# Deployment of (Symmetric) Block Ciphers

## Cipher Modes

The four classic modes were first standardised for DES (FIPS 81, "DES Modes of Operation"):

* ECB (Electronic Code Book).
* CBC (Cipher Block Chaining).
* OFB (Output Feedback).
* CFB (Cipher Feedback).

They are defined over a generic block cipher and can be used with any other one (AES, etc.).

Other modes have been defined since, for example:

* CTR (Counter Mode).
* GCM (Galois/Counter Mode): CTR plus an authentication tag, i.e. an authenticated-encryption mode.

## ECB - Electronic Code Book

* **Encryption parallelizable**
* **Decryption parallelizable**
* **Random read access**

The simplest (and not to be used anymore) of the encryption modes is the electronic codebook (ECB) mode (named after conventional physical codebooks). The message is divided into blocks, and each block is encrypted separately.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FmcSOovboj8hO3mPPPZmm%2F601px-ECB_encryption.svg.png?alt=media&#x26;token=0ad1a3bc-9a32-44f7-9a6a-91a8237e272c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FpKgJQQQVfL2CAeT44HBS%2F601px-ECB_decryption.svg.png?alt=media&#x26;token=ac6b55b1-884c-40df-9f40-df4311bd7b0f" alt=""><figcaption></figcaption></figure>

The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. ECB is not recommended for use in cryptographic protocols.

## CBC - Cipher Block Chaining

* **Encryption not parallelizable**
* **Decryption parallelizable**
* **Random read access**

In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector (IV) is XORed into the first block; for CBC the IV must be unpredictable to an attacker, not merely unique.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FOaOi5xfHWBiYDz8ugaEg%2FCBC_encryption.svg.png?alt=media&#x26;token=39827ba6-f6dc-4bc8-8cd7-70d68f8c1166" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FrM4kAyLT3pr8kHgsXR89%2FCBC_decryption.svg.png?alt=media&#x26;token=12db8850-2ba8-43d8-b2ed-cfa83df8ddca" alt=""><figcaption></figcaption></figure>

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.

Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as the IV for the decryption of the current one.

## Block Alignment With Padding

Block cipher modes ECB and CBC require block-aligned inputs.

* Trailing sub-blocks need special treatment.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FBxd1uetnJ4e8hCBQAS54%2FScreenshot%20from%202023-09-24%2014-55-49.png?alt=media&#x26;token=ae7d7c37-1f16-46c3-a9b5-f790a5149ec3" alt=""><figcaption></figcaption></figure>

### Alternative 1: **padding**

* Padding of the last block is identifiable (the receiver can tell how many bytes to strip).
* Adds data: at least one byte, at most one full block.

#### PKCS#7

* **X = B - (M mod B)**, where **M** is the message length and **B** the block size (both in bytes).
* Append **X** extra bytes, each with the value **X**. If **M** is already a multiple of **B**, a whole block of padding is added, so the rule stays unambiguous.
* PKCS#5 is the same scheme with **B = 8**.
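As an added example (not code from the page), a strict PKCS#7 pad/unpad pair in Python for the rule above. `pkcs7_unpad` checks the whole padding run rather than only the last byte, and `padding_report` shows the full-block case that arises when **M** is already a multiple of **B**. Function names and the sample strings are this example's own choices.

```python
def pkcs7_pad(msg: bytes, block_size: int = 16) -> bytes:
    """Append X = B - (M mod B) bytes, each of value X (always 1..B bytes)."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must fit in one byte")
    x = block_size - (len(msg) % block_size)
    return msg + bytes([x]) * x


def pkcs7_unpad(padded: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed.

    Three things are checked: the input is block-aligned, the last byte X is
    in 1..B, and all X trailing bytes really have the value X. Checking only
    the last byte would accept e.g. b'...\\x01\\x02\\x03\\x04'.
    """
    if not padded or len(padded) % block_size:
        raise ValueError("input is not block-aligned")
    x = padded[-1]
    if not 1 <= x <= block_size or padded[-x:] != bytes([x]) * x:
        raise ValueError("invalid padding")
    return padded[:-x]


def padding_report(msg: bytes, block_size: int = 16) -> dict:
    """Summarise how much padding a message gets and that it round-trips."""
    padded = pkcs7_pad(msg, block_size)
    return {
        "padded_len": len(padded),
        "pad_bytes": len(padded) - len(msg),
        "roundtrip": pkcs7_unpad(padded, block_size) == msg,
    }


if __name__ == "__main__":
    # Constructed inputs: a 12-byte message (4 bytes of 0x04 added) and a
    # 16-byte message (a full block of 0x10 added).
    print(pkcs7_pad(b"ICE ICE BABY"))
    print(padding_report(b"YELLOW SUBMARINE"))
```

Whether unpadding succeeded must not be observable to an attacker: with CBC, a decryptor that reports "invalid padding" distinguishably from other failures is a padding oracle, so authenticate the ciphertext (a MAC, or an authenticated mode such as GCM) and reject it before decrypting and unpadding.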

### Alternative 2: different processing for the last block

* Adds implementation complexity.

### Padded Block Encryption & Decryption

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FGNKbZcWSj5dVUIQtMy6k%2FScreenshot%20from%202023-09-24%2015-06-17.png?alt=media&#x26;token=1cb9c89d-27ee-45e4-a29a-6ff4f3beaf3a" alt=""><figcaption></figcaption></figure>

### Handling Trailing Sub-Blocks

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FlyEpArNX9XyYT0yB3Rc6%2FScreenshot%20from%202023-09-24%2015-07-56.png?alt=media&#x26;token=8206ac6d-716b-4c4d-987f-1f270c80860a" alt=""><figcaption><p>Sort of stream cipher</p></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FMiVjiWtoHj3sGc919HZ4%2FScreenshot%20from%202023-09-24%2015-11-27.png?alt=media&#x26;token=8d68010c-a37a-456e-8555-8fb7b060c92d" alt=""><figcaption><p>Ciphertext stealing</p></figcaption></figure>

## OFB - Output Feedback

* **Encryption not parallelizable**
* **Decryption not parallelizable**
* **Random read access not possible**

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2F2quwcr0HN2JGXVI7HpPJ%2F601px-OFB_encryption.svg.png?alt=media&#x26;token=929060fd-3318-4b17-90ee-dc3c7599385d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2F8e3isMeuSUVnp38ZE3lu%2F601px-OFB_decryption.svg.png?alt=media&#x26;token=a75d31e7-174d-4b5c-a70b-7a943bf50bd8" alt=""><figcaption></figcaption></figure>

Each output feedback block cipher operation depends on all previous ones, and so **cannot be performed in parallel**.

However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.

## CFB - **Cipher Feedback**

* **Encryption not parallelizable**
* **Decryption parallelizable**
* **Random read access**

The cipher feedback (CFB) mode, in its simplest form uses the entire output of the block cipher. In this variation, it is very similar to CBC, turning a block cipher into a self-synchronizing stream cipher. CFB decryption in this variation is almost identical to CBC encryption performed in reverse.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2F46cohejgFGFA36RRv9ZQ%2F601px-CFB_encryption.svg.png?alt=media&#x26;token=7128f3d1-02b4-46dd-af6e-96655777d3d2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2Fv1PT2SaqGR6oqA5aQTFG%2F601px-CFB_decryption.svg.png?alt=media&#x26;token=6bae0fe7-787f-4fa0-a434-45902ca5e19f" alt=""><figcaption></figcaption></figure>

Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized.

CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used for CBC mode to make padding unnecessary).

## CTR - **Counter**

* **Encryption parallelizable**
* **Decryption parallelizable**
* **Random read access**

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any function which produces a sequence that is guaranteed never to repeat under the same key, although an actual increment-by-one counter is the simplest and most popular. This requirement is strict: if a counter block is reused with the same key, the same keystream block is reused, and XORing the two ciphertexts reveals the XOR of the two plaintexts. The usage of a simple deterministic input function used to be controversial; critics argued that "deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk". However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier.

CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB.

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2FbuHTvAVEWpoCsFvMnFFa%2F601px-CTR_encryption_2.svg.png?alt=media&#x26;token=eaa23537-34f5-48f7-8767-cba3a255386e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3450804385-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRIg06sTkCh60KyuJiT39%2Fuploads%2Fp2VZGn0zRP2bnrGzuDCz%2F601px-CTR_decryption_2.svg.png?alt=media&#x26;token=1860f8db-ec00-4552-b6d6-771c7117793e" alt=""><figcaption></figcaption></figure>
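The following Python is an added example, not code from the page. It implements ECB, CBC, OFB and CTR generically over a block cipher and then checks the properties the ECB, CBC, OFB and CTR sections above state: ECB repeats ciphertext for repeated plaintext blocks, decrypting CBC with the wrong IV corrupts only the first block, CTR allows a single block to be decrypted on its own, and OFB uses the same function in both directions. The block cipher is a toy 4-round Feistel network with a SHA-256 round function, chosen only so the example runs with the standard library; it stands in for DES or AES and is not a real cipher. Messages are kept block-aligned so no padding is involved, and the key, IV and nonce values are constructed constants.

```python
import hashlib

BLOCK = 16  # block size in bytes; the modes below work for any cipher of this size


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Toy 4-round Feistel block cipher with a SHA-256 round function. It stands in
# for DES/AES so the modes can be exercised without a library; NOT a real cipher.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round(key, rnd, left)), left
    return left + right


# ECB: each block on its own, so equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(block_encrypt(key, p) for p in _blocks(msg))


# CBC encryption: C_i = E(P_i XOR C_{i-1}), C_0 = IV. Each block needs the previous output.
def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(msg):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


# CBC decryption: P_i = D(C_i) XOR C_{i-1}. Only ciphertext blocks are needed, so
# blocks are independent of each other and a wrong IV damages block 0 alone.
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# OFB: keystream O_i = E(O_{i-1}), O_0 = IV; encryption and decryption are the same op.
def ofb_xcrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, feedback = bytearray(), iv
    for chunk in _blocks(data):
        feedback = block_encrypt(key, feedback)
        out += xor(chunk, feedback)
    return bytes(out)


# CTR: keystream block i = E(nonce || i), so block i can be processed without the others.
def ctr_xcrypt(key: bytes, nonce: bytes, data: bytes, first_block: int = 0) -> bytes:
    assert len(nonce) == BLOCK // 2
    out = bytearray()
    for i, chunk in enumerate(_blocks(data), start=first_block):
        out += xor(chunk, block_encrypt(key, nonce + i.to_bytes(BLOCK // 2, "big")))
    return bytes(out)


def demo(key: bytes = b"k" * 16, iv: bytes = b"\x00" * 16, nonce: bytes = b"n" * 8) -> dict:
    msg = b"ATTACK AT DAWN!!" * 3  # constructed input: three identical 16-byte blocks
    ecb = _blocks(ecb_encrypt(key, msg))
    cbc = cbc_encrypt(key, iv, msg)
    bad = _blocks(cbc_decrypt(key, b"\xff" * 16, cbc))  # decrypt with the wrong IV
    ctr = ctr_xcrypt(key, nonce, msg)
    return {
        "ecb_repeats": ecb[0] == ecb[1] == ecb[2],
        "cbc_repeats": _blocks(cbc)[0] == _blocks(cbc)[1],
        "cbc_wrong_iv": (bad[0] != _blocks(msg)[0], bad[1:] == _blocks(msg)[1:]),
        "ctr_block2_only": ctr_xcrypt(key, nonce, ctr[32:48], first_block=2) == msg[32:48],
        "ofb_roundtrip": ofb_xcrypt(key, iv, ofb_xcrypt(key, iv, msg)) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

The IV and nonce are fixed here only so the run is reproducible. In deployment a CBC IV must be unpredictable (draw it with `os.urandom`), and a CTR or OFB nonce/IV must never be reused under the same key, since the keystream would then be reused.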
