AES Block Ciphers Modes of Operation

The modes of operation of block ciphers are configuration methods that allow those
ciphers to work with large data streams, without the risk of compromising the provided
security.

It is not recommended, however it is possible while working with block ciphers, to use
the same secret key bits for encrypting the same plaintext parts. Using one
deterministic algorithm for a number of identical input data, results in some number
of identical ciphertext blocks.

This is a very dangerous situation for the cipher's users. An intruder would be able
to get much information by knowing the distribution of identical message parts, even
if he would not be able to break the cipher and discover the original messages.

Luckily, there exist ways to blur the cipher output. The idea is to mix the plaintext
blocks (which are known) with the ciphertext blocks (which have been just created),
and to use the result as the cipher input for the next blocks. As a result, the user avoids
creating identical output ciphertext blocks from identical plaintext data. These
modifications are called the block cipher modes of operations.

ECB (Electronic Codebook) Mode

It is the simplest mode of encryption. Each plaintext block is encrypted separately.
Similarly, each ciphertext block is decrypted separately. Thus, it is possible to encrypt
and decrypt by using many threads simultaneously. However, in this mode the created
ciphertext is not blurred.

Encryption in the ECB mode

 Decryption in the ECB mode
A typical example of weakness of encryption using ECB mode is encoding a bitmap
image (for example a .bmp file). Even a strong encryption algorithm used in ECB mode
cannot blur efficiently the plaintext.

The bitmap image encrypted using DES and the same secret key. The ECB mode was
used for the left image and the more complicated CBC mode was used for the right
image.

A message that is encrypted using the ECB mode should be extended until a size that is
equal to an integer multiple of the single block length. A popular method of aligning
the length of the last block is about appending an additional bit equal to 1 and then
filling the rest of the block with bits equal to 0. It allows to determine precisely the end
of the original message. There exist more methods of aligning the message size.

Apart from revealing the hints regarding the content of plaintext, the ciphers that are
used in ECB mode are also more vulnerable to replay attacks.

CBC (Cipher-Block Chaining) Mode

The CBC encryption mode was invented in IBM in 1976. This mode is about adding XOR
each plaintext block to the ciphertext block that was previously produced. The result
is then encrypted using the cipher algorithm in the usual way. As a result, every
subsequent ciphertext block depends on the previous one. The first plaintext block is
added XOR to a random initialization vector (commonly referred to as IV). The vector
has the same size as a plaintext block.

Encryption in CBC mode can only be performed by using one thread. Despite this
disadvantage, this is a very popular way of using block ciphers. CBC mode is used
in many applications.

During decrypting of a ciphertext block, one should add XOR the output data received
from the decryption algorithm to the previous ciphertext block. Because the receiver
knows all the ciphertext blocks just after obtaining the encrypted message, he can
decrypt the message using many threads simultaneously.

Encryption in the CBC mode

 Decryption in the CBC mode
If one bit of a plaintext message is damaged (for example because of some earlier
transmission error), all subsequent ciphertext blocks will be damaged and it will be
never possible to decrypt the ciphertext received from this plaintext. As opposed
to that, if one ciphertext bit is damaged, only two received plaintext blocks will
be damaged. It might be possible to recover the data.

A message that is to be encrypted using the CBC mode, should be extended till the size
that is equal to an integer multiple of a single block length (similarly, as in the case of
using the ECB mode).

Security of the CBC mode

The initialization vector IV should be created randomly by the sender. During
transmission it should be concatenated with ciphertext blocks, to allow decryption of
the message by the receiver. If an intruder could predict what vector would be used,
then the encryption would not be resistant to chosen-plaintext attacks:

In the example presented above, if the intruder is able to predict that the
vector IV1 will be used by the attacked system to produce the response c1, they can
guess which one of the two encrypted messages m0 or m1 is carried by the response c1.
This situation breaks the rule that the intruder shouldn't be able to distinguish between
two ciphertexts even if they have chosen both plaintexts. Therefore, the attacked
system is vulnerable to chosen-plaintext attacks.

If the vector IV is generated based on non-random data, for example the user
password, it should be encrypted before use. One should use a separate secret key for
this activity.

The initialization vector IV should be changed after using the secret key a number
of times. It can be shown that even properly created IV used too many times, makes
the system vulnerable to chosen-plaintext attacks. For AES cipher it is estimated to be
248 blocks, while for 3DES it is about 216 plaintext blocks.

PCBC (Propagating or Plaintext Cipher-Block

Chaining) Mode
The PCBC mode is similar to the previously described CBC mode. It also mixes bits from
the previous and current plaintext blocks, before encrypting them. In contrast to
the CBC mode, if one ciphertext bit is damaged, the next plaintext block and all
subsequent blocks will be damaged and unable to be decrypted correctly.

In the PCBC mode both encryption and decryption can be performed using only
one thread at a time.

Encryption in the PCBC mode

 Decryption in the PCBC mode

CFB (Cipher Feedback) Mode

The CFB mode is similar to the CBC mode described above. The main difference is that
one should encrypt ciphertext data from the previous round (so not the plaintext block)
and then add the output to the plaintext bits. It does not affect the cipher security but
it results in the fact that the same encryption algorithm (as was used for encrypting
plaintext data) should be used during the decryption process.

Encryption in the CFB mode

Decryption in the CFB mode

If one bit of a plaintext message is damaged, the corresponding ciphertext block and
all subsequent ciphertext blocks will be damaged. Encryption in CFB mode can
be performed only by using one thread.
On the other hand, as in CBC mode, one can decrypt ciphertext blocks using many
threads simultaneously. Similarly, if one ciphertext bit is damaged, only two received
plaintext blocks will be damaged.

As opposed to the previous block cipher modes, the encrypted message doesn't need
to be extended till the size that is equal to an integer multiple of a single block length.

OFB (Output Feedback) Mode

Algorithms that work in the OFB mode create keystream bits that are used
for encryption subsequent data blocks. In this regard, the way of working of the block
cipher becomes similar to the way of working of a typical stream cipher.

Encryption in the OFB mode

Decryption in the OFB mode

Because of the continuous creation of keystream bits, both encryption and decryption
can be performed using only one thread at a time. Similarly, as in the CFB mode, both
data encryption and decryption uses the same cipher encryption algorithm.

If one bit of a plaintext or ciphertext message is damaged (for example because of

a transmission error), only one corresponding ciphertext or respectively plaintext bit is
damaged as well. It is possible to use various correction algorithms to restore the
previous value of damaged parts of the received message.
The biggest drawback of OFB is that the repetition of encrypting the initialization
vector may produce the same state that has occurred before. It is an unlikely situation
but in such a case the plaintext will start to be encrypted by the same data as
previously.

CTR (Counter) Mode

Using the CTR mode makes block cipher way of working similar to a stream cipher. As
in the OFB mode, keystream bits are created regardless of content of encrypting data
blocks. In this mode, subsequent values of an increasing counter are added to
a nonce value (the nonce means a number that is unique: number used once) and
the results are encrypted as usual. The nonce plays the same role as initialization
vectors in the previous modes.

Encryption in the CTR mode

Decryption in the CTR mode

It is one of the most popular block ciphers modes of operation. Both encryption
and decryption can be performed using many threads at the same time.

If one bit of a plaintext or ciphertext message is damaged, only one corresponding

output bit is damaged as well. Thus, it is possible to use various correction algorithms
to restore the previous value of damaged parts of received messages.

The CTR mode is also known as the SIC mode (Segment Integer Counter).
Security of the CTR mode
As in the case of the CBC mode, one should change the secret key after using it for
encrypting a number of sent messages. It can be proved that the CTR mode generally
provides quite good security and that the secret key needs to be changed less often
than in the CBC mode.

For example, for the AES cipher the secret key should be changed after about
264 plaintext blocks.