Better to know some... than all 


Modes of operation

A block cipher encrypts plaintext in fixed-size n-bit blocks (often n = 64). For messages exceeding n bits, the simplest approach is to partition the message into n-bit blocks and encrypt each separately. This electronic-codebook (ECB) mode has disadvantages in most applications, motivating other methods of employing block ciphers (modes of operation) on larger messages. The four most common modes are ECB, CBC, CFB, and OFB.

In what follows, E_K denotes the encryption function of the block cipher E parameterized by key K, while E_K^{-1} denotes decryption. A plaintext message x = x_1 ... x_t is assumed to consist of n-bit blocks for ECB and CBC modes, and r-bit blocks for CFB and OFB modes for appropriate fixed r <= n.

(i) ECB mode

The electronic codebook (ECB) mode of operation is given in Algorithm

Properties of the ECB mode of operation:
1. Identical plaintext blocks (under the same key) result in identical ciphertext.
2. Chaining dependencies: blocks are enciphered independently of other blocks. Reordering ciphertext blocks results in correspondingly reordered plaintext blocks.
3. Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only. For typical ciphers E, decryption of such a block is then random (with about 50% of the recovered plaintext bits in error). Regarding bits being deleted.

Since ciphertext blocks are independent, malicious substitution of ECB blocks does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns: identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.

(ii) CBC mode

The cipher-block chaining (CBC) mode of operation, specified in Algorithm, involves use of an n-bit initialization vector, denoted IV.
Properties of the CBC mode of operation:
1. Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV. Changing the IV, key, or first plaintext block (e.g., using a counter or random field) results in different ciphertext.
2. Chaining dependencies: the chaining mechanism causes ciphertext c_j to depend on x_j and all preceding plaintext blocks (the entire dependency on preceding blocks is, however, contained in the value of the previous ciphertext block). Consequently, rearranging the order of ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.
3. Error propagation: a single bit error in ciphertext block c_j affects decipherment of blocks c_j and c_{j+1} (since x_j depends on c_j and c_{j-1}). Block x'_j recovered from c_j is typically totally random (50% in error), while the recovered plaintext x'_{j+1} has bit errors precisely where c_j did. Thus an adversary may cause predictable bit changes in x_{j+1} by altering corresponding bits of c_j.
4. Error recovery: the CBC mode is self-synchronizing or ciphertext autokey in the sense that if an error (including loss of one or more entire blocks) occurs in block c_j but not c_{j+1}, c_{j+2} is correctly decrypted to x_{j+2}.

Although CBC mode decryption recovers from errors in ciphertext blocks, modifications to a plaintext block x_j during encryption alter all subsequent ciphertext blocks. This impacts the usability of chaining modes for applications requiring random read/write access to encrypted data. The ECB mode is an alternative.

Although self-synchronizing in the sense of recovery from bit errors, recovery from "lost" bits causing errors in block boundaries (framing integrity errors) is not possible in the CBC or other modes.
While the IV in the CBC mode need not be secret, its integrity should be protected, since malicious modification thereof allows an adversary to make predictable bit changes to the first plaintext block recovered. Using a secret IV is one method for preventing this. However, if message integrity is required, an appropriate mechanism should be used; encryption mechanisms typically guarantee confidentiality only.

(iii) CFB mode

While the CBC mode processes plaintext n bits at a time (using an n-bit block cipher), some applications require that r-bit plaintext units be encrypted and transmitted without delay, for some fixed r < n (often r = 1 or r = 8). In this case, the cipher feedback (CFB) mode may be used.

Properties of the CFB mode of operation:
1. Identical plaintexts: as per CBC encryption, changing the IV results in the same plaintext input being enciphered to a different output. The IV need not be secret.
2. Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block c_j to depend on both x_j and preceding plaintext blocks; consequently, reordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding ⌈n/r⌉ ciphertext blocks to be correct (so that the shift register contains the proper value).
3. Error propagation: one or more bit errors in any single r-bit ciphertext block c_j affects the decipherment of that and the next ⌈n/r⌉ ciphertext blocks (i.e., until n bits of ciphertext are processed, after which the error block c_j has shifted entirely out of the shift register). The recovered plaintext x'_j will differ from x_j precisely in the bit positions c_j was in error; the other incorrectly recovered plaintext blocks will typically be random vectors, i.e., have 50% of bits in error. Thus an adversary may cause predictable bit changes in x_j by altering corresponding bits of c_j.
4. Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires ⌈n/r⌉ ciphertext blocks to recover.
5. Throughput: for r < n, throughput is decreased by a factor of n/r (vs. CBC) in that each execution of E yields only r bits of ciphertext output.

Since the encryption function E is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher E is a public-key algorithm; instead, the CBC mode should be used.

The CFB mode may be modified as follows, to allow processing of plaintext blocks (characters) whose bitsize s is less than the bitsize r of the feedback variable (e.g., 7-bit characters using 8-bit feedback; s < r). The leftmost s (rather than r) bits of O_j are assigned to t_j; the s-bit ciphertext character c_j is computed; the feedback variable is computed from c_j by prepending (on the left) r - s 1-bits; the resulting r-bit feedback variable is shifted into the least significant (LS) end of the shift register as before.

(iv) OFB mode

The output feedback (OFB) mode of operation may be used for applications in which all error propagation must be avoided. It is similar to CFB, and allows encryption of various block sizes (characters), but differs in that the output of the encryption block function E (rather than the ciphertext) serves as the feedback.

Properties of the OFB mode of operation:
1. Identical plaintexts: as per CBC and CFB modes, changing the IV results in the same plaintext being enciphered to a different output.
2. Chaining dependencies: the keystream is plaintext-independent.
3. Error propagation: one or more bit errors in any ciphertext character c_j affects the decipherment of only that character, in the precise bit position(s) c_j is in error, causing the corresponding recovered plaintext bit(s) to be complemented.
4. Error recovery: the OFB mode recovers from ciphertext bit errors, but cannot self-synchronize after loss of ciphertext bits, which destroys alignment of the decrypting keystream (in which case explicit resynchronization is required).
5. Throughput: for r < n, throughput is decreased as per the CFB mode. However, in all cases, since the keystream is independent of plaintext or ciphertext, it may be precomputed (given the key and IV).

The IV, which need not be secret, must be changed if an OFB key K is reused. Otherwise an identical keystream results, and by XORing corresponding ciphertexts an adversary may reduce cryptanalysis to that of a running-key cipher with one plaintext as the running key.

A simplification of OFB involves updating the input block as a counter, I_{j+1} = I_j + 1, rather than using feedback. This both avoids the short-cycle problem, and allows recovery from errors in computing E. Moreover, it provides a random-access property: ciphertext block i need not be decrypted in order to decrypt block i + 1.

In OFB with full n-bit feedback, the keystream is generated by the iterated function O_j = E_K(O_{j-1}). Since E_K is a permutation, and under the assumption that for random K, E_K is effectively a random choice among all (2^n)! permutations on n elements, it can be shown that for a fixed (random) key and starting value, the expected cycle length before repeating any value O_j is about 2^{n-1}. On the other hand, if the number of feedback bits is r < n as allowed in Algorithm, the keystream is generated by the iteration O_j = f(O_{j-1}) for some non-permutation f which, assuming it behaves as a random function, has an expected cycle length of about 2^{n/2}. Consequently, it is strongly recommended to use the OFB mode with full n-bit feedback.

It is clear that both the OFB mode with full feedback and the counter mode employ a block cipher as a keystream generator for a stream cipher.
Similarly the CFB mode encrypts a character stream using the block cipher as a (plaintext-dependent) keystream generator. The CBC mode may also be considered a stream cipher with n-bit blocks playing the role of very large characters. Thus modes of operation allow one to define stream ciphers from block ciphers.
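
The identical-block and error-propagation properties listed above for ECB, CBC and OFB can be checked directly by flipping one ciphertext bit and comparing the recovered plaintext. The following is an added example, not part of the original text; the 64-bit Feistel permutation built on SHA-256, the key, the IV and the plaintext are constructed for illustration and are not a real cipher.

```python
import hashlib

N = 8  # block size in bytes: n = 64 bits, as in the text
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + N] for i in range(0, len(data), N)]

def E(key, blk, rounds=(0, 1, 2, 3)):
    """Toy 4-round Feistel permutation on 64-bit blocks (illustration only)."""
    l, r = blk[:4], blk[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, xor(l, f)
    return r + l  # final swap: decryption is the same network, rounds reversed

def D(key, blk): return E(key, blk, rounds=(3, 2, 1, 0))
def ecb_enc(key, pt): return [E(key, x) for x in blocks(pt)]
def ecb_dec(key, ct): return [D(key, c) for c in ct]

def cbc_enc(key, iv, pt):
    out = [iv]
    for x in blocks(pt):
        out.append(E(key, xor(x, out[-1])))  # c_j = E_K(x_j XOR c_{j-1})
    return out[1:]

def cbc_dec(key, iv, ct):
    return [xor(D(key, c), prev) for c, prev in zip(ct, [iv] + ct[:-1])]

def ofb(key, iv, blks):  # full n-bit feedback; same call encrypts and decrypts
    out, o = [], iv
    for b in blks:
        o = E(key, o)                        # O_j = E_K(O_{j-1})
        out.append(xor(b, o))
    return out

def damage(decrypt, ct, pt, j=1):
    """Flip the low bit of ciphertext block j; return per-block plaintext error masks."""
    bad = list(ct)
    bad[j] = bad[j][:-1] + bytes([bad[j][-1] ^ 1])
    return [xor(a, b).hex() for a, b in zip(decrypt(bad), blocks(pt))]

KEY, IV = b"constructed-key!", bytes(range(8))           # constructed values
PT = b"BLOCK-AA" * 2 + b"BLOCK-BB" + b"BLOCK-CC"         # 4 blocks, first two equal

def report():
    e, c, o = ecb_enc(KEY, PT), cbc_enc(KEY, IV, PT), ofb(KEY, IV, blocks(PT))
    return {"ECB": damage(lambda x: ecb_dec(KEY, x), e, PT),
            "CBC": damage(lambda x: cbc_dec(KEY, IV, x), c, PT),
            "OFB": damage(lambda x: ofb(KEY, IV, x), o, PT)}

if __name__ == "__main__": print(report())
```

In the output, an all-zero mask means the block was recovered intact and a mask of `0000000000000001` means exactly the flipped bit was complemented. Calling `ofb` on two different messages with the same `KEY` and `IV` and XORing the ciphertexts yields the XOR of the two plaintexts, which is the keystream-reuse condition described for OFB.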