ISO/IEC 10116:2017/Amd 1:2021

INTERNATIONAL ISO/IEC
STANDARD 10116
Fourth edition
2017-07
AMENDMENT 1
2021-02
Information technology — Security
techniques — Modes of operation for
an n-bit block cipher
AMENDMENT 1: CTR-ACPKM mode of
operation
Technologies de l'information — Techniques de sécurité — Modes
opératoires pour un chiffrement par blocs de n bits
AMENDEMENT 1
Reference number
ISO/IEC 10116:2017/Amd.1:2021(E)
©
ISO/IEC 2021
ISO/IEC 10116:2017/Amd.1:2021(E)

© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved

ISO/IEC 10116:2017/Amd.1:2021(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part  2 (see www .iso .org/ directives or www .iec .ch/ members
_experts/ refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html. In the IEC, see www .iec .ch/ understanding -standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved iii

ISO/IEC 10116:2017/Amd.1:2021(E)
Information technology — Security techniques — Modes of
operation for an n-bit block cipher
AMENDMENT 1: CTR-ACPKM mode of operation

Introduction
Delete the NOTE and replace the second paragraph with the following:
This document specifies the following modes of operation:
a) electronic codebook (ECB);
b) cipher block chaining (CBC);
c) cipher feedback (CFB);
d) output feedback (OFB);
e) counter (CTR);
f) counter advanced cryptographic prolongation of key material (CTR-ACPKM).

Scope
Replace the first sentence of the first paragraph with the following:
This document establishes the modes of operation for applications of an n-bit block cipher (e.g.
protection of data during transmission or in storage).
Delete NOTE 3 and NOTE 4.
Clause 3, Terms and definitions
Replace the terminological entry with the following:
3.3
counter
bit array of length n bits (where n is the block size of the underlying block cipher) which is used in CTR
mode and CTR-ACPKM mode
Add new entries 3.13 to 3.15 as follows:
3.13
key lifetime
maximum amount of data that could be processed using this key by the particular mode of operation
without loss of some proven security property
3.14
section
part of plaintext that is processed with one key before this key is transformed
© ISO/IEC 2021 – All rights reserved 1

ISO/IEC 10116:2017/Amd.1:2021(E)

3.15
section key
key used to process one section

4.1
Add the following rows at the end of the table:
c number of bits in a counter which can be modified during incrementing in
the CTR-ACPKM mode
J number of constants in the ACPKM transformation
(z)
K section key
len length of the plaintext (in bits)
N section size (the number of bits that are processed with one section key before
this key is transformed)
s number of sections
z iteration for sections
4.2
Replace the third row with the following:
a(t) t-bit string where the value ‘a’ (0 or 1) is assigned to every bit
Add the following row at the end of the table:
smallest integer that is greater than or equal to a
a
 
Clause 5
Add the following sentence after the fourth sentence of the second paragraph:
For the counter advanced cryptographic prolongation of key material (CTR-ACPKM) mode of
operation (see Clause 11), three parameters c, j and N need to be selected.
Replace the first sentence of the fourth paragraph with the following:
For the ECB, CBC, CFB, OFB and CTR modes of operation, the encrypter and all potential decrypters
shall agree on a padding method, unless messages to be encrypted are always a multiple of m bits
(m = n for ECB and CBC modes, m = j for CFB, OFB and CTR modes) in length or unless the mode does
not require padding.
Add the following sentence at the end of the fourth paragraph:
For the CTR-ACPKM mode of operation, padding is not used by default and the bit length of the
plaintext need not be a multiple of j bits. If any padding is applied by the application that invokes the
encryption, then the padding method shall be known to the application that invokes the decryption.
2 © ISO/IEC 2021 – All rights reserved

ISO/IEC 10116:2017/Amd.1:2021(E)

Add the following paragraphs at the end of the clause:
The modes of operation specified in this document have been assigned object identifiers in
accordance with ISO/IEC 9834 (all parts). Annex A lists the object identifiers which shall be used to
identify the modes of operation specified in this document.
Annex B contains comments on the properties of each mode and important security guidance.
Annex C presents figures describing the modes of operation. Annex D provides numerical examples
of the modes of operation.
7.2
Replace the last sentence with the following:
This procedure is shown on the Figure C.1 for m = 1 and on the left side of Figure C.2 for m > 1.

7.3
Replace the first sentence of the fourth paragraph with the following:
This procedure is shown on the Figure C.1 for m = 1 and on the right side of Figure C.2 for m > 1.

