Block Cipher Modes of Operations

A block cipher algorithm can be expressed as a combination of various basic operations. Each such combination is
called a mode of operation. There are four important modes, namely, ECB (Electronic Code Book), CBC (Cipher Block
Chaining), CFB (Cipher Feedback), OFB (Output Feedback). The first two modes operate on block ciphers, and the last
two modes works on block ciphers acting as stream ciphers.
Electronic Code Book (ECB) Mode
ECB is the simplest mode of operation. Here, the incoming plain text message is divided into blocks of 64 bits each.
Each such block is then encrypted independently of the other blocks. For all blocks in a message, the same key is used
for encryption.

At the receiver's end, the incoming data is divided in 64-bit blocks, and by using the same key as used for encryption,
each block is decrypted to produce the corresponding plain text block.

In ECB a single key is used for encrypting all the blocks of a message. If a plain text block repeats in the original
message, the corresponding cipher text block will also repeat in the encrypted message. Therefore, ECB is suitable only
for encrypting small messages, where the scope for repeating the same plain text blocks is small.

Security Issues
Following are security issues in CBC mode:
1. Patterns at the block level are preserved. For example, equal blocks in the plaintext become equal blocks in the
ciphertext. If Eve finds out that ciphertext blocks 1, 5, and 10 are the same, she knows that plaintext blocks 1, 5, and 10
are the same. This is a leak in security. For example, Eve can do an exhaustive search to decrypt only one of these
blocks to find the contents of all of them.
2. The block independency creates opportunities for Eve to exchange some ciphertext blocks without knowing the key.
For example, if she knows that block 8 always conveys some specific information, she can replace this block with the
corresponding block in the previously intercepted message.

Error Propagation
A single bit error in transmission can create errors in several (normally half of the bits or all of the bits) in the
corresponding block. However, the error does not have any effect on the other blocks.

Applications
The ECB mode of operation is not recommended for encryption of messages of more than one block to be transferred
through an insecure channel. If the message is short enough to fit in one block, the security issues and propagation
errors are tolerable. Another advantage of this mode is that we can use parallel processing if we need to create, for
example, a very huge encrypted database.

Cipher Block Chaining (CBC) Mode

CBC mode ensures that even if a block of plain text repeats in the input, those identical plain text blocks will yield
totally different cipher text blocks in the output. To achieve this, a feedback mechanism is used. Chaining adds a
feedback mechanism to a block cipher. In CBC, the result of the encryption of a block is used (feedback) to encrypt the
next block. Thus, each block of cipher text is dependent on the current input plain text block, as well as all encrypted
versions of all the previous plain text blocks.
The encryption process can be described as follows.
1. The first step receives two
inputs: the first block of plain
text and a random block of text,
called Initialization Vector
(IV). The IV has no special
meaning; it is randomly
generated and is used to make
each message unique. It is used
for both encryption and
decryption purposes, hence it
has to transmitted to the
receiver. It is recommended that the IV should be sent to the receiver in encrypted format. The first block of plain text
and IV are combined using XOR and then encrypted using a key to produce the first cipher text block.
2. In the second step, the second plain text block is XOR-ed with the output of step – 1, that is, the first cipher text
block. It is then encrypted with the same key as used in step – 1.
3. This process continues for all the remaining blocks of plain text message.

The decryption process works as follows.

1. The first cipher text block is decrypted using the same key that was used for encryption. The result is then XOR-ed
with the IV, which yields the first plain text block.
2. The second cipher text block is decrypted using the key and the result is XOR-ed with the first cipher text block,
which yields the second plain text block.
3. This process of decryption and then XOR-ing with the previous cipher text block continues for all remaining cipher
text blocks.
Stream ciphers have some desirable properties. First, they can be used in real-time, that is, data can be encrypted
symbol by symbol as they are generated and transmitted. Second, there is no need for padding. It is possible to convert a
block cipher into a stream cipher using Cipher Feedback (CFB), and Output Feedback (OFB) modes.

Cipher Feedback Mode (CFB)

Encryption: The input to the encryption function is a b-bit shift register that is initially set to some initialization vector
(IV). The leftmost (most significant) s bits of the output of the encryption function are XOR-ed with the first segment of
plain text P1 to produce the first unit of cipher text C1, which is then transmitted. In addition, the contents of the shift
register are shifted left by s bits, and C1 is placed in the rightmost (least significant) s bits of the shift register. This
process continues until all plain text units have been encrypted.
Decryption: For decryption, the same scheme is used, except that the received cipher text unit is XOR-ed
with the output of the
encryption function to
produce the plain text
unit. Note that it is the
encryption
function that is used,
not the decryption
function.

