Modes of operation
A block cipher encrypts plaintext in fixed-size n-bit blocks (often n = 64). For messages exceeding n bits, the simplest approach is to partition the message into n-bit blocks and encrypt each separately. This electronic-codebook (ECB) mode has disadvantages in most applications, motivating other methods of employing block ciphers (modes of operation) on larger messages. The four most common modes are ECB, CBC, CFB, and OFB. In what follows, E_K denotes the encryption function of the block cipher E parameterized by key K, while E_K^{-1} denotes decryption. A plaintext message x = x_1 ... x_t is assumed to consist of n-bit blocks for ECB and CBC modes, and r-bit blocks for CFB and OFB modes for appropriate fixed r ≤ n.
(i) ECB mode
The electronic codebook (ECB) mode of operation is given in Algorithm
Properties of the ECB mode of operation:
1. Identical plaintext blocks (under the same key) result in identical ciphertext.
2. Chaining dependencies: blocks are enciphered independently of other blocks. Reordering ciphertext blocks results in correspondingly re-ordered plaintext blocks.
3. Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only. For typical ciphers E, decryption of such a block is then random (with about 50% of the recovered plaintext bits in error). Regarding bits being deleted.
Since ciphertext blocks are independent, malicious substitution of ECB blocks does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns - identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.
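The two ECB properties just described (identical plaintext blocks give identical ciphertext blocks, and blocks can be reordered without any effect on neighbouring blocks) can be observed directly. The following Go program is an added example, not part of the original text; it assumes AES-128 as the block cipher E (so n = 128), a constructed key, and constructed plaintexts. repeatedBlocks is the check a reviewer runs over stored or captured ciphertext to spot ECB use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Constructed 16-byte demo key (AES-128); a real system generates its key
// randomly and never embeds a literal like this.
var demoKey = []byte("0123456789abcdef")

// ecbEncrypt enciphers each n-bit block independently: c_j = E_K(x_j).
// The input must already be a whole number of blocks; no padding is applied.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the block size %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		blk.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// ecbDecrypt inverts ecbEncrypt block by block: x_j = E_K^{-1}(c_j).
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(ct)%bs != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the block size %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		blk.Decrypt(pt[i:i+bs], ct[i:i+bs])
	}
	return pt, nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// Because ECB maps identical plaintext blocks to identical ciphertext blocks,
// a non-zero count on a multi-block message is the standard tell-tale of ECB
// (or of a key reused across one-block messages) when reviewing ciphertext.
func repeatedBlocks(ct []byte, bs int) int {
	seen := make(map[string]bool)
	dup := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

// swapBlocks returns a copy of ct with blocks i and j exchanged. Property 2
// above says the decryption of the result is just the plaintext with blocks
// i and j exchanged; ECB decryption itself gives no sign that this happened,
// which is why a separate integrity mechanism is needed.
func swapBlocks(ct []byte, bs, i, j int) []byte {
	out := append([]byte(nil), ct...)
	copy(out[i*bs:(i+1)*bs], ct[j*bs:(j+1)*bs])
	copy(out[j*bs:(j+1)*bs], ct[i*bs:(i+1)*bs])
	return out
}

func main() {
	// Constructed plaintext: the same 16-byte block four times.
	pt := bytes.Repeat([]byte("SAME BLOCK TEXT."), 4)
	ct, err := ecbEncrypt(demoKey, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext blocks duplicating an earlier one: %d\n", repeatedBlocks(ct, 16))

	a, b := []byte("block number one"), []byte("block number two")
	ct2, _ := ecbEncrypt(demoKey, append(append([]byte(nil), a...), b...))
	pt2, _ := ecbDecrypt(demoKey, swapBlocks(ct2, 16, 0, 1))
	fmt.Printf("after swapping ciphertext blocks, recovered: %q\n", pt2)
}
```

The four-block message produces three duplicated ciphertext blocks; the same message under CBC or any of the other modes below would produce none.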
(ii) CBC mode
The cipher-block chaining (CBC) mode of operation, specified in Algorithm, involves use of an n-bit initialization vector, denoted IV.
Properties of the CBC mode of operation:
1. Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV. Changing the IV, key, or first plaintext block (e.g., using a counter or random field) results in different ciphertext.
2. Chaining dependencies: the chaining mechanism causes ciphertext c_j to depend on x_j and all preceding plaintext blocks (the entire dependency on preceding blocks is, however, contained in the value of the previous ciphertext block). Consequently, rearranging the order of ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.
3. Error propagation: a single bit error in ciphertext block c_j affects decipherment of blocks c_j and c_{j+1} (since x_j depends on c_j and c_{j-1}). Block x'_j recovered from c_j is typically totally random (50% in error), while the recovered plaintext x'_{j+1} has bit errors precisely where c_j did. Thus an adversary may cause predictable bit changes in x_{j+1} by altering corresponding bits of c_j.
4. Error recovery: the CBC mode is self-synchronizing or ciphertext autokey in the sense that if an error (including loss of one or more entire blocks) occurs in block c_j but not c_{j+1}, c_{j+2} is correctly decrypted to x_{j+2}.
Although CBC mode decryption recovers from errors in ciphertext blocks, modifications to a plaintext block x_j during encryption alter all subsequent ciphertext blocks. This impacts the usability of chaining modes for applications requiring random read/write access to encrypted data. The ECB mode is an alternative.
Although self-synchronizing in the sense of recovery from bit errors, recovery from "lost" bits causing errors in block boundaries (framing integrity errors) is not possible in the CBC or other modes. While the IV in the CBC mode need not be secret, its integrity should be protected, since malicious modification thereof allows an adversary to make predictable bit changes to the first plaintext block recovered. Using a secret IV is one method for preventing this. However, if message integrity is required, an appropriate mechanism should be used; encryption mechanisms typically guarantee confidentiality only.
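The CBC chaining rule and its error-propagation and IV-integrity consequences (properties 3 and 4, and the remark on IV modification) are shown in the following Go program. It is an added example, not part of the original text; it assumes AES-128 as E (n = 128) and a constructed key, IV and four-block plaintext, and implements the mode directly from the block function rather than using a library mode so that the chaining steps are visible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV; real code generates both randomly, with a
// fresh IV per message.
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("constructed-iv!!")
)

func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// cbcEncrypt follows the chaining rule: c_0 = IV, c_j = E_K(c_{j-1} XOR x_j).
// pt must be a whole number of blocks (no padding is applied).
func cbcEncrypt(blk cipher.Block, iv, pt []byte) []byte {
	bs := blk.BlockSize()
	ct := make([]byte, len(pt))
	prev := iv
	buf := make([]byte, bs)
	for i := 0; i < len(pt); i += bs {
		xorInto(buf, pt[i:i+bs], prev)
		blk.Encrypt(ct[i:i+bs], buf)
		prev = ct[i : i+bs]
	}
	return ct
}

// cbcDecrypt inverts it: x_j = c_{j-1} XOR E_K^{-1}(c_j). Each x_j depends
// only on c_{j-1} and c_j, which is the source of properties 3 and 4.
func cbcDecrypt(blk cipher.Block, iv, ct []byte) []byte {
	bs := blk.BlockSize()
	pt := make([]byte, len(ct))
	prev := iv
	for i := 0; i < len(ct); i += bs {
		blk.Decrypt(pt[i:i+bs], ct[i:i+bs])
		xorInto(pt[i:i+bs], pt[i:i+bs], prev)
		prev = ct[i : i+bs]
	}
	return pt
}

// flipBit returns a copy of b with one bit complemented; bit 0 is the least
// significant bit of b[0], bit 8 the LSB of b[1], and so on.
func flipBit(b []byte, bit int) []byte {
	out := append([]byte(nil), b...)
	out[bit/8] ^= 1 << uint(bit%8)
	return out
}

// differingBlocks lists the indices of blocks where got differs from want.
func differingBlocks(want, got []byte, bs int) []int {
	var idx []int
	for i := 0; i*bs < len(want); i++ {
		if !bytes.Equal(want[i*bs:(i+1)*bs], got[i*bs:(i+1)*bs]) {
			idx = append(idx, i)
		}
	}
	return idx
}

// differingBits lists the bit positions (flipBit numbering) where got differs from want.
func differingBits(want, got []byte) []int {
	var idx []int
	for i := range want {
		for b := 0; b < 8; b++ {
			if (want[i]^got[i])>>uint(b)&1 == 1 {
				idx = append(idx, i*8+b)
			}
		}
	}
	return idx
}

func main() {
	blk, _ := aes.NewCipher(demoKey)
	// Constructed 4-block plaintext.
	pt := []byte("block zero......block one.......block two.......block three.....")
	ct := cbcEncrypt(blk, demoIV, pt)

	// A single-bit error in c_1 (bit 3 of its first byte): x'_1 is garbage,
	// x'_2 is wrong in exactly that bit, x'_3 is intact (self-synchronization).
	got := cbcDecrypt(blk, demoIV, flipBit(ct, 16*8+3))
	fmt.Println("blocks affected by an error in c_1:", differingBlocks(pt, got, 16))
	fmt.Println("bits of x'_2 in error:", differingBits(pt[32:48], got[32:48]))

	// Modifying the IV flips the same bit of x'_0 and nothing else, which is
	// why the IV's integrity (not secrecy) must be protected.
	got = cbcDecrypt(blk, flipBit(demoIV, 3), ct)
	fmt.Println("blocks affected by an IV change:", differingBlocks(pt, got, 16))
}
```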
(iii) CFB mode
While the CBC mode processes plaintext n bits at a time (using an n-bit block cipher), some applications require that r-bit plaintext units be encrypted and transmitted without delay, for some fixed r < n (often r = 1 or r = 8). In this case, the cipher feedback (CFB) mode may be used.
Properties of the CFB mode of operation:
1. Identical plaintexts: as per CBC encryption, changing the IV results in the same plaintext input being enciphered to a different output. The IV need not be secret.
2. Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block c_j to depend on both x_j and preceding plaintext blocks; consequently, re-ordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding ⌈n/r⌉ ciphertext blocks to be correct (so that the shift register contains the proper value).
3. Error propagation: one or more bit errors in any single r-bit ciphertext block c_j affect the decipherment of that and the next ⌈n/r⌉ ciphertext blocks (i.e., until n bits of ciphertext are processed, after which the error block c_j has shifted entirely out of the shift register). The recovered plaintext x'_j will differ from x_j precisely in the bit positions where c_j was in error; the other incorrectly recovered plaintext blocks will typically be random vectors, i.e., have 50% of bits in error. Thus an adversary may cause predictable bit changes in x_j by altering corresponding bits of c_j.
4. Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires ⌈n/r⌉ ciphertext blocks to recover.
5. Throughput: for r < n, throughput is decreased by a factor of n/r (vs. CBC) in that each execution of E yields only r bits of ciphertext output.
Since the encryption function E is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher E is a public-key algorithm; instead, the CBC mode should be used. The CFB mode may be modified as follows, to allow processing of plaintext blocks (characters) whose bitsize s is less than the bitsize r of the feedback variable (e.g., 7-bit characters using 8-bit feedback; s < r). The leftmost s (rather than r) bits of O_j are assigned to t_j; the s-bit ciphertext character c_j is computed; the feedback variable is computed from c_j by prepending (on the left) r - s 1-bits; the resulting r-bit feedback variable is shifted into the least significant (LS) end of the shift register as before.
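The r-bit CFB shift register, and the ⌈n/r⌉-block error propagation and recovery it produces, are shown in the following Go program for r = 8. It is an added example, not part of the original text; it assumes AES-128 as E (n = 128, so ⌈n/r⌉ = 16 characters), a constructed key, IV and message, and uses only the encryption direction of E in both directions, as the text explains. The s < r character variant is not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV.
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("constructed-iv!!")
)

// cfb8 runs r = 8-bit CFB over an n = 128-bit block cipher in either
// direction. One function serves both because only E_K is ever used: the
// shift register I_j starts as the IV; each step computes O_j = E_K(I_j),
// takes its leftmost r bits as t_j, forms c_j = x_j XOR t_j, and shifts the
// ciphertext unit c_j into the least significant end of the register.
func cfb8(blk cipher.Block, iv, in []byte, decrypt bool) []byte {
	bs := blk.BlockSize()
	reg := append([]byte(nil), iv...) // I_1 = IV
	out := make([]byte, len(in))
	o := make([]byte, bs)
	for j := range in {
		blk.Encrypt(o, reg)   // O_j = E_K(I_j)
		out[j] = in[j] ^ o[0] // t_j = leftmost 8 bits of O_j
		c := out[j]           // encrypting: c_j is the unit just produced
		if decrypt {
			c = in[j] // decrypting: c_j is the unit received
		}
		copy(reg, reg[1:]) // shift the register left by r = 8 bits
		reg[bs-1] = c      // feed c_j in at the LS end
	}
	return out
}

// diffPositions lists the byte offsets at which got differs from want.
func diffPositions(want, got []byte) []int {
	var idx []int
	for i := range want {
		if want[i] != got[i] {
			idx = append(idx, i)
		}
	}
	return idx
}

// recoveryOffset returns the first offset after pos from which got matches
// want for the rest of the message, i.e. the point where a corrupted unit at
// pos has fully shifted out of the register; -1 if it never recovers.
func recoveryOffset(want, got []byte, pos int) int {
	for i := len(want) - 1; i > pos; i-- {
		if want[i] != got[i] {
			if i+1 < len(want) {
				return i + 1
			}
			return -1
		}
	}
	return pos + 1
}

func main() {
	blk, _ := aes.NewCipher(demoKey)
	// Constructed message.
	pt := []byte("The quick brown fox jumps over the lazy dog, and back again.")
	ct := cfb8(blk, demoIV, pt, false)

	// Corrupt one bit of c_10. x'_10 differs in exactly that bit, the next
	// 16 characters are garbage, and everything from offset 27 on is correct.
	bad := append([]byte(nil), ct...)
	bad[10] ^= 0x20
	got := cfb8(blk, demoIV, bad, true)
	fmt.Println("corrupted plaintext offsets:", diffPositions(pt, got))
	fmt.Println("decryption back in sync from offset:", recoveryOffset(pt, got, 10))
}
```

Each of the 16 characters following the corrupted one is a fresh output of E on a wrong register value, so each is wrong with probability about 255/256; the assertion below allows for the occasional accidental match.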
(iv) OFB mode
The output feedback (OFB) mode of operation may be used for applications in which all error propagation must be avoided. It is similar to CFB, and allows encryption of various block sizes (characters), but differs in that the output of the encryption block function E (rather than the ciphertext) serves as the feedback.
Properties of the OFB mode of operation:
1. Identical plaintexts: as per CBC and CFB modes, changing the IV results in the same plaintext being enciphered to a different output.
2. Chaining dependencies: the keystream is plaintext-independent.
3. Error propagation: one or more bit errors in any ciphertext character c_j affect the decipherment of only that character, in the precise bit position(s) c_j is in error, causing the corresponding recovered plaintext bit(s) to be complemented.
4. Error recovery: the OFB mode recovers from ciphertext bit errors, but cannot self-synchronize after loss of ciphertext bits, which destroys alignment of the decrypting keystream (in which case explicit re-synchronization is required).
5. Throughput: for r < n, throughput is decreased as per the CFB mode. However, in all cases, since the keystream is independent of plaintext or ciphertext, it may be pre-computed (given the key and IV).
The IV, which need not be secret, must be changed if an OFB key K is re-used. Otherwise an identical keystream results, and by XORing corresponding ciphertexts an adversary may reduce cryptanalysis to that of a running-key cipher with one plaintext as the running key.
A simplification of OFB involves updating the input block as a counter, I_{j+1} = I_j + 1, rather than using feedback. This both avoids the short-cycle problem, and allows recovery from errors in computing E. Moreover, it provides a random-access property: ciphertext block i need not be decrypted in order to decrypt block i + 1.
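The following Go program is an added example, not part of the original text, covering the OFB and counter paragraphs above: full-feedback OFB keystream generation, the counter variant, the consequences of reusing an IV (the XOR of two ciphertexts equals the XOR of the plaintexts), the one-bit error property, and counter-mode random access. It assumes AES-128 as E (n = 128) with a constructed key and IV, and cross-checks its two generators against the Go standard library's own OFB and CTR streams.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and IV. Under OFB or counter mode the IV must never
// be reused with the same key; the demo reuses it deliberately to show why.
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("constructed-iv!!")
)

// ofbKeystream generates nbytes of keystream with full n-bit feedback:
// O_0 = IV, O_j = E_K(O_{j-1}), keystream = O_1 || O_2 || ...
// Nothing depends on the plaintext, so this can be precomputed.
func ofbKeystream(blk cipher.Block, iv []byte, nbytes int) []byte {
	bs := blk.BlockSize()
	o := append([]byte(nil), iv...)
	ks := make([]byte, 0, nbytes+bs)
	for len(ks) < nbytes {
		blk.Encrypt(o, o) // in-place: O_j = E_K(O_{j-1})
		ks = append(ks, o...)
	}
	return ks[:nbytes]
}

// increment adds 1 to a big-endian counter block: I_{j+1} = I_j + 1.
func increment(ctr []byte) {
	for i := len(ctr) - 1; i >= 0; i-- {
		ctr[i]++
		if ctr[i] != 0 {
			return
		}
	}
}

// ctrKeystream is the counter simplification: I_1 = IV, O_j = E_K(I_j).
func ctrKeystream(blk cipher.Block, iv []byte, nbytes int) []byte {
	bs := blk.BlockSize()
	ctr := append([]byte(nil), iv...)
	ks := make([]byte, 0, nbytes+bs)
	o := make([]byte, bs)
	for len(ks) < nbytes {
		blk.Encrypt(o, ctr)
		ks = append(ks, o...)
		increment(ctr)
	}
	return ks[:nbytes]
}

// xorKeystream encrypts or decrypts: c_j = x_j XOR O_j and x_j = c_j XOR O_j.
func xorKeystream(ks, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ ks[i]
	}
	return out
}

// ctrDecryptBlock recovers plaintext block i alone (random access): its
// counter is IV + i, so no other ciphertext block is needed.
func ctrDecryptBlock(blk cipher.Block, iv, ct []byte, i int) []byte {
	bs := blk.BlockSize()
	ctr := append([]byte(nil), iv...)
	for k := 0; k < i; k++ {
		increment(ctr)
	}
	o := make([]byte, bs)
	blk.Encrypt(o, ctr)
	return xorKeystream(o, ct[i*bs:(i+1)*bs])
}

// matchesStdlib checks both generators against crypto/cipher's OFB and CTR
// streams applied to nbytes of zeros (which yields the raw keystream).
func matchesStdlib(blk cipher.Block, iv []byte, nbytes int) bool {
	zero := make([]byte, nbytes)
	o := make([]byte, nbytes)
	cipher.NewOFB(blk, iv).XORKeyStream(o, zero)
	c := make([]byte, nbytes)
	cipher.NewCTR(blk, iv).XORKeyStream(c, zero)
	return bytes.Equal(o, ofbKeystream(blk, iv, nbytes)) && bytes.Equal(c, ctrKeystream(blk, iv, nbytes))
}

func main() {
	blk, _ := aes.NewCipher(demoKey)
	pt1 := []byte("first message, sent under key K.") // constructed, 32 bytes
	pt2 := []byte("second message, same key and IV.") // constructed, 32 bytes
	ks := ofbKeystream(blk, demoIV, len(pt1))
	c1, c2 := xorKeystream(ks, pt1), xorKeystream(ks, pt2)
	// With the IV reused, c1 XOR c2 = pt1 XOR pt2: the key is gone from the picture.
	fmt.Printf("c1 XOR c2 == pt1 XOR pt2: %v\n", bytes.Equal(xorKeystream(c1, c2), xorKeystream(pt1, pt2)))
	fmt.Printf("generators agree with crypto/cipher: %v\n", matchesStdlib(blk, demoIV, 64))
}
```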
In OFB with full n-bit feedback, the keystream is generated by the iterated function O_j = E_K(O_{j-1}). Since E_K is a permutation, and under the assumption that for random K, E_K is effectively a random choice among all (2^n)! permutations on n elements, it can be shown that for a fixed (random) key and starting value, the expected cycle length before repeating any value O_j is about 2^{n-1}. On the other hand, if the number of feedback bits is r < n as allowed in Algorithm, the keystream is generated by the iteration O_j = f(O_{j-1}) for some non-permutation f which, assuming it behaves as a random function, has an expected cycle length of about 2^{n/2}. Consequently, it is strongly recommended to use the OFB mode with full n-bit feedback.
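The difference between iterating a random permutation (full feedback) and a random function (r < n feedback) can be measured on a small state space. The following Go program is an added example, not part of the original text; it assumes a toy n = 12 so that 2^n = 4096 states fit in a table, and stands in a random permutation or random function (from a seeded generator) for E_K and f respectively, then averages the number of distinct outputs produced before the first repeat. Expect the permutation to average close to 2^{n-1} = 2048 and the function to land in the tens, near 2^{n/2} = 64.

```go
package main

import (
	"fmt"
	"math/rand"
)

const nBits = 12
const space = 1 << nBits // 2^n possible values of O_j

// randomPermutation stands in for E_K with full n-bit feedback: a uniformly
// random permutation of {0, ..., 2^n - 1}.
func randomPermutation(rng *rand.Rand) []int {
	return rng.Perm(space)
}

// randomFunction stands in for the non-permutation f obtained with r < n
// feedback bits: each value maps to an independent uniformly random value.
func randomFunction(rng *rand.Rand) []int {
	f := make([]int, space)
	for i := range f {
		f[i] = rng.Intn(space)
	}
	return f
}

// cycleLength iterates O_j = f(O_{j-1}) from start and returns how many values
// are produced before one repeats, i.e. the usable keystream length. For a
// permutation this is the length of the cycle containing start; for a general
// function it is tail plus cycle (the "rho" length).
func cycleLength(f []int, start int) int {
	seen := make(map[int]bool)
	x := start
	steps := 0
	for !seen[x] {
		seen[x] = true
		x = f[x]
		steps++
	}
	return steps
}

// meanCycleLength averages cycleLength over trials fresh (map, start) pairs
// drawn from a deterministic seed so runs are reproducible.
func meanCycleLength(gen func(*rand.Rand) []int, trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	total := 0
	for i := 0; i < trials; i++ {
		f := gen(rng)
		total += cycleLength(f, rng.Intn(space))
	}
	return float64(total) / float64(trials)
}

func main() {
	fmt.Printf("n = %d, 2^(n-1) = %d, 2^(n/2) = %d\n", nBits, space/2, 1<<(nBits/2))
	fmt.Printf("permutation (full feedback): mean %.1f outputs before repeat\n", meanCycleLength(randomPermutation, 200, 1))
	fmt.Printf("random function (r < n):     mean %.1f outputs before repeat\n", meanCycleLength(randomFunction, 200, 1))
}
```

For a random permutation the cycle length of a random starting point is uniform on 1..2^n, giving the mean of about 2^{n-1}; for a random function the expected rho length is about sqrt(pi 2^n / 2), the same order as the 2^{n/2} quoted above.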
It is clear that both the OFB mode with full feedback and the counter mode employ a block cipher as a keystream generator for a stream cipher. Similarly the CFB mode encrypts a character stream using the block cipher as a (plaintext-dependent) keystream generator. The CBC mode may also be considered a stream cipher with n-bit blocks playing the role of very large characters. Thus modes of operation allow one to define stream ciphers from block ciphers.