- Block ciphers convert a b-bit plaintext block into a b-bit ciphertext block.
- If the amount of plaintext to be encrypted is greater than b bits, then the plaintext is broken up into b-bit blocks.
- When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise.
- To enhance the effect of a cryptographic algorithm and to apply a block cipher in a variety of applications, NIST has defined five modes of operation.
- These modes are intended for use with any symmetric block cipher, including triple DES and AES.
1. Electronic Code Book (ECB)
- For a given key, there is a unique ciphertext for every b-bit block of plaintext in the codebook.
- It is called a codebook since one could precompile 2^K codebooks (one for each key), each with 2^n entries.
- K = number of bits in the key, n = number of bits in a plaintext block = b
- However, if K and n are large, the codebook is too large to precompile and maintain.
- Security issues: for lengthy messages, ECB mode is not secure.
- Patterns at the block level are preserved, i.e., equal blocks in P become equal blocks in C.
- The independence of the blocks creates opportunities for an attacker to exchange some ciphertext blocks without knowing the key.
- Error propagation : nil (adv..
- A bit error in transmission creates errors in several bits of that block only; it has no effect on the bits of other blocks.
- Application: short messages that fit into one block, such as an encryption key.
The evaluation criteria for better modes of operation:
- As ECB is not secure for large messages, we have to go for more complex modes.
- The criteria for evaluating and constructing block cipher modes of operation that are superior to ECB are:
- Overhead: The additional operations needed for the encryption and decryption when compared to the ECB mode.
- Error recovery: The property that a (computational) error in the ith ciphertext block is inherited by only a few plaintext blocks.
- Error propagation: The property that a (transmission) error in the ith ciphertext block is inherited by the ith and all subsequent plaintext blocks.
- Diffusion: How the plaintext statistics are reflected in the ciphertext
- Security: Whether or not the ciphertext blocks leak information about the plaintext blocks.
2. Cipher Block Chaining (CBC) mode
In CBC, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
Encryption:
C_i = E(K, [P_i ⊕ C_{i-1}]), with C_0 = IV
Decryption:
P_i = D(K, C_i) ⊕ C_{i-1}, with C_0 = IV
To overcome the security deficiencies of ECB, we would like a technique in which
the same plaintext block, if repeated, produces different ciphertext blocks. A
simple way to satisfy this requirement is the cipher block chaining (CBC ) mode
(Figure 7.4). In this scheme, the input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext block; the same key is used for
each block. In effect, we have chained together the processing of the sequence of
plaintext blocks. The input to the encryption function for each plaintext block bears
no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits
are not exposed. As with the ECB mode, the CBC mode requires that the last block
be padded to a full b bits if it is a partial block.
For decryption, each cipher block is passed through the decryption algorithm.
The result is XORed with the preceding ciphertext block to produce the plaintext
block.
To produce the first block of ciphertext, an initialization vector (IV) is XORed
with the first block of plaintext. On decryption, the IV is XORed with the output
of the decryption algorithm to recover the first block of plaintext. The IV is a data
block that is the same size as the cipher block.
The IV must be known to both the sender and receiver but be unpredictable
by a third party. In particular, for any given plaintext, it must not be possible to
predict the IV that will be associated to the plaintext in advance of the generation
of the IV. For maximum security, the IV should be protected against unauthorized
changes. This could be done by sending the IV using ECB encryption. One reason
for protecting the IV is as follows: If an opponent is able to fool the receiver into
using a different value for IV, then the opponent is able to invert selected bits in the
first block of plaintext.
So long as it is unpredictable, the specific choice of IV is unimportant.
SP800-38A recommends two possible methods: The first method is to apply the
encryption function, under the same key that is used for the encryption of the plaintext,
to a nonce . The nonce must be a data block that is unique to each execution of
the encryption operation. For example, the nonce may be a counter, a timestamp, or
a message number. The second method is to generate a random data block using a
random number generator.
In conclusion, because of the chaining mechanism of CBC, it is an appropriate
mode for encrypting messages of length greater than b bits.
In addition to its use to achieve confidentiality, the CBC mode can be used for
authentication. This use is described in Chapter 12.
- The same key is used for each block.
- In effect, we have chained together the processing of the sequence of plaintext blocks.
- To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. The IV is a data block that is the same size as the cipher block.
- On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.
- The IV can be a nonce (such as a counter or a timestamp) or a random data block generated using a random number generator.
- Definition of nonce: A time-varying value that has a negligible chance of repeating.
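The ECB weakness noted earlier (equal plaintext blocks give equal ciphertext blocks) and the CBC equations, worked in Python. This is an added example, not code from the notes or the textbook; the 16-byte Feistel functions E/D are a hypothetical toy stand-in for the block cipher, and the key, plaintext and IV are constructed.

```python
from hashlib import sha256
from secrets import token_bytes
B = 16  # block size b in bytes (b = 128 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy stand-in for E(K, .) / D(K, .): a 4-round Feistel network with SHA-256 as the
# round function (hypothetical, NOT a real cipher; use AES). The modes are the point.
def E(key, block):
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, xor(L, sha256(key + bytes([r]) + R).digest()[:8])
    return L + R

def D(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = xor(R, sha256(key + bytes([r]) + L).digest()[:8]), L
    return L + R

def blocks(data):
    assert len(data) % B == 0, "caller pads the last block to a full b bits"
    return [data[i:i + B] for i in range(0, len(data), B)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))   # one codebook lookup per block

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                               # C0 = IV
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                  # Ci = E(K, Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))             # Pi = D(K, Ci) xor Ci-1
        prev = c
    return b"".join(out)

def demo():
    key = b"k" * 16                                  # constructed key
    pt = b"ATTACK AT DAWN!!" * 3                     # three identical plaintext blocks
    ecb = blocks(ecb_encrypt(key, pt))
    iv = token_bytes(B)                              # fresh unpredictable IV per message
    cbc = blocks(cbc_encrypt(key, iv, pt))
    # ECB: equal plaintext blocks give equal ciphertext blocks; CBC hides the pattern
    return len(set(ecb)) == 1, len(set(cbc)) == 3, cbc_decrypt(key, iv, b"".join(cbc)) == pt
```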
Cipher Feedback (CFB) mode, Output Feedback (OFB) mode and Counter (CTR) mode
- These three modes make it possible to convert a block cipher into a stream cipher
- A stream cipher eliminates the need to pad a message to be an integral number of blocks.
- It can also operate in real time: when a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. In CBC, even if a character is only 8 bits, we have to wait until 64 bits have been received before encryption can start.
3. Cipher Feedback (CFB) mode
The key K and the initialisation vector IV are b bits long.
A plaintext unit is s bits; usually s = 8.
We can define CFB mode encryption as follows:
Figure 7.5 depicts the CFB scheme. In the figure, it is assumed that the unit of
transmission is s bits; a common value is s = 8. As with CBC, the units of plaintext
are chained together, so that the ciphertext of any plaintext unit is a function of all
the preceding plaintext. In this case, rather than blocks of b bits, the plaintext is
divided into segments of s bits.
First, consider encryption. The input to the encryption function is a b -bit shift
register that is initially set to some initialization vector (IV). The leftmost (most
significant) s bits of the output of the encryption function are XORed with the
first segment of plaintext P1 to produce the first unit of ciphertext C1 , which is then
transmitted. In addition, the contents of the shift register are shifted left by s bits,
and C1 is placed in the rightmost (least significant) s bits of the shift register. This
process continues until all plaintext units have been encrypted.
For decryption, the same scheme is used, except that the received ciphertext
unit is XORed with the output of the encryption function to produce the plaintext
unit. Note that it is the encryption function that is used, not the decryption function.
Although CFB can be viewed as a stream cipher, it does not conform to the
typical construction of a stream cipher. In a typical stream cipher, the cipher takes
as input some initial value and a key and generates a stream of bits, which is then
XORed with the plaintext bits (see Figure 4.1). In the case of CFB, the stream of
bits that is XORed with the plaintext also depends on the plaintext.
In CFB encryption, like CBC encryption, the input block to each forward
Cipher function (except the first) depends on the result of the previous forward
Cipher function; therefore, multiple forward cipher operations cannot be performed
in parallel. In CFB decryption, the required forward cipher operations can be performed
in parallel if the input blocks are first constructed (in series) from the IV and
the ciphertext.
- The unit of transmission is s bits; a common value is s = 8.
- As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext.
- In this case, rather than blocks of b bits, the plaintext is divided into segments of s bits.
- In CFB encryption, like CBC encryption, the input block to each forward Cipher function (except the first) depends on the result of the previous forward Cipher function; therefore, multiple forward cipher operations cannot be performed in parallel.
4. Output Feedback (OFB) mode
- In OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext.
- The other difference from CFB is that the OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an s-bit subset.
Last partial block P_N^*: Let the size of a block be b bits. If the last block of plaintext (indicated by *) contains u bits, with u < b, the most significant u bits of the last output block O_N are used for the XOR operation; the remaining b - u bits of the last output block are discarded.
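The CFB shift-register procedure described above and the OFB rule for a partial last block, as one added Python example (not code from the notes or the textbook). The one-way function E is a hypothetical stand-in for the forward cipher, which is all either mode needs; the key, IV and messages are constructed, and the segment size s is counted in bytes here.

```python
from hashlib import sha256
B = 16  # block size b in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in for the forward cipher function E(K, .). CFB and OFB never call the
# inverse, so a one-way keyed function suffices here (hypothetical; use AES).
def E(key, block):
    return sha256(key + block).digest()[:B]

def cfb_encrypt(key, iv, pt, s=1):
    """CFB with s-byte segments (s=1 is the common 8-bit transmission unit)."""
    reg, out = iv, bytearray()                   # b-bit shift register starts at IV
    for i in range(0, len(pt), s):
        c = xor(pt[i:i + s], E(key, reg)[:s])    # leftmost s bits of the E output
        out += c
        reg = reg[len(c):] + c                   # shift left by s, Ci enters on the right
    return bytes(out)

def cfb_decrypt(key, iv, ct, s=1):
    reg, out = iv, bytearray()
    for i in range(0, len(ct), s):
        c = ct[i:i + s]
        out += xor(c, E(key, reg)[:s])           # forward cipher again, never D
        reg = reg[len(c):] + c
    return bytes(out)

def ofb_crypt(key, iv, data):
    """OFB: O_i = E(K, O_{i-1}) with O_0 = IV; the last block uses only the most
    significant u bits of O_N. The same function encrypts and decrypts."""
    o, out = iv, bytearray()
    for i in range(0, len(data), B):
        o = E(key, o)                            # feedback is the output, not the ciphertext
        seg = data[i:i + B]
        out += xor(seg, o[:len(seg)])            # remaining b - u bits are discarded
    return bytes(out)

def demo():
    key, iv = b"k" * 16, b"\x2a" * 16            # constructed key and IV
    pt = b"The quick brown fox jumps"            # 25 bytes: one full block plus u = 72 bits
    alt = b"THE quick brown fox jumps"           # differs from pt only in the first byte
    cfb_ks = xor(cfb_encrypt(key, iv, pt), pt)   # keystream actually applied
    cfb_ks_alt = xor(cfb_encrypt(key, iv, alt), alt)
    ofb_ks = xor(ofb_crypt(key, iv, pt), pt)
    ofb_ks_alt = xor(ofb_crypt(key, iv, alt), alt)
    return (cfb_decrypt(key, iv, cfb_encrypt(key, iv, pt)) == pt,
            ofb_crypt(key, iv, ofb_crypt(key, iv, pt)) == pt,
            cfb_ks[0] == cfb_ks_alt[0] and cfb_ks[1:] != cfb_ks_alt[1:],  # CFB stream depends on plaintext
            ofb_ks == ofb_ks_alt)                # OFB stream does not
```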