ISO/TR 19038:2005

TECHNICAL ISO/TR
REPORT 19038
First edition
2005-06-15

Banking and related financial services —
Triple DEA — Modes of operation —
Implementation guidelines
Banque et autres services financiers — Triple DEA — Modes
d'opération — Lignes directrices pour la mise en œuvre




Reference number
ISO/TR 19038:2005(E)
©
ISO 2005

---------------------- Page: 1 ----------------------
ISO/TR 19038:2005(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2005 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 19038:2005(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Symbols and abbreviations . 4
5 Specifications. 5
6 TDEA modes of operation. 8
Annex A (informative) ASN.1 syntax for TDEA modes of operation. 36
Annex B (informative) TDEA modes of operation cryptographic attributes . 42
Annex C (informative) Key bundle encryption precautions. 45
Bibliography . 54

© ISO 2005 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/TR 19038:2005(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 19038 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
iv © ISO 2005 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TR 19038:2005(E)
Introduction
In order to significantly strengthen DEA (Data Encryption Algorithm) and extend its useful lifetime, the use of
Triple Data Encryption Algorithm (TDEA) modes of operation has been recommended. These TDEA modes of
operation not only provide greatly increased cryptographic protection, but because they are based on DEA,
the TDEA learning curve for users and vendors is reduced. Since certain TDEA modes of operation can be
made backward compatible with existing DEA modes of operation, the financial community may leverage its
investment in standard DEA technology by using TDEA to extend its secure lifetime.
Each mode of operation provides different benefits and has different characteristics. The selection,
implementation and use of a particular mode of operation is dependent upon the security requirements, risk
acceptance posture, and operational needs of the financial institution and are beyond the scope of this
Technical Report. This Technical Report is necessary to provide the basis for interoperability between
different parties using any of the TDEA modes specified herein, provided that they use the same mode of
operation and share the same secret cryptographic key(s).
This Technical Report does not replace the Data Encryption Algorithm Standard nor the Triple Data
Encryption Algorithm specified in ISO/IEC 18033. DEA is the basis for the TDEA modes of operation. TDEA
provides increased security in keeping with advances in computing technology and cryptanalytic techniques.
TDEA may be implemented in hardware, software or a combination of hardware and software.
This Technical Report provides implementation guidelines for the modes of operation specified in
ISO/IEC 10116.
It is the responsibility of the financial institution to put overall security procedures in place with the necessary
controls to ensure that the process is implemented in a secure manner. Furthermore, the process should be
audited to ensure compliance with the procedures.

© ISO 2005 – All rights reserved v

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/TR 19038:2005(E)