One interesting point about this mode is that no padding is required because the size of the blocks, r, is normally chosen
to fit the data unit to be encrypted (a character, for example). Another interesting point is that the system does not have
to wait until it has received a large block of data (64 bits or 128 bits) before starting the encryption. The encrypting
process is done for a small block of data (such as a character). These two advantages come with a disadvantage. CFB is
less efficient than CBC or ECB, because it needs to apply the encryption function of underlying block cipher for each
small block of size r.

CFB as a Stream Cipher

Although CFB is an operation mode for using block ciphers such as DES or AES, the result is a stream cipher. In fact, it
is a nonsynchronous stream cipher in which the key stream is dependent on the ciphertext.

Security Issues
There are three primary security issues in CFB mode:
1. Just like CBC, the patterns at the block level are not preserved.
2. More than one message can be encrypted with the same key, but the value of the IV should be changed for each
message. This means that Alice needs to use a different IV each time she sends a message.
3. Eve can add some ciphertext block to the end of the ciphertext stream.

Error Propagation
In CFB, a single bit error in ciphertext block Cj during transmission creates a single bit error (at the same position) in
plaintext block Pj.

Application
The CFB mode of operation can be used to encipher blocks of small size such as one character or bit at a time. There is
no need for padding because the size of the plaintext block is normally fixed (8 for a character or 1 for a bit).

Output Feedback Mode (OFB)

The output feedback (OFB) mode is similar in structure to that of CFB. For OFB, the output of the encryption function
is fed back to become the input for encrypting the next block of plaintext. In CFB, the output of the XOR unit is fed
back to become input for encrypting the next block. The other difference is that the OFB mode operates on full blocks
of plain text and cipher text, whereas CFB operates on an s-bit subset.
As with CBC and CFB, the OFB mode requires an initialization vector. In the case of OFB, the IV must be a nonce; that
is, the IV must be unique to each execution of the encryption operation. The reason for this is that the sequence of
encryption output blocks, Oi, depends only on the key and the IV and does not depend on the plaintext. Therefore, for a
given key and IV, the stream of output bits used to XOR with the stream of plaintext bits is fixed. If two different
messages had an identical block of plaintext in the identical position, then an attacker would be able to determine that
portion of the Oi stream.
One advantage of the OFB method is that bit errors in transmission do not propagate. For example, if a bit error occurs
in C1, only the recovered value of P1 is affected; subsequent plain text units are not corrupted. With CFB, C1 also
serves as input to the shift register and therefore causes additional corruption downstream.
The disadvantage of OFB is that it is more vulnerable to a message stream modification attack than is CFB. OFB has
the structure of a typical stream cipher, because the cipher generates a stream of bits as a function of an initial value and
a key, and that stream of bits is XOR-ed with the plain text bits. The generated stream that is XOR-ed with the plain text
is itself independent of the plain text.

Security Issues
Following are two of the security issues in OFB mode:
1. Just like the CFB mode, patterns at the block level are not preserved.
2. Any change in the ciphertext affects the plaintext encrypted at the receiver side.

Error Propagation
A single error in the ciphertext affects only the corresponding bit in the plaintext.

Counter Mode (CTR)

A counter equal to the plain text block size is used. The only requirement is that the counter value must be different for
each plain text block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for
each subsequent block (modulo 2b where b is the block size). For encryption, the counter is encrypted and then XOR-ed
with the plain text block to produce the cipher text block; there is no chaining. For decryption, the same sequence of
counter values is used, with each encrypted counter XOR-ed with a cipher text block to recover the corresponding plain
text block. Thus, the initial counter value must be made available for decryption.
As with the OFB mode, the initial counter value must be a nonce; that is, T1 must be different for all of the messages
encrypted using the same key. Further, all Ti values across all messages must be unique. If, contrary to this requirement,
a counter value is used multiple times, then the confidentiality of all of the plain text blocks corresponding to that
counter value may be compromised.

Security Issues
The security issues for the CTR mode are the same as the those for OFB mode.

Error Propagation
A single error in the ciphertext affects only the corresponding bit in the plaintext.