• Block ciphers convert b-bit plaintext block into b-bit ciphertext block.
• If the amount of plaintext to be encrypted is greater than b bits, then the plaintext is broken up into b-bit blocks. 
• When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise.
• For enhancing the effect of a cryptographic algorithm and to apply a block cipher in a variety of applications, five modes of operation have been defined by NIST
• These modes are intended for use with any symmetric block cipher, including triple DES and AES

1. Electronic Code Book (ECB)

• for a given key, there is a unique ciphertext for every b-bit block of plaintext in the codebook.
• It is called codebook since one can precompile 2^K codebooks (one for each key) in which each codebook has 2ⁿ entries.
  •     K=number of bits in key, n= number of bits in plaintext block =b
•  however if K and n are large, the codebook can be too large to precompile and maintain.

• Security issues: For lengthy messages, the ECB mode is not secure.
  • Patterns at the block level are preserved. Ie., each block in P becomes equal block in C
  • the block independency creates opportunities for attacker to exchange some ciphertext blocks without knowing the key
• Error propagation : nil (adv.. 
  • A bit error in transmission can create errors in several bits of that block only. But errors does not have any effect on bits of other blocks.
• Application: to short messages which fit into one block, such as an encryption key.

The evaluation criteria for better modes of operation:

• As ECB is not secure for large messages, we have to go for more complex modes.
• The criteria for evaluating and constructing block cipher modes of operation that are superior to ECB  are: 
  1. Overhead: The additional operations needed for the encryption and decryption when compared to the ECB mode.
  2. Error recovery: The property that a (computational) error in the ith ciphertext block is inherited by only a few plaintext blocks
  3. Error propagation: The property that a (transmission) error in the ith ciphertext block is inherited by the ith and all subsequent plaintext blocks.
  4. Diffusion: How the plaintext statistics are reflected in the ciphertext
  5. Security: Whether or not the ciphertext blocks leak information about the plaintext blocks.

2. Cipher Block Chaining (CBC) mode

In CBC, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block;

Encryption:

     C_i= E (K, [P_i + C _i-1] ) 

           and C₀= IV

Decryption:

     P_i= D (K, C_i ) + C _i-1 

           and C₀= IV

 To overcome the security deficiencies of ECB, we would like a technique in which

the same plaintext block, if repeated, produces different ciphertext blocks. A

simple way to satisfy this requirement is the cipher block chaining  (CBC ) mode

(Figure 7.4). In this scheme, the input to the encryption algorithm is the XOR of the

current plaintext block and the preceding ciphertext block; the same key is used for

each block. In effect, we have chained together the processing of the sequence of

plaintext blocks. The input to the encryption function for each plaintext block bears

no fixed relationship to the plaintext block. Therefore, repeating patterns of b  bits

are not exposed. As with the ECB mode, the CBC mode requires that the last block

be padded to a full b  bits if it is a partial block.

For decryption, each cipher block is passed through the decryption algorithm.

The result is XORed with the preceding ciphertext block to produce the plaintext

block.

 To produce the first block of ciphertext, an initialization vector (IV) is XORed

with the first block of plaintext. On decryption, the IV is XORed with the output

of the decryption algorithm to recover the first block of plaintext. The IV is a data

block that is the same size as the cipher block.

 The IV must be known to both the sender and receiver but be unpredictable

by a third party. In particular, for any given plaintext, it must not be possible to

predict the IV that will be associated to the plaintext in advance of the generation

of the IV. For maximum security, the IV should be protected against unauthorized

changes. This could be done by sending the IV using ECB encryption. One reason

for protecting the IV is as follows: If an opponent is able to fool the receiver into

using a different value for IV, then the opponent is able to invert selected bits in the

first block of plaintext.

 So long as it is unpredictable, the specific choice of IV is unimportant.

SP800-38A recommends two possible methods: The first method is to apply the

encryption function, under the same key that is used for the encryption of the plaintext,

to a nonce .  The nonce must be a data block that is unique to each execution of

the encryption operation. For example, the nonce may be a counter, a timestamp, or

 a message number. The second method is to generate a random data block using a

random number generator.

In conclusion, because of the chaining mechanism of CBC, it is an appropriate

mode for encrypting messages of length greater than b  bits.

In addition to its use to achieve confidentiality, the CBC mode can be used for

authentication. This use is described in Chapter 12.

• The same key is used for each block.
• In effect, we have chained together the processing of the sequence of plaintext blocks. 
• To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. The IV is a data block that is the same size as the cipher block. 
• On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext. 
  • The IV can be a nonce (such as counter or a timestamp) or a random data block generated using a random number generator.
  • Definition of nonce: A time-varying value that has a negligible chance of repeating.

Cipher Feedback Mode (CFB), Output Feedback (OFB) Mode and Counter(CTR) mode

• These three modes make it possible to convert a block cipher into a stream cipher
•  A stream cipher eliminates the need to pad a message to be an integral number of blocks. 
•  It also can operate in real time. ( that is when a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. In CBC, even if the character is only 8 bits, we have to wait for receiving 64 bits, before starting encryption)

3. Cipher Feedback(CFB) mode

Key K and the initialisation vector IV are of b bits length.

Plain text block is of s bits,

Usually s=8 bits

We can define CFB mode encryption as follows:

Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit of

transmission is s  bits; a common value is s =  8. As with CBC, the units of plaintext

are chained together, so that the ciphertext of any plaintext unit is a function of all

the preceding plaintext. In this case, rather than blocks of b  bits, the plaintext is

divided into segments  of s  bits.

First, consider encryption. The input to the encryption function is a b -bit shift

register that is initially set to some initialization vector (IV). The leftmost (most

significant) s  bits of the output of the encryption function are XORed with the

first segment of plaintext P₁  to produce the first unit of ciphertext C₁ , which is then

transmitted. In addition, the contents of the shift register are shifted left by s  bits,

and C₁  is placed in the rightmost (least significant) s  bits of the shift register. This

process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext

unit is XORed with the output of the encryption function to produce the plaintext

unit. Note that it is the encryption  function that is used, not the decryption function.

 Although CFB can be viewed as a stream cipher, it does not conform to the

typical construction of a stream cipher. In a typical stream cipher, the cipher takes

 as input some initial value and a key and generates a stream of bits, which is then

XORed with the plaintext bits (see Figure 4.1). In the case of CFB, the stream of

bits that is XORed with the plaintext also depends on the plaintext.

In CFB encryption, like CBC encryption, the input block to each forward

Cipher function (except the first) depends on the result of the previous forward

Cipher function; therefore, multiple forward cipher operations cannot be performed

in parallel. In CFB decryption, the required forward cipher operations can be performed

in parallel if the input blocks are first constructed (in series) from the IV and

the ciphertext.

• The unit of transmission is s bits; a common value is s =  8. 
• As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext. 
• In this case, rather than blocks of b bits, the plaintext is divided into segments of s bits.
• In CFB encryption, like CBC encryption, the input block to each forward Cipher function (except the first) depends on the result of the previous forward Cipher function; therefore, multiple forward cipher operations cannot be performed in parallel. 

4. Output Feedback(OFB) mode

• In OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext .

• The other difference from CFB is that the OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an s -bit subset.

P_N*  ? Let the size of a block be b bits. If the last block of plaintext (indicated by *) contains u bits,   with u < b, the most significant u bits of the last output block ON   are used for the XOR operation; the remaining b - u bits of the last output block are discarded.