Deployment of (Symmetric) Block Ciphers

Cipher Modes

Initially proposed for DES.

  • ECB (Electronic Code Book).

  • CBC (Cipher Block Chaining).

  • OFB (Output Feedback).

  • CFB (Cipher Feedback).

Can be used with other block ciphers.

Some other modes do exist:

  • CTR (Counter Mode).

  • GCM (Galois/Counter Mode).

ECB - Electronic Code Book

  • Encryption parallelizable

  • Decryption parallelizable

  • Random read access

The simplest (and no longer to be used) of the encryption modes is the electronic codebook (ECB) mode (named after conventional physical codebooks). The message is divided into blocks, and each block is encrypted separately with the same key.

The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. ECB is not recommended for use in cryptographic protocols.

CBC - Cipher Block Chaining

  • Encryption not parallelizable

  • Decryption parallelizable

  • Random read access

In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.

Decrypting with the incorrect IV causes the first block of plaintext to be corrupt, but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as the IV for the decryption of the current one.
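The ECB and CBC behaviour described above (ECB leaking repeated blocks, CBC chaining, and the wrong-IV effect confined to the first block) worked through as an added example; this is not code from the original notes. It assumes a toy four-round Feistel network built from HMAC-SHA256 as a stand-in for a real 16-byte block cipher, so that it runs with only the standard library; the key, IV and plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # 16-byte blocks, the AES block size


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 over (round index, right half), cut to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network: a stand-in for a real block cipher (assumption, demo only).
    # A Feistel network is always a permutation, so decryption just runs the rounds backwards.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def chunks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB and CBC need block-aligned input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Blocks are independent: identical plaintext blocks give identical ciphertext blocks.
    return b"".join(toy_encrypt_block(key, p) for p in chunks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, c) for c in chunks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in chunks(pt):  # sequential: block i needs ciphertext block i-1
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    cs = chunks(ct)
    # Every input is a ciphertext block already in hand, so blocks decrypt independently.
    return b"".join(xor(toy_decrypt_block(key, c), prev) for prev, c in zip([iv] + cs[:-1], cs))


def repeated_ciphertext_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier one (the ECB pattern leak).
    cs = chunks(ct)
    return len(cs) - len(set(cs))


def cbc_blocks_correct_with_iv(key: bytes, iv_used: bytes, pt: bytes, ct: bytes) -> list:
    # Which plaintext blocks come out right when decrypting ct with iv_used.
    got = chunks(cbc_decrypt(key, iv_used, ct))
    return [g == p for g, p in zip(got, chunks(pt))]


if __name__ == "__main__":
    key, iv = b"\x11" * 16, b"\x22" * 16          # constructed key and IV
    pt = b"SAME PLAINTEXT!!" * 3                  # three identical 16-byte blocks
    print("ECB repeated blocks:", repeated_ciphertext_blocks(ecb_encrypt(key, pt)))
    ct = cbc_encrypt(key, iv, pt)
    print("CBC repeated blocks:", repeated_ciphertext_blocks(ct))
    print("CBC blocks ok with wrong IV:", cbc_blocks_correct_with_iv(key, b"\x33" * 16, pt, ct))
```

With three identical plaintext blocks, ECB produces three identical ciphertext blocks while CBC produces three distinct ones; decrypting the CBC ciphertext with a wrong IV corrupts only block 0, exactly as the paragraph above states.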

Block Alignment With Padding

Block cipher modes ECB and CBC require block-aligned inputs.

  • Trailing sub-blocks need special treatment.

Alternative 1: padding

  • Padding of the last block is identifiable.

  • Adds data.

PKCS#7

  • X = B - (M mod B), where M is the message length in bytes and B the block size in bytes.

  • X extra bytes are appended, each with the value X.

  • PKCS#5 (same as PKCS#7 with B=8).

Alternative 2: different processing for the last block

  • Adds implementation complexity.
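The PKCS#7 rule from the bullets above (X = B - (M mod B), X bytes each holding the value X, PKCS#5 as the B = 8 case) implemented as an added example; this is not code from the original notes. Besides padding, it shows the check a decryptor must make before stripping the padding, since the last byte is only trustworthy if every byte it claims is padding actually carries that value.

```python
def pkcs7_pad(msg: bytes, block_size: int = 16) -> bytes:
    # X = B - (M mod B) with M the message length and B the block size, so
    # 1 <= X <= B: an already aligned message gets a whole extra block, which is
    # what keeps the padding identifiable on the way back.
    if not 1 <= block_size <= 255:
        raise ValueError("block size must fit in one byte")
    x = block_size - (len(msg) % block_size)
    return msg + bytes([x]) * x


def pkcs7_unpad(padded: bytes, block_size: int = 16) -> bytes:
    # Reject anything that pkcs7_pad could not have produced.
    if len(padded) == 0 or len(padded) % block_size != 0:
        raise ValueError("input is not block aligned")
    x = padded[-1]
    if not 1 <= x <= block_size:
        raise ValueError("padding length out of range")
    if padded[-x:] != bytes([x]) * x:
        raise ValueError("padding bytes are inconsistent")
    return padded[:-x]


def is_valid_pkcs7(padded: bytes, block_size: int = 16) -> bool:
    try:
        pkcs7_unpad(padded, block_size)
        return True
    except ValueError:
        return False


def pkcs5_pad(msg: bytes) -> bytes:
    return pkcs7_pad(msg, 8)  # PKCS#5 is PKCS#7 with B = 8


def pkcs5_unpad(padded: bytes) -> bytes:
    return pkcs7_unpad(padded, 8)


def padding_overhead(msg: bytes, block_size: int = 16) -> int:
    # How many bytes the padding adds ("adds data"): always between 1 and B.
    return len(pkcs7_pad(msg, block_size)) - len(msg)


if __name__ == "__main__":
    print(pkcs7_pad(b"abc", 8))                      # b'abc\x05\x05\x05\x05\x05'
    print(padding_overhead(b"0123456789abcdef"))     # 16: aligned input still gets a block
    print(is_valid_pkcs7(b"abc\x05\x05\x05\x05\x04", 8))  # False
```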

Padded Block Encryption & Decryption

Handling Trailing Sub-Blocks

OFB - Output Feedback

  • Encryption not parallelizable

  • Decryption not parallelizable

  • Random read access not possible

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption.

Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel.

However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.

CFB - Cipher Feedback

  • Encryption not parallelizable

  • Decryption parallelizable

  • Random read access

The cipher feedback (CFB) mode, in its simplest form, uses the entire output of the block cipher. In this variation it is very similar to CBC, turning a block cipher into a self-synchronizing stream cipher. CFB decryption in this variation is almost identical to CBC encryption performed in reverse.

Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized.

CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used for CBC mode to make padding unnecessary).

CTR - Counter

  • Encryption parallelizable

  • Decryption parallelizable

  • Random read access

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk". However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.

CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.
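The three stream-cipher style modes (OFB above, CFB, and CTR in this section) worked through as one added example; this is not code from the original notes. Because these modes only ever use the block cipher in the encrypting direction, the example assumes HMAC-SHA256 truncated to 16 bytes as that forward function, which is enough to show the modes' structure without a real cipher; the key, IV, nonce and message are constructed, and the nonce||counter layout for CTR is an assumption.

```python
import hashlib
import hmac

BLOCK = 16  # keystream block size in bytes


def forward(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encrypting direction (assumption: HMAC-SHA256
    # cut to one block). OFB, CFB and CTR never invert it, so a one-way function suffices here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def chunks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# OFB: each keystream block is the forward function applied to the previous one.
def ofb_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    out, state = [], iv
    while len(out) * BLOCK < nbytes:  # inherently sequential
        state = forward(key, state)
        out.append(state)
    return b"".join(out)[:nbytes]


def ofb_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # The keystream can be produced ahead of time; only this XOR needs the data.
    # One function serves both directions, and no padding is needed.
    return xor(data, ofb_keystream(key, iv, len(data)))


# CFB: the previous ciphertext block is fed forward instead of the keystream.
def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in chunks(pt):  # sequential: needs ciphertext block i-1
        prev = xor(p, forward(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    cs = chunks(ct)
    # Every forward() input is a ciphertext block already in hand, so blocks can be
    # processed independently (parallelizable, like CBC decryption).
    return b"".join(xor(c, forward(key, prev)) for prev, c in zip([iv] + cs[:-1], cs))


# CTR: keystream block i = forward(nonce || i). Nothing chains, so any block can be
# produced on its own; the (nonce, counter) value must never repeat under one key.
def ctr_keystream_block(key: bytes, nonce: bytes, i: int) -> bytes:
    return forward(key, nonce + i.to_bytes(8, "big"))  # 8-byte nonce || 8-byte counter (assumed layout)


def ctr_xor(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    ks = b"".join(ctr_keystream_block(key, nonce, first_block + j) for j in range(len(chunks(data))))
    return xor(data, ks)


def ctr_decrypt_block(key: bytes, nonce: bytes, ct: bytes, i: int) -> bytes:
    # Random read access: recover plaintext block i from ciphertext block i alone.
    return ctr_xor(key, nonce, ct[i * BLOCK:(i + 1) * BLOCK], first_block=i)


def ofb_flip_damage(key: bytes, iv: bytes, pt: bytes, byte_index: int) -> list:
    # Flip one ciphertext bit; return the plaintext byte positions that change.
    ct = bytearray(ofb_xor(key, iv, pt))
    ct[byte_index] ^= 0x01
    pt2 = ofb_xor(key, iv, bytes(ct))
    return [i for i in range(len(pt)) if pt2[i] != pt[i]]


def cfb_flip_damage(key: bytes, iv: bytes, pt: bytes, byte_index: int) -> list:
    # Same experiment for CFB; return the indices of plaintext blocks that change.
    ct = bytearray(cfb_encrypt(key, iv, pt))
    ct[byte_index] ^= 0x01
    pt2 = cfb_decrypt(key, iv, bytes(ct))
    return sorted({i // BLOCK for i in range(len(pt)) if pt2[i] != pt[i]})


if __name__ == "__main__":
    key, iv, nonce = b"k" * 16, b"\x01" * 16, b"\x02" * 8   # constructed values
    msg = b"The quick brown fox jumps over the lazy dog"      # 43 bytes, not block aligned
    print("OFB damage from one flipped bit:", ofb_flip_damage(key, iv, msg, 5))
    print("CFB damaged blocks from one flipped bit:", cfb_flip_damage(key, iv, msg, 5))
    print("CTR block 2 alone:", ctr_decrypt_block(key, nonce, ctr_xor(key, nonce, msg), 2))
```

Flipping one ciphertext bit under OFB changes exactly one plaintext byte; under CFB it damages the current block and the next one, after which the stream resynchronizes, which is what "self-synchronizing" means in the CFB section. The CTR call recovers the last (partial) block without touching the first two.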
