Block Cipher Modes of Operation
Reema Patel, M.Tech-I, ICS-2013 16/09/2013
Objective
• Electronic codebook mode (ECB)
• Cipher block chaining mode (CBC) – most popular
• Output feedback mode (OFB)
• Cipher feedback mode (CFB)
• Counter mode (CTR)
Introduction
• A block cipher is a function which maps n-bit plaintext blocks to n-bit ciphertext blocks under a k-bit key; n is called the block length.
• E: {0,1}^n × {0,1}^k → {0,1}^n; for a fixed key K the map E_K is a permutation on {0,1}^n, so a matching decryption function D_K = E_K^-1 exists
• A mode of operation is a procedure that enables the repeated and secure use of a block cipher under a single key
• A block cipher encrypts fixed-size blocks (e.g. DES: 64-bit, AES: 128-bit)
• In practice we need some way to encrypt/decrypt arbitrarily large amounts of data
Need for Modes of Block Cipher
• NIST SP 800-38A defines 5 confidentiality modes: ECB, CBC, CFB, OFB and CTR
• A block cipher deals with one block of data at a time
• In real life there are two important issues:
• Plaintext is much larger than a typical block length of 128 bits
• Plaintext is not a multiple of the block length
• The obvious solution is the first mode, called Electronic Codebook (ECB)
Electronic Code Book (ECB)
• Message is broken into independent blocks
• Each plaintext block is encrypted on its own, under the same key, with no dependence on the other blocks
• Ci = EK(Pi)
• Weakness: the same plaintext block is always converted to the same ciphertext block (the key defines a fixed "codebook")
Schematic Diagram of ECB (figure not reproduced)
Properties
• Chaining dependencies:
• Blocks are enciphered independently of other blocks.
• Reordering ciphertext blocks results in correspondingly reordered plaintext blocks.
• Error propagation:
• One or more bit errors in a single ciphertext block affect decipherment of that block only.
• Other blocks are not affected
Security Issues
• Identical blocks of plaintext will be encrypted as identical blocks of ciphertext
• Consider a plaintext in which each block has only two possible values: all 64 bits (the block length) 0 or all 64 bits 1
• ECB leaks everything: once the attacker has seen which ciphertext block corresponds to which of the two values, every later block is readable without the key
• more generally, any repeated plaintext that is aligned with the block boundaries shows up as repeated ciphertext
• particularly with data such as graphics
• or with messages that change very little, which become a codebook analysis problem
• The weakness is due to the encrypted message blocks being independent
• If an attacker re-orders (or drops or duplicates) blocks, the receiver will not detect it
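The codebook leak and the undetected block reordering described above, as an added example (not code from these slides) in Go using the standard library's AES. crypto/cipher deliberately offers no ECB helper, so the per-block loop is written out; the 128-bit key and the four-block message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// ecbEncrypt encrypts pt block by block under one key with no chaining:
// C_i = E_K(P_i). pt must be a whole number of blocks (ECB has no padding).
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// ecbDecrypt is the inverse: P_i = D_K(C_i), again block by block.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(pt[i:i+bs], ct[i:i+bs])
	}
	return pt, nil
}

// repeatedBlocks maps every ciphertext block value that occurs more than once
// to the block indices where it appears. Anyone holding only the ciphertext
// can compute this and learn which plaintext blocks are equal: the codebook leak.
func repeatedBlocks(ct []byte, bs int) map[string][]int {
	seen := map[string][]int{}
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		seen[k] = append(seen[k], i/bs)
	}
	out := map[string][]int{}
	for k, idx := range seen {
		if len(idx) > 1 {
			out[k] = idx
		}
	}
	return out
}

// swapBlocks returns a copy of ct with blocks i and j exchanged. With no
// chaining, the receiver decrypts the result to a valid-looking plaintext
// whose corresponding blocks are swapped, and nothing flags the change.
func swapBlocks(ct []byte, bs, i, j int) []byte {
	out := append([]byte(nil), ct...)
	copy(out[i*bs:(i+1)*bs], ct[j*bs:(j+1)*bs])
	copy(out[j*bs:(j+1)*bs], ct[i*bs:(i+1)*bs])
	return out
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; never hard-code a real one
	// Constructed 4-block message (16 bytes each); blocks 0 and 2 are identical.
	pt := []byte("PAY ALICE  $100 " + "PAY BOB   $5000 " + "PAY ALICE  $100 " + "PAY CAROL $0001 ")
	ct, _ := ecbEncrypt(key, pt)
	fmt.Println("repeated ciphertext blocks (index lists):", repeatedBlocks(ct, 16))

	forged := swapBlocks(ct, 16, 1, 3) // attacker on the wire, no key needed
	dec, _ := ecbDecrypt(key, forged)
	fmt.Printf("receiver decrypts the forged message to:\n%s\n", dec)
	fmt.Println("identical to what was sent:", bytes.Equal(dec, pt))
}
```

The map printed by the first line carries exactly the structure an eavesdropper sees: blocks 0 and 2 share one ciphertext value, so the two ALICE payments are visible as equal without any decryption. The swapped message decrypts cleanly, which is the reordering weakness from the slide.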
Limitations of ECB
Figure (from Wikipedia, not reproduced): Original | Encrypted with ECB | Encrypted with a mode other than ECB. The ECB version still shows the outline of the original image because identical plaintext blocks give identical ciphertext blocks.
Cipher Block Chaining (CBC)
• Used to solve the problem of identical plaintext blocks being encrypted to identical ciphertext blocks
• Idea is to use chaining
• Message is broken into blocks
• Each plaintext block is XORed with the previous ciphertext block before being encrypted, hence the name CBC
• Use an Initialization Vector (IV) to start the process
• Ci = EK(Pi XOR Ci-1)
• C0 = IV (the IV is not a secret like the key, but it must be fresh and unpredictable for every message encrypted under the same key)
Schematic Diagram of CBC (figure not reproduced)
IV based attack
• Keeping the IV secret is not necessary
• But the integrity of the IV must be maintained
• Note that C1 = EK(IV XOR P1)
• Thus P1 = DK(C1) XOR IV
• If the attacker flips certain bits of the IV, the corresponding bits of the recovered first plaintext block also flip, and no other block is disturbed
• Can lead to problems in applications in which integrity is required (CBC on its own provides confidentiality, not integrity)
• If the IV is sent in the clear, the attacker can change it in transit and thereby change chosen bits of the first plaintext block; the receiver cannot detect this without a separate integrity check (e.g. a MAC over the IV and the ciphertext)
Properties
• Chaining dependencies
• chaining causes ciphertext cj to depend on all preceding plaintext blocks x1, ..., xj (and on the IV)
• Error propagation
• a single bit error in cj affects decipherment of blocks cj and cj+1: xj is completely garbled, and xj+1 has exactly the same bit flipped
• reordering the ciphertext blocks affects decryption
• Error recovery
• self-synchronizing: if an error occurs in cj (but not in cj+1, cj+2), then cj+2 is correctly decrypted to xj+2
• can be used as a MAC (CBC-MAC): send x1, x2, ..., xn together with cn, the last block of a CBC encryption with IV = 0 under a key separate from the encryption key (for authentication); in this basic form it is only secure for messages of a fixed length
Example – Error Propagation in CBC (figure not reproduced)
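The IV bit-flip attack and the error-propagation behaviour from the last two slides, as an added Go example (not from the original slides) over the standard library's AES-CBC. Key, IV and message are constructed for the demo; ivAttack and propagation are hypothetical helper names that only show what the receiver gets back.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes

// cbcEncrypt computes C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV.
// pt must already be padded to a whole number of blocks.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// cbcDecrypt computes P_i = D_K(C_i) XOR C_{i-1} with C_0 = IV.
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// flipBit returns a copy of b with one bit of byte byteIndex inverted.
func flipBit(b []byte, byteIndex int, bit uint) []byte {
	out := append([]byte(nil), b...)
	out[byteIndex] ^= 1 << bit
	return out
}

// ivAttack is the attack from the slide: the attacker, who sees the IV in the
// clear, flips a bit of it in transit. Since P_1 = D_K(C_1) XOR IV, the
// receiver recovers P_1 with exactly that bit flipped; every other block is
// untouched, and plain CBC gives no sign that anything happened.
func ivAttack(key, iv, ct []byte, byteIndex int, bit uint) ([]byte, error) {
	return cbcDecrypt(key, flipBit(iv, byteIndex, bit), ct)
}

// propagation corrupts one bit of ciphertext block j and classifies every
// recovered plaintext block as "ok", "garbled" (block j, which passes through
// D_K) or "bitflip" (block j+1, which is XORed with the damaged C_j). Blocks
// from j+2 onward come back "ok": CBC is self-synchronizing.
func propagation(key, iv, pt, ct []byte, j int, bit uint) ([]string, error) {
	dec, err := cbcDecrypt(key, iv, flipBit(ct, j*bs, bit))
	if err != nil {
		return nil, err
	}
	var labels []string
	for i := 0; i*bs < len(pt); i++ {
		want, got := pt[i*bs:(i+1)*bs], dec[i*bs:(i+1)*bs]
		switch {
		case bytes.Equal(got, want):
			labels = append(labels, "ok")
		case bytes.Equal(got, flipBit(want, 0, bit)):
			labels = append(labels, "bitflip")
		default:
			labels = append(labels, "garbled")
		}
	}
	return labels, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	iv := []byte("fixed-demo-iv-16")  // constructed; real IVs must be fresh and unpredictable per message
	pt := []byte("block one.......block two.......block three.....")
	ct, _ := cbcEncrypt(key, iv, pt)

	dec, _ := ivAttack(key, iv, ct, 7, 0) // 'n' (0x6e) at offset 7 becomes 'o' (0x6f)
	fmt.Printf("after IV bit flip the receiver reads: %q\n", dec)

	labels, _ := propagation(key, iv, pt, ct, 0, 0)
	fmt.Println("one bit error in C_1, per block:", labels)
}
```

The IV attack changes one chosen character of the first block and leaves the rest intact, which is why CBC must be paired with a MAC whenever integrity matters. The propagation report is the slide's "garbled block, then one flipped bit, then clean" pattern.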
Message Padding
• What if the message is not a multiple of the block length?
• at the end, the message may have a last short block that is not as large as the block size of the cipher
• pad either with a known non-data value (e.g. nulls)
• or pad the last block and include a count of the pad size
• e.g. [ b1 b2 b3 0 0 0 0 5 ]
• means 3 data bytes, then 5 bytes of pad including the count
• this may require an extra entire block beyond those in the message (when the message already fills a whole number of blocks, the count byte still has to go somewhere)
• padding with nulls alone is ambiguous if the data itself may end in null bytes; the count-based scheme is unambiguous
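The count-based padding on the slide ([b1 b2 b3 0 0 0 0 5]), as an added Go example that is not part of the original; pad and unpad are hypothetical helper names, and the block size is a parameter so that the 8-byte DES case on the slide and 16-byte AES both work.

```go
package main

import (
	"errors"
	"fmt"
)

// pad implements the slide's scheme: the last block is filled with zero bytes
// and its final byte holds the total number of padding bytes (the zeros plus
// the count byte itself). This is the layout of ANSI X9.23 padding. When the
// message already fills a whole number of blocks, an entire extra block
// [0 ... 0 bs] is appended so that the receiver can always strip exactly the
// right amount.
func pad(msg []byte, bs int) []byte {
	n := bs - len(msg)%bs // 1..bs: there is always at least the count byte
	out := make([]byte, len(msg)+n)
	copy(out, msg)
	out[len(out)-1] = byte(n)
	return out
}

var errBadPadding = errors.New("bad padding")

// unpad strips the padding and rejects malformed input: a length that is not
// a multiple of bs, a count outside 1..bs, or non-zero filler bytes. The error
// deliberately carries no detail; a decryptor that tells the sender *why*
// padding failed becomes a padding oracle.
func unpad(padded []byte, bs int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%bs != 0 {
		return nil, errBadPadding
	}
	n := int(padded[len(padded)-1])
	if n < 1 || n > bs {
		return nil, errBadPadding
	}
	for _, b := range padded[len(padded)-n : len(padded)-1] {
		if b != 0 {
			return nil, errBadPadding
		}
	}
	return padded[:len(padded)-n], nil
}

func main() {
	fmt.Printf("%v\n", pad([]byte("abc"), 8))      // [97 98 99 0 0 0 0 5]: 3 data bytes + 5 pad bytes
	fmt.Printf("%v\n", pad([]byte("8 bytes!"), 8)) // a whole extra block [0 0 0 0 0 0 0 8] is appended
	msg, err := unpad(pad([]byte("abc"), 8), 8)
	fmt.Printf("%q %v\n", msg, err)
	_, err = unpad([]byte{97, 98, 99, 0, 0, 1, 0, 5}, 8)
	fmt.Println(err) // bad padding: a filler byte is not zero
}
```

The edge case the slide mentions, an input that is already a block multiple, is handled by always emitting at least one padding byte; unpad checks the filler bytes rather than trusting the count alone, so a corrupted or tampered last block is rejected instead of silently truncating the message.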
Cipher Feedback Mode (CFB)
• CBC processes plaintext n bits at a time with an n-bit block cipher
• Encryption cannot begin until a complete block of data has been received
• Sometimes only r bits (r = 1 or r = 8) of an n-bit block are available at a time and must be transmitted without delay
• CFB is employed when data is to be encrypted in units smaller than the block size
Cipher Feedback Mode (CFB)
• The plaintext message
• is treated as a stream of bits
• is added (XORed) to the output of the block cipher
• the resulting ciphertext is then fed back as input for the next stage (hence the name)
• the standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back
• denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• most efficient to use all bits in the block (64 or 128): one block cipher call per block of plaintext instead of one per r bits
• for full-block feedback: Ci = Pi XOR EK(Ci-1)
• C0 = IV
• uses: stream data encryption, authentication
Cipher Feedback Mode (CFB)
• Input
• k-bit key K;
• n-bit IV;
• r-bit plaintext blocks x1, ..., xu (1 ≤ r ≤ n)
• Output
• r-bit ciphertext blocks c1, ..., cu
Cipher Feedback Mode (CFB): schematic diagrams (figures not reproduced)
Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Limitation: CFB-r needs one block cipher encryption for every r bits, so the sender must stall for a block encryption after every r bits (n/r times as many cipher calls as CBC when r < n)
• Note that the block cipher is used in encryption mode at both ends (decryption never calls DK)
• Errors propagate: a corrupted r-bit ciphertext unit flips the corresponding plaintext bits and garbles the next ⌈n/r⌉ units, after which decryption resynchronizes
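The streaming behaviour and error propagation of CFB, as an added Go example (not from the slides) using crypto/cipher's CFB, which is full-block feedback (CFB-128 for AES). Key, IV and message are constructed for the demo, and damageReport is a hypothetical helper that labels what the receiver recovers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cfbEncryptStream encrypts pt one byte at a time, the way bytes arrive on a
// serial link, and returns exactly len(pt) ciphertext bytes: no padding, no
// waiting for a full block. Go's CFB is full-block feedback: the keystream
// for block i is E_K(C_{i-1}) with C_0 = IV, consumed byte by byte within the block.
func cfbEncryptStream(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCFBEncrypter(block, iv)
	ct := make([]byte, len(pt))
	for i := range pt {
		stream.XORKeyStream(ct[i:i+1], pt[i:i+1]) // one byte in, one byte out
	}
	return ct, nil
}

// cfbDecrypt recovers the plaintext. Like the encryptor it only ever runs the
// block cipher in the encryption direction (E_K); D_K is never used.
func cfbDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// damageReport flips one bit of ciphertext byte pos, decrypts, and labels each
// plaintext byte "ok", "flipped" (same bit inverted) or "garbled". For
// full-block CFB the damaged byte itself comes back flipped, the whole *next*
// block is garbled because its keystream is E_K of the damaged block, and from
// the block after that on the receiver is back in sync.
func damageReport(key, iv, pt []byte, pos int, bit uint) ([]string, error) {
	ct, err := cfbEncryptStream(key, iv, pt)
	if err != nil {
		return nil, err
	}
	ct[pos] ^= 1 << bit // transmission error (or tampering) on one bit
	dec, err := cfbDecrypt(key, iv, ct)
	if err != nil {
		return nil, err
	}
	labels := make([]string, len(pt))
	for i := range pt {
		switch dec[i] {
		case pt[i]:
			labels[i] = "ok"
		case pt[i] ^ (1 << bit):
			labels[i] = "flipped"
		default:
			labels[i] = "garbled"
		}
	}
	return labels, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	iv := []byte("fixed-demo-iv-16")  // constructed; must be fresh per message in practice
	pt := []byte("the quick brown fox jumps over lazy dogs") // 40 bytes, not a block multiple
	ct, _ := cfbEncryptStream(key, iv, pt)
	fmt.Println("ciphertext bytes:", len(ct))
	labels, _ := damageReport(key, iv, pt, 5, 1)
	fmt.Println(labels)
}
```

With a 16-byte block, damaging byte 5 leaves bytes 0 to 4 and 6 to 15 intact (their keystream comes from the IV), garbles bytes 16 to 31 and leaves 32 onward correct: the ⌈n/r⌉ = 1 unit of propagation from the slide, here one unit being a full block.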
Output Feedback Mode (OFB)
• message is treated as a stream of bits
• output of the cipher is added (XORed) to the message
• the cipher output is then fed back as the next cipher input (hence the name OFB)
• feedback is independent of the message
• so the keystream can be computed in advance
• Oi = EK(Oi-1)
• Ci = Pi XOR Oi
• O0 = IV
Output Feedback Mode (OFB): schematic diagrams (figures not reproduced)
Output Feedback Mode (OFB)
• INPUT
• k-bit key K; n-bit IV; r-bit plaintext blocks x1, ..., xu (1 ≤ r ≤ n)
• OUTPUT
• r-bit ciphertext blocks c1, ..., cu
• Encryption
• I1 ← IV. For 1 ≤ j ≤ u, given plaintext block xj:
• Oj ← EK(Ij) (compute the block cipher output)
• tj ← the r leftmost bits of Oj (the leftmost bit is identified as bit 1)
• cj ← xj ⊕ tj (transmit the r-bit ciphertext block cj)
• Ij+1 ← Oj (update the block cipher input for the next block: full-block feedback, as in ISO 10116)
• the original FIPS 81 variant instead shifts only tj into the right end of the shift register: Ij+1 ← 2^r · Ij + tj mod 2^n
Output Feedback Mode (OFB)
• Decryption
• I1 ← IV.
• For 1 ≤ j ≤ u, upon receiving cj: xj ← cj ⊕ tj, where tj, Oj and Ij are computed as above
Advantages and Limitations of OFB
• needs an IV which is unique for each use under a given key
• if an IV is ever reused, the keystream repeats and C1 XOR C2 = P1 XOR P2, so an attacker who knows one plaintext recovers the other
• bit errors do not propagate (a flipped ciphertext bit flips only the same plaintext bit)
• for the same reason it is more vulnerable to message stream modification: an attacker can flip chosen plaintext bits undetected
• sender & receiver must remain in sync (a lost or inserted bit desynchronizes everything after it)
• only use with full block feedback
• subsequent research has shown that only full block feedback (i.e. OFB-64 or OFB-128, not the r-bit feedback variant) should ever be used, since feeding back only r bits can produce very short keystream cycles
Counter (CTR)
• a "new" mode (added to NIST SP 800-38A in 2001), though proposed early on (Diffie and Hellman, 1979)
• similar to OFB
• but encrypts a counter value rather than any feedback value
• the counter value must be different for every plaintext block ever encrypted under a given key (never reused); the key itself does not need to change
• Oi = EK(i) (in practice the counter block combines a per-message nonce with the block index i)
• Ci = Pi XOR Oi
• uses: high-speed network encryption
Counter (CTR): schematic diagram (figure not reproduced)
Advantages and Limitations of CTR
• Efficiency
• can do parallel encryption and decryption in h/w or s/w (the blocks are independent)
• can preprocess the keystream in advance of need
• good for bursty high speed links
• random access to encrypted data blocks (block i needs only EK of its own counter value)
• provable security (as good as the other modes)
• but must ensure that a key/counter value is never reused; otherwise the two keystreams are identical and the XOR of the two plaintexts is exposed
• like OFB, it provides no integrity: flipping a ciphertext bit flips the same plaintext bit
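The IV/counter reuse limitation shared by the OFB and CTR slides above, plus CTR's random access, as an added Go example not taken from the slides. It uses the standard library's OFB and CTR; counterBlock is a hypothetical helper that mirrors Go's big-endian counter increment, and key, IV and messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ofbEncrypt: O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i XOR O_i. Because the
// keystream never depends on the message, decryption is the same call.
func ofbEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pt))
	cipher.NewOFB(block, iv).XORKeyStream(out, pt)
	return out, nil
}

// ctrEncrypt: O_i = E_K(ctr_i), C_i = P_i XOR O_i. Go's CTR uses the 16-byte iv
// as the first counter block and increments it as a big-endian integer, so
// ctr_i = iv + i; nonce and block index share that one block.
func ctrEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pt)
	return out, nil
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamReuse encrypts two messages under the same key AND the same IV with
// the given stream mode and returns C1 XOR C2. The keystream O cancels:
// (P1 XOR O) XOR (P2 XOR O) = P1 XOR P2, without the key ever being involved.
// An attacker who knows or can guess P1 then reads P2 directly.
func keystreamReuse(enc func(key, iv, pt []byte) ([]byte, error), key, iv, p1, p2 []byte) ([]byte, error) {
	c1, err := enc(key, iv, p1)
	if err != nil {
		return nil, err
	}
	c2, err := enc(key, iv, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1, c2), nil
}

// counterBlock returns iv + j as a big-endian integer, carrying across all
// bytes the same way Go's CTR increments its counter.
func counterBlock(iv []byte, j uint64) []byte {
	cb := append([]byte(nil), iv...)
	for k := len(cb) - 1; k >= 0 && j > 0; k-- {
		sum := uint64(cb[k]) + (j & 0xff)
		cb[k] = byte(sum)
		j = j>>8 + sum>>8
	}
	return cb
}

// ctrDecryptBlock is CTR's random access: recovering block j costs one block
// cipher call, E_K(ctr_j), and needs none of the other ciphertext blocks.
// (With OFB the feedback chain would have to be run j times first.)
func ctrDecryptBlock(key, iv, ct []byte, j int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if (j+1)*bs > len(ct) {
		return nil, fmt.Errorf("block %d is past the end of the ciphertext", j)
	}
	keystream := make([]byte, bs)
	block.Encrypt(keystream, counterBlock(iv, uint64(j)))
	return xorBytes(ct[j*bs:(j+1)*bs], keystream), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	iv := []byte("nonce-reused!!!!") // constructed 16-byte IV, deliberately reused below
	p1 := []byte("attack at dawn, bring the maps..")
	p2 := []byte("retreat at dusk, burn the maps..")
	leak, _ := keystreamReuse(ofbEncrypt, key, iv, p1, p2)
	fmt.Println("C1 XOR C2 == P1 XOR P2:", bytes.Equal(leak, xorBytes(p1, p2)))
	fmt.Printf("attacker who knows P1 recovers P2: %q\n", xorBytes(leak, p1))

	ct, _ := ctrEncrypt(key, iv, p1)
	blk, _ := ctrDecryptBlock(key, iv, ct, 1)
	fmt.Printf("CTR block 1 decrypted on its own: %q\n", blk)
}
```

keystreamReuse takes the mode as a parameter because the leak is identical for OFB and CTR: both are plain XOR with a key-derived keystream, so the security of either rests entirely on never repeating an IV or counter value under one key.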
Choosing a Cipher mode
• ECB
• easiest, fastest, weakest
• should not be used for message encryption
• acceptable only for single blocks of uniformly random data such as a key or IV, where no two blocks can repeat
• CBC
• best for encrypting files
• speed is the same as the block cipher
• encryption is not parallelizable, but decryption is
• most suitable for software based systems
Choosing a Cipher mode
• CFB
• used for encrypting streams of information, e.g. 8-bit CFB for character-at-a-time encryption
• OFB
• used for high speed synchronous systems
• used if preprocessing of the keystream is required