Banking and related financial services — Triple DEA — Modes
of operation — Implementation guidelines
1 Scope
This Technical Report provides the user with technical support and details for the safe and efficient
implementation of the Triple Data Encryption Algorithm (TDEA) modes of operation for the enhanced
cryptographic protection of digital data. The modes of operation described herein are specified for both
enciphering and deciphering operations. The modes described in this Technical Report are implementations
of the block cipher modes of operation specified in ISO/IEC 10116 using the Triple DEA algorithm (TDEA)
specified in ISO/IEC 18033-3.
The TDEA modes of operation may be used in both wholesale and retail financial applications. The use of this
Technical Report provides the basis for the interoperability of products and facilitates the development of
application standards that use the TDEA modes of operation. This Technical Report is intended for use with
other ISO standards using DEA.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10116, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block
ciphers
ISO/IEC 9797-1, Information technology — Security techniques — Message Authentication Codes (MACs) —
Part 1: Mechanisms using a block cipher
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
birthday phenomenon
phenomenon whereby at least two people out of a relatively small group of n people will likely share the same
birthday
EXAMPLE: when n = 23, the probability is over ½. Generally, if one randomly picks up a number from m possible numbers
with replacement, the probability to get at least one coincidence in n experiments (n < m) is approximated by:
2
−n /2m
p = 1 − e
1/2
In the above experiment, the expected number of trials before a coincidence is found is approximately (πm/2) . It implies
32
that for a 64-bit block encryption operation with a fixed key, if one has a text dictionary of 2 plaintext/ciphertext pairs and
© ISO 2005 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/TR 19038:2005(E)
32
2 blocks of ciphertext produced from random input, then it should be expected that one block of unknown ciphertext will
be found in the dictionary (see [11]).
3.2
block
binary string
EXAMPLE: a plaintext or a ciphertext, is segmented with a given length. Each segment is called a block. A plaintext
(ciphertext) is encrypted (decrypted) block by block from left to right. In this Technical Report, for TCBC, TCBC-I, TOFB,
TOFB-I modes, the plaintext and ciphertext are segmented into 64-bit blocks, while for TCFB and TCFB-P modes, the
encryption and decryption support 1-bit, 8-bit and 64-bit plaintext and ciphertext block sizes.
3.3
bundle
collection of elements comprising a TDEA (K) key
NOTE A bundle may consist of two elements (k ,k ) or three elements (k ,k ,k ).
1 2 1 2 3
3.4
ciphertext
encrypted (enciphered) data
3.5
clock cycle
time unit used in this Technical Report to define the time period for executing DEA operation once by one
DEA functional block
3.6
cryptographic initialization
process of entering the initialization vector(s) into the TDEA to initialize the algorithm prior to the
commencement of encryption or decryption
3.7
cryptographic key
key
parameter that determines the transformation from plaintext to ciphertext and vice versa
NOTE A DEA key is a 64-bit parameter consisting of 56 independent bits and 8 parity bits.
3.8
cryptoperiod
time span during which a specific (bundle of) key(s) is authorized for use
3.9
data encryption algorithm
DEA
algorithm specified in ISO/IEC 18033-3
NOTE The term “single DEA” implies DEA, whereas TDEA implies triple DEA as defined in this Technical Report.
3.10
DEA encryption operation
enciphering of 64-bit blocks by DEA with a key K
3.11
DEA decryption operation
deciphering of 64-bit blocks by DEA with a key K
2 © ISO 2005 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/TR 19038:2005(E)
3.12
DEA functional block
that which performs either a DEA encryption operation or a DEA decryption operation with a specified key
NOTE In this Technical Report, each DEA functional block is represented by DEA .
j
3.13
decryption
process of transforming ciphertext into plaintext
3.14
encryption
process of transforming plaintext into ciphertext
3.15
exclusive-OR
bit-by-bit modulo 2 addition of binary vectors of equal length
3.16
initialization vector
binary vector used as the input to initialize the algorithm for the encryption of a plaintext block sequence to
increase security by introducing additional cryptographic variance and to synchronize cryptographic
equipment