Clause 11
Add new Clause 11 as follows:
11  Counter advanced cryptographic prolongation of key material (CTR-ACPKM) mode
11.1  General
The CTR-ACPKM mode employs an approach to increase the key lifetime by using a transformation of
a data processing key (section key) during the processing of each message. Each message is processed
starting with the same first section key and each section key is updated after processing one section
which consists of N bits.
NOTE CTR-ACPKM mode is the same as CTR mode except that the key is transformed during processing of
the mode.
The main idea behind the CTR-ACPKM mode is presented in Figure 1.
© ISO/IEC 2021 – All rights reserved 3

ISO/IEC 10116:2017/Amd.1:2021(E)

Key
p maximum number of messages encrypted under one initial key K
max
len maximum length of message (in bits)
max
s
lenN/
 
max
 
max
Figure 1 — Basic principles of message processing in the CTR-ACPKM mode
During the processing of the plaintext message P of length len (in bits) in the CTR-ACPKM encryption
1 s z
 
mode the message is divided into sl= en /N sections (denoted by P , ., P , where P has an N-bit
 
max
s
length for 1 ≤ z ≤ s−1 and the length of the last section P can be less than or equal to N bits). The first
(1)
section of each message is processed with the section key K , which is equal to the initial key K. To
(z+1)
process the (z+1)-th section of each message the section key K is calculated using the ACPKM
transformation defined in 11.5.
11.2  Preliminaries
For the CTR-ACPKM mode the block size n of the chosen block cipher shall be a multiple of 8.
Three parameters define the CTR-ACPKM mode of operation:
— the size of the plaintext variable j, where 1 ≤ j ≤ n and j is a multiple of 8;
— the section size in bits, N, where N is a multiple of j;
— the number of bits in a counter to be incremented, c, where 0 < c < n and c is a multiple of 8.
The variables employed by the CTR-ACPKM mode of operation when being used for encryption are:
a) the input variables:
1) a plaintext message P of length len, which can be represented as:
— a concatenation of q plaintext variables PP …P , where P , P , …, P are j-bit strings
1 2 q-1
12 q
and P contains less than or equal to j bits;
q
12 s
1 2 s-1
— a concatenation of s section variables PPP . , where P , P , …, P are N-bit strings
s
and P contains less than or equal to N bits;
2) an initial key K;
3) a starting variable SV of n−c bits. See Annex B for security guidance on the value of SV;
b) the intermediate results:
(1) (2) (s)
1) a sequence of s section keys K , K , … , K , each of k bits;
4 © ISO/IEC 2021 – All rights reserved

ISO/IEC 10116:2017/Amd.1:2021(E)

2) a sequence of q block cipher input blocks CTR , CTR , ., CTR , each of n bits;
1 2 q
3) a sequence of q block cipher output blocks Y , Y , ., Y , each of n bits;
1 2 q
4) a sequence of q variables E , E , ., E , each of j bits;
1 2 q
c) the output variable: an encrypted message C of length len, which can be represented as a
concatenation of q ciphertext variables CCC … , where C , C , ., C are j-bit strings and C
1 2 q-1 q
12 q
contains less than or equal to j bits.
Using the CTR-ACPKM mode it is possible to avoid ciphertext expansion by truncating the variable E to
q
the length of the final plaintext/ciphertext variable. The bit length of the plaintext message P need not be
a multiple of j (the bit length of the last plaintext/ciphertext variable P /C can be less than or equal to j).
q q
The following limitations should be observed when using the CTR-ACPKM mode (see Annex B for a
detailed explanation of these limitations):
c-1
— the length len of every message should be less than or equal to j · 2 ;
n−c
— the number of messages encrypted under one initial key K should be less than or equal to 2 .
11.3  Encryption
The section keys are generated from the initial key K using the ACPKM key transformation defined
in 11.5.
(1) (1)
a) The first section key K is equal to the initial key K : K = K.
(z)
b) For z = 2, ., s, where sl=  en/N , the section key K is generated as follows:
 
z
()
()z−1
KA= CPKM K .
()
The counter CTR is set using the starting variable padded with c zeros:
CTRS= Vc|0 .
()
The operation of encrypting each plaintext variable P employs the following four steps.
i
z
()
a) Ye= KCTR , where zi= ·/jN (use of block cipher);
()
 
i i
b) Ej=∼Y (selection of leftmost j bits of Y );
i
ii
c) CP=⊕E (generation of ciphertext variable);
ii i
n
d) CTRC=+TR 12 mod (generation of the next counter value CTR).
()
ii+1
These steps are repeated for i = 1, 2, ., q, ending with step c) on the last cycle. The procedure is shown
in Figure C.6.
(z)
The counter value CTR is encrypted under the corresponding section key K to give an output block
i
Y and the leftmost j bits of this output block Y are used to encrypt the input value. The counter then
i i
n
increases by one (modulo 2 ) to produce a new counter value.
11.4  Decryption
The variables employed for decryption are the same as those employed for encryption.
The section keys are generated from the initial key K using the ACPKM key transformation defined
in 11.5.
(1) (1)
a) The first section key K is equal to the initial key K: K = K.
© ISO/IEC 2021 – All rights reserved 5

ISO/IEC 10116:2017/Amd.1:2021(E)

(z)
b) For z = 2, ., s, where sl=  en/N , the section key K is generated as follows:
 
z
...