<HTML>
<HEAD>
  <TITLE>FIPS 46-3 Data Encryption Standard (DES)</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff">
<P ALIGN=Right>
FIPS PUB 46-3<BR>
<P ALIGN=Right>
FEDERAL INFORMATION<BR>
PROCESSING STANDARDS PUBLICATION
<P ALIGN=Right>
Reaffirmed<BR>
1999 October 25<BR>
<BR>
<BR>
<P ALIGN=Right>
U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology
<H2 ALIGN=Center>
  <BR>
  <BR>
  <BR>
  <BR>
  DATA ENCRYPTION STANDARD (DES)
  <BR>
  <BR>
  <BR>
  <BR>
  <BR>
  <BR>
  <BR>
</H2>
<P ALIGN=Right>
CATEGORY: COMPUTER SECURITY<BR>
SUBCATEGORY: CRYPTOGRAPHY
<P>
<HR>
<P ALIGN=Center>
U.S. DEPARTMENT OF COMMERCE, William M. Daley, Secretary<BR>
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,<BR>
Raymond G. Kammer, Director<BR>
<BR>
<P ALIGN=Center>
<B>Foreword</B>
<P>
The Federal Information Processing Standards Publication Series of the National
Institute of Standards and Technology (NIST) is the official series of
publications relating to standards and guidelines adopted and promulgated
under the provisions of Section 5131 of the Information Technology Management
Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of
1987 (Public Law 100-235). These mandates have given the Secretary of Commerce
and NIST important responsibilities for improving the utilization and management
of computer and related telecommunications systems in the Federal Government.
The NIST, through its Information Technology Laboratory, provides leadership,
technical guidance, and coordination of Government efforts in the development
of standards and guidelines in these areas.
<P>
Comments concerning Federal Information Processing Standards Publications
are welcomed and should be addressed to the Director, Information Technology
Laboratory, National Institute of Standards and Technology, Gaithersburg,
MD 20899.<BR>
<P ALIGN=Center>
Shukri Wakid, Director<BR>
Information Technology Laboratory<BR>
<BR>
<P ALIGN=Center>
<B>Abstract</B>
<P>
The selective application of technological and related procedural safeguards
is an important responsibility of every Federal organization in providing
adequate security to its electronic data systems. This publication specifies
two cryptographic algorithms, the Data Encryption Algorithm (DEA) and the
Triple Data Encryption Algorithm (TDEA) which may be used by Federal
organizations to protect sensitive data. Protection of data during transmission
or while in storage may be necessary to maintain the confidentiality and
integrity of the information represented by the data. The algorithms uniquely
define the mathematical steps required to transform data into a cryptographic
cipher and also to transform the cipher back to the original form. The Data
Encryption Standard is being made available for use by Federal agencies within
the context of a total security program consisting of physical security
procedures, good information management practices, and computer system/network
access controls. This revision supersedes FIPS 46-2 in its entirety.
<P>
Key words: computer security, data encryption standard, Federal Information
Processing Standard (FIPS); security.
<P>
  <HR>
<P ALIGN=Center>
<B>Federal Information<BR>
Processing Standards Publication 46-3</B>
<P ALIGN=Center>
<B>1999 October 25</B>
<P ALIGN=Center>
Announcing the
<P ALIGN=Center>
<B>DATA ENCRYPTION STANDARD</B>
<P>
Federal Information Processing Standards Publications (FIPS PUBS) are issued
by the National Institute of Standards and Technology after approval by the
Secretary of Commerce pursuant to Section 5131 of the Information Technology
Management Reform Act of 1996 (Public Law 104-106), and the Computer Security
Act of 1987 (Public Law 100-235).
<P>
<B>1. Name of Standard. </B>Data Encryption Standard (DES).
<P>
<B>2. Category of Standard.</B> Computer Security, Cryptography.
<P>
<B>3. Explanation.</B> The Data Encryption Standard (DES) specifies two FIPS
approved cryptographic algorithms as required by FIPS 140-1. When used in
conjunction with American National Standards Institute (ANSI) X9.52 standard,
this publication provides a complete description of the mathematical algorithms
for encrypting (enciphering) and decrypting (deciphering) binary coded
information. Encrypting data converts it to an unintelligible form called
cipher. Decrypting cipher converts the data back to its original form called
plaintext. The algorithms described in this standard specify both enciphering
and deciphering operations which are based on a binary number called a key.
<P>
A DEA key consists of 64 binary digits ("0"s or "1"s) of which 56 bits are
randomly generated and used directly by the algorithm. The other 8 bits,
which are not used by the algorithm, may be used for error detection. The
8 error detecting bits are set to make the parity of each 8-bit byte of the
key odd, i.e., there is an odd number of "1"s in each 8-bit byte<SUP>1</SUP>.
A TDEA key consists of three DEA keys, which is also referred to as a key
bundle. Authorized users of encrypted computer data must have the key that
was used to encipher the data in order to decrypt it. The encryption algorithms
specified in this standard are commonly known among those using the standard.
The cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data.
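<P>
The key format described above, as an added example that is not part of the
standard's text: it sets and checks odd parity on a DEA key, extracts the 56 bits
the algorithm uses, and validates a TDEA key bundle. It assumes the parity bit is
the last bit of each byte (bits 8, 16, ..., 64); the sample keys in the usage are constructed.

```python
# Added example: DEA key parity and TDEA key-bundle checks.
import secrets


def _ones(b: int) -> int:
    """Number of 1 bits in a byte value."""
    return bin(b).count("1")


def set_odd_parity(key: bytes) -> bytes:
    """Keep the 7 key bits of each byte and set its last bit so the byte has odd parity."""
    if len(key) != 8:
        raise ValueError("a DEA key is 64 bits (8 bytes)")
    return bytes((b & 0xFE) | (1 - _ones(b & 0xFE) % 2) for b in key)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the 64-bit key contains an odd number of 1 bits."""
    return len(key) == 8 and all(_ones(b) % 2 == 1 for b in key)


def effective_bits(key: bytes) -> int:
    """The 56 bits the algorithm uses: the leading 7 bits of each byte, parity dropped."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def generate_dea_key() -> bytes:
    """Random key bits from the OS CSPRNG, with the 8 parity bits then set to odd."""
    return set_odd_parity(secrets.token_bytes(8))


def check_bundle(bundle: bytes) -> list:
    """Validate a TDEA key bundle (three DEA keys) and return a list of findings."""
    if len(bundle) != 24:
        return ["bundle must be 3 x 8 bytes"]
    keys = [bundle[i:i + 8] for i in (0, 8, 16)]
    findings = [f"key {n} fails the odd-parity check"
                for n, k in enumerate(keys, 1) if not has_odd_parity(k)]
    # Three equal keys reduce encrypt-decrypt-encrypt to one DEA operation,
    # i.e. the "single DES configuration" with a 56-bit key.
    if len({effective_bits(k) for k in keys}) == 1:
        findings.append("all three keys are equal: bundle runs as single DES")
    return findings


if __name__ == "__main__":
    k1 = bytes.fromhex("133457799bbcdff1")          # constructed sample key
    print(has_odd_parity(k1), hex(effective_bits(k1)))
    print(check_bundle(k1 * 3))
```

Two 64-bit values that differ only in their parity bits are the same DEA key, so comparisons and uniqueness checks belong on the 56 effective bits.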
<P>
Data can be recovered from cipher only by using exactly the same key used
to encipher it. Unauthorized recipients of the cipher who know the algorithm
but do not have the correct key cannot derive the original data algorithmically.
However, it may be feasible to determine the key by a brute force
"exhaustion attack." Also, anyone who does have the key and the
algorithm can easily decipher the cipher and obtain the original data. A
standard algorithm based on a secure key thus provides a basis for exchanging
encrypted computer data by issuing the key used to encipher it to those
authorized to have the data.
<P>
Data that is considered sensitive by the responsible authority, data that
has a high value, or data that represents a high value should be
cryptographically protected if it is vulnerable to unauthorized disclosure
or undetected modification during transmission or while in storage. A risk
analysis should be performed under the direction of a responsible authority
to determine potential threats. The costs of providing cryptographic protection
using this standard as well as alternative methods of providing this protection
and their respective costs should be projected. A responsible authority then
should make a decision, based on these analyses, whether or not to use
cryptographic protection and this standard.
<P>
<B>4. Approving Authority.</B> Secretary of Commerce.
<P>
<B>5. Maintenance Agency.</B> U.S. Department of Commerce, National Institute
of Standards and Technology, Information Technology Laboratory.
<P>
<B>6. Applicability.</B> This standard may be used by Federal departments
and agencies when the following conditions apply:
<BLOCKQUOTE>
  1. An authorized official or manager responsible for data security or the
  security of any computer system decides that cryptographic protection is
  required; and
  <P>
  2. The data is not classified according to the National Security Act of 1947,
  as amended, or the Atomic Energy Act of 1954, as amended.
</BLOCKQUOTE>
<P>
Federal agencies or departments which use cryptographic devices for protecting
data classified according to either of these acts can use those devices for
protecting sensitive data in lieu of the standard.
<P>
Other FIPS approved cryptographic algorithms may be used in addition to,
or in lieu of, this standard when implemented in accordance with FIPS 140-1.
<P>
In addition, this standard may be adopted and used by non-Federal Government
organizations. Such use is encouraged when it provides the desired security
for commercial and private organizations.
<P>
<B>7. Applications.</B> Data encryption (cryptography) is utilized in various
applications and environments. The specific utilization of encryption and
the implementation of the DEA and TDEA will be based on many factors particular
to the computer system and its associated components. In general, cryptography
is used to protect data while it is being communicated between two points
or while it is stored in a medium vulnerable to physical theft. Communication
security provides protection to data by enciphering it at the transmitting
point and deciphering it at the receiving point. DEA forms the basis for
TDEA. File security provides protection to data by enciphering it when it
is recorded on a storage medium and deciphering it when it is read back from
the storage medium. In the first case, the key must be available at the
transmitter and receiver simultaneously during communication. In the second
case, the key must be maintained and accessible for the duration of the storage
period. FIPS 171 provides approved methods for managing the keys used by
the algorithms specified in this standard. Public-key based protocols may
also be used (e.g., ANSI X9.42).
<P>
<B>8. Implementations.</B> Cryptographic modules which implement this standard
shall conform to the requirements of FIPS 140-1. The algorithms specified
in this standard may be implemented in software, firmware, hardware, or any
combination thereof. The specific implementation may depend on several factors
such as the application, the environment, the technology used, etc.
Implementations which may comply with this standard include electronic devices
(e.g., VLSI chip packages), micro-processors using Read Only Memory (ROM),
Programmable Read Only Memory (PROM), or Electronically Erasable Read Only
Memory (EEROM), and mainframe computers using Random Access Memory (RAM).
When an algorithm is implemented in software or firmware, the processor on
which the algorithm runs must be specified as part of the validation process.
Implementations of an algorithm which are tested and validated by NIST will
be considered as complying with the standard. Note that FIPS 140-1 places
additional requirements on cryptographic modules for Government use. Information
about devices that have been validated and procedures for testing and validating
equipment for conformance with this standard and FIPS 140-1 are available
from the National Institute of Standards and Technology, Information Technology
Laboratory, Gaithersburg, MD 20899.
<P>
<B>9. Export Control.</B> Cryptographic devices and technical data regarding
them are subject to Federal Government export controls and exports of
cryptographic modules implementing this standard and technical data regarding
them must comply with these Federal regulations and be licensed by the Bureau
of Export Administration of the U.S. Department of Commerce.
<P>
<B>10. Patents.</B> Cryptographic devices implementing this standard may
be covered by U.S. and foreign patents, including patents issued to the
International Business Machines Corporation. However, IBM has granted
nonexclusive, royalty-free licenses under the patents to make, use and sell
apparatus which complies with the standard. The terms, conditions and scope
of the licenses are set out in notices published in the May 13, 1975 and
August 31, 1976 issues of the Official Gazette of the United States Patent
and Trademark Office (934 O.G. 452 and 949 O.G. 1717).
<P>
<B>11. Alternative Modes of Using the DEA and TDEA.</B> FIPS PUB 81, DES
Modes of Operation, describes four different modes for using DEA described
in this standard. These four modes are called the Electronic Codebook (ECB)
mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode,
and the Output Feedback (OFB) mode. ECB is a direct application of the DES
algorithm to encrypt and decrypt data; CBC is an enhanced mode of ECB which
chains together blocks of cipher text; CFB uses previously generated cipher
text as input to the DES to generate pseudorandom outputs which are combined
with the plaintext to produce cipher, thereby chaining together the resulting
cipher; OFB is identical to CFB except that the previous output of the DES
is used as input in OFB while the previous cipher is used as input in CFB.
OFB does not chain the cipher.
<P>
The X9.52 standard, "Triple Data Encryption Algorithm Modes of
Operation" describes seven different modes for using TDEA described
in this standard. These seven modes are called the TDEA Electronic Codebook
Mode of Operation (TECB) mode, the TDEA Cipher Block Chaining Mode of Operation
(TCBC), the TDEA Cipher Block Chaining Mode of Operation - Interleaved (TCBC-I),
the TDEA Cipher Feedback Mode of Operation (TCFB), the TDEA Cipher Feedback
Mode of Operation - Pipelined (TCFB-P), the TDEA Output Feedback Mode of
Operation (TOFB), and the TDEA Output Feedback Mode of Operation - Interleaved
(TOFB-I). The TECB, TCBC, TCFB and TOFB modes are based upon the ECB, CBC,
CFB and OFB modes respectively obtained by substituting the DEA
encryption/decryption operation with the TDEA encryption/decryption operation.
<P>
<B>12. Implementation of this standard.</B> This standard became effective
July 1977. It was reaffirmed in 1983, 1988, 1993, and 1999.
It applies to all Federal agencies, contractors of Federal agencies, or other
organizations that process information (using a computer or telecommunications
system) on behalf of the Federal Government to accomplish a Federal function.
Each Federal agency or department may issue internal directives for the use
of this standard by their operating units based on their data security
requirement determinations.
<P>
With this modification of the FIPS 46-2 standard:
<BLOCKQUOTE>
  1. Triple DES (i.e., TDEA), as specified in ANSI X9.52 will be recognized
  as a FIPS approved algorithm.
  <P>
  2. Triple DES will be the FIPS approved symmetric encryption algorithm of
  choice.
  <P>
  3. Single DES (i.e., DEA) will be permitted for legacy systems only. New
  procurements to support legacy systems should, where feasible, use Triple
  DES products running in the single DES configuration.
  <P>
  4. Government organizations with legacy DES systems are encouraged to transition
  to Triple DES based on a prudent strategy that matches the strength of the
  protective measures against the associated risk.
</BLOCKQUOTE>
<P>
Note: It is anticipated that triple DES and the Advanced Encryption Standard
(AES) will coexist as FIPS approved algorithms allowing for a gradual transition
to AES. (The AES is a new symmetric-based encryption standard under development
by NIST. AES is intended to provide strong cryptographic security for the
protection of sensitive information well into the 21st century.)
<P>
NIST provides technical assistance to Federal agencies in implementing data
encryption through the issuance of standards, guidelines and through individual
reimbursable projects.
<P>
<B>13. Specifications.</B> Federal Information Processing Standard (FIPS)
46-3, Data Encryption Standard (DES) (affixed).
<P>
<B>14. Cross Index.</B>
<BLOCKQUOTE>
  a. FIPS PUB 31, Guidelines to ADP Physical Security and Risk Management.
  <P>
  b. FIPS PUB 39, Glossary for Computer Systems Security.
  <P>
  c. FIPS PUB 73, Guidelines for Security of Computer Applications.
  <P>
  d. FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption
  Standard.
  <P>
  e. FIPS PUB 81, DES Modes of Operation.
  <P>
  f. FIPS PUB 87, Guidelines for ADP Contingency Planning.
  <P>
  g. FIPS PUB 112, Password Usage.
  <P>
  h. FIPS PUB 113, Computer Data Authentication.
  <P>
  i. FIPS PUB 140-1, Security Requirements for Cryptographic Modules.
  <P>
  j. FIPS PUB 171, Key Management Using ANSI X9.17.
  <P>
  k. ANSI X9.42, Agreement of Symmetric Keys on Using Diffie-Hellman and MQV
  Algorithms
  <P>
  l. ANSI X9.52, Triple Data Encryption Algorithm Modes of Operation
</BLOCKQUOTE>
<P>
<B>15. Qualifications.</B>
<P>
Both this standard and possible threats reducing the security provided through
the use of this standard will undergo review by NIST as appropriate, taking
into account newly available technology. In addition, the awareness of any
breakthrough in technology or any mathematical weakness of the algorithm
will cause NIST to reevaluate this standard and provide necessary revisions.
<P>
With regard to the use of single DES, exhaustion of the DES (i.e., breaking
a DES encrypted ciphertext by trying all possible keys) has become increasingly
more feasible with technology advances. Following a recent hardware based
DES key exhaustion attack, NIST can no longer support the use of single DES
for many applications. Therefore, Government agencies with legacy single
DES systems are encouraged to transition to Triple DES. Agencies are advised
to implement Triple DES when building new systems.
<P>
<B>16. Comments.</B> Comments and suggestions regarding this standard and
its use are welcomed and should be addressed to the National Institute of
Standards and Technology, Attn: Director, Information Technology Laboratory,
Gaithersburg, MD 20899.
<P>
<B>17. Waiver Procedure.</B> Under certain exceptional circumstances, the
heads of Federal departments and agencies may approve waivers to Federal
Information Processing Standards (FIPS). The head of such agency may redelegate
such authority only to a senior official designated pursuant to section 3506(b)
of Title 44, United States Code. Waiver shall be granted only when:
<BLOCKQUOTE>
  a. Compliance with a standard would adversely affect the accomplishment of
  the mission of an operator of a Federal computer system; or
  <P>
  b. Compliance with a standard would cause a major adverse financial impact
  on the operator which is not offset by Government-wide savings.
</BLOCKQUOTE>
<P>
Agency heads may act upon a written waiver request containing the information
detailed above. Agency heads may also act without a written waiver request
when they determine that conditions for meeting the standard cannot be met.
Agency heads may approve waivers only by a written decision which explains
the basis on which the agency head made the required finding(s). A copy of
each decision, with procurement sensitive or classified portions clearly
identified, shall be sent to: National Institute of Standards and Technology;
ATTN: FIPS Waiver Decisions, 100 Bureau Drive, Stop 8970, Gaithersburg, MD
20899-8970.
<P>
In addition, notice of each waiver granted and each delegation of authority
to approve waivers shall be sent promptly to the Committee on Government
Operations of the House of Representatives and the Committee on Government
Affairs of the Senate and shall be published promptly in the Federal Register.
<P>
When the determination on a waiver applies to the procurement of equipment
and/or services, a notice of the waiver determination must be published in
the Commerce Business Daily as a part of the notice of solicitation for offers
of an acquisition or, if the waiver determination is made after that notice
is published, by amendment to such notice.
<P>
A copy of the waiver, any supporting documents, the document approving the
waiver and any accompanying documents, with such deletions as the agency
is authorized and decides to make under 5 United States Code Section 552(b),
shall be part of the procurement documentation and retained by the agency.
<P>
<B>18. Special Information.</B> In accordance with the Qualifications Section
of this standard, reviews of this standard have been conducted every 5 years
since its adoption in 1977. The standard was reaffirmed during each of those
reviews. This revision to the text of the standard contains changes which
allow software implementations of the algorithm, permit the use of other
FIPS approved cryptographic algorithms, and designate Triple DES (i.e., TDEA) 
as a FIPS approved cryptographic algorithm.
<P>
<B>19. Where to Obtain Copies of the Standard.</B> Copies of this publication
are for sale by the National Technical Information Service, U.S. Department
of Commerce, Springfield, VA 22161. When ordering, refer to Federal Information
Processing Standards Publication 46-3 (FIPSPUB463), and identify the title.
When microfiche is desired, this should be specified. Prices are published
by NTIS in current catalogs and other issuances. Payment may be made by check,
money order, deposit account or charged to a credit card accepted by NTIS.
<P>
_________________
<P>
<SUP>1</SUP> Sometimes keys are generated in an encrypted form. A random
64-bit number is generated and defined to be the cipher formed by the encryption
of a key using a key encrypting key. In this case the parity bits of the
encrypted key cannot be set until after the key is decrypted.
<P>
<P>
<HR>
<P ALIGN=Center>
<B>Federal Information<BR>
Processing Standards Publication 46-3</B>
<P ALIGN=Center>
<B>1999 October 25</B>
<P ALIGN=Center>
SPECIFICATIONS FOR THE<BR>
<P ALIGN=Center>
<B>DATA ENCRYPTION STANDARD (DES)</B><BR>
<P>
The Data Encryption Standard (DES) shall consist of the following Data Encryption
Algorithm (DEA) and Triple Data Encryption Algorithm (TDEA, as described
in ANSI X9.52). These devices shall be designed in such a way that they may
be used in a computer system or network to provide cryptographic protection
to binary coded data. The method of implementation will depend on the application
and environment. The devices shall be implemented in such a way that they
may be tested and validated as accurately performing the transformations
specified in the following algorithms.
<P ALIGN=Center>
<B>DATA ENCRYPTION ALGORITHM</B>
<P>
<B><I>Introduction</I></B>
<P>
The algorithm is designed to encipher and decipher blocks of data consisting
of 64 bits under control of a 64-bit key.<SUP>**</SUP> Deciphering must be
accomplished by using the same key as for enciphering, but with the schedule
of addressing the key bits altered so that the deciphering process is the
reverse of the enciphering process. A block to be enciphered is subjected
to an initial permutation <B><I>IP</I></B>, then to a complex key-dependent
computation and finally to a permutation which is the inverse of the initial
permutation <I><B>IP<SUP>-1</SUP></B></I>. The key-dependent computation
can be simply defined in terms of a function <B><I>f</I></B>, called the
cipher function, and a function <B><I>KS</I></B>, called the key schedule.
A description of the computation is given first, along with details as to
how the algorithm is used for encipherment. Next, the use of the algorithm
for decipherment is described. Finally, a definition of the cipher function
<B><I>f</I></B> is given in terms of primitive functions which are called
the selection functions <B><I>S<SUB>i</SUB></I></B> and the permutation function
<B><I>P</I></B>. <B><I>S<SUB>i</SUB></I></B>, <B><I>P</I></B> and
<B><I>KS</I></B> of the algorithm are contained in the Appendix.
<P>
___________________
<P>
<SUP>**</SUP> Blocks are composed of bits numbered from left to right, i.e.,
the left most bit of a block is bit one.
<P ALIGN=Center>
<IMG WIDTH="480" HEIGHT="655" SRC="fip46-31.gif">
<P ALIGN=Center>
<B>Figure 1</B>
<P>
The following notation is convenient: Given two blocks <B><I>L</I></B> and
<B><I>R</I></B> of bits, <B><I>LR</I></B> denotes the block consisting of
the bits of <B><I>L</I></B> followed by the bits of <B><I>R</I></B>. Since
concatenation is associative,
<B><I>B<SUB>1</SUB>B<SUB>2</SUB>...B<SUB>8</SUB></I></B>, for example, denotes
the block consisting of the bits of <B><I>B<SUB>1</SUB></I></B> followed
by the bits of <B><I>B<SUB>2</SUB></I></B>...followed by the bits of
<B><I>B<SUB>8</SUB></I></B>.
<P>
<B><I>Enciphering</I></B>
<P>
A sketch of the enciphering computation is given in <B>Figure 1.</B>
<P>
The 64 bits of the input block to be enciphered are first subjected to the
following permutation, called the initial permutation
<B><I>IP</I></B>:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<B><I><U>IP</U></I></B></TD>
    </TR>
    <TR>
      <TD><PRE>58  50  42  34  26  18  10  2
60  52  44  36  28  20  12  4
62  54  46  38  30  22  14  6
64  56  48  40  32  24  16  8
57  49  41  33  25  17   9  1
59  51  43  35  27  19  11  3
61  53  45  37  29  21  13  5
63  55  47  39  31  23  15  7
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
That is the permuted input has bit 58 of the input as its first bit, bit
50 as its second bit, and so on with bit 7 as its last bit. The permuted
input block is then the input to a complex key-dependent computation described
below. The output of that computation, called the preoutput, is then subjected
to the following permutation which is the inverse of the initial
permutation:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<U><I><B>IP</B></I></U><I><B><SUP>-1</SUP></B></I></TD>
    </TR>
    <TR>
      <TD><PRE>40  8  48  16  56  24  64  32
39  7  47  15  55  23  63  31
38  6  46  14  54  22  62  30
37  5  45  13  53  21  61  29
36  4  44  12  52  20  60  28
35  3  43  11  51  19  59  27
34  2  42  10  50  18  58  26
33  1  41   9  49  17  57  25
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
That is, the output of the algorithm has bit 40 of the preoutput block as
its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput
block is the last bit of the output.
<P>
The computation which uses the permuted input block as its input to produce
the preoutput block consists, but for a final interchange of blocks, of 16
iterations of a calculation that is described below in terms of the cipher
function f which operates on two blocks, one of 32 bits and one of 48 bits,
and produces a block of 32 bits.
<P>
Let the 64 bits of the input block to an iteration consist of a 32 bit block
<B><I>L</I></B> followed by a 32 bit block <B><I>R</I></B>. Using the notation
defined in the introduction, the input block is then <B><I>LR</I></B>.
<P>
Let <B><I>K</I></B> be a block of 48 bits chosen from the 64-bit key. Then
the output <B><I>L'R'</I></B> of an iteration with input <B><I>LR</I></B>
is defined by:
<P>
(1)
<P ALIGN=Center>
<B><I>L'</I></B> = <B><I>R</I></B>
<P ALIGN=Center>
<B><I>R'</I></B> = <B><I>L</I></B> (+) <B><I>f(R,K)</I></B>
<P>
where (+) denotes bit-by-bit addition modulo 2.
<P>
As remarked before, the input of the first iteration of the calculation is
the permuted input block. If <B><I>L'R'</I></B> is the output of the 16th
iteration then <B><I>R'L'</I></B> is the preoutput block. At each iteration
a different block <B>K</B> of key bits is chosen from the 64-bit key designated
by <B><I>KEY</I></B>.
<P>
With more notation we can describe the iterations of the computation in more
detail. Let <B>KS</B> be a function which takes an integer n in the range
from 1 to 16 and a 64-bit block <B><I>KEY</I></B> as input and yields as
output a 48-bit block <B><I>K</I></B><I><SUB>n</SUB></I> which is a permuted
selection of bits from <B><I>KEY</I></B>. That is
<P>
(2)
<P ALIGN=Center>
<B><I>K</I></B><I><SUB>n</SUB></I> =
<B><I>KS(</I></B><I>n</I><B><I>,KEY)</I></B>
<P>
with <B><I>K</I></B><I><SUB>n</SUB></I> determined by the bits in 48 distinct
bit positions of <B><I>KEY</I></B>. <B><I>KS</I></B> is called the key schedule
because the block <B><I>K</I></B> used in the <I>n</I>'th iteration of (1)
is the block <B><I>K</I></B><I><SUB>n</SUB></I> determined by (2).
<P>
As before, let the permuted input block be <B>LR</B>. Finally, let
<B><I>L</I></B><SUB>0</SUB> and <B><I>R</I></B><SUB>0</SUB> be respectively
<B><I>L</I></B> and <B><I>R</I></B> and let
<B><I>L</I></B><SUB><I>n</I></SUB> and <I><B>R</B><SUB>n</SUB></I> be
respectively <B><I>L'</I></B> and <B><I>R'</I></B> of (1) when
<B><I>L</I></B> and <B><I>R</I></B> are respectively
<B><I>L</I></B><I><SUB>n-1</SUB></I> and
<B><I>R</I></B><I><SUB>n-1</SUB></I> and <B><I>K</I></B> is
<B><I>K</I></B><I><SUB>n</SUB></I>; that is, when <I>n</I> is in the range
from 1 to 16,
<P>
(3)
<P ALIGN=Center>
<I><B>L</B><SUB>n</SUB></I> =
<B><I>R</I></B><I><SUB>n-1</SUB></I>
<P ALIGN=Center>
<B><I>R</I></B><I><SUB>n</SUB></I> =
<B><I>L</I></B><I><SUB>n-1</SUB></I> (+)
<B><I>f(R</I></B><I><SUB>n-1</SUB></I><B><I>,K</I></B><I><SUB>n</SUB></I><B><I>)</I></B>
<P>
The preoutput block is then
<I><B>R</B><SUB>16</SUB><B>L</B><SUB>16</SUB></I>.
<P>
The key schedule <B><I>KS</I></B> of the algorithm is described in detail
in the Appendix. The key schedule produces the 16
<I><B>K</B><SUB>n</SUB></I> which are required for the algorithm.
<P>
<B><I>Deciphering</I></B>
<P>
The permutation <B><I>IP<SUP>-1</SUP></I></B> applied to the preoutput block
is the inverse of the initial permutation <B><I>IP</I></B> applied to the
input. Further, from (1) it follows that:
<P>
(4)
<P ALIGN=Center>
<B><I>R</I></B> = <B><I>L'</I></B>
<P ALIGN=Center>
<B><I>L</I></B> = <B><I>R'</I></B> (+) <B><I>f(L',K)</I></B>
<P>
Consequently, to <B><I>decipher</I></B> it is only necessary to apply the
<B><I>very same algorithm to an enciphered message block</I></B>, taking
care that at each iteration of the computation <B><I>the same block of key
bits </I>K<I> is used</I></B> during decipherment as was used during the
encipherment of the block. Using the notation of the previous section, this
can be expressed by the equations:
<P>
(5)
<P ALIGN=Center>
<I><B>R</B><SUB>n-1</SUB></I> = <I><B>L</B><SUB>n</SUB></I>
<P ALIGN=Center>
<I><B>L</B><SUB>n-1</SUB></I> = <I><B>R</B><SUB>n</SUB></I> (+)
<B><I>f(L</I></B><I><SUB>n</SUB></I><B><I>,K</I></B><I><SUB>n</SUB></I><B><I>)</I></B>
<P>
where now <I><B>R</B><SUB>16</SUB><B>L</B><SUB>16</SUB></I> is the permuted
input block for the deciphering calculation and
<I><B>L</B><SUB>0</SUB><B>R</B><SUB>0</SUB></I> is the preoutput block. That
is, for the decipherment calculation with <I><B>R</B><SUB>16</SUB><B>L</B><SUB>16</SUB></I> as the permuted input,
<I><B>K</B><SUB>16</SUB></I> is used in the first iteration,
<I><B>K</B><SUB>15</SUB></I> in the second, and so on, with
<I><B>K</B><SUB>1</SUB></I> used in the 16th iteration.
<P>
<B><I>The Cipher Function</I> f</B>
<P>
A sketch of the calculation of <B><I>f(R,K)</I></B> is given in <B>Figure
2</B>.
<P ALIGN=Center>
<IMG WIDTH="478" HEIGHT="350" SRC="fip46-32.gif">
<P ALIGN=Center>
<B>Figure 2</B>
<P>
Let <B><I>E</I></B> denote a function which takes a block of 32 bits as input
and yields a block of 48 bits as output. Let <B><I>E</I></B> be such that
the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained
by selecting the bits in its inputs in order according to the following
table:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<B><U><I>E</I> BIT-SELECTION TABLE</U></B></TD>
    </TR>
    <TR>
      <TD><PRE> 32   1   2   3   4   5
  4   5   6   7   8   9
  8   9  10  11  12  13
 12  13  14  15  16  17
 16  17  18  19  20  21
 20  21  22  23  24  25
 24  25  26  27  28  29
 28  29  30  31  32   1
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
Thus the first three bits of <B><I>E(R) </I></B>are the bits in positions
32, 1 and 2 of <B><I>R</I></B> while the last 2 bits of E(R) are the bits
in positions 32 and 1.
<P>
Each of the unique selection functions
<I><B>S</B><SUB>1</SUB></I>,<I><B>S</B><SUB>2</SUB></I>,...,<I><B>S</B><SUB>8</SUB></I>,
takes a 6-bit block as input and yields a 4-bit block as output and is
illustrated by using a table containing the recommended
<I><B>S</B><SUB>1</SUB></I>:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<U><B><I>S</I></B><SUB>1</SUB></U><BR>
      </TD>
    </TR>
    <TR>
      <TD><PRE>                              Column Number
Row
No.   <U>0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15</U>

  0  14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
  1   0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
  2   4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
  3  15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
If <I><B>S</B><SUB>1</SUB></I> is the function defined in this table and
<B><I>B</I></B> is a block of 6 bits, then
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>(B)</I></B> is determined as follows:
The first and last bits of <B><I>B</I></B> represent in base 2 a number in
the range 0 to 3. Let that number be <I>i</I>. The middle 4 bits of
<B><I>B</I></B> represent in base 2 a number in the range 0 to 15. Let that
number be <I>j</I>. Look up in the table the number in the <I>i</I>'th row
and <I>j</I>'th column. It is a number in the range 0 to 15 and is uniquely
represented by a 4 bit block. That block is the output
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>(B)</I></B> of
<I><B>S</B><SUB>1</SUB></I> for the input <B><I>B</I></B>. For example, for
input 011011 the row is 01, that is row 1, and the column is determined by
1101, that is column 13. In row 1 column 13 appears 5 so that the output
is 0101. Selection functions
<I><B>S</B><SUB>1</SUB><B>,S</B><SUB>2</SUB><B>,...,S</B><SUB>8</SUB></I>
of the algorithm appear in the Appendix.
<P>
The permutation function <B><I>P</I></B> yields a 32-bit output from a 32-bit
input by permuting the bits of the input block. Such a function is defined
by the following table:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<B><I><U>P</U></I></B></TD>
    </TR>
    <TR>
      <TD><PRE>16   7  20  21
29  12  28  17
 1  15  23  26
 5  18  31  10
 2   8  24  14
32  27   3   9
19  13  30   6
22  11   4  25
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
The output <B><I>P(L)</I></B> for the function <B><I>P</I></B> defined by
this table is obtained from the input <B><I>L</I></B> by taking the 16th
bit of <B><I>L</I></B> as the first bit of <B><I>P(L)</I></B>, the 7th bit
as the second bit of <B><I>P(L)</I></B>, and so on until the 25th bit of
<B><I>L</I></B> is taken as the 32nd bit of <B><I>P(L)</I></B>. The permutation
function <B><I>P</I></B> of the algorithm is repeated in the Appendix.
<P>
Now let
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>,...,S</I></B><I><SUB>8</SUB></I>
be eight distinct selection functions, let <B><I>P</I></B> be the permutation
function and let <B><I>E</I></B> be the function defined above.
<P>
To define <B><I>f(R,K)</I></B> we first define
<B><I>B</I></B><I><SUB>1</SUB></I><B><I>,...,B</I></B><I><SUB>8</SUB></I>
to be blocks of 6 bits each for which
<P>
(6)
<P ALIGN=Center>
<B><I>B</I></B><I><SUB>1</SUB></I><B><I>B</I></B><I><SUB>2</SUB></I><B><I>...B</I></B><I><SUB>8</SUB></I>
= <B><I>K</I></B> (+) <B><I>E(R)</I></B>
<P>
The block <B><I>f(R,K)</I></B> is then defined to be
<P>
(7)
<P ALIGN=Center>
<B><I>P(S</I></B><I><SUB>1</SUB></I><B><I>(B</I></B><I><SUB>1</SUB></I><B><I>)S</I></B><I><SUB>2</SUB></I><B><I>(B</I></B><I><SUB>2</SUB></I><B><I>)...S</I></B><I><SUB>8</SUB></I><B><I>(B</I></B><I><SUB>8</SUB></I><B><I>))</I></B>
<P>
Thus <B><I>K</I></B> (+) <B><I>E(R)</I></B> is first divided into the 8 blocks
as indicated in (6). Then each <I><B>B</B><SUB>i</SUB></I> is taken as an
input to <B><I>S</I></B><I><SUB>i</SUB></I> and the 8 blocks
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>(B</I></B><I><SUB>1</SUB></I><B><I>),S</I></B><I><SUB>2</SUB></I><B><I>(B</I></B><I><SUB>2</SUB></I><B><I>)...S</I></B><I><SUB>8</SUB></I><B><I>(B</I></B><I><SUB>8</SUB></I><B><I>)</I></B>
of 4 bits each are consolidated into a single block of 32 bits which forms
the input to <B><I>P</I></B>. The output (7) is then the output of the function
<B><I>f</I></B> for the inputs <B><I>R</I></B> and <B><I>K</I></B>.
<P ALIGN=Center>
<B>TRIPLE DATA ENCRYPTION ALGORITHM</B>
<P>
Let <I><B>E</B><SUB>K</SUB><B>(I)</B></I> and
<B><I>D</I></B><I><SUB>K</SUB></I><B><I>(I) </I></B>represent the DEA encryption
and decryption of <B><I>I</I></B> using DEA key <B><I>K</I></B> respectively.
Each TDEA encryption/decryption operation (as specified in ANSI X9.52) is
a compound operation of DEA encryption and decryption operations. The following
operations are used:
<BLOCKQUOTE>
  1. TDEA encryption operation: the transformation of a 64-bit block <B><I>I</I></B> into
  a 64-bit block <B><I>O</I></B> that is defined as follows:
  <P ALIGN=Center>
  <B><I>O</I></B> =
  <B><I>E</I></B><I><SUB>K3</SUB></I><B><I>(D</I></B><I><SUB>K2</SUB></I><B><I>(E</I></B><I><SUB>K1</SUB></I><B><I>(I)))</I></B>.
  <P>
  2. TDEA decryption operation: the transformation of a 64-bit block <B><I>I</I></B> into
  a 64-bit block <B><I>O</I></B> that is defined as follows:
  <P ALIGN=Center>
  <B><I>O </I></B>=
  <B><I>D</I></B><I><SUB>K1</SUB></I><B><I>(E</I></B><I><SUB>K2</SUB></I><B><I>(D</I></B><I><SUB>K3</SUB></I><B><I>(I)))</I></B>
</BLOCKQUOTE>
<P>
The standard specifies the following keying options for bundle
<B><I>(K</I></B><I><SUB>1</SUB></I><B><I>,
K</I></B><I><SUB>2</SUB></I><B><I>,
K</I></B><I><SUB>3</SUB></I><B><I>)</I></B>
<BLOCKQUOTE>
  1. Keying Option 1: <B><I>K</I></B><I><SUB>1</SUB></I><B><I>,
  K</I></B><I><SUB>2</SUB></I><B><I>, </I></B>and<B><I>
  K</I></B><I><SUB>3</SUB></I> are independent keys;
  <P>
  2. Keying Option 2: <B><I>K</I></B><I><SUB>1</SUB></I><B><I>
  </I></B>and<B><I> K</I></B><I><SUB>2</SUB></I> are independent keys and
  <I><B>K</B><SUB>3</SUB></I> = <I><B>K</B><SUB>1</SUB></I>;
  <P>
  3. Keying Option 3: <B><I>K</I></B><I><SUB>1</SUB> =
  </I><B><I>K</I></B><I><SUB>2</SUB></I><B><I> </I></B><I>=</I><B><I>
  K</I></B><I><SUB>3</SUB></I>.
</BLOCKQUOTE>
<P>
A TDEA mode of operation is backward compatible with its single DEA counterpart
if, with compatible keying options for TDEA operation,
<BLOCKQUOTE>
  1. an encrypted plaintext computed using a single DEA mode of operation can
  be decrypted correctly by a corresponding TDEA mode of operation; and
  <P>
  2. an encrypted plaintext computed using a TDEA mode of operation can be
  decrypted correctly by a corresponding single DEA mode of operation.
</BLOCKQUOTE>
<P>
When using Keying Option 3 <B><I>(K</I></B><I><SUB>1</SUB> =
</I><B><I>K</I></B><I><SUB>2</SUB></I><B><I> </I></B><I>=</I><B><I>
K</I></B><I><SUB>3</SUB></I><B><I>)</I></B>, TECB, TCBC, TCFB and TOFB modes
are backward compatible with single DEA modes of operation ECB, CBC, CFB,
OFB respectively.
<P>
The diagram in Appendix 2 illustrates TDEA encryption and TDEA decryption.
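<P>
The TDEA operations, keying options and backward-compatibility property above, as an added Python example that is not part of the standard's text. The DEA primitive is passed in as a pair of callables; so that the block runs on its own, a small 64-bit Feistel stand-in (<CODE>toy_encrypt</CODE>/<CODE>toy_decrypt</CODE>, hypothetical and not DEA) takes its place. The compatibility result depends only on <B><I>D</I></B><I><SUB>K</SUB></I> undoing <B><I>E</I></B><I><SUB>K</SUB></I>, so it carries over to DEA unchanged.

```python
# Added example (not part of the standard): TDEA as E-D-E over a block primitive.
import hashlib


def _round(half, key, i):
    """Round function of the stand-in cipher (an assumption made here, NOT DEA)."""
    data = key.to_bytes(8, "big") + bytes([i]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(block, key):
    l, r = block >> 32, block & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _round(r, key, i)
    return (l << 32) | r


def toy_decrypt(block, key):
    l, r = block >> 32, block & 0xFFFFFFFF
    for i in reversed(range(4)):
        l, r = r ^ _round(l, key, i), l
    return (l << 32) | r


def tdea_encrypt(i, k1, k2, k3, enc=toy_encrypt, dec=toy_decrypt):
    """O = E_K3(D_K2(E_K1(I)))"""
    return enc(dec(enc(i, k1), k2), k3)


def tdea_decrypt(i, k1, k2, k3, enc=toy_encrypt, dec=toy_decrypt):
    """O = D_K1(E_K2(D_K3(I)))"""
    return dec(enc(dec(i, k3), k2), k1)


def keying_option(k1, k2, k3):
    """Return 1, 2 or 3 for the bundle (K1, K2, K3), or None if it fits none."""
    if k1 == k2 == k3:
        return 3              # E_K(D_K(E_K(I))) = E_K(I): same as single DEA
    if k1 == k2 or k2 == k3:
        return None           # an adjacent E/D pair cancels, leaving one DEA pass
    return 2 if k1 == k3 else 1
```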
<P>
  <HR>
<P ALIGN=Center>
<B>APPENDIX 1</B>
<P ALIGN=Center>
<B>PRIMITIVE FUNCTIONS FOR THE<BR>
DATA ENCRYPTION ALGORITHM</B>
<P>
The choice of the primitive functions <B><I>KS</I></B>,
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>,...,S</I></B><I><SUB>8</SUB></I>
and <B><I>P</I></B> is critical to the strength of an encipherment resulting
from the algorithm. Specified below is the recommended set of functions,
describing
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>,...,S</I></B><I><SUB>8</SUB></I>
and <B><I>P</I></B> in the same way they are described in the algorithm.
For the interpretation of the tables describing these functions, see the
discussion in the body of the algorithm.
<P>
The primitive functions
<B><I>S</I></B><I><SUB>1</SUB></I><B><I>,...,S</I></B><I><SUB>8</SUB></I>
are:
<P>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>1</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE>14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
 0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
 4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>2</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE>15   1   8  14   6  11   3   4   9   7   2  13  12   0   5  10
 3  13   4   7  15   2   8  14  12   0   1  10   6   9  11   5
 0  14   7  11  10   4  13   1   5   8  12   6   9   3   2  15
13   8  10   1   3  15   4   2  11   6   7  12   0   5  14   9
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>3</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE>10   0   9  14   6   3  15   5   1  13  12   7  11   4   2   8
13   7   0   9   3   4   6  10   2   8   5  14  12  11  15   1
13   6   4   9   8  15   3   0  11   1   2  12   5  10  14   7
 1  10  13   0   6   9   8   7   4  15  14   3  11   5   2  12
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>4</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE> 7  13  14   3   0   6   9  10   1   2   8   5  11  12   4  15
13   8  11   5   6  15   0   3   4   7   2  12   1  10  14   9
10   6   9   0  12  11   7  13  15   1   3  14   5   2   8   4
 3  15   0   6  10   1  13   8   9   4   5  11  12   7   2  14
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>5</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE> 2  12   4   1   7  10  11   6   8   5   3  15  13   0  14   9
14  11   2  12   4   7  13   1   5   0  15  10   3   9   8   6
 4   2   1  11  10  13   7   8  15   9  12   5   6   3   0  14
11   8  12   7   1  14   2  13   6  15   0   9  10   4   5   3
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>6</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE>12   1  10  15   9   2   6   8   0  13   3   4  14   7   5  11
10  15   4   2   7  12   9   5   6   1  13  14   0  11   3   8
 9  14  15   5   2   8  12   3   7   0   4  10   1  13  11   6
 4   3   2  12   9   5  15  10  11  14   1   7   6   0   8  13
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>7</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE> 4  11   2  14  15   0   8  13   3  12   9   7   5  10   6   1
13   0  11   7   4   9   1  10  14   3   5  12   2  15   8   6
 1   4  11  13  12   3   7  14  10  15   6   8   0   5   9   2
 6  11  13   8   1   4  10   7   9   5   0  15  14   2   3  12
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<I><B>S</B><SUB>8</SUB></I></TD>
    </TR>
    <TR>
      <TD><PRE>13   2   8   4   6  15  11   1  10   9   3  14   5   0  12   7
 1  15  13   8  10   3   7   4  12   5   6  11   0  14   9   2
 7  11   4   1   9  12  14   2   0   6  10  13  15   3   5   8
 2   1  14   7   4  10   8  13  15  12   9   0   3   5   6  11
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
The primitive function <B><I>P</I></B> is:
<P ALIGN=Left>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><PRE>16   7  20  21
29  12  28  17
 1  15  23  26
 5  18  31  10
 2   8  24  14
32  27   3   9
19  13  30   6
22  11   4  25
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
Recall that <B><I>K</I></B><I><SUB>n</SUB></I>, for
1 &le; <I>n</I> &le; 16, is the block of 48 bits in (2) of the
algorithm. Hence, to describe <I><B>KS</B></I>, it is sufficient to describe
the calculation of <B><I>K</I></B><I><SUB>n</SUB></I> from
<B><I>KEY</I></B> for <I>n</I> = 1, 2,..., 16. That calculation is illustrated
in <B>Figure 3</B>. To complete the definition of <B><I>KS</I></B> it is
therefore sufficient to describe the two permuted choices, as well as the
schedule of left shifts. One bit in each 8-bit byte of the
<B><I>KEY</I></B> may be utilized for error detection in key generation,
distribution and storage. Bits 8, 16,..., 64 are for use in assuring that
each byte is of odd parity.
<P>
Permuted choice 1 is determined by the following table:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<B><I><U>PC-</U></I><U>1</U></B></TD>
    </TR>
    <TR>
      <TD><PRE>57  49  41  33  25  17   9
 1  58  50  42  34  26  18
10   2  59  51  43  35  27
19  11   3  60  52  44  36
63  55  47  39  31  23  15
 7  62  54  46  38  30  22
14   6  61  53  45  37  29
21  13   5  28  20  12   4
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
The table has been divided into two parts, with the first part determining
how the bits of <I><B>C</B><SUB>0</SUB></I> are chosen, and the second part
determining how the bits of <I><B>D</B><SUB>0</SUB></I> are chosen. The
bits of <B><I>KEY</I></B> are numbered 1 through 64. The bits of
<I><B>C</B><SUB>0</SUB></I> are respectively bits 57, 49, 41,..., 44 and
36 of <B><I>KEY</I></B>, with the bits of <I><B>D</B><SUB>0</SUB></I> being bits 63, 55,
47,..., 12 and 4 of <B><I>KEY</I></B>.
<P>
With <I><B>C</B><SUB>0</SUB></I> and <I><B>D</B><SUB>0</SUB></I> defined,
we now define how the blocks <I><B>C</B><SUB>n</SUB></I> and
<I><B>D</B><SUB>n</SUB></I> are obtained from the blocks
<I><B>C</B><SUB>n-1</SUB></I> and <I><B>D</B><SUB>n-1</SUB></I>, respectively,
for <I>n</I> = 1, 2,..., 16. That is accomplished by adhering to the following
schedule of left shifts of the individual blocks:
<P ALIGN=Center>
<IMG WIDTH="475" HEIGHT="602" SRC="fip46-33.gif">
<P ALIGN=Center>
<B>Figure 3</B>
<P>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><B>Iteration</B><BR>
	<U><B>Number</B></U></TD>
      <TD>&nbsp; &nbsp; </TD>
      <TD><P ALIGN=Center>
	<B>Number of</B><BR>
	<U><B>Left Shifts</B></U></TD>
    </TR>
    <TR>
      <TD><PRE>   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16

</PRE>
      </TD>
      <TD></TD>
      <TD><PRE>   1
   1
   2
   2
   2
   2
   2
   2
   1
   2
   2
   2
   2
   2
   2
   1

</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
For example, <I><B>C</B><SUB>3</SUB></I> and
<I><B>D</B><SUB>3</SUB></I> are obtained from
<I><B>C</B><SUB>2</SUB></I> and <I><B>D</B><SUB>2</SUB></I>, respectively,
by two left shifts, and <I><B>C</B><SUB>16</SUB></I> and
<B><I>D</I></B><I><SUB>16</SUB></I> are obtained from
<I><B>C</B><SUB>15</SUB></I> and <I><B>D</B><SUB>15</SUB></I>, respectively,
by one left shift. In all cases, by a single left shift is meant a rotation
of the bits one place to the left, so that after one left shift the bits
in the 28 positions are the bits that were previously in positions 2, 3,...,
28, 1.
<P>
Permuted choice 2 is determined by the following table:<BR>
<CENTER>
  <TABLE CELLPADDING="2" ALIGN="Center">
    <TR>
      <TD><P ALIGN=Center>
	<B><I><U>PC-2</U></I></B></TD>
    </TR>
    <TR>
      <TD><PRE>14  17  11  24   1   5
 3  28  15   6  21  10
23  19  12   4  26   8
16   7  27  20  13   2
41  52  31  37  47  55
30  40  51  45  33  48
44  49  39  56  34  53
46  42  50  36  29  32
</PRE>
      </TD>
    </TR>
  </TABLE>
</CENTER>
<P ALIGN=Left>
Therefore, the first bit of <I><B>K</B><SUB>n</SUB></I> is the 14th bit of
<B><I>C</I></B><I><SUB>n</SUB></I><B><I>D</I></B><I><SUB>n</SUB></I>, the
second bit the 17th, and so on with the 47th bit the 29th, and the 48th bit
the 32nd.
<P>
  <HR>
<P ALIGN=Center>
<B>APPENDIX 2<BR>
TRIPLE DEA BLOCK DIAGRAM<BR>
(ECB Mode)</B>
<P>
<B>TDEA Encryption Operation:</B>
<BLOCKQUOTE>
  <P ALIGN=Left>
  <IMG WIDTH="437" HEIGHT="41" SRC="fip46-34.gif">
</BLOCKQUOTE>
<P>
<P>
<B>TDEA Decryption Operation:</B>
<BLOCKQUOTE>
  <P ALIGN=Left>
  <IMG WIDTH="439" HEIGHT="39" SRC="fip46-35.gif">
</BLOCKQUOTE>
</BODY></HTML>