NOTE The initialization vector need not be secret.
3.17
key
see 3.7 cryptographic key
3.18
plaintext
intelligible data that has meaning and can be read or acted upon without the application of decryption
NOTE Also known as cleartext.
3.19
propagation delay
delay between the presentation of a plaintext block to a TDEA mode and the availability of the resulting
ciphertext block
3.20
re-synchronization
synchronization, after being lost because of the addition or deletion of bits in one or more ciphertext blocks
EXAMPLE: if the additions or deletions can be detected, and if the appropriate number of bits can be deleted or added to
the ciphertext so that the block boundaries are re-established correctly starting at block C such that the succeeding
i
decrypted plaintext is correct from block P for some r, then we say that it is re-synchronized at C .
i+r i+r
3.21
self-synchronization
automatic re-synchronization
EXAMPLE: the TCBC mode exhibits self-synchronization in the sense that if an error (including the loss of one or more
entire blocks) occurs in ciphertext block C but no further error occurs, then C and succeeding ciphertext blocks are
i i+2
correctly decrypted to P and succeeding plaintext blocks (see [11] and [12]).
i+2
© ISO 2005 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/TR 19038:2005(E)
3.22
synchronization
where, for a plaintext with blocks P , P , … P if it is encrypted as a ciphertext with blocks C , C , … C , then
1 2 n 1 2 n
for any i, 1 u i u n, P , P , … P can be correctly decrypted from C , C , … C .
1 2 i 1 2 i
NOTE If some error occurs in the transmission of the ciphertext or if some bits are added or lost from the ciphertext,
then synchronization is lost.
4 Symbols and abbreviations
C i-th ciphertext block consisting of k bits, where k = 1, 8, 64.
i
(j)
C j-th ciphertext substream in TCBC-I mode.
C i-th block in j-th ciphertext substream.
,
j i
CBC Cipher block chaining.
CFB Cipher feedback.
D A DEA decryption operation with key "K ".
K j
j
DEA The data encryption algorithm specified in ISO/IEC 18033-3.
DEA j-th DEA functional block.
j
E A DEA encryption operation with key "K ".
K j
j
ECB Electronic codebook.
I i-th input block of encryption operation consisting of 64 bits in TCFB, TCFB-P, TOFB, and
i
TOFB-I modes of operation.
i Index of blocks.
IV Initialization vector.
j Index of functional blocks, index of keys, and index of plaintext substreams (ciphertext
substreams) in TCBC-I.
h A given counter value of a clock cycle. It is for describing the actions of each DEA functional
block at t = h −1, t = h, and t = h + 1. In the interleaved or pipelined mode, h is used to
describe at clock cycle t = 3(h − 1) + j, j = 1, 2, 3, the simultaneous actions of three functional
blocks. In the interleaved mode, h is used as an index of blocks for tripartition of a plaintext.
k Size of blocks, a parameter for shifting functions S , k = 1, 8, 64.
k
K Cryptographic key.
n Number of blocks in a plaintext.
O i-th output block of encryption operation consisting of 64 bits in TCFB, TCFB-P, TOFB, and
i
TOFB-I modes of operation.
{O } Leftmost k bits of O , k =1, 8, 64. When k = 64, {O } = O .
i k i i k i
OFB Output feedback.
4 © ISO 2005 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TR 19038:2005(E)
P i-th plaintext block consisting of k bits, where k = 1, 8, 64.
i
(j)
P j-th plaintext substream in TCBC-I mode.
P i-th plaintext block in j-th plaintext substream.
j,i
S “k-Shifting” function, defined as follows:
k
Given a 64-bit block I = (i , i , …, i ) and a k-bit block C = (c , c , … c ) where k = 1, 8, 64,
1 2 64 1 2 k
the shifting function S (I | C) produces a 64-bit block:
k
S (I | C) = {i , i , ., i , c , c , . c }
k
k k+1 +2 64 1 2 k
where the bits of I have been shifted left by k places, discarding i , i , . i and placing the k
1 2 k
bits of C in the rightmost k places of I. When k = 64, S (I | C) = C.
k
t Counter of clock cycle starting from 1.
TCBC TDEA cipher block chaining.
TCBC-I TDEA cipher block chaining-interleaved.
TCFB TDEA cipher feedback.
TCFB-P TDEA cipher feedback-pipelined.
TDEA Triple data encryption algorithm.
TECB TDEA electronic codebook.
TOFB TDEA output feedback.
TOFB-I TDEA output feedback-interleaved.
X⊕Y “Exclusive-or” operation of X and Y.
X || Y Concatenation of X and Y.
|X| Length of binary string X.
5 Specifications
5.1 TDEA encryption/decryption operation
In this Technical Report, each TDEA encryption/decryption operation is a compound operation of DEA
encryption and decryption operations as specified in ISO/IEC 18033-3. The following operations are to be
