variables employed by the Counter mode of operation are the
a) input variables where
1) A sequence of q plaintext variables P_1, P_2, ..., P_q, each of j bits;
2) A key K; and
3) A starting variable SV of n bits;
b) intermediate results where
1) A sequence of q block cipher input blocks CTR_1, CTR_2, ..., CTR_q, each of n bits;
2) A sequence of q block cipher output blocks Y_1, Y_2, ..., Y_q, each of n bits; and
3) A sequence of q variables E_1, E_2, ..., E_q, each of j bits; and
c) output variables, i.e. a sequence of q ciphertext variables C_1, C_2, ..., C_q, each of j bits.
10.2 Encryption
The counter CTR is set to its initial value
CTR_1 = SV
The operation of encrypting each plaintext variable employs the following four steps.
a) Y_i = e_K(CTR_i) (Use of block cipher).
b) E_i = j ∼ Y_i (Selection of leftmost j bits of Y_i).
c) C_i = P_i ⊕ E_i (Generation of ciphertext variable).
d) CTR_{i+1} = (CTR_i + 1) mod 2^n (Generation of a new counter value CTR).
These steps are repeated for i = 1, 2, ..., q, ending with step (c) on the last cycle. The procedure is shown on the left side of figure C.5. The plaintext and ciphertext variables have bits numbered from 1 to j.
The counter value is encrypted to give an output block Y_i and the leftmost j bits of this output block Y_i are used to encrypt the input value. The counter CTR then increases by one (modulo 2^n) to produce a new counter value.
10.3 Decryption
The variables employed for decryption are the same as those employed for encryption.
The counter CTR is set to its initial value
CTR_1 = SV
The operation of decrypting each ciphertext variable employs the following four steps.
a) Y_i = e_K(CTR_i) (Use of block cipher).
b) E_i = j ∼ Y_i (Selection of leftmost j bits of Y_i).
c) P_i = C_i ⊕ E_i (Generation of plaintext variable).
d) CTR_{i+1} = (CTR_i + 1) mod 2^n (Generation of a new counter value CTR).
These steps are repeated for i = 1, 2, ..., q, ending with step (c) on the last cycle. The procedure is shown in the right side of figure C.5. The plaintext and ciphertext variables have bits numbered from 1 to j.
The counter value is encrypted to give an output block Y_i and the leftmost j bits of this output block Y_i are used to decrypt the input value. The counter CTR then increases by one (modulo 2^n) to produce a new counter value.
�c ISO/IEC 2006 — All rights reserved 13
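The four steps of 10.2 and 10.3 carried through in code, as an added example that is not part of the standard. It assumes a stand-in for e_K built from HMAC-SHA256 truncated to n bits (a pseudo-random function, not an ISO/IEC 18033-3 block cipher), represents each j-bit variable as an integer, and uses constructed key, SV and plaintext values; the SV is set to 2^n - 1 so that the modulo-2^n counter wrap of step d) is exercised.

```python
import hmac
import hashlib


def block_encrypt(key: bytes, n: int, block: int) -> int:
    # Stand-in for the block cipher encryption e_K (assumption: HMAC-SHA256
    # truncated to its leftmost n bits, i.e. a pseudo-random function; a real
    # deployment would use an ISO/IEC 18033-3 block cipher such as AES).
    assert 1 <= n <= 256 and 0 <= block < 2 ** n
    inp = block.to_bytes((n + 7) // 8, "big")
    tag = hmac.new(key, inp, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - n)


def ctr_keystream(key: bytes, n: int, j: int, sv: int, q: int) -> list:
    # Steps a), b) and d) of 10.2/10.3 for i = 1..q, starting from CTR_1 = SV:
    #   Y_i = e_K(CTR_i); E_i = leftmost j bits of Y_i;
    #   CTR_{i+1} = (CTR_i + 1) mod 2^n.
    assert 1 <= j <= n and 0 <= sv < 2 ** n
    ctr, stream = sv, []
    for _ in range(q):
        y = block_encrypt(key, n, ctr)
        stream.append(y >> (n - j))        # E_i: leftmost j bits of Y_i
        ctr = (ctr + 1) % (2 ** n)         # wraps to 0 after 2^n - 1
    return stream


def ctr_encrypt(key: bytes, n: int, j: int, sv: int, plaintext: list) -> list:
    # Step c): C_i = P_i xor E_i. Each variable is an integer of j bits.
    assert all(0 <= p < 2 ** j for p in plaintext)
    stream = ctr_keystream(key, n, j, sv, len(plaintext))
    return [p ^ e for p, e in zip(plaintext, stream)]


def ctr_decrypt(key: bytes, n: int, j: int, sv: int, ciphertext: list) -> list:
    # 10.3 is the same computation with C_i and P_i swapped (P_i = C_i xor E_i).
    return ctr_encrypt(key, n, j, sv, ciphertext)


# Constructed sample values: a 16-byte key, n = 64, j = 8, and an SV of
# 2^64 - 1 so that the counter wraps modulo 2^n on the second variable.
KEY = bytes(range(16))
N, J = 64, 8
SV = 2 ** N - 1
PLAINTEXT = [0x48, 0x69, 0x21]   # three 8-bit plaintext variables

if __name__ == "__main__":
    c = ctr_encrypt(KEY, N, J, SV, PLAINTEXT)
    print([hex(x) for x in c], ctr_decrypt(KEY, N, J, SV, c) == PLAINTEXT)
```

Because the keystream depends only on K and SV, two messages encrypted under the same key and SV XOR to the XOR of their plaintexts, which is why an SV must not be reused under a given key.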
Annex A
(normative)
Object identifiers
This annex lists the object identifiers assigned to algorithms specified in this standard.
ModesOfOperation {
    iso(1) standard(0) modes-of-operation(10116) single-part(0)
    asn1-module(0) algorithm-object-identifiers(0) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- EXPORTS All; --
IMPORTS
    BlockAlgorithms
        FROM EncryptionAlgorithms-3 { iso(1) standard(0)
            encryption-algorithms(18033) part(3)
            asn1-module(0) algorithm-object-identifiers(0) };

OID ::= OBJECT IDENTIFIER -- Alias

-- Synonyms --
is10116 OID ::= { iso(1) standard(0) modes-of-operation(10116) single-part(0) }
id-mode OID ::= { is10116 mode(1) }
id-pad  OID ::= { is10116 pad(2) }
id-pad-null RELATIVE-OID ::= { 0 } -- no padding algorithm identified
id-pad-1    RELATIVE-OID ::= { 1 } -- padding according to method specified
                                   -- in annex B, clause B.2.3
id-mode-ecb OID ::= { id-mode ecb(1) }
id-mode-cbc OID ::= { id-mode cbc(2) }
id-mode-cfb OID ::= { id-mode cfb(3) }
id-mode-ofb OID ::= { id-mode ofb(4) }
id-mode-ctr OID ::= { id-mode ctr(5) }

-- Algorithm specifications --
ModeOfOperation ::= AlgorithmIdentifier {{ ModeOfOperationAlgorithms }}

ModeOfOperationAlgorithms ALGORITHM ::= {
    { OID id-mode-ecb PARMS EcbParameters } |
    { OID id-mode-cbc PARMS CbcParameters } |
    { OID id-mode-cfb PARMS CfbParameters } |
    { OID id-mode-ofb PARMS OfbParameters } |
    { OID id-mode-ctr PARMS CtrParameters } ,
    ... -- expect additional algorithms --
}

PadAlgo ::= CHOICE {
    specifiedPadAlgo RELATIVE-OID,
    generalPadAlgo   OID
}

EcbParameters ::= SEQUENCE {
    bcAlgo  BlockCipher OPTIONAL,
    padAlgo PadAlgo DEFAULT specifiedPadAlgo:id-pad-null
}

CbcParameters ::= SEQUENCE {
    m       INTEGER DEFAULT 1,
    bcAlgo  BlockCipher OPTIONAL,
    padAlgo PadAlgo DEFAULT specifiedPadAlgo:id-pad-1
}

CfbParameters ::= SEQUENCE {
    r       INTEGER, -- n<=r<=1024n where n is the cipher block length
    k       INTEGER, -- 1<=k<=n
    j       INTEGER, -- 1<=j<=k
    bc      BlockCipher OPTIONAL,
    padAlgo PadAlgo DEFAULT specifiedPadAlgo:id-pad-null
}

OfbParameters ::= SEQUENCE {
    j       INTEGER, -- 1<=j<=n where n is the cipher block length
    bc      BlockCipher OPTIONAL,
    padAlgo PadAlgo DEFAULT specifiedPadAlgo:id-pad-null
}

CtrParameters ::= SEQUENCE {
    j       INTEGER, -- 1<=j<=n where n is the cipher block length
    bc      BlockCipher OPTIONAL,
    padAlgo PadAlgo DEFAULT specifiedPadAlgo:id-pad-null
}

-- Auxiliary definitions --
BlockCipher ::= AlgorithmIdentifier {{ BlockAlgorithms }}

-- Cryptographic algorithm identification --
ALGORITHM ::= CLASS {
    &id   OBJECT IDENTIFIER UNIQUE,
    &Type OPTIONAL
}
WITH SYNTAX { OID &id [PARMS &Type] }

AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
    algorithm  ALGORITHM.&id( {IOSet} ),
    parameters ALGORITHM.&Type( {IOSet}{@algorithm} ) OPTIONAL
}

END -- ModesOfOperation --
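A DER encoder and decoder for the object identifiers Annex A assigns, as an added example that is not part of the standard. It assumes the X.690 DER encoding of OBJECT IDENTIFIER values and composes the arcs from the module's own definitions (is10116 = {1 0 10116 0}, id-mode = {is10116 1}, id-pad = {is10116 2}, id-mode-ctr = {id-mode 5}).

```python
def encode_oid_der(arcs: tuple) -> bytes:
    # DER OBJECT IDENTIFIER: tag 0x06, short-form length, then the
    # sub-identifiers in base 128 (high bit set on all but the last byte);
    # the first two arcs are combined into one sub-identifier 40*a + b.
    assert len(arcs) >= 2 and arcs[0] in (0, 1, 2)
    assert arcs[0] == 2 or arcs[1] < 40
    subids = [40 * arcs[0] + arcs[1]] + list(arcs[2:])
    content = bytearray()
    for value in subids:
        groups = [value & 0x7F]            # lowest 7 bits, continuation bit clear
        value >>= 7
        while value:
            groups.append((value & 0x7F) | 0x80)
            value >>= 7
        content.extend(reversed(groups))   # most significant group first
    assert len(content) < 128              # short-form length is enough here
    return bytes([0x06, len(content)]) + bytes(content)


def decode_oid_der(der: bytes) -> tuple:
    # Inverse of encode_oid_der for short-form lengths; rejects a trailing
    # byte that still has its continuation bit set.
    assert len(der) >= 3 and der[0] == 0x06 and der[1] == len(der) - 2
    subids, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    assert value == 0
    first = subids[0]
    head = (2, first - 80) if first >= 80 else divmod(first, 40)
    return tuple(head) + tuple(subids[1:])


# Arcs taken from the Annex A module (is10116, id-mode, id-pad, id-mode-ctr).
IS10116 = (1, 0, 10116, 0)
ID_MODE = IS10116 + (1,)
ID_PAD = IS10116 + (2,)
ID_MODE_CTR = ID_MODE + (5,)

if __name__ == "__main__":
    der = encode_oid_der(ID_MODE_CTR)
    print(der.hex(), decode_oid_der(der))
```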
Annex B
(informative)
Properties of the modes of operation
As described above, these modes provide only protection of confidentiality. Proofs of security
exist for the CBC mode, the CFB mode, the OFB mode and the CTR mode. The proofs assume
that a block cipher cannot be distinguished from a pseudo-random function. The probability of
this assumption being invalid increases dramatically as the number of processed blocks increases
to 2^{n/2} and beyond.
B.1 Properties of the Electronic Codebook (ECB) mode of operation
B.1.1 Environment
Binary data exchanged between computers, or people, may contain repetitions or commonly
used sequences. In ECB mode, identical plaintext blocks produce (for the same key) identical
ciphertext blocks.
B.1.2 Properties
Properties of the ECB mode are:
a) encryption or decryption of a block can be carried out independently of the other blocks;
b) reordering of the ciphertext blocks will result in the corresponding reordering of the plaintext
blocks; and
c) the same plaintext block always produces the same ciphertext block (for the same key) making
it vulnerable to a “dictionary attack”, where a dictionary is built up with corresponding
plaintext and ciphertext blocks.
The ECB mode is, in general, not recommended for messages longer than one block. The use of
ECB may only be specified in future International Standards for those special purposes where
the repetition characteristic is acceptable, blocks have to be accessed individually, or blocks have
to be accessed randomly.
B.1.3 Padding requirements
Only multiples of n bits can be encrypted or decrypted. Other lengths need to be padded to an
n-bit boundary.
B.1.4 Error propagation
In the ECB mode, one or more bit errors within a single ciphertext block will only affect the
decryption of the block in which the error(s) occur(s). Decryption of a ciphertext block with
one or more error bits will result in an expected 50% error probability for each plaintext bit in
the corresponding plaintext block.
B.1.5 Synchronization
If block boundaries are lost between encryption and decryption (e.g. due to loss or insertion of
a ciphertext bit), synchronization between the encryption and decryption operations will be lost
until the correct block boundaries are re-established. The result of all decryption operations will
be incorrect while the block boundaries are lost.
B.2 Properties of the Cipher Block Chaining (CBC) mode of operation
B.2.1 Environment
The CBC mode produces the same ciphertext whenever the same plaintext is encrypted using
the same key and starting variable. Users who are concerned about this characteristic need to
adopt some procedure to change the start of the plaintext, the key, or the starting variable. One
possibility is to incorporate a unique identifier (e.g. an incremented counter) at the beginning
of each plaintext. Another technique, which may be used when encrypting records whose size
should not be increased, is to use a value for the starting variable which can be computed from
the record without knowing its contents (e.g. its address in random access storage).
A randomly chosen statistically unique SV is recommended. To prevent information leakage an
integrity-protected secret SV is recommended.
B.2.2 Properties
Properties of the CBC mode are:
a) the chaining operation makes the ciphertext blocks dependent on the current and the preceding
plaintext blocks P_{i−m}, P_{i−2m}, P_{i−3m}, ... and therefore rearranging ciphertext blocks
does not result in a rearranging of the corresponding plaintext blocks;
b) the use of different SV values prevents the same plaintext encrypting to the same ciphertext;
c) selection of m > 1 enables the block cipher encryption operations to be performed in
parallel. With use of parallel processing hardware, such as a pipeline-oriented circuit, it
facilitates high-throughput implementations;
d) decryption of any ciphertext block is possible without decrypting any of the preceding
sequence of ciphertext blocks; that is, this mode has the “random access” property for
ciphertext; and
e) if the block cipher can be modelled by a pseudo-random permutation, and the SV has been
randomly chosen, the CBC mode is mathematically proven to be secure in the sense that
the encryption leaks no computationally non-trivial information about the plaintext, see
[5].
NOTE It is a common misunderstanding that CBC mode provides data integrity — it does not.
B.2.3 Padding requirements
Only multiples of n bits can be encrypted or decrypted. Other lengths need to be padded to an
n-bit boundary.
In circumstances where padding is necessary, padding method 2 of ISO/IEC 9797-1 [2], also
specified as padding method 2 in ISO/IEC 10118-1 [3], is recommended for use with the CBC
mode of operation. This padding method is not only simple to implement, but it also resists
certain attacks on CBC mode encryption [6], [7], [8], [9]. For certain other padding methods, if
an attacker is able to manipulate encrypted messages, and is also able to detect whether or not
an encrypted message causes a decrypting device to fail because the decryption process reveals
an incorrectly formatted padded data string, then repeated probing of this type can be used to
reveal information about the plaintext.
B.2.4 Error propagation
In the CBC mode, one or more bit errors within a single ciphertext block will affect the decryp-
tion of two blocks (the block in which the error occurs and the m-th block after). An error in
the i-th ciphertext block has the following effect on the resulting plaintext: the i-th plaintext
block will have an expected 50% error probability for each bit. The i+m-th plaintext block
will have an error pattern equal to that in the i-th ciphertext block.
B.2.5 Synchronization
If block boundaries are lost between encryption and decryption (e.g. due to loss or insertion of
a ciphertext bit), synchronization between the encryption and decryption operations will be lost
until the correct block boundaries are re-established. The result of all decryption operations will
be incorrect while the block boundaries are lost.
B.3 Properties of the Cipher Feedback (CFB) mode of operation
B.3.1 Environment
The CFB mode produces the same ciphertext whenever the same plaintext is encrypted using
the same key and starting variable. Users who are concerned about this characteristic need to
adopt some procedure to change the start of the plaintext, the key, or the starting variable. One
possibility is to incorporate a unique identifier (e.g. an incremented counter) at the beginning
of each CFB message. Another technique, which may be used when encrypting records whose
size should not be increased, is to use a value for the starting variable which can be computed
from the record without knowing its contents (e.g. its address in random access storage).
A randomly chosen statistically unique SV is recommended.
B.3.2 Properties
Properties of the CFB mode are:
a) the chaining operation makes the ciphertext variables dependent on the current and all but
a certain number of immediately preceding plaintext variables. This number depends on
the selection of r, k, and j. Therefore rearranging j-bit ciphertext variables does not result
in a rearranging of the corresponding j-bit plaintext variables;
b) the use of different SV values prevents the same plaintext encrypting to the same ciphertext;
c) the encryption and decryption processes in the CFB mode both use only the encryption
operation of the block cipher;
d) the strength of the CFB mode depends on the size of k (maximal if j = k = n) and the
relative sizes of j, k, n and r;
NOTE A choice of j < k will result in an increased probability of repeating occurrences
of values of the input blocks. Such repeated occurrences will reveal linear relations between
plaintext bits.
e) use of this mode will require approximately n/j times as many block cipher encryption
operations than would ECB mode, and hence selection of a small value for j will cause
greater processing overheads;
f) selection of r ≥ n + k enables the pipelining and the continuous operation of the block cipher
(assuming the use of parallel processing hardware, such as a pipeline-oriented circuit); and
g) a security proof for CFB mode is given in [4].
B.3.3 Padding requirements
Only multiples of j bits can be encrypted or decrypted. Other lengths need to be padded to a
j-bit boundary. However, usually j will be chosen equal to such a size that no padding will be
required, e.g. j can be modified for the last portion of the plaintext.
B.3.4 Error propagation
In the CFB mode, errors in any j-bit unit of ciphertext will affect the decryption of succeeding
ciphertext until the bits in error have been shifted out of the CFB feedback buffer. An error in
the i-th ciphertext variable has the following effect on the resulting plaintext: the i-th plaintext
variable will have an error pattern equal to that in the i-th ciphertext variable. The succeeding
plaintext variables will have an expected 50% error probability for each bit until all incorrectly
received bits have been shifted out of the feedback buffer.
B.3.5 Synchronization
If j-bit boundaries are lost between encryption and decryption (e.g. due to loss or insertion of a
ciphertext bit), cryptographic synchronization will be re-established r bits after j-bit boundaries
are re-established. If a multiple of j bits are lost, synchronization will be re-established
automatically after r bits. Consequently, when j = k = 1, the CFB mode automatically re-establishes
cryptographic synchronization after the loss or insertion of any number of ciphertext bits.
B.4 Properties of the Output Feedback (OFB) mode of operation
B.4.1 Environment
The OFB mode produces the same ciphertext whenever the same plaintext is encrypted using the
same key and starting variable. Moreover, in the OFB mode the same keystream (the sequence
of intermediate results E_i) is produced when the same key and SV are used. Consequently, for
security reasons a specific SV should be used only once for a given key.
A randomly chosen statistically unique SV is recommended.
B.4.2 Properties
Properties of the OFB mode are:
a) the use of different SV values prevents the same plaintext encrypting to the same ciphertext,
by producing different keystreams;
b) the encryption and decryption processes in the OFB mode both use only the encryption
operation of the block cipher;
c) the OFB mode does not depend on the plaintext to generate the keystream used to add
modulo 2 to the plaintext;
d) use of this mode will require approximately n/j times as many block cipher encryption
operations than would ECB mode, and hence selection of a small value for j will cause
greater processing overheads; and
e) security proofs for the OFB mode are analogous to those for the CTR mode.
B.4.3 Padding requirements
Only multiples of j bits can be encrypted or decrypted. Other lengths need to be padded to a
j-bit boundary. However, usually j will be chosen equal to such a size that no padding will be
required, e.g. j can be modified for the last portion of the plaintext. No padding is required
when a plaintext block with z bits, z < j is encrypted by bitwise addition with only the first z
bits of the corresponding variable E.
B.4.4 Error propagation
The OFB mode does not extend ciphertext errors in the resultant plaintext output. Every bit
in error in the ciphertext causes only one bit to be in error in the decrypted plaintext.
B.4.5 Synchronization
The OFB mode is not self-synchronizing. If the two operations of encryption and decryption get
out of synchronization, the system needs to be re-initialized. Such a loss of synchronis
...