
Block Cipher Modes

This document discusses different modes of operation for block ciphers. It describes the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes. ECB encrypts each block independently, revealing patterns in plaintext. CBC improves on ECB by chaining blocks together through XOR. CFB and OFB convert block ciphers into stream ciphers. CTR encrypts a counter rather than the plaintext. Each mode has advantages and limitations for security, parallelization, and error propagation.

Uploaded by

ndskjn

Block Cipher Modes of Operation

(CS-452)

CS-452 Cryptography 1/30


Section 6 Block Cipher Modes of Operation



Block Cipher Modes of Operation
An n-bit block cipher encrypts plaintext n bits at a time.
Plaintexts longer than n bits are split into multiple blocks.
How should the blocks from the same plaintext be processed?
The choice has implications for security, implementation complexity, etc.
Block cipher mode of operation: an algorithm that uses a block cipher to encrypt multiple blocks of the plaintext in a way that delivers a particular security service.
Example: confidentiality and authenticity.



Block Cipher Modes of Operation: Modes

NIST Special Publication 800-38A defines five modes of block cipher operation:
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)



Electronic Codebook Mode (ECB)

The message is divided into blocks.
Plaintext is handled one block at a time and each block is encrypted using the same key.



Advantages and Limitations of ECB

Each block is encrypted independently of the other blocks.
Ideal for a short amount of data, e.g. transmitting a DES key securely.
For lengthy messages, ECB mode may not be secure.
The same n-bit block of plaintext, if it appears more than once in the message, always produces the same ciphertext, so ECB does not hide data patterns well.





Example: Disadvantage of ECB

A pixel-map version of the image on the left was encrypted with ECB mode and
with other modes.

[Figure: three panels showing the original image, the image encrypted using ECB mode, and the image encrypted using other modes]



Advantages and Limitations of ECB
The weakness is due to the encrypted message blocks being independent.
We would like a technique in which the same plaintext block, if repeated, produces different ciphertext blocks.





Cipher Block Chaining (CBC)
The input to the encryption algorithm is the XOR ($\oplus$) of the current plaintext block and the preceding ciphertext block. ($A \oplus A = 0$, $0 \oplus A = A$)
Each ciphertext block is dependent on all plaintext blocks processed up to that point.
$C_j = E(K, [C_{j-1} \oplus P_j])$, $C_0 = IV$



Cipher Block Chaining (CBC)
For decryption, each ciphertext block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext.
$P_j = C_{j-1} \oplus D(K, C_j)$, $C_0 = IV$





Cipher Block Chaining (CBC)
How to prove that the decryption process is correct?
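Encryption: $C_j = E(K, [C_{j-1} \oplus P_j])$, $C_0 = IV$
Decryption: $P_j = C_{j-1} \oplus D(K, C_j)$, $C_0 = IV$

Proof:
$A \oplus A = 0$
$0 \oplus A = A$
$P_j = C_{j-1} \oplus D(K, C_j)$
$= C_{j-1} \oplus D(K, E(K, [C_{j-1} \oplus P_j]))$
$= C_{j-1} \oplus C_{j-1} \oplus P_j$
$= 0 \oplus P_j$
$= P_j$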





Message Padding
At the end of the message, a possible last block that is smaller than the cipher's block size must be handled.
Pad either with a known non-data value (e.g. nulls),
or pad the last block along with a count of the pad size,
e.g. [ b1 b2 b3 0 0 0 0 5 ]: 3 data bytes, 5 bytes of pad + count.
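
The ECB pattern leak, the CBC chaining equations and the pad-with-count scheme from the slides above, as an added Python example that is not part of the original slides. The 16-byte Feistel cipher built on SHA-256 is a constructed stand-in for E and D (not AES or DES), and the key, IV and message are constructed sample values.

```python
import hashlib

BS = 16  # block size in bytes of the constructed toy cipher (not AES/DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function (assumption: SHA-256 based)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def E(key, block):  # toy 4-round Feistel network standing in for E(K, .)
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key, block):  # inverse of E: undo the rounds in reverse order
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pad(msg):  # zeros followed by a count byte, as in [b1 b2 b3 0 0 0 0 5]
    n = BS - len(msg) % BS  # 1..BS: a whole extra block if already aligned
    return msg + bytes(n - 1) + bytes([n])
def unpad(msg):  # reject a count or filler that pad() could not have produced
    n = msg[-1]
    if not 1 <= n <= BS or any(msg[-n:-1]):
        raise ValueError("bad padding")
    return msg[:-n]

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(key, pt):  # every block encrypted independently
    return [E(key, p) for p in blocks(pad(pt))]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                   # C_0 = IV
    for p in blocks(pad(pt)):
        prev = E(key, xor(prev, p))      # C_j = E(K, C_{j-1} XOR P_j)
        out.append(prev)
    return out

def cbc_decrypt(key, iv, ct):
    pt = b"".join(xor(prev, D(key, c))   # P_j = C_{j-1} XOR D(K, C_j)
                  for prev, c in zip([iv] + ct, ct))
    return unpad(pt)

KEY, IV = b"constructed key!", b"constructed IV.."   # constructed sample values
MSG = b"SIXTEEN BYTE BLK" * 3 + b"end"                # three identical blocks
```

Under ECB the three identical plaintext blocks give three identical ciphertext blocks, while under CBC all four ciphertext blocks differ and `cbc_decrypt` recovers `MSG`.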



Advantages and Limitations of CBC
Advantage:
Avalanche effect: A ciphertext block depends on all blocks before it - any change
to one block affects all the following ciphertext blocks



Advantages and Limitations of CBC
Disadvantage:
Encryption is sequential (i.e., cannot be parallelized)
Needs an Initialization Vector (IV),
which must be known to sender and receiver.
The IV must either be a fixed value or be sent encrypted in ECB mode before the rest of the message.



Cipher FeedBack Mode (CFB)
Used when the data unit is smaller than the block size (e.g. data is only available a bit/byte at a time).
Converts AES/DES into a stream cipher that can be used to encrypt any number of bits.
Property of a stream cipher: the ciphertext is the same length as the plaintext.
Eliminates the need to pad a message.



Cipher FeedBack Mode (CFB): Encryption
E.g. the unit of transmission is s bits.
A 64-bit shift register is initially set to some initialization vector (IV).
The leftmost s bits of the output of the encryption function are XORed with the first unit of plaintext P1 to produce C1.



Cipher FeedBack Mode (CFB): Encryption
E.g. the unit of transmission is s bits.
The contents of the shift register are shifted left by s bits and C1 is placed in
the rightmost s bits of the shift register.
Continue this process until all plaintext units have been encrypted.



Cipher Feedback Mode (CFB): Decryption
E.g. the unit of transmission is s bits.
Same scheme as encryption, except that the received ciphertext unit is XORed
with the output of the encryption function to produce the plaintext unit.



Cipher FeedBack Mode (CFB): Decryption
Question: how to prove that the decryption is correct?



Output FeedBack (OFB)
In OFB, the output of the encryption function is fed back to the shift
register, while in CFB, the ciphertext unit is fed back to the register.



Advantage: OFB
Bit errors in transmission do not propagate
E.g. if a bit error occurs in C1, only the recovered value of P1 is affected.
When using CFB, C1 is the input to the shift register and may corrupt the
subsequent plaintext units.
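
The CFB and OFB shift-register schemes and their different error propagation, as an added Python example that is not part of the original slides. It assumes s = 8 bits and a 64-bit register as on the slides, uses HMAC-SHA256 truncated to 8 bytes as a stand-in for the block cipher's encryption function, and runs on constructed key, IV and message values.

```python
import hmac, hashlib

def E(key, reg):
    # Stand-in for the encryption function applied to the 64-bit shift
    # register (assumption: truncated HMAC-SHA256, not DES).
    return hmac.new(key, reg, hashlib.sha256).digest()[:8]

def cfb(key, iv, units, decrypt=False):
    reg, out = iv, bytearray()
    for u in units:
        o = E(key, reg)[0] ^ u         # leftmost s bits XOR the data unit
        out.append(o)
        c = u if decrypt else o        # CFB: the ciphertext unit is fed back
        reg = reg[1:] + bytes([c])     # shift left by s bits, C_j on the right
    return bytes(out)

def ofb(key, iv, units):               # the same call encrypts and decrypts
    reg, out = iv, bytearray()
    for u in units:
        o = E(key, reg)[0]
        out.append(o ^ u)
        reg = reg[1:] + bytes([o])     # OFB: the cipher output is fed back
    return bytes(out)

def damaged_units(decrypt, ct, pt):
    """Flip one bit of C1 in transit; return indices of wrong plaintext units."""
    bad = bytes([ct[0] ^ 0x01]) + ct[1:]
    return [i for i, (a, b) in enumerate(zip(decrypt(bad), pt)) if a != b]

KEY, IV = b"constructed key", b"8byte IV"     # constructed sample values
MSG = b"sensor reading 0042: 21.5C"           # constructed sample message

def results():
    cfb_bad = damaged_units(lambda c: cfb(KEY, IV, c, decrypt=True),
                            cfb(KEY, IV, MSG), MSG)
    ofb_bad = damaged_units(lambda c: ofb(KEY, IV, c), ofb(KEY, IV, MSG), MSG)
    return cfb_bad, ofb_bad
```

With OFB only unit 0 is wrong; with CFB the damage starts at unit 0 and ends once the corrupted C1 has been shifted out of the register, so no unit past index 8 is affected.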



Counter (CTR)
The counter is initialized to some value and then incremented by 1 for each subsequent
block.
The counter can be any simple function which produces a sequence which is guaranteed
not to repeat for a long time



Counter (CTR)

The correctness of the decryption process


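Encryption: $C_j = E(K, \text{Counter} + j - 1) \oplus P_j$
Decryption: $P_j = E(K, \text{Counter} + j - 1) \oplus C_j$

Proof:
$A \oplus A = 0$
$0 \oplus A = A$
$P_j = E(K, \text{Counter} + j - 1) \oplus C_j$
$= E(K, \text{Counter} + j - 1) \oplus E(K, \text{Counter} + j - 1) \oplus P_j$
$= 0 \oplus P_j$
$= P_j$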



Advantages and Requirements of CTR
Advantages:
Efficiency:
Encryption/decryption can be done in parallel on multiple blocks of plaintext or
ciphertext
The execution of the encryption algorithm does not depend on the plaintext and
ciphertext - can preprocess in advance.
Good for high-speed network encryption
Random access to encrypted data blocks
Provable security (as good as other modes)
Security Requirement: The same counter value should not be used multiple times.
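
CTR random access and the counter-uniqueness requirement, as an added Python example that is not part of the original slides. It uses HMAC-SHA256 truncated to 16 bytes as a stand-in for E(K, counter value); `CounterAllocator` is a hypothetical helper, and the key and messages are constructed sample values.

```python
import hmac, hashlib

BS = 16  # block size in bytes

def E(key, value):
    # Stand-in for E(K, counter value) (assumption: truncated HMAC-SHA256);
    # CTR only ever uses the cipher's encryption direction.
    return hmac.new(key, value.to_bytes(BS, "big"), hashlib.sha256).digest()[:BS]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, counter, data, first_block=0):
    """C_j = E(K, Counter + j - 1) XOR P_j; the same call decrypts.
    first_block > 0 handles a slice starting at that block (random access)."""
    return b"".join(xor(E(key, counter + first_block + n), data[i:i + BS])
                    for n, i in enumerate(range(0, len(data), BS)))

class CounterAllocator:
    """Hypothetical helper: hands out disjoint counter ranges for one key."""
    def __init__(self, start=0):
        self.next = start
    def reserve(self, nbytes):
        first = self.next
        self.next += -(-nbytes // BS)    # blocks needed, rounded up
        return first

KEY = b"constructed key!"                       # constructed sample values
P1 = b"invoice 0001: pay 100 to account A"
P2 = b"invoice 0002: pay 999 to account B"

def reuse_leaks():
    c1, c2 = ctr_crypt(KEY, 7, P1), ctr_crypt(KEY, 7, P2)  # same counter twice
    return xor(c1, c2) == xor(P1, P2)    # the keystream cancels out

def allocated_leaks():
    alloc = CounterAllocator()
    c1 = ctr_crypt(KEY, alloc.reserve(len(P1)), P1)
    c2 = ctr_crypt(KEY, alloc.reserve(len(P2)), P2)
    return xor(c1, c2) == xor(P1, P2)
```

`reuse_leaks()` returns True because both messages were XORed with the same keystream, which is why counter values must never repeat under one key; `allocated_leaks()` returns False.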



Summary: Comparison of Block Cipher Modes



Credits

Many slides borrowed from Dr. Ping Yang from State University of New York
at Binghamton.