used in this Technical Report.
a) TDEA encryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as
follows:
O = E (D (E (I))).
K3 K2 K1
b) TDEA decryption operation: the transformation of a 64-bit block I into a 64-bit block O that is defined as
follows:
O = D (E (D (I))).
K1 K2 K3
© ISO 2005 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/TR 19038:2005(E)
5.2 Keying options
This Technical Report uses the following keying options for the TDEA key.
a) Keying Option 1: K1, K2 and K3 are independent keys;
b) Keying Option 2: K1 and K2 are independent keys and K3 = K1;
c) Keying Option 3: K1 = K2 = K3.
NOTE Keying option 3 is not recommended as its use reduces the strength of the TDEA operation to that of DEA.
5.3 TDEA modes of operation
This Technical Report discusses:
a) TDEA Electronic Codebook Mode (TECB);
b) TDEA Cipher Block Chaining Mode (TCBC);
c) TDEA Cipher Block Chaining Mode — Interleaved (TCBC-I);
d) TDEA Cipher Feedback Mode (TCFB);
e) TDEA Cipher Feedback Mode — Pipelined (TCFB-P);
f) TDEA Output Feedback Mode (TOFB);
g) TDEA Output Feedback Mode — Interleaved (TOFB-I).
These are triple DEA implementations of the ECB, CBC, CFB, and OFB modes of operation specified in
ISO/IEC 10116. For applications in which high TDEA encryption/decryption throughput is important or in which
propagation delay must be minimized, the new interleaved (for TCBC and TOFB) and pipelined (for TCFB)
modes are provided.
5.4 Backward compatibility
In this Technical Report, a TDEA mode of operation is backward compatible with its single DEA counterpart if,
with a proper keying option for TDEA operation,
a) an encrypted plaintext computed using a single DEA mode of operation can be decrypted correctly by a
corresponding TDEA mode of operation;
b) an encrypted plaintext computed using a TDEA mode of operation can be decrypted correctly by a
corresponding single DEA mode of operation.
When using Keying Option 3, TECB, TCBC, TCFB and TOFB modes are backward compatible with single
DEA modes of operation ECB, CBC, CFB, OFB respectively. It should be noted that backward compatibility
with single DEA reduces the security of the TDEA mode to that of the single DEA mode.
5.5 Schedule of DEA functional blocks
In this Technical Report, one clock cycle is defined as the time period for a DEA functional block to perform
E (I) or D (I). In a schedule of DEA functional blocks, O = E (D (E (I))) is broken down into three actions.
K K K3 K2 K1
Each action is finished in one clock cycle by a functional block. The following table shows the schedule for
three DEA functional blocks in performing E (D (E (I))).
K3 K2 K1
6 © ISO 2005 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/TR 19038:2005(E)
Input DEA DEA DEA Output
1 2 3
t = 1 I E(I)
K1
t = 2  D (E(I))
K2 K1
t = 3  E (D (E(I))) O
K3 K2 K1
5.6 Improving throughput and minimizing propagation
As is shown in 5.5, a valid TDEA output block, O, is produced only after the input block, I, has propagated
through the three individual DEA functional blocks. That is, it takes three clock cycles to get the output. Within
each clock cycle, only one DEA functional block is actively encrypting/decrypting data. This configuration
provides the slowest throughput speed and greatest propagation delay.
In order to improve the throughput and minimize the propagation, interleaved and pipelined modes of
operation are provided. They are TCBC-I, TCFB-P, and TOFB-I modes. In an interleaved mode, the plaintext
sequence is split into three subsequences of plaintext. The encryption can be done simultaneously. In a
pipelined mode, the encryption is initiated with three IVs at three clock cycles so that after initialization, the
three DEA functional blocks can process the data simultaneously. The interleaved and pipelined
configurations are intended for systems equipped with multiple DEA processors.
In a mode of operation, which is interleaved or pipelined, a schedule defines simultaneous actions of multiple
DEA functional blocks within each clock cycle.
5.7 Keys and initialization vectors
The following specifications for keys and initialization vectors shall be met in implementing the TDEA modes
of operation.
a) For all TDEA modes of operation, the three cryptographic keys (K , K , K ) define a TDEA key bundle.
1 2 3
The bundle and the individual keys shall:
1) be secret;
2) be generated randomly;
3) have integrity whereby each key in the bundle has not been altered in an unauthorized manner since
the time it was generated, transmitted, or stored by an authorized source;
4) be used in the appropriate order as specified by the particular mode;
