Chapter Six: Block Ciphers Modes Of Operation
Prepared By: Asst. Prof. Dr. Muhanad Tahrir Younis

6-1 Block Cipher Modes of Operation


A block cipher algorithm is a basic building block for providing data security.
To apply a block cipher in a variety of applications, four "modes of operation"
have been defined by NIST. In essence, a mode of operation is a technique
for enhancing the effect of a cryptographic algorithm or adapting the
algorithm for an application, such as applying a block cipher to a sequence of
data blocks or a data stream. The four modes are intended to cover virtually
all the possible applications of encryption for which a block cipher could be
used. As new applications and requirements have appeared, NIST has
expanded the list of recommended modes to five in Special Publication 800-38A.
These modes are intended for use with any symmetric block cipher,
including triple DES and AES. The modes are summarized in Table (6-1) and
described briefly in the remainder of this section.

Table (6-1): Block Cipher Modes of Operation


Mode: Electronic Codebook (ECB)
  Description: Each block of 64 plaintext bits is encoded independently using the same key.
  Typical Application: Secure transmission of single values (e.g., an encryption key)

Mode: Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
  Typical Application: General-purpose block-oriented transmission; Authentication

Mode: Cipher Feedback (CFB)
  Description: Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
  Typical Application: General-purpose stream-oriented transmission; Authentication

Mode: Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding DES output.
  Typical Application: Stream-oriented transmission over noisy channel (e.g., satellite communication)

Mode: Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical Application: General-purpose block-oriented transmission; Useful for high-speed requirements


6-2 Electronic Codebook (ECB) Mode


The simplest mode is the electronic codebook (ECB) mode, in which plaintext
is handled one block at a time and each block of plaintext is encrypted using
the same key (Figure 6-1). The term codebook is used because, for a given
key, there is a unique ciphertext for every b-bit block of plaintext. Therefore,
we can imagine a gigantic codebook in which there is an entry for every
possible b-bit plaintext pattern showing its corresponding ciphertext.

Figure(6-1): Electronic Codebook (ECB) Mode

For a message longer than b bits, the procedure is simply to break the
message into b-bit blocks, padding the last block if necessary. Decryption is
performed one block at a time, always using the same key. In Figure (6-1), the
plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1,
P2, ..., PN; the corresponding sequence of ciphertext blocks is C1, C2, ..., CN.


The ECB method is ideal for a short amount of data, such as an encryption
key. Thus, if you want to transmit a DES key securely, ECB is the appropriate
mode to use.

The most significant characteristic of ECB is that the same b-bit block of
plaintext, if it appears more than once in the message, always produces the
same ciphertext.

For lengthy messages, the ECB mode may not be secure. If the message is
highly structured, it may be possible for a cryptanalyst to exploit these
regularities. For example, if it is known that the message always starts out
with certain predefined fields, then the cryptanalyst may have a number of
known plaintext-ciphertext pairs to work with. If the message has repetitive
elements, with a period of repetition a multiple of b bits, then these elements
can be identified by the analyst. This may help in the analysis or may provide
an opportunity for substituting or rearranging blocks.

6-3 Cipher Block Chaining (CBC) Mode


To overcome the security deficiencies of ECB, we would like a technique in
which the same plaintext block, if repeated, produces different ciphertext
blocks. A simple way to satisfy this requirement is the cipher block chaining
(CBC) mode (Figure 6-2). In this scheme, the input to the encryption algorithm
is the XOR of the current plaintext block and the preceding ciphertext block;
the same key is used for each block. In effect, we have chained together the
processing of the sequence of plaintext blocks. The input to the encryption
function for each plaintext block bears no fixed relationship to the plaintext
block. Therefore, repeating patterns of b bits are not exposed.


Figure (6-2): Cipher Block Chaining (CBC) Mode

For decryption, each cipher block is passed through the decryption algorithm.
The result is XORed with the preceding ciphertext block to produce the
plaintext block. To see that this works, we can write

Cj = E(K, [Cj-1 ⊕ Pj])

Then

D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))

D(K, Cj) = Cj-1 ⊕ Pj

Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

To produce the first block of ciphertext, an initialization vector (IV) is XORed
with the first block of plaintext. On decryption, the IV is XORed with the output
of the decryption algorithm to recover the first block of plaintext. The IV is a
data block that is the same size as the cipher block.

The IV must be known to both the sender and receiver but be unpredictable
by a third party. For maximum security, the IV should be protected against
unauthorized changes. This could be done by sending the IV using ECB
encryption. One reason for protecting the IV is as follows: If an opponent is
able to fool the receiver into using a different value for IV, then the opponent
is able to invert selected bits in the first block of plaintext. To see this, consider
the following:

C1 = E(K, [IV ⊕ P1])

P1 = IV ⊕ D(K, C1)

Now use the notation that X[i] denotes the ith bit of the b-bit quantity X. Then

P1[i] = IV[i] ⊕ D(K, C1)[i]

Then, using the properties of XOR, we can state

P1[i]' = IV[i]' ⊕ D(K, C1)[i]

where the prime notation denotes bit complementation. This means that if an
opponent can predictably change bits in IV, the corresponding bits of the
received value of P1 can be changed.

In conclusion, because of the chaining mechanism of CBC, it is an appropriate
mode for encrypting messages of length greater than b bits.

In addition to its use to achieve confidentiality, the CBC mode can be used for
authentication.
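The following Python program is an added example, not code from the chapter, that implements the ECB and CBC procedures described in Sections 6-2 and 6-3 and checks the two properties the text stresses: in ECB a repeated b-bit plaintext block produces a repeated ciphertext block, while in CBC it does not; and in CBC, complementing bit i of the IV complements exactly bit i of the recovered P1 (the reason the IV must be protected against unauthorized changes). A small 8-round Feistel network built on SHA-256 (names E, D, _f, assumed here) stands in for DES or AES; it is invertible, which is all the modes need, but it is not a secure cipher. The key, IV and message are constructed sample values.

```python
import hashlib
import os

BLOCK = 8  # b = 64 bits, the block size used throughout the chapter


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Round function of the toy cipher: a keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def E(key: bytes, block: bytes) -> bytes:
    # Toy 8-round Feistel network standing in for DES/AES (assumption). It is a keyed
    # permutation, so D below inverts it, but it is NOT a secure cipher.
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in range(8):
        L, R = R, xor(L, _f(key, r, R))
    return R + L


def D(key: bytes, block: bytes) -> bytes:
    # The same Feistel loop with the round order reversed undoes E.
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in reversed(range(8)):
        L, R = R, xor(L, _f(key, r, R))
    return R + L


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding so the message is a whole number of b-bit blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Cj = E(K, Pj): every block is encrypted independently with the same key.
    return b"".join(E(key, p) for p in blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(D(key, c) for c in blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Cj = E(K, Cj-1 xor Pj), with C0 = IV.
    prev, out = iv, []
    for p in blocks(pad(plaintext)):
        prev = E(key, xor(prev, p))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Pj = Cj-1 xor D(K, Cj), the identity derived in the text.
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(prev, D(key, c)))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier one.
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


def flip_bit(data: bytes, i: int) -> bytes:
    # Complement bit i, numbering bits from the most significant bit of byte 0.
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


def iv_tamper_difference(key: bytes, iv: bytes, ciphertext: bytes, i: int) -> bytes:
    # XOR of the plaintext recovered with the correct IV and with bit i of the IV
    # complemented: shows exactly which plaintext bits the IV change reaches.
    good = cbc_decrypt(key, iv, ciphertext)
    bad = cbc_decrypt(key, flip_bit(iv, i), ciphertext)
    return xor(good, bad)


if __name__ == "__main__":
    key, iv = b"constructed-key", os.urandom(BLOCK)      # constructed sample values
    msg = b"ATTACK A" * 3 + b"T DAWN. " * 3              # constructed: blocks repeat
    ecb_ct, cbc_ct = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    print("ECB repeated ciphertext blocks:", repeated_blocks(ecb_ct))
    print("CBC repeated ciphertext blocks:", repeated_blocks(cbc_ct))
    print("plaintext bits changed by flipping IV bit 10:",
          iv_tamper_difference(key, iv, cbc_ct, 10).hex())
```

The 48-byte message consists of two distinct 8-byte blocks, each appearing three times, plus one padding block; ECB therefore emits four duplicate ciphertext blocks, and CBC none. The IV experiment yields a difference of a single set bit in P1 and all-zero bytes elsewhere, matching P1[i]' = IV[i]' ⊕ D(K, C1)[i]; the rest of the message is untouched because later blocks are chained to ciphertext, not to the IV.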

6-4 Cipher Feedback (CFB) Mode


The DES scheme is essentially a block cipher technique that uses b-bit blocks.
However, it is possible to convert DES into a stream cipher, using either the
cipher feedback (CFB) or the output feedback (OFB) mode. A stream cipher
eliminates the need to pad a message to be an integral number of blocks. It
also can operate in real time. Thus, if a character stream is being transmitted,
each character can be encrypted and transmitted immediately using a
character-oriented stream cipher.

One desirable property of a stream cipher is that the ciphertext be of the same
length as the plaintext. Thus, if 8-bit characters are being transmitted, each
character should be encrypted to produce a ciphertext output of 8 bits. If
more than 8 bits are produced, transmission capacity is wasted.

Figure (6-3) depicts the CFB scheme. In the figure, it is assumed that the unit
of transmission is s bits; a common value is s = 8. As with CBC, the units of
plaintext are chained together, so that the ciphertext of any plaintext unit is a
function of all the preceding plaintext. In this case, rather than units of b bits,
the plaintext is divided into segments of s bits.

Figure (6-3): s-bit Cipher Feedback (CFB) Mode


First, consider encryption. The input to the encryption function is a b-bit shift
register that is initially set to some initialization vector (IV). The leftmost (most
significant) s bits of the output of the encryption function are XORed with the
first segment of plaintext P1 to produce the first unit of ciphertext C1, which is
then transmitted. In addition, the contents of the shift register are shifted left
by s bits and C1 is placed in the rightmost (least significant) s bits of the shift
register. This process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext
unit is XORed with the output of the encryption function to produce the
plaintext unit. Note that it is the encryption function that is used, not the
decryption function. This is easily explained. Let Ss(X) be defined as the most
significant s bits of X. Then

C1 = P1 ⊕ Ss[E(K, IV)]

Therefore,

P1 = C1 ⊕ Ss[E(K, IV)]

The same reasoning holds for subsequent steps in the process.

6-5 Output Feedback (OFB) Mode


The output feedback (OFB) mode is similar in structure to that of CFB, as
illustrated in Figure (6-4). As can be seen, it is the output of the encryption
function that is fed back to the shift register in OFB, whereas in CFB the
ciphertext unit is fed back to the shift register.


Figure (6-4): s-bit Output Feedback (OFB) Mode

One advantage of the OFB method is that bit errors in transmission do not
propagate. For example, if a bit error occurs in C1, only the recovered value of
P1 is affected; subsequent plaintext units are not corrupted. With CFB, C1 also
serves as input to the shift register and therefore causes additional corruption
downstream.
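The following Python program is an added example, not code from the chapter, that implements the s-bit CFB and OFB shift-register schemes of Figures (6-3) and (6-4) with s = 8 and b = 64 and measures the error-propagation difference just described: one complemented ciphertext bit is fed to the receiver and the program lists which recovered plaintext units differ from the original. Because both modes only ever call the encryption function E, never D, a keyed one-way function (SHA-256, an assumption here) stands in for the block cipher; it is not a real cipher. The key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8    # b = 64-bit shift register
S = 8        # s = 8-bit transmission unit (one character)
SB = S // 8  # bytes per unit


def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encryption function (assumption). CFB and OFB
    # never call D, so a keyed one-way function suffices; it is NOT a real cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def units(data: bytes) -> list:
    return [data[i : i + SB] for i in range(0, len(data), SB)]


def S_s(x: bytes) -> bytes:
    # The most significant s bits of x, the text's Ss(X).
    return x[:SB]


def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # s-bit CFB: Cj = Pj xor Ss[E(K, reg)]; then shift reg left by s bits and place Cj
    # in the rightmost s bits. Decryption is the same loop, except that the unit fed
    # back is the received ciphertext unit rather than the unit just produced.
    reg, out = iv, []
    for unit in units(data):
        o = xor(unit, S_s(E(key, reg)))
        out.append(o)
        reg = reg[SB:] + (unit if decrypt else o)
    return b"".join(out)


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # s-bit OFB as drawn in Figure (6-4): the s output bits of E are fed back, so the
    # keystream never depends on the data and one function serves both directions.
    reg, out = iv, []
    for unit in units(data):
        ks = S_s(E(key, reg))
        out.append(xor(unit, ks))
        reg = reg[SB:] + ks
    return b"".join(out)


def flip_bit(data: bytes, i: int) -> bytes:
    # Complement bit i, numbering bits from the most significant bit of byte 0.
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


def corrupted_units(mode: str, key: bytes, iv: bytes, plaintext: bytes, bit: int) -> list:
    # Complement one ciphertext bit "in transit" and return the indices of the
    # recovered plaintext units that no longer match the original.
    if mode == "cfb":
        damaged = flip_bit(cfb(key, iv, plaintext), bit)
        recovered = cfb(key, iv, damaged, decrypt=True)
    else:
        damaged = flip_bit(ofb(key, iv, plaintext), bit)
        recovered = ofb(key, iv, damaged)
    return [j for j, (p, r) in enumerate(zip(units(plaintext), units(recovered))) if p != r]


if __name__ == "__main__":
    key, iv = b"constructed-key", bytes(range(BLOCK))   # constructed sample values
    msg = b"character stream sent one byte at a time"    # constructed, 39 bytes, no padding
    assert cfb(key, iv, cfb(key, iv, msg), decrypt=True) == msg
    assert ofb(key, iv, ofb(key, iv, msg)) == msg
    print("CFB units hit by one flipped bit in C1:", corrupted_units("cfb", key, iv, msg, 3))
    print("OFB units hit by one flipped bit in C1:", corrupted_units("ofb", key, iv, msg, 3))
```

With OFB the damaged bit changes only unit 0. With CFB the damaged C1 also sits in the shift register for the next b/s = 8 units, so units 1 to 8 are garbled as well (a unit in that range is occasionally correct by chance, since a wrong 8-bit keystream value matches the right one with probability 1/256), and the stream resynchronizes from unit 9 on. The ciphertext length equals the plaintext length, the stream property the text asks for. Two caveats a practitioner should keep in mind: the OFB figure feeds back s bits, whereas NIST SP 800-38A specifies OFB with full-block feedback, which avoids short keystream cycles; and the clean one-to-one mapping of ciphertext bits to plaintext bits in OFB is exactly why the next paragraph warns about message stream modification, so OFB (like any stream mode) needs a separate integrity check such as a MAC.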

The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB. Consider that complementing a bit in the
ciphertext complements the corresponding bit in the recovered plaintext.
Thus, controlled changes to the recovered plaintext can be made. This may
make it possible for an opponent, by making the necessary changes to the
checksum portion of the message as well as to the data portion, to alter the
ciphertext in such a way that it is not detected by an error-correcting code.

6-6 Counter (CTR) Mode


Although interest in the counter mode (CTR) has increased recently, with
applications to ATM (asynchronous transfer mode) network security and IPSec
(IP security), this mode was proposed as early as 1979.

Figure (6-5) depicts the CTR mode. A counter equal in size to the plaintext block
is used. The only requirement is that the counter value must be different
for each plaintext block that is encrypted. Typically, the counter is initialized
to some value and then incremented by 1 for each subsequent block (modulo
2^b, where b is the block size). For encryption, the counter is encrypted and
then XORed with the plaintext block to produce the ciphertext block; there is
no chaining. For decryption, the same sequence of counter values is used,
with each encrypted counter XORed with a ciphertext block to recover the
corresponding plaintext block.

Figure (6-5): Counter (CTR) Mode.


The following are some advantages of CTR mode:

- Hardware efficiency: Unlike the three chaining modes, encryption (or
  decryption) in CTR mode can be done in parallel on multiple blocks of
  plaintext or ciphertext. For the chaining modes, the algorithm must
  complete the computation on one block before beginning on the next block.
  This limits the maximum throughput of the algorithm to the reciprocal of
  the time for one execution of block encryption or decryption. In CTR mode,
  the throughput is only limited by the amount of parallelism that is achieved.
- Software efficiency: Similarly, because of the opportunities for parallel
  execution in CTR mode, processors that support parallel features, such as
  aggressive pipelining, multiple instruction dispatch per clock cycle, a large
  number of registers, and SIMD instructions, can be effectively utilized.
- Preprocessing: The execution of the underlying encryption algorithm does
  not depend on input of the plaintext or ciphertext. Therefore, if sufficient
  memory is available and security is maintained, preprocessing can be used
  to prepare the output of the encryption boxes that feed into the XOR
  functions in Figure (6-5). When the plaintext or ciphertext input is
  presented, then the only computation is a series of XORs. Such a strategy
  greatly enhances throughput.
- Random access: The ith block of plaintext or ciphertext can be processed
  in random-access fashion. With the chaining modes, block Ci cannot be
  computed until the i - 1 prior blocks are computed. There may be
  applications in which a ciphertext is stored and it is desired to decrypt just
  one block; for such applications, the random access feature is attractive.
- Provable security: It can be shown that CTR is at least as secure as the
  other modes discussed in this section.
- Simplicity: Unlike ECB and CBC modes, CTR mode requires only the
  implementation of the encryption algorithm and not the decryption
  algorithm. This matters most when the decryption algorithm differs
  substantially from the encryption algorithm, as it does for AES. In addition,
  the decryption key scheduling need not be implemented.
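The following Python program is an added example, not code from the chapter, that implements CTR mode as described in Section 6-6 and exercises the advantages listed above: the counter wraps modulo 2^b, a single stored ciphertext block is decrypted in isolation (random access), the encrypted counters are produced ahead of time and independently of the data (preprocessing and parallelism, shown with a thread pool), and a final partial block needs no padding. As in the CFB/OFB case, only the encryption function is ever called, so a keyed one-way function built on SHA-256 (an assumption here) stands in for the block cipher; it is not a real cipher. The key, initial counter value and message are constructed sample values.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 8  # b = 64-bit blocks


def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encryption function (assumption). CTR never
    # calls D, the "simplicity" advantage above; this is NOT a real cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, which handles a final partial block.
    return bytes(x ^ y for x, y in zip(a, b))


def counter_block(initial: int, i: int) -> bytes:
    # Counter value for block i: the initial value plus i, reduced modulo 2^b.
    return ((initial + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")


def nblocks(data: bytes) -> int:
    return (len(data) + BLOCK - 1) // BLOCK


def ctr_block(key: bytes, initial: int, i: int, block: bytes) -> bytes:
    # Ci = Pi xor E(K, counter_i). XOR is its own inverse, so the same call turns Ci
    # back into Pi, and block i needs nothing from blocks 0..i-1 (no chaining).
    return xor(block, E(key, counter_block(initial, i)))


def ctr(key: bytes, initial: int, data: bytes) -> bytes:
    # Whole-message CTR in either direction; no chaining and no padding.
    return b"".join(
        ctr_block(key, initial, i, data[i * BLOCK : (i + 1) * BLOCK])
        for i in range(nblocks(data))
    )


def decrypt_one_block(key: bytes, initial: int, ciphertext: bytes, i: int) -> bytes:
    # Random access: recover only block i of a stored ciphertext.
    return ctr_block(key, initial, i, ciphertext[i * BLOCK : (i + 1) * BLOCK])


def precompute_keystream(key: bytes, initial: int, n: int) -> list:
    # Preprocessing / parallelism: every E() call depends only on the counter, so the
    # outputs that feed the XORs can be produced ahead of time and independently.
    with ThreadPoolExecutor() as pool:
        return list(pool.map(lambda i: E(key, counter_block(initial, i)), range(n)))


def ctr_with_keystream(data: bytes, keystream: list) -> bytes:
    # With the keystream ready, the only remaining work per block is one XOR.
    return b"".join(
        xor(data[i * BLOCK : (i + 1) * BLOCK], keystream[i]) for i in range(nblocks(data))
    )


if __name__ == "__main__":
    key = b"constructed-key"                                # constructed sample key
    initial = (1 << 64) - 2                                 # constructed: near 2^b, so the counter wraps
    msg = b"block-oriented transmission at high speed!!"   # constructed, 43 bytes
    ct = ctr(key, initial, msg)
    print("same length:", len(ct) == len(msg), " round trip:", ctr(key, initial, ct) == msg)
    print("block 3 alone:", decrypt_one_block(key, initial, ct, 3))
    ks = precompute_keystream(key, initial, nblocks(ct))
    print("decrypt with precomputed keystream:", ctr_with_keystream(ct, ks) == msg)
```

The choice of initial value makes the third counter wrap to zero, exercising the "modulo 2^b" rule. The one requirement the text states, that no counter value repeats under a given key, is what the incrementing counter enforces; reusing an initial value with the same key would reuse keystream, so in practice the initial value is derived from a nonce that is never repeated for that key.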
