CHAPTER 8

Encipherment Using Modern

Block Ciphers
(Solution to Odd-Numbered Problems)

Review Questions
1. Modern block ciphers encrypt and decrypt small blocks. DES uses a block size of
8 bytes (characters) and AES uses a block size of 16 bytes (characters). In real life,
we need to encrypt or decrypt larger units of data. For example, a one-page docu-
ment is normally more than 1000 characters. Mode of operations are designed to
allow us to repeatedly use a modern block cipher for encryption and decryption.
3. In the electronic codebook (ECB) mode, the plaintext is divided into N blocks.
Each block is n bits. The same key is used to encrypt and decrypt each block.
‰ Advantages. This mode has two obvious advantages. First, it is simple. Sec-
ond, transmission error is not propagated from one block to the other.
‰ Disadvantages. This mode has some security problems. First, patterns at the
block level are preserved. Second, block independency creates opportunities
for Eve to substitutes some cipher blocks with some cipher blocks of her own.
5. In the cipher feedback (CFB) mode, the size of the plaintext or ciphertext block is
r, where r ≤ n. The idea is to use DES or AES, not for encrypting the plaintext or
decrypting the ciphertext, but to encrypt or decrypt the contents of a shift register,
S, of size n. Data encryption is done by exclusive-oring an r-bit plaintext block
with r bits of the shift register. Data decryption is done by exclusive-oring an r-bit
ciphertext block with r bits of the shift register. For each block, the shift register Si
is made by shifting the shift register Si−1(previous shift register) r bits to the left
and filling the rightmost r bits with Ci−1.
‰ Advantages. One advantage of CFB is that no padding is required because the
size of the blocks, r, is normally chosen to fit the data unit to be encrypted.
Another advantage is that the system does not have to wait until it has
received a large block of data before starting the encryption.
‰ Disadvantages. One disadvantage of CFB is that it is less efficient than CBC
or ECB, because it needs to apply the encryption function of underlying block

1
 2

cipher for each small block of size r. Another disadvantage is that Eve can add
some ciphertext block to the end of the stream.
7. In the counter (CTR) mode, there is no feedback. The pseudorandomness in the
key stream is achieved using a counter. An n-bit counter is initialized to a pre-
determined value (IV) and incremented based on a predefined rule (mod 2n). To
provide a better randomness, the increment value can depend on the block number
to be incremented. The plaintext and ciphertext block have the same block size as
the underlying cipher (e.g., DEA or AES). Plaintext blocks of size n are encrypted
to create ciphertext blocks of size n.
‰ Advantages. One advantage of CTR is that it can be used to create random
access file as long as the value of the counter is related to the record number in
the file.
‰ Disadvantages. One disadvantage of CTR is that the size of block is the same
as the size of the underlying cipher (DES or AES). Encryption or decryption
needs to be done n-bit at a time; the process needs to wait until n bit of data is
accumulated.
9.

First Group: ECB and CBC Second Group: CFB, OFB, and CTR

11. RC4 uses a state of bytes for key generation. Each key in the key stream is a per-
mutation of a key state. A5/1 uses the result of three LFSR’s to create a key bit. We
can say that key generation in RC4 is byte-oriented, but the key generation in A5/1
is bit-oriented. The other main difference is encryption and decryption. RC4
encrypts and decrypts a character at a time; A5/1 encrypts and decrypts a frame at
a time.
13. ECB can be used for parallel processing because each block is encrypted or
decrypted independently.

Exercises
15. In CFB mode, the key generator for block i uses Ci−1, the ciphertext created in
block (i − 1). According to our definition in Chapter 5, this is a nonsynchronous
stream cipher. In OFB mode, the key generator for block i uses part of the key
from the previous block, but it is independent from the plaintext and ciphertext in
the previous block. According to our definition in Chapter 5, this is a synchronous
stream cipher.
17. In ECB, each block is decrypted independently. However, since the decryption is
done a block at a time (DES or AES), the corrupted bit 17 in ciphertext block 8
may affect all n bits in plaintext block 8.
19. As discussed in the solution to Exercise 16, a corrupted ciphertext block in CFB
affects the corresponding plaintext block and the following n/r plaintext blocks. If
 3

we assume n = 64, the following plaintext blocks may be corrupted: block 11 (bits
3 to 6) and block 12 to 19 (all bits).

21. In OFB mode, the feedback is only in the key-generation system. If ciphertext
block 11 is corrupted, only plaintext block 11 may be corrupted.

