Block Cipher
4.3 Block Cipher Modes
What if the size of a message is longer than the considered block size? To resolve this issue, there are five block cipher modes that have been defined by the National Institute of Standards and Technology (NIST). All these modes of operation are briefly described below.
4.3.1 Electronic Codebook (ECB) Mode
This is the simplest mode of operation. In this mode, the plaintext is divided into blocks of n bits and every block is encrypted/decrypted separately using the same secret key. This is depicted in Figure 4.2.
A plaintext is divided into m different blocks, i.e., P1, P2, P3, …, Pm. After encryption, it produces m blocks of ciphertext, namely, C1, C2, C3, …, Cm. The ECB encryption and decryption can be defined as follows:
Encryption:
C1 = EK (P1)
Decryption:
P1 = DK (C1) = EK⁻¹ (EK (P1))
In this scheme, since all the blocks are independent of each other, it does not suffer from any error propagation. There are a couple of problems with this approach that are absent in the single-block case. If a plaintext contains two identical n-bit blocks, the corresponding ciphertext blocks will also be identical. These regularities provide sufficient hints to a cryptanalyst to decipher the message.
Figure 4.2 Electronic codebook (ECB) mode.
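The following Go program is added here as an illustration and is not part of the original chapter. It implements the ECB equations above with AES-128 as EK (the key and plaintext are constructed demo values, and the function names are hypothetical), then scans the ciphertext for blocks that repeat an earlier block, which is exactly the regularity that leaks under ECB:

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// ecbEncrypt applies C_i = E_K(P_i) to each 16-byte block independently, with
// no chaining and no IV. The plaintext length must be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := block.BlockSize()
	if len(plaintext)%n != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), n)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += n {
		block.Encrypt(out[i:i+n], plaintext[i:i+n])
	}
	return out, nil
}

// repeatedBlocks returns the indices of ciphertext blocks that are identical to
// an earlier block. Under ECB such repeats expose repeated plaintext blocks to
// anyone who can see the ciphertext, which is the weakness the text describes.
func repeatedBlocks(ct []byte, n int) []int {
	seen := map[string]bool{}
	var dups []int
	for i := 0; i < len(ct); i += n {
		k := string(ct[i : i+n])
		if seen[k] {
			dups = append(dups, i/n)
		}
		seen[k] = true
	}
	return dups
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	// Constructed message: blocks 0 and 2 are the same 16-byte value.
	pt := []byte("SAME BLOCK HERE!another block...SAME BLOCK HERE!")
	ct, _ := ecbEncrypt(key, pt)
	fmt.Println("ciphertext blocks repeating an earlier block:", repeatedBlocks(ct, 16)) // [2]
}
```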
4.3.2 Cipher Block Chaining (CBC)
To overcome the deficiencies of the ECB, IBM invented the CBC mode in 1976. In this mode, every block of the plaintext is XORed with the previous ciphertext block. Therefore, identical blocks in the plaintext would not produce identical ciphertext blocks. Since the decryption is dependent on the previous block, a single bit error in a ciphertext block will cause the decryption to fail. Since there is no previous ciphertext block for the first plaintext block, a fixed initialization vector (IV) is XORed with this block. The IV is not secret and must be known to the receiver. To make every message unique, a different IV could be utilized for every plaintext, which must be generated in such a way that a malicious user has no influence on it. The encryption/decryption of CBC can be expressed as follows:
Encryption:
C1 = EK (P1 ⊕ IV)
Ci = EK (Pi ⊕ Ci−1), where i ≥ 2
Decryption:
P1 = EK⁻¹ (C1) ⊕ IV
Pi = EK⁻¹ (Ci) ⊕ Ci−1, where i ≥ 2
Figure 4.3 illustrates the CBC scheme. The CBC also suffers from a couple of problems. For instance, if someone deliberately changes bits of the IV in a predictable way, the corresponding bits of the received value of P1 are changed as well.
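As an added example that is not part of the original chapter, the Go program below implements the CBC equations above with AES-128 as EK and then shows the IV problem just described: a receiver that decrypts with an IV whose bit has been flipped recovers P1 with the same bit flipped while every later block is untouched. The key, IV and plaintext are constructed demo values and the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// xorInto computes dst = a XOR b over equal-length slices.
func xorInto(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// cbcEncrypt implements C_1 = E_K(P_1 XOR IV) and C_i = E_K(P_i XOR C_{i-1}).
// Assumes a 16-byte IV and a plaintext whose length is a multiple of 16 bytes.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	ct, tmp, prev := make([]byte, len(pt)), make([]byte, 16), iv
	for i := 0; i < len(pt); i += 16 {
		xorInto(tmp, pt[i:i+16], prev)
		block.Encrypt(ct[i:i+16], tmp)
		prev = ct[i : i+16] // the ciphertext block just produced chains into the next
	}
	return ct
}

// cbcDecrypt implements P_1 = E_K^-1(C_1) XOR IV and P_i = E_K^-1(C_i) XOR C_{i-1}.
func cbcDecrypt(key, iv, ct []byte) []byte {
	block, _ := aes.NewCipher(key)
	pt, tmp, prev := make([]byte, len(ct)), make([]byte, 16), iv
	for i := 0; i < len(ct); i += 16 {
		block.Decrypt(tmp, ct[i:i+16])
		xorInto(pt[i:i+16], tmp, prev)
		prev = ct[i : i+16]
	}
	return pt
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	iv := []byte("constructed-iv!!")  // constructed IV; use a fresh unpredictable one per message
	pt := []byte("block number oneblock number two")
	ct := cbcEncrypt(key, iv, pt)
	// Decrypting with an IV whose byte 0 has bit 0x10 flipped flips the same bit of P_1 only.
	badIV := append([]byte(nil), iv...)
	badIV[0] ^= 0x10
	fmt.Printf("%q\n", cbcDecrypt(key, badIV, ct))
}
```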
4.3.3 Cipher Feedback (CFB) Mode
All the modes discussed previously require fixed-size data blocks. If there are not enough bits to fill up a block, padding bits are appended to bring it to the required size. Unlike the ECB and CBC, the CFB mode operates as a stream cipher. One desirable property of a stream cipher is that it produces ciphertext of the same length as the plaintext.
Like the CBC, the CFB requires an IV for the initial input block, which is n bits long. It also requires an integer value, denoted by s, that is assumed to be the unit of transmission. Figure 4.4 illustrates the CFB scheme. As can be observed from the figure, the first input block is the IV, and the forward cipher operation is performed over it to produce the first output block. The s most significant bits are kept and the remaining n – s bits are discarded. Then, these s bits are XORed with the first plaintext segment of s bits to produce the first ciphertext segment of s bits. To produce the second input block, the IV is circularly shifted s bits to the left and the recently produced ciphertext segment is placed in the least significant s bits. This process continues until every plaintext segment has produced its corresponding ciphertext segment.
Figure 4.3 Cipher block chaining (CBC) mode.
The decryption utilizes a scheme similar to that for encryption, except that the received ciphertext segment is XORed with the output block of the encryption function. Note that no decryption function is used to decrypt the ciphertext; only the encryption function is used.
All the operations can be expressed as below:
Encryption:
Figure 4.4 Cipher feedback (CFB) mode.
The CFB suffers from error propagation since all the ciphertext segments are related to each other.
4.3.4 Output Feedback (OFB) Mode
The OFB mode is similar in terms of structure to that of the CFB.
Like the CFB, the first input block requires the IV, which is then encrypted with a secret key to produce an output block of n bits.
Unlike the CFB, the ciphertext segment is not fed back to the next input block. Instead, the output of the encryption function is fed back to the next input block. In the first input block, the IV and a secret key are required by an encryption function that produces an output block.
All the bits except the most significant s bits are discarded. These s bits are fed back to the next input block. They are also XORed with the plaintext to produce a ciphertext segment of s bits. To produce the second input block, the IV is circularly left shifted by s bits, and the least significant s bits are replaced by the s bits received from the previous output block. The OFB mode is illustrated in Figure 4.5.
In case of decryption, no ciphertext segment is required, unlike CFB.
The encryption/decryption operations can be expressed as follows:
Encryption:
s1 = EK (IV) and C1 = (s1 ⊕ P1)
si = EK (si−1) and Ci = (si ⊕ Pi), where i ≥ 2
Decryption:
s1 = EK (IV) and P1 = (s1 ⊕ C1)
si = EK (si−1) and Pi = (si ⊕ Ci), where i ≥ 2
Since all the ciphertext segments are independent of each other, this mode is more vulnerable to a message stream modification attack than CFB.
4.3.5 Counter (CTR) Mode
In this mode, a counter block of the same size as the plaintext block is used to produce an output block. If there is a sequence of plaintext blocks, a sequence of counters is utilized, and each counter value is distinct from the others. In general, the counter is initialized to some value that is then incremented by 1 for every subsequent block. Every block receives a counter and a key, and produces an output block. The resultant output block is XORed with the corresponding plaintext block to produce the ciphertext block. The encryption/decryption scheme can be expressed as below:
Encryption:
Ci = EK (CTRi) ⊕ Pi
Decryption:
Pi = EK (CTRi) ⊕ Ci
Figure 4.5 Output feedback (OFB) mode.
One notable advantage of this technique is that, unlike the CFB and OFB modes, both CTR encryption and CTR decryption can be parallelized, since the second encryption can begin before the first one has finished. Moreover, if necessary, any particular ciphertext block/plaintext block can be recovered independently if the corresponding counter block can be determined. Figure 4.6 illustrates the CTR mode.
Figure 4.6 Counter (CTR) mode.