Block Cipher Modes of Operation

How to use a block cipher?

• Block ciphers encrypt fixed-size blocks
– e.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of
arbitrary length
– e.g. a message of 1000 bytes
• NIST defines several ways to do it
– called modes of operation

2
 Five Modes of Operation

– Electronic codebook mode (ECB)

– Cipher block chaining mode (CBC) – most

popular
– Output feedback mode (OFB)

– Cipher feedback mode (CFB)

– Counter mode (CTR)

3
 Message Padding
• The plaintext message is broken into
blocks, P1, P2, P3, ...
• The last block may be short of a whole
block and needs padding.
• Possible padding:
– Known non-data values (e.g. nulls)
– Or a number indicating the size of the pad
– Or a number indicating the size of the plaintext
– The last two schemes may require an extra block.

4
 Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block is encrypted independently:
Ci = EK(Pi)
• For a given key, this mode behaves like we have a codebook, in
which each plaintext block has an entry, hence the name Electronic
Code Book

5
 Remarks on ECB
• Advantages:
– It’s simple.
– Process multiple blocks simultaneously (Increases
speed).
– If any plaintext or ciphertext block lost, it does not affect
the output of other blocks.
• Weakness:
– Repetitive information contained in the plaintext may
show in the ciphertext.
– If the same message is encrypted (with the same key)
their ciphertexts are the same.
• Typical application: secure transmission of short pieces of
information (e.g. a temporary encryption key)
6
 Cipher Block Chaining (CBC)
 The plaintext is broken into blocks: P1 , P2 , P3 , ...
 Each plaintext block is XORed chained  with the previous
ciphertext block before encryption (hence the name):

Ci  E K Ci  1  Pi 

C0  IV

 Use an Initial Vector IV  to start the process.

 Decryption : Pi  Ci  1  D K (Ci )
 Application : general block-oriented transmission.
7
Cipher Block Chaining (CBC)

8
 Remarks on CBC
• The encryption of a block depends on the current
and all blocks before it.
• So, repeated plaintext blocks are encrypted
differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value or is sent
encrypted in ECB mode before the rest of ciphertext.

9
 Without knowing the key k , for any data block x,
Ek ( x ) is unknown to the adversary.

 To encrypt P1 , P2 , P3 ,..., we may use Ek to generate

a key stream (a sequence of "masks")
K1 , K 2 , K 3 ,..., and encrypt Pi as Ci Pi  Ki .

 Three different ways to generate K1, K 2 , K 3 ,...

10
 Cipher feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k 1, k2, k3, …
• Encryption:
c0 IV

ki Ek (ci  1 ), for i 1

ci  pi  ki , for i 1

11
Cipher Feedback (CFB) Mode
 The plaintext is a sequence of segments of s bits
(where s block-size): P1, P2 , P3 , P4 , 
 Encryption is used to generate a sequence of keys,
each of s bits: K1 , K 2 , K 3 , K 4 , 
 The ciphertext is C1 , C2 , C3 , C4 , , where
Ci  Pi  Ki
 How to generate the key stream?

12
Generating Key Stream for CFB
 The input to the block cipher is a shift register x;
its value at stage i is denoted as xi .

 Initially, x1  an initial vector (IV).

For i  1, xi shift-left-s-bits(xi  1 ) Ci  1.

 Then, K i s -most-significant-bits(E K ( xi )).

13
Encryption in CFB Mode

14
 Decryption in CFB Mode
 Generate key stream K1 , K 2 , K 3 , K 4 , 
the same way as for encryption.
 Then decrypt each ciphertext segment as:
Pi  Ci  K i

15
 Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and
all preceding plaintext segments.
• A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
– How many plaintext segments will be affected?

16
 Output feedback mode (basic version)
• Plaintext blocks: p1, p2, …
• Key: k
• Basic idea: construct key stream k 1, k2, k3, …
• Encryption:
k0 IV

ki  Ek (ki  1 ), for i 1

ci  pi  ki , for i 1

17
 Output Feedback (OFB) Mode
 Very similar to Cipher Feedback in structure.
 But K i  1 rather than Ci  1 is fed back to the next stage.

 As in CFB, the input to the block cipher is a shift

register x; its value at stage i is denoted as xi .

 Initially, x1  an initial vector (IV).

For i  1, xi shift-left-s-bits(xi  1 )  K i  1.

 Then, K i s -most-significant-bits(E K ( xi )).

18
Cipher Feedback

Output Feedback

19
 Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with
the ciphertext.

20
 Counter Mode (CTR)
• Plaintext blocks: p1, p2, p3, …
• Key: k
• Basic idea: construct key stream k 1, k2, k3, …
• Encryption:

T1 = IV (random)
Ti = IV + i - 1
Ci = Pi ♁ EK(Ti)
C = (IV, C1, C2, C3, ...)
21
 Remark on CTR
• Strengthes:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
– Random access to encrypted data blocks
• IV should not be reused.

22
Thanks

23