23. In OFB mode, it is obvious that if ki used at the Bob’s site is the same as ki used at
the Alice’s site, then (Pi)′ created by Bob is the same as Pi sent by Alice (assuming
no corruption in transmission):

(Pi)′ = (Ci)′ ⊗ ki = Pi ⊗ ki ⊗ ki = Pi ⊗ 0 = Pi

The ki used by Bob is definitely the same as ki used by Alice if both Alice and Bob
use the same IV’s.

25. Figure S8.25 shows both the encryption and decryption. It is possible to cancel the
underlying encryption for the first block and exclusive-or the IV directly with P1.

Figure S8.25 Solution to Exercise 25

IV C1 CN−1

K E K E K E

n bits k1 n bits k2 n bits kN

n bits n bits n bits n bits n bits n bits
P1 C1 P2 C2 PN CN
Encryption
IV C1 CN−1

K E K E K E
n bits k1 n bits k2 n bits kN
n bits n bits n bits n bits n bits n bits
C1 P1 C2 P2 CN PN
Decryption

27. The following shows the process:

X = DK (CN−1) → PN = headm (X)

Y = CN | tailn−m (X) → PN−1 = DK(Y)

29. The following shows the process:

 4

U = DK (CN−1) X = U ⊕ [CN|Padn−m(0] → PN = headm (X)

Y = DK [CN | tailn−m (X)] → PN−1 = CN−2 ⊕ Y

31. CFB, OFB, and CRT are stream ciphers, in which the size of the block is usually
fixed (one character). There is no need for padding. This means there is no need
for cipher stealing technique.
33. In this case, the error propagation is the same as the case where the CTS technique
is not used except for the last two blocks. If CN−1 is corrupted, it corrupts both PN−
1 and PN. If CN is corrupted, it corrupts only PN−1.
35. Figure S8.35 shows the PCBC mode. In PCBC an error in a ciphertext block cor-
rupts all plaintext block that follows. This mode was used in Kerberos (See Chap-
ter 15) to create both encryption and integrity of blocks. If a block was corrupted,
all previous blocks were discarded.

Figure S8.35 Solution to Exercise 35

P1 P2 PN P1 P2 PN
n bits n bits n bits n bits n bits n bits

P0 PN−1 P0 PN−1

C0 CN−1 C0 CN−1

K E K E K E K D K D K D

n bits n bits n bits n bits n bits n bits

C1 C2 CN C1 C2 CN
Encryption Decryption

37. We have written a program based on Algorithm 8.6 of the textbook. The result is

41 63 2 212 127 55 201 182 51 242 175 82 133 254 180 107 230 32 241 57

39. This problem can be solved using the classical third birthday problem that we
review in Appendix E. We have a sample set of k values, in which each sample can
take one of the N values. What is the minimum size of k such that it is probable
(with probability P ≥ 1/2) such that at least two samples are the same. The answer
is k = 1.18 N1/2. In this case N = 2128 possible keys, which means k = 1.18 × 264.
41.
a. Majority (1, 0, 0) = 0. Therefore, LFSR2 and LFSR3 whose clocking bits
matches with the value of the Majority function are clocked.
 5

b. Majority (0, 1, 1) = 1. Therefore, LFSR2 and LFSR3 whose clocking bits

matches with the value of the Majority function are clocked.
c. Majority (0, 0, 0) = 0. Therefore all three LFSR’s are clocked.
d. Majority (1, 1, 1) = 1. Therefore all three LFSR’s are clocked.
43.

ECB_Decryption (K, C[1 … N])

{
for (i = 1 to N)
{
P[i] ← DK (C[i])
}
return (P[1 … N])
}

45. We use a variable Pre_C to hold the previous cipher block. In this way, we do not
have to keep an array of ciphertext blocks.

CFB_Decryption (IV, K, r)
{
i←1
while (more blocks to decrypt)
{
input (C)
if (i = 1)
S ← IV
else
{
Temp ← shiftLeft(r , S)
S ← concatenate(Temp, Pre_C)
}
T ← EK(S)
k ← selectLeft(r, T)
P←C ⊕ k
output (P)
Pre_C ← C
i←i+1
}
}
 6

47. We have written the decryption algorithm assuming all N blocks are ready for
decryption to match the encryption algorithm in the text. However, as described in
the text, the algorithm can be written if ciphertext blocks are ready only one at a
time.

CTR_Decryption (IV, K, C[1 … N])

{
Counter ← IV
for (i = 1 to N)
{
Counter ← (Counter + i − 1) mod 2N
ki ← EK (Counter)
P[i] ← C[i] ⊕ k[i]
}
return (P[1 … N])
}

49.

concatenate (X[1 … n], Y[1 … r])

{
for (i = 1 to r)
X[n − r + 1] ← Y[i]
return X
}