5) be considered a fixed quantity in which an individual key cannot be manipulated while leaving the
other two keys unchanged;
6) cannot be unbundled for any purpose.
b) IVs shall meet the following attributes:
1) for TECB, no IV is used;
2) for all modes using IV(s), the IV(s) may be public information;
3) in the cryptoperiod of a given bundle of keys, a new IV or three new IVs shall be generated whenever
the encryption process is reinitialized.
© ISO 2005 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/TR 19038:2005(E)
c) IVs shall be generated by one of the following methods, which are given in order of preference:
1) generate randomly or
2) use values of a monotonically increasing counter such that the values will not be repeated during the
cryptoperiod of the keys.
d) When three IVs are required, then generate IV by method 1) or method 2) in item c) such that
1) IV = IV;
1
64
2) IV = IV + R mod 2 , where R = (5555555555555555);
2 1 1 1
64
3) IV = IV + R mod 2 , where R = (AAAAAAAAAAAAAAAA).
3 1 2 2
 In the above equations for IV and IV , the binary strings or hexadecimal strings are converted to integers.
2 3
64
The operation is integer addition modulo 2 . The operation results shall be converted back to binary
strings or hexadecimal strings.
 When the IV is generated by method 2), i.e. values of a monotonically increasing counter are used, the IV
value, once converted to an integer, shall be smaller than R . R is considered as the integer converted
1 1
from (5555555555555555).
5.8 Input and output
For the input and output of the TDEA modes of operation, the following specification applies.
a) The input and output of a TDEA operation are 64-bit blocks. For TCFB and TCFB-P modes, the
plaintext/ciphertext block size may be 1 bit, 8 bits, or 64 bits. For TECB, TCBC, TCBC-I, TOFB, TOFB-I
modes, the plaintext/ciphertext requires complete data blocks of 64 bits for its operation. Blocks of less
than 64 bits require special handling, which is not addressed in this Technical Report.
b) As knowledge of intermediate results reduces the strength of the TDEA to that of DEA, implementations
of any TDEA mode of operation should ensure that the intermediate results between the different DEA
functional blocks are not revealed. Thus to protect against attacks on the device implementing TDEA the
device itself must be a physically secure device and must not reveal intermediate results.
c) The initial output data shall be suppressed because it is invalid and may create a security risk if revealed.
Each mode of operation shall specify how many bits of output should be suppressed.
6 TDEA modes of operation
6.1 TDEA electronic codebook mode of operation
6.1.1 TECB definition
6.1.1.1 General
Three keying options are defined for TECB mode as described in Section 6.2.
6.1.1.2 TECB encryption
 Input: P , P , … P ; |P | = 64.
1 2 n i
 Output: C , C , … C ; |C | = 64.
1 2 n i
8 © ISO 2005 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/TR 19038:2005(E)
For i = 1, 2, … n, do
1) C = E (D (E (P )));
i K3 K2 K1 i
2) Output C .
i
The TECB encryption is shown in Figure 1.
Suppose that three DEA functional blocks, DEA , DEA , and DEA , are simultaneously clocked. Let DEA
1 2 3 1
perform the E operation, DEA perform the D operation and DEA perform the E operation. At each
K1 2 K2 3 K3
clock cycle, each DEA performs the specified operation with the input from DEA (or input buffer) and
j
j−1
passes the result to DEA (or output buffer). Table 1 shows how three DEA functional blocks are scheduled.
j+1
At the first two clock cycles, the 128-bit output of the TDEA should be suppressed since valid output is not
produced.
Table 1 — Schedule of TECB encryption
Clock Input DEA DEA DEA Output
1 2 3
t = 1 P E (P) idle idle N/A
1 K1 1
t = 2 P E (P) D (E (P)) idle N/A
2 K1 2 K2 K1 1
t = 3 P E (P) D (E (P)) E (D (E (P))) C
3 K1 3 K2 K1 2 K3 K2 K1 1 1
t = 4 P E (P) D (E (P)) E (D (E (P))) C
4 K1 4 K2 K1 3 K3 K2 K1 2 2
 … … …
t = h P E (P) D (E (P)) E (D (E (P))) C
h K1 h K2 K1 h−1 K3 K2 K1 h−2 h−2
 … … …
t = n P E (P) D (E (P)) E (D (E (P))) C
n K1 n K2 K1 n−1 K3 K2 K1 n−2 n−2
t = n + 1 N/A idle D (E (P)) E (D (E (P))) C
K2 K1 n K3 K2 K1 n−1 n−1
t = n + 2 N/A idle idle E (D (E (P))) C
K3 K2 K1 n n
For example:
If the plaintext to be enciphered is “Now is the time for all good men” which when encoded in ASCII is
represented in hexadecimal as:
X'4E6F772069732074 68652074696D6520 666F7220616C6C20 676F6F64206D656E'
is enciphered using TECB mode with Key X'0123456789ABCDEFFEDCBA9876543210' the following results.
© ISO 2005 – All rights reserved 9

---------------------- Page: 14 ----------------------
ISO/TR 19038:2005(E)
Table 2 — Example of TECB encryption
DEA DEA DEA
Clock Input Output
1 2 3
P

1
E (P )
K1 1
t = 1
idle idle N/A
4E6F772069732074

3FA40E8A984D4815

P

2
E (P ) D (E (P ))
K1 2 K2 K1 1
t = 2 idle N/A
68652074696D652
6A271787AB8883F9 0EF220F064194595
0
P E (P ) D (E (P )) E (D (E (P ))) C

3 K1 3 K2 K1 2 K3 K2 K1 1 1
t = 3
666F7220616C6C20 893D51EC4B563B53 174B332E073DE8AF D80A0D8B2BAE5E4E D80A0D8B2BAE5E4E
P E (P ) D (E (P )) E (D (E (P )) C

4 K1 4 K2 K1 3 K3 K2 K1 2 2
t = 4
676F6F64206D656E 73C1ADB2171F7894 47B3F7F0E82E1F35 6A0094171ABCFC27 6A0094171ABCFC27
D (E (P )) E (D (E (P ))) C
K
K2 K1 4 K3 K2 1 3 3
t = 5 N/A idle
7A1E4ABD1DA455C6 75D2235A706E232C 75D2235A706E232C
E (D (E (P ))) C
K3 K2 K1 4 4
t = 6 N/A idle idle
41B637F9AB83FFD4 41B637F9AB83FFD4
6.1.1.3 TECB decryption
 Input: C , C , … C ; |C | = 64.
1 2 n i
 Output: P , P , … P ; |P | = 64.
1 2 n i
For i = 1, 2, …, n, do
1) P = D (E (D (C )));
K1
i K2 K3 i
2) Output P .
i
The TECB decryption is shown in Figure 1.
Suppose that three DEA functional blocks, DEA , DEA , and DEA , are simultaneously clocked. Let DEA
1 2 3 1
perform the D operation, DEA perform the E operation, and DEA perform the D operation. At each
K2
K3 2 3 K1
clock cycle, each DEA performs the specified operation with the input from DEA (or input buffer) and
j j−1
passes the result to DEA (or output buffer). Table 2 shows how three DEA functional blocks are scheduled.
j+1
At the first two clock cycles, the 128-bit output of the TDEA should be suppressed since valid output is not
produced.
10 © ISO 2005 – All rights reserved

---------------------- Page: 15 ----------------------
ISO/TR 19038:2005(E)

Encryption Decryption
Figure 1 — TDEA electronic codebook
Table 3 — Schedule of TECB decryption
DEA DEA DEA
Clock Input Output
1 2 3
C D (C )
t = 1 1 idle idle N/A
1 K3
C D (C) E (D (C ))
2
t = 2 idle N/A
2 K3 K2 K3 1
C D (C) E (D (C)) D (E (D (C))) P
t = 3 3
3 K3 K2 K3 2 K1 K2 K3 1 1
C D (C) E (D (C)) D (E (D (C))) P
t = 4 4
4 K3 K2 K3 3 K1 K2 K3 2 2
 … … …
C D (C ) E (D (C)) D (E (D (C))) P
t = h
h K3 h K2 K3 h−1 K1 K2 K3 h−2 h−2
 … … …
C D (C )
E (D (C)) D (E (D (C))) P
t = n
n K3 n
K2 K3 n−1 K1 K2 K3 n−2 n−2
E (D (C )) D (E (D (C))) P
t = n + 1
N/A idle
K2 K3 n K1 K2 K3 n−1 n−1
D (E (D (C))) P
t = n + 2
N/A idle idle
K1 K2 K3 n n
© ISO 2005 – All rights reserved 11

--
...