
Block Cipher Modes

This document discusses modes of operation for block ciphers. It introduces five common modes - Electronic Codebook (ECB), Cipher Block Chaining (CBC), Output Feedback (OFB), Cipher Feedback (CFB), and Counter (CTR) modes. ECB encrypts each block independently, allowing identical plaintext blocks to encrypt to identical ciphertext blocks. CBC improves on ECB by XORing each plaintext block with the previous ciphertext block before encryption to prevent identical blocks. CFB and OFB operate on a stream of data rather than fixed blocks. CTR converts the cipher into a stream cipher. Overall the document provides an overview of different techniques for using a block cipher to encrypt arbitrary sized messages.

Uploaded by

Apoorva Panchal

Block Cipher Modes of Operation

Dr. Reema Patel, IS 2019, B.Tech, CE/ICT, SOT, PDPU


Introduction
• A block cipher is a function that maps n-bit plaintext blocks to n-bit ciphertext blocks; n is called the block length.
• E: {0,1}^n × {0,1}^k → {0,1}^n
• A mode of operation is a procedure that enables the repeated and secure use of a block cipher under a single key
• A block cipher encrypts fixed-size blocks (e.g. DES – 64 bits)
• Some way is needed to encrypt/decrypt arbitrarily large amounts of data in practice

Need for Modes of Block Cipher
• Block ciphers deal with blocks of data
• In real life there are two important issues:
  • Plaintext is much larger than a typical block length of 128 bits
  • Plaintext is not a multiple of the block length
• NIST SP 800-38A defines 5 modes
• The obvious solution is the first mode, called Electronic Code Book

Block Cipher Modes
• Electronic codebook mode (ECB)
• Cipher block chaining mode (CBC) – most popular
• Output feedback mode (OFB)
• Cipher feedback mode (CFB)
• Counter mode (CTR)

Electronic Code Book (ECB)
• Message is broken into independent blocks
• Each plaintext block is encrypted with the key to its own ciphertext block
• C_i = E_K(P_i)
• Weakness: the same plaintext block is always converted to the same ciphertext block

Schematic Diagram
[Figure: ECB mode schematic]

Properties
• Chaining dependencies:
  • Blocks are encrypted independently of other blocks.
  • Reordering ciphertext blocks results in correspondingly reordered plaintext blocks.
• Error propagation:
  • One or more bit errors in a single ciphertext block affect decipherment of that block only.
  • Other blocks are not affected.

Security Issues
• Identical blocks of plaintext are encrypted as identical blocks of ciphertext
• Consider a plaintext with only two possibilities: all 64 bits (block length) 0 or all 64 bits 1
• ECB leaks all of the secret
  • if aligned with the plaintext block
  • particularly with data such as graphics
  • or with messages that change very little, which become a code-book analysis problem
• The weakness is due to the encrypted message blocks being independent
• If an attacker re-orders blocks, it will not be detected by the receiver

Limitations of ECB
[Figure: three images labelled "Original", "Encrypted with ECB" and "Encrypted with other than ECB". From wiki]

Cipher Block Chaining (CBC)
• Used to solve the problem of identical plaintext blocks being encrypted to identical ciphertext blocks
• The idea is to use chaining
• Message is broken into blocks
• Each plaintext block is XORed with the previous ciphertext block before being encrypted, hence the name CBC
• Use an Initial Vector (IV) to start the process
• C_i = E_K(P_i XOR C_{i-1})
• C_0 = IV (the IV is not a secret like the key)

Schematic Diagram
[Figure: CBC mode schematic]

IV based attack
• Keeping the IV secret is not necessary
• But the integrity of the IV should be maintained
• Note that C_1 = E_K(IV XOR P_1)
• Thus, P_1 = D_K(C_1) XOR IV
• If an attacker flips certain bits of the IV, the corresponding bits of the recovered plaintext also change
• This can lead to problems in some applications (in which integrity is required)
• If the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate

Properties
• Chaining dependencies
  • Chaining causes ciphertext c_j to depend on all preceding plaintext
• If one of the ciphertext blocks is changed by an attacker
  • then how many plaintext blocks would be affected?

Properties
• Error propagation
  • A single bit error in c_j affects decipherment of blocks c_j and c_{j+1}
  • Reordering the ciphertext blocks affects decryption
• Error recovery
  • Self-synchronizing: if an error occurs in c_j (but not c_{j+1}, c_{j+2}), then c_{j+2} is correctly decrypted to x_{j+2}.
  • Can be used as a MAC: x_1, x_2, . . . , x_n, c_n (for authentication)

Example – Error Propagation in CBC
[Figure: error propagation in CBC]

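The ECB and CBC properties from the slides above (repeated blocks under ECB, the relation P_1 = D_K(C_1) XOR IV, and CBC error propagation), worked through in an added Python example that is not part of the original slides. E and D are a toy Feistel permutation built from SHA-256 standing in for a real block cipher (an assumption), and the key, IV and plaintext are constructed sample values.

```python
import hashlib

BS = 16                                                # block length n in bytes
KEY, IV = b"constructed key", bytes(range(BS))         # constructed sample values
PT = b"A" * BS + b"B" * BS + b"A" * BS + b"C" * BS     # blocks 0 and 2 are identical

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def round_fn(key, rnd, half):  # round function of the toy Feistel cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def E(key, blk):  # toy 4-round Feistel permutation standing in for E_K (assumption)
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, round_fn(key, rnd, r))
    return l + r

def D(key, blk):  # inverse permutation D_K
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_fn(key, rnd, l)), l
    return l + r

def ecb_encrypt(key, pt):  # C_i = E_K(P_i)
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
    out = [iv]
    for p in blocks(pt):
        out.append(E(key, xor(p, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) XOR C_{i-1}
    return b"".join(xor(D(key, c), p) for c, p in zip(blocks(ct), [iv] + blocks(ct)))

def changed_blocks(a, b):  # zero-based indices of blocks that differ
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]
def flip_bit(data, pos, mask=0x01):  # model a one-bit change in byte `pos`
    return data[:pos] + bytes([data[pos] ^ mask]) + data[pos + 1:]

def demo():
    ecb, cbc = blocks(ecb_encrypt(KEY, PT)), cbc_encrypt(KEY, IV, PT)
    return {"ecb_repeats": ecb[0] == ecb[2],   # identical plaintext blocks show through
            "cbc_repeats": blocks(cbc)[0] == blocks(cbc)[2],
            "iv_flip": changed_blocks(PT, cbc_decrypt(KEY, flip_bit(IV, 0), cbc)),
            "c2_flip": changed_blocks(PT, cbc_decrypt(KEY, IV, flip_bit(cbc, BS)))}
```

demo() reports which plaintext blocks (zero-based) change when one IV bit or one bit of the second ciphertext block is altered. Decryption completes in both cases without signalling that anything was modified, which is the reason the slides ask for the integrity of the IV to be maintained.
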
Message Padding
• What if the message is not a multiple of the block length?
• The last block of the message is not as large as the block size of the cipher
• Pad either with a known non-data value (e.g., nulls)
• or pad the last block along with a count of the pad size
  • E.g., [ b1 b2 b3 0 0 0 0 5]
  • means there are 3 data bytes, then 5 bytes of pad + count
  • this may require an entire extra block beyond those in the message

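The two padding options from the slide, as an added Python example that is not part of the original slides. It uses the slide's 8-byte block; the function names are illustrative, and the checks in unpad() are one reasonable set of validations rather than a quoted standard.

```python
BS = 8  # block size in bytes, matching the slide's [b1 b2 b3 0 0 0 0 5] example

def pad_nulls(msg, bs=BS):
    # Option 1: fill the last block with nulls only (no count)
    return msg + bytes(-len(msg) % bs)

def pad(msg, bs=BS):
    # Option 2: zeros followed by a final byte holding the pad length (1..bs).
    # A message that is already block-aligned gets one whole extra block.
    n = bs - len(msg) % bs
    return msg + bytes(n - 1) + bytes([n])

def unpad(padded, bs=BS):
    # Reject anything pad() could not have produced
    if not padded or len(padded) % bs:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= bs:
        raise ValueError("pad count out of range")
    if any(padded[-n:-1]):
        raise ValueError("non-zero filler bytes")
    return padded[:-n]

if __name__ == "__main__":
    print(pad(b"\x01\x02\x03").hex(" "))      # the slide's example block
    print(len(pad(b"12345678")))              # aligned input grows by one block
    # Null-only padding is ambiguous for data that ends in zero bytes:
    print(pad_nulls(b"ab") == pad_nulls(b"ab\x00"))
```

Null-only padding cannot be removed unambiguously when the data itself may end in zero bytes, which is what the count byte fixes at the cost of the occasional extra block.
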
Cipher Feedback Mode (CFB)
• CBC processes plaintext n bits at a time with an n-bit block cipher
• Can encryption begin before a complete block of data is received?
• Sometimes, only s bits of an n-bit block (s = 1 or s = 8) are required to be transmitted without delay
• CFB is employed when data is to be encrypted in units smaller than the block size.

Cipher Feedback Mode (CFB)
• The plaintext message
  • is treated as a stream of bits
  • is added to the output of the block cipher
  • the result is then fed back for the next stage (hence the name)
• The standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back
  • denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• Most efficient to use all bits in the block (64 or 128)
• C_i = P_i XOR DES_K1(C_{i-1})
• C_{-1} = IV
• Uses: stream data encryption, authentication

Cipher Feedback Mode (CFB)
• Input
  • k-bit key K;
  • n-bit IV;
  • s-bit plaintext blocks x_1, …, x_u (1 ≤ s ≤ n)
• Output
  • produce s-bit ciphertext blocks c_1, …, c_u

Cipher Feedback Mode (CFB)
[Figure: CFB mode schematic]

Decryption in CFB mode
[Figure: decryption in CFB mode]

Advantages and Limitations of CFB
• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Note that the block cipher is used in encryption mode at both ends
• Errors propagate for several blocks after the error

Advantages and Limitations of CFB
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A ciphertext segment corrupted during transmission will affect the current and the next several plaintext segments.
  • How many plaintext segments will be affected?

Advantages and Limitations of CFB
• Bit errors in the incoming cipher block (bytes in this context) will cause bit errors at the same bit positions in the first plaintext block.
• This cipher block will then be fed to the shift register and cause bit errors in the plaintext for as long as the erroneous bits stay in the shift register.
• Hence, for 8-bit CFB the following 8 bytes will be garbled. After that, the system recovers, and all following bytes are decrypted correctly.

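The 8-bit CFB error behaviour described above, with a 64-bit block and shift register, as an added Python example that is not part of the original slides. E is a SHA-256-based stand-in for the block cipher's encryption direction (an assumption; CFB never needs the inverse), and the key, IV and plaintext are constructed sample values.

```python
import hashlib

N = 8                                       # block length in bytes (64-bit block)
KEY, IV = b"constructed key", bytes(N)      # constructed sample values
PT = bytes(range(32))                       # constructed 32-byte plaintext

def E(key, block):  # stand-in for E_K (assumption): keyed hash cut to one block
    return hashlib.sha256(key + block).digest()[:N]

def cfb8(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for byte in data:
        o = byte ^ E(key, reg)[0]           # XOR with the leftmost 8 bits of E_K(register)
        out.append(o)
        c = byte if decrypt else o          # the ciphertext byte is what gets fed back
        reg = reg[1:] + bytes([c])          # shift the register left by s = 8 bits
    return bytes(out)

def error_pattern(key, iv, pt, pos, mask=0x04):
    # Flip bits of one ciphertext byte in transit, decrypt, and report the damage:
    # (positions of wrong plaintext bytes, bit difference at the flipped position)
    ct = bytearray(cfb8(key, iv, pt))
    ct[pos] ^= mask
    got = cfb8(key, iv, bytes(ct), decrypt=True)
    return [i for i in range(len(pt)) if got[i] != pt[i]], got[pos] ^ pt[pos]

if __name__ == "__main__":
    wrong, delta = error_pattern(KEY, IV, PT, pos=5)
    print("wrong plaintext bytes:", wrong)
    print("bit error at flipped byte: 0x%02x" % delta)
```

The byte at the flipped position carries exactly the flipped bits, and the damage ends once the bad byte has left the 8-byte register. An individual garbled byte can still match the original by chance (1 in 256), so the wrong positions are bounded by the 9 bytes starting at the flip rather than always filling them.
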
Output Feedback Mode (OFB)
• Message is treated as a stream of bits
• Output of the cipher is added to the message
• Output is then fed back (hence the name OFB)
• Feedback is independent of the message
• Can be computed in advance
• O_i = E_K(O_{i-1})
• C_i = P_i XOR O_i
• O_{-1} = IV

[Figure: panels "Cipher Feedback" and "Output Feedback"]

Output Feedback Mode (OFB)
[Figure: OFB mode schematic]

Output Feedback Mode (OFB)
• INPUT
  • k-bit key K; n-bit IV; r-bit plaintext blocks x_1, …, x_u (1 ≤ r ≤ n)
• OUTPUT
  • produce r-bit ciphertext blocks c_1, …, c_u
• Encryption
  • I_1 ← IV. For 1 ≤ j ≤ u, given plaintext block x_j:
  • O_j ← E_K(I_j) (compute the block cipher output)
  • t_j ← the r leftmost bits of O_j (assume the leftmost is identified as bit 1)
  • c_j ← x_j ⊕ t_j (transmit the r-bit ciphertext block c_j)
  • I_{j+1} ← O_j (update the block cipher input for the next block; full feedback)
  • I_{j+1} ← 2^r · I_j + t_j mod 2^n (alternative update with r-bit feedback: shift output t_j into the right end of the shift register)

Output Feedback Mode (OFB)
• Decryption
  • I_1 ← IV.
  • For 1 ≤ j ≤ u, upon receiving c_j: x_j ← c_j ⊕ t_j, where t_j, O_j and I_j are computed as above

Advantages and Limitations of OFB
• Needs an IV which is unique for each use
  • if it is ever reused, an attacker can recover outputs
• More resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).
• More vulnerable to message stream modification
• Sender & receiver must remain in sync

Counter (CTR)
• Similar to OFB
• but encrypts a counter value rather than any feedback value
• Must have a different key & counter value for every plaintext block (never reused)
• O_i = E_K(i)
• C_i = P_i XOR O_i
• Uses: high-speed network encryption

Counter (CTR)
[Figures: CTR mode schematics]

Nonce CTR Mode
[Figure: nonce CTR mode schematic]

Advantages and Limitations of CTR
• Efficiency
  • can do parallel encryptions in h/w or s/w
  • can pre-process in advance of need
  • good for high-speed links
• Random access to encrypted data blocks
• Provable security (as good as other modes)
• But must ensure key/counter values are never reused, otherwise it could break

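Why OFB needs a unique IV and CTR a never-reused key/counter pair, together with CTR's random access, as an added Python example that is not part of the original slides. E is a SHA-256-based stand-in for E_K (an assumption; both modes use only the encryption direction), and the nonce-plus-counter layout of the CTR input block is likewise an assumption.

```python
import hashlib

N = 16  # block length in bytes

def E(key, block):  # stand-in for E_K (assumption): keyed hash cut to one block
    return hashlib.sha256(key + block).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nbytes):
    # O_i = E_K(O_{i-1}), O_{-1} = IV: depends on key and IV only, never on the
    # message, so it can be computed in advance
    out, o = b"", iv
    while len(out) < nbytes:
        o = E(key, o)
        out += o
    return out[:nbytes]

def ofb(key, iv, data):  # C_i = P_i XOR O_i; decryption is the same operation
    return xor(data, ofb_keystream(key, iv, len(data)))

def ctr_block(key, nonce, i):
    # O_i = E_K(nonce || i): 8-byte nonce, 8-byte big-endian counter (assumed layout)
    return E(key, nonce + i.to_bytes(8, "big"))

def ctr(key, nonce, data):
    ks = b"".join(ctr_block(key, nonce, i) for i in range(-(-len(data) // N)))
    return xor(data, ks)

def ctr_decrypt_block(key, nonce, ct, i):
    # Random access: block i needs only its own counter value
    return xor(ct[i * N:(i + 1) * N], ctr_block(key, nonce, i))

def reuse_leaks_xor(encrypt, key, iv, p1, p2):
    # Same key and same IV/nonce: the keystream cancels, C1 XOR C2 == P1 XOR P2
    return xor(encrypt(key, iv, p1), encrypt(key, iv, p2)) == xor(p1, p2)

if __name__ == "__main__":
    key, p1, p2 = b"constructed key", b"first sample msg", b"other sample msg"
    print(reuse_leaks_xor(ofb, key, bytes(N), p1, p2))
    print(reuse_leaks_xor(ctr, key, b"nonce-01", p1, p2))
```

When the check returns True, the XOR of the two ciphertexts equals the XOR of the two plaintexts without any use of the key, so a deployment has to guarantee per-message IV or nonce uniqueness under a given key.
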
Summary of Block Cipher Modes
[Figure: summary of block cipher modes]

Choosing a Cipher mode
• ECB
  • easiest, fastest, weakest
  • should not be used for message encryption
  • good for encrypting random data such as key, IV
• CBC
  • best for encrypting files
  • speed is the same as the block cipher
  • encryption is not parallelizable, but decryption is
  • most suitable for software-based systems

Choosing a Cipher mode
• CFB
  • used for encrypting streams of information … 8-bit CFB for character encryption
• OFB
  • used for high-speed synchronous systems
  • used if pre-processing is required.