Block Cipher Algorithm Modes


7/31/2019 Block Cipher Algorithm Modes

Block Cipher Algorithm Modes

In cryptography, modes of operation are the procedures that enable the repeated and secure use of a block cipher under a single key. A block cipher by itself allows encryption only of a single data block of the cipher's block length. When targeting a variable-length message, the data must first be partitioned into separate cipher blocks. Typically, the last block must also be extended to match the cipher's block length using a suitable padding scheme. A mode of operation describes the process of encrypting each of these blocks, and generally uses randomization based on an additional input value, often called an initialization vector, to allow doing so safely.

Modes of operation have primarily been defined for encryption and authentication. Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal from encryption. Some modern modes of operation combine encryption and authentication in an efficient way, and are known as authenticated encryption modes.

While modes of operation are commonly associated with symmetric encryption, they may also be applied to public-key encryption primitives such as RSA in principle (though in practice public-key encryption of longer messages is generally realized using hybrid encryption).

    Initialization vector (IV)

An initialization vector (IV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.

An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. However, in most cases, it is important that an initialization vector is never reused under the same key. For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. For OFB and CTR, reusing an IV completely destroys security, since the same keystream is then XORed into both messages. In CBC mode, the IV must, in addition, be unpredictable at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about the plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack).

As a special case, if the plaintexts are always small enough to fit into a single block (with no padding), then with some modes (ECB, CBC, PCBC), re-using an IV will leak only whether two plaintexts are equal. This can be useful in cases where one wishes to be able to test for equality without decrypting or separately storing a hash.

    Padding

A block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Several padding schemes exist. The simplest is to add null bytes to the plaintext to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is so, for example, if the plaintext is a C style string which contains no null bytes except at the end. Slightly more complex is the original DES method, which is to add a single one bit, followed by enough zero bits to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as ciphertext stealing or residual block termination, which do not cause any extra ciphertext, at the expense of some additional complexity. Schneier and Ferguson suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with n bytes all with value n.

CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last keystream block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that transmit data in streaming form where it is inconvenient to add padding bytes.
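The three byte-oriented padding schemes discussed above (null bytes, 0x80-then-zeros, and n bytes of value n), as an added example written for this page rather than taken from the article or from Schneier and Ferguson. The 16-byte block size, the function names and the test inputs are my own choices; the point of the example is the unpad side, which is where recoverability is decided.

```python
BLOCK = 16   # block size in bytes (AES-sized; chosen for the example)

def pad_80(data: bytes) -> bytes:
    """Scheme 1: append 0x80, then zeros to the block boundary. This is the DES
    one-bit-then-zeros method at byte granularity; a message that already ends on
    a block boundary receives a whole extra block, so unpadding is never ambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + b"\x80" + b"\x00" * (n - 1)

def unpad_80(padded: bytes) -> bytes:
    if not padded or len(padded) % BLOCK:
        raise ValueError("bad padding")
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("bad padding")
    return stripped[:-1]

def pad_n(data: bytes) -> bytes:
    """Scheme 2: append n bytes each of value n (1 <= n <= BLOCK); PKCS#7 is this scheme."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad_n(padded: bytes) -> bytes:
    if not padded or len(padded) % BLOCK:
        raise ValueError("bad padding")
    n = padded[-1]
    # Check every pad byte, not only the length byte, before trusting n.
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]

def pad_zero(data: bytes) -> bytes:
    """Null-byte padding: only recoverable when the plaintext cannot end in 0x00."""
    return data + b"\x00" * (-len(data) % BLOCK)

def unpad_zero(padded: bytes) -> bytes:
    return padded.rstrip(b"\x00")

def roundtrips(data: bytes) -> dict:
    """Which schemes give the original message back for this particular input?"""
    return {
        "0x80": unpad_80(pad_80(data)) == data,
        "n-of-n": unpad_n(pad_n(data)) == data,
        "zero": unpad_zero(pad_zero(data)) == data,
    }
```

`roundtrips(b"abc\x00")` shows the null-byte scheme silently losing the trailing byte while the other two recover it. When one of these schemes is used under CBC, the decryptor must not report an invalid pad differently from any other failure (in timing or error code), because that difference is what a padding-oracle attack exploits; the authenticated encryption modes mentioned in the introduction avoid the issue by rejecting tampered ciphertext before the pad is ever inspected.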

    Electronic codebook (ECB)

The simplest of the encryption modes is the electronic codebook (ECB) mode. The message is divided into blocks and each block is encrypted separately.

Cipher-block chaining (CBC)

If the first block has index 1, the mathematical formula for CBC encryption is (formula not reproduced in this copy), while the mathematical formula for CBC decryption is (formula not reproduced in this copy).

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or IV affects all following ciphertext blocks.

Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption can be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact.

Propagating cipher-block chaining (PCBC)

The propagating cipher-block chaining or plaintext cipher-block chaining mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting.

Encryption and decryption algorithms are as follows: (formulas not reproduced in this copy)

PCBC is used in Kerberos v4 and WASTE, most notably, but otherwise is not common. On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks. For this reason, PCBC is not used in Kerberos v5.
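The properties claimed in the IV, ECB, CBC and PCBC sections above, checked in one added example (my own code, not the article's). Because ECB, CBC and PCBC need the cipher's inverse, the example carries a toy 16-byte block cipher (a 4-round Feistel network whose round function is a SHA-256 PRF) standing in for AES or DES; the key, IV and four-block message are constructed, and every function name is my own. The demos return values rather than print, so each claim can be asserted: repeated blocks show through ECB, a flipped ciphertext bit in CBC garbles one block and flips one bit in the next, an IV reused under the same key reveals the length of the common block prefix, a predictable IV (the last ciphertext block, as in SSL 2.0) lets a chosen-plaintext attacker confirm a guess for an earlier block, and swapping two adjacent PCBC ciphertext blocks leaves later blocks intact.

```python
import hashlib

BLOCK = 16
KEY = b"example-key-0123"                     # constructed
IV = bytes(range(BLOCK))                      # constructed; a real CBC IV must be unpredictable
MSG = b"ATTACK AT DAWN!!" * 3 + b"LAST BLOCK HERE!"   # constructed: 4 blocks, first three equal

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF built from SHA-256 (constructed for this example)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (4-round Feistel network) standing in for AES or DES."""
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R

def dec_block(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R

def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "pad first (see the Padding section)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(enc_block(key, p) for p in blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):                      # C_i = E_K(P_i xor C_{i-1}), C_0 = IV: sequential
        prev = enc_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    cs = [iv] + blocks(ct)                    # P_i = D_K(C_i) xor C_{i-1}: two adjacent blocks
    return b"".join(xor(dec_block(key, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

def pcbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, chain = [], iv
    for p in blocks(pt):
        c = enc_block(key, xor(p, chain))
        out.append(c)
        chain = xor(p, c)                     # plaintext and ciphertext both feed forward
    return b"".join(out)

def pcbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, chain = [], iv
    for c in blocks(ct):
        p = xor(dec_block(key, c), chain)
        out.append(p)
        chain = xor(p, c)
    return b"".join(out)

def ecb_repeats() -> bool:
    """ECB: equal plaintext blocks give equal ciphertext blocks, so the pattern leaks."""
    cs = blocks(ecb_encrypt(KEY, MSG))
    return cs[0] == cs[1] == cs[2] and cs[3] != cs[0]

def cbc_bitflip_damage() -> tuple:
    """Flip one bit of ciphertext block 1: block 1 garbled, same bit flipped in block 2, rest intact."""
    ct = bytearray(cbc_encrypt(KEY, IV, MSG))
    ct[16] ^= 0x01
    pt, orig = blocks(cbc_decrypt(KEY, IV, bytes(ct))), blocks(MSG)
    return (pt[0] == orig[0], pt[1] != orig[1],
            pt[2] == xor(orig[2], b"\x01" + bytes(15)), pt[3] == orig[3])

def cbc_iv_reuse_reveals_prefix() -> int:
    """Same key and IV twice: the ciphertexts agree over exactly the shared block prefix."""
    other = b"ATTACK AT DAWN!!" * 2 + b"DIFFERENT BLOCK!" + b"LAST BLOCK HERE!"
    a, b = blocks(cbc_encrypt(KEY, IV, MSG)), blocks(cbc_encrypt(KEY, IV, other))
    n = 0
    while n < len(a) and a[n] == b[n]:
        n += 1
    return n                                  # 2, learned without the key

def predictable_iv_confirms_guess(guess: bytes) -> bool:
    """TLS CBC IV attack: the next IV is the last ciphertext block (as in SSL 2.0), so an
    attacker who picks the next message can test a guess for block 1 of this one."""
    c = blocks(cbc_encrypt(KEY, IV, MSG))
    next_iv = c[-1]
    probe = cbc_encrypt(KEY, next_iv, xor(xor(guess, c[0]), next_iv))
    return probe == c[1]                      # E_K(guess xor C_0) == C_1 iff guess == P_1

def pcbc_swap_adjacent() -> tuple:
    """PCBC: swapping two adjacent ciphertext blocks leaves the later blocks decrypting correctly."""
    cs = blocks(pcbc_encrypt(KEY, IV, MSG))
    cs[1], cs[2] = cs[2], cs[1]
    pt, orig = blocks(pcbc_decrypt(KEY, IV, b"".join(cs))), blocks(MSG)
    return (pt[0] == orig[0], pt[1:3] != orig[1:3], pt[3] == orig[3])
```

`predictable_iv_confirms_guess(b"ATTACK AT DAWN!!")` returns True and any other 16-byte guess returns False, which is exactly the per-block oracle the IV section warns about; a fresh unpredictable IV per message removes it because the attacker can no longer pre-cancel the IV in the probe block.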

Cipher feedback (CFB)

The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse: (formulas not reproduced in this copy)

This simplest way of using CFB described above is not any more self-synchronizing than other cipher modes like CBC. If a whole block size of ciphertext is lost both CBC and CFB will synchronize, but losing only a single byte or bit will permanently throw off decryption. To be able to synchronize after the loss of only a single byte or bit, a single byte or bit must be encrypted at a time. CFB can be used this way when combined with a shift register as the input for the block cipher.

To use CFB to make a self-synchronizing stream cipher that will synchronize for any multiple of x bits lost, start by initializing a shift register the size of the block size with the initialization vector. This is encrypted with the block cipher, and the highest x bits of the result are XORed with x bits of the plaintext to produce x bits of ciphertext. These x bits of output are shifted into the shift register, and the process repeats with the next x bits of plaintext. Decryption is similar: start with the initialization vector, encrypt, and XOR the high bits of the result with x bits of the ciphertext to produce x bits of plaintext. Then shift the x bits of the ciphertext into the shift register. This way of proceeding is known as CFB-8 or CFB-1 (according to the size of the shifting).

In notation, where Si is the ith state of the shift register, a << x is a shifted up x bits, head(a, x) is the x highest bits of a and n is the number of bits of the IV, the recurrences are as follows: (formulas not reproduced in this copy)

If x bits are lost from the ciphertext, the cipher will output incorrect plaintext until the shift register once again equals a state it held while encrypting, at which point the cipher has resynchronized. This will result in at most one block size of output being garbled.

Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized. When decrypting, a one-bit change in the ciphertext affects two plaintext blocks: a one-bit change in the corresponding plaintext block, and complete corruption of the following plaintext block. Later plaintext blocks are decrypted normally.

CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used to make padding unnecessary).
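The shift-register form of CFB described above, as an added example (my own code, not the article's). Since CFB uses the block cipher only in the encrypting direction, a keyed SHA-256 PRF stands in for the cipher here; the segment size is given in bytes, so `s=1` is CFB-8 and `s=16` is full-block CFB. The key, IV and 512-byte message are constructed, and the helper that drops ciphertext bytes in transit and counts how much of the tail still decrypts correctly is my own device for checking the resynchronization claims.

```python
import hashlib

BLOCK = 16
KEY = b"cfb-example-key!"          # constructed
IV = bytes(range(BLOCK))           # constructed
MSG = bytes(range(256)) * 2        # constructed 512-byte message

def E(key: bytes, block: bytes) -> bytes:
    """Forward direction of the block cipher. CFB never needs the inverse, so a keyed
    PRF built from SHA-256 stands in for AES (constructed for the example)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes, s: int = 1) -> bytes:
    """CFB with an s-byte segment: s=1 is CFB-8, s=BLOCK is ordinary full-block CFB."""
    reg, out = iv, bytearray()
    for i in range(0, len(pt), s):
        seg = pt[i:i + s]
        c = xor(seg, E(key, reg)[:len(seg)])   # highest s bytes of the cipher output
        out += c
        reg = (reg + c)[-BLOCK:]               # shift the ciphertext into the register
    return bytes(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes, s: int = 1) -> bytes:
    reg, out = iv, bytearray()
    for i in range(0, len(ct), s):
        seg = ct[i:i + s]
        out += xor(seg, E(key, reg)[:len(seg)])
        reg = (reg + seg)[-BLOCK:]             # the receiver shifts in the same ciphertext
    return bytes(out)

def correct_tail_after_loss(s: int, k: int, n_lost: int) -> int:
    """Lose n_lost ciphertext bytes starting at offset k, decrypt what arrives, and
    return how many bytes at the end of the output are still the right plaintext."""
    ct = cfb_encrypt(KEY, IV, MSG, s)
    received = cfb_decrypt(KEY, IV, ct[:k] + ct[k + n_lost:], s)
    n = 0
    while n < len(received) and received[-1 - n] == MSG[-1 - n]:
        n += 1
    return n
```

With CFB-8, dropping one ciphertext byte garbles the next 16 output bytes (one register's worth) and everything after that decrypts correctly; with full-block CFB the same single-byte loss never resynchronizes, while losing exactly one whole block costs one garbled block and nothing more, as the section states for both CBC and CFB. No padding is involved at any segment size: a 37-byte message yields a 37-byte ciphertext.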

Output feedback (OFB)

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption.

Because of the symmetry of the XOR operation, encryption and decryption are exactly the same: (formulas not reproduced in this copy)

Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.

It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption.

Using OFB mode with a partial block as feedback like CFB mode reduces the average cycle length by a factor of (value not reproduced in this copy) or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback an average cycle length near to the obtainable maximum can be achieved. For this reason, support for truncated feedback was removed from the specification of OFB.

Counter (CTR)

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk." By now, CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode. Nevertheless, there are specialized attacks like a Hardware Fault Attack that is based on the usage of a simple counter function as input.

CTR mode has similar characteristics to OFB, but also allows a random access property during decryption. CTR mode is well suited to operation on a multi-processor machine where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.

Note that the nonce in this graph is the same thing as the initialization vector (IV) in the other graphs. The IV/nonce and the counter can be combined together using any lossless operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption.
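The two synchronous stream-cipher modes, OFB (section above) and CTR (this section), in one added example (my own code, not the article's). Both use the block cipher only in the encrypting direction, so a keyed SHA-256 PRF stands in for it again; the key, OFB IV, 12-byte CTR nonce and the two 64-byte messages are constructed, and the nonce and counter are combined by concatenation, one of the three lossless operations the text lists. The example checks that an OFB keystream equals CBC encryption of zeros, that a single CTR block can be decrypted in isolation, and that reusing an IV or nonce under one key lets an attacker recover the XOR of the two plaintexts without the key, which is the "completely destroys security" case from the IV section.

```python
import hashlib

BLOCK = 16
KEY = b"stream-mode-key!"                          # constructed
IV = bytes(range(BLOCK))                           # constructed OFB IV
NONCE = b"nonce-000001"                            # constructed 12-byte CTR nonce
MSG = b"Pay 100 to Alice" * 3 + b" -- signed, Bob!"   # constructed, 64 bytes
MSG2 = b"Pay 999 to Carol" * 3 + b" -- signed, Bob!"  # constructed, 64 bytes

def E(key: bytes, block: bytes) -> bytes:
    """Forward direction of the block cipher; a SHA-256 PRF stands in (constructed)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key: bytes, iv: bytes, nblocks: int) -> bytes:
    """O_i = E_K(O_{i-1}) with O_0 = IV: each block depends on the previous one, none on the data."""
    out, state = [], iv
    for _ in range(nblocks):
        state = E(key, state)
        out.append(state)
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation; the keystream can be precomputed."""
    ks = ofb_keystream(key, iv, -(-len(data) // BLOCK))
    return xor(data, ks[:len(data)])

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = E(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ofb_keystream_is_cbc_of_zeros() -> bool:
    """The trick from the OFB section: CBC-encrypting all-zero blocks yields the OFB keystream."""
    return ofb_keystream(KEY, IV, 4) == cbc_encrypt(KEY, IV, bytes(4 * BLOCK))

def counter_block(nonce: bytes, i: int) -> bytes:
    """Nonce and counter combined by concatenation: 12-byte nonce || 32-bit big-endian counter."""
    return nonce + i.to_bytes(4, "big")

def ctr_crypt(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    """Block j of data is XORed with E_K(counter_block(nonce, first_block + j)); each block
    is independent, so this loop could run in parallel or start at any block."""
    out = bytearray()
    for j, i in enumerate(range(0, len(data), BLOCK)):
        out += xor(data[i:i + BLOCK], E(key, counter_block(nonce, first_block + j)))
    return bytes(out)

def ctr_random_access() -> bool:
    """Decrypt only block 2 of a 4-block ciphertext without touching the other blocks."""
    ct = ctr_crypt(KEY, NONCE, MSG)
    return ctr_crypt(KEY, NONCE, ct[32:48], first_block=2) == MSG[32:48]

def iv_reuse_leaks_plaintext_xor() -> dict:
    """Two messages under one key and one IV/nonce: XOR of ciphertexts == XOR of plaintexts."""
    return {
        "OFB": xor(ofb_crypt(KEY, IV, MSG), ofb_crypt(KEY, IV, MSG2)) == xor(MSG, MSG2),
        "CTR": xor(ctr_crypt(KEY, NONCE, MSG), ctr_crypt(KEY, NONCE, MSG2)) == xor(MSG, MSG2),
    }
```

The uniqueness requirement falls on the whole counter block, not on the nonce alone: with a 32-bit counter field as here, a single nonce must never be used for more than 2^32 blocks, and two messages must never share a nonce under the same key, or `iv_reuse_leaks_plaintext_xor` is the attacker's first step.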
