Modes of Operation of a Block Cipher

Modes of Operation of a Block Cipher

B. Preneel, K.U.Leuven, Belgium

A n-bit block cipher with a k-bit key is a set of mode, and the CFB mode. Next we discuss t 2k bijections on n-bit strings. A block cipher is a some alternative modes that have been defined flexible building block; it can be used for encryp- for triple-DES and modes which allow to encrypt tion and authenticated encryption, to construct values from finite sets. MAC algorithms and hash functions. We use the following notation: EK (pi) de- When a block cipher is used for confi- notes the encryption with a block cipher of the dentiality protection, the security goal is to n-bit plaintext block pi with the key K; similarly prevent a passive eavesdropper with limited DK (ci) denotes the decryption of the ciphertext computational power to learn any informa- ci. The operation rchopj(s) returns the right- tion on the plaintext (except for maybe its most j bits of the string s, and the operation length). This eavesdropper can apply the lchopj(s) returns the leftmost j bits. The sym- following attacks: known plaintext attacks, bol k denotes concatenation of strings and ⊕ de- chosen plaintext attacks and notes addition modulo 2 (exor). chosen ciphertext attacks. Applications need to protect the confidential- 1 The Electronic Code Book ity of strings of arbitrary length. A mode of op- eration of a block cipher is an algorithm which (ECB) Mode specifies how one has to apply an n-bit block ci- The simplest mode is the ECB (Electronic Code- pher to achieve this. One approach is to pad Book) mode. After padding, the plaintext p is the data with a padding algorithm such that the divided into t n-bit blocks p and the block ci- bit-length of the padded string is a multiple t of i pher is applied to each block; the decryption also n bits, and to define a mode which works on t operates on individual blocks (see Fig. 1): n-bit blocks. For example, one always appends a ‘1’-bit followed by as many ‘0’ bits as neces- ci = EK (pi) and pi = DK (ci), i = 1, . . . t . sary to make the length of the resulting string a multiple of n. An alternative is to define a mode Errors in the ciphertext do not propagate beyond of operation that can process data in blocks of the block boundaries (as long as these can be re- j ≤ n bits. covered). However, the ECB mode is the only We first discuss the five modes of operation mode covered in this article which does not hide which have been defined in the FIPS [12] (see patterns (such as repetitions) in the plaintext. also [22]) and ISO/IEC [16] standards: the ECB Usage of this mode should be strongly discour- mode, the CBC mode, the OFB mode, the CTR aged. In the past the ECB mode was sometimes

1 recommended for the encryption of keys; how- a variant of the CBC mode which divides the ever, authenticated encryption would be much plaintext into r parallel streams and applies the better for this application (or the AES key wrap- CBC mode to each of these streams. This re- ping algorithm proposed by NIST). quires however r different I V values. A security proof of the CBC mode (with ran- dom and secret I V ) against an adversary who 2 The Cipher Block Chaining has access to chosen plaintexts has been provided (CBC) mode by Bellare et al. [3]; it shows that if the block ci- pher is secure in the sense that it is hard to dis- The most popular mode of operation of a block tinguish it from a random permutation, the CBC cipher is the CBC (Cipher Block Chaining) mode offers secure encryption in the sense that mode. The plaintext p is divided into t n-bit the ciphertext is random (which implies that it blocks pi. This mode adds (modulo 2) to a plain- does not provide the opponent additional infor- text block the previous ciphertext block and ap- mation on the plaintext). The security result plies the block cipher to this result (see Fig. 2): breaks down if the opponent can obtain approx- imately q = 2n/2 plaintext/ciphertext pairs due ci = EK (pi ⊕ ci−1) to a matching ciphertext attack [18]. This can be pi = DK (ci) ⊕ ci−1 i = 1 . . . t . seen as follows. Note that the ciphertext blocks ci are random n-bit strings. After observing q n- Note that in the CBC mode, the value ci−1 is bit ciphertext blocks, one expects to find approx- used to randomize the plaintext; this couples the imately q2/2n+1 pairs of matching ciphertexts blocks and hides patterns and repetitions. To that is, indices (v, w) with cv = cw (see also the enable the encryption of the first plaintext block birthday paradox). As a block cipher is a permu- (i = 1), one defines c0 as the initial value I V , tation, this implies that the corresponding plain- which should be randomly chosen and transmit- texts are equal, or pv ⊕ cv−1 = pw ⊕ cw−1 which ted securely to the recipient. By varying this can be rewritten as pv ⊕pw = cv−1⊕cw−1. Hence, I V , one can ensure that the same plaintext is each pair of matching ciphertexts leaks the sum encrypted into a different ciphertext under the of two plaintext blocks. To preclude such a leak- same key, which is essential for secure encryp- age, one needs to impose that q  2(n+1)/2 or tion. The I V plays a similar role in the OFB, q = α · 2n/2 where α is a small constant (say CTR and CFB modes. 10−3, which leads to a collision probability of The CBC decryption has a limited error prop- 1 in 2 million). If this limit is reached, one agation: errors in the ith ciphertext block will needs to change the key. Note that the proof garble the ith plaintext block completely, and only considers security against chosen plaintext will be copied into the next plaintext block. The attacks; the CBC mode is not secure if cho- CBC decryption allows for parallelism and ran- sen ciphertext attacks are allowed. The security dom access: if necessary, one can decrypt only against these attacks can be obtained by using a small part of the ciphertext. However, the en- authenticated encryption. cryption mode is a serial operation. To overcome For some applications, the ciphertext should this restriction, ISO/IEC 10116 [16] has defined have exactly the same length as the plaintext,

2 p1 p2 p3

? ? ?

K K K - E - E - E

¡ ¡ ¡

c1 c2 c3 ? ? ?

K K K - D - D - D

¡ ¡ ¡

?p1 ?p2 ?p3

Figure 1: The ECB mode of a block cipher

P P P IV ? 1 ? 2 ? 3 -+ -+ -+ ... ?e ?e e? K- E K- E K- E

¡ ¡ ¡

?C1 ?C2 ?C3

? ? ? K- D K- D K- D

¡ ¡ ¡ IV ? ? ? -+ -+ -+ ... e?P1 e?P2 e?P3

Figure 2: The CBC mode of a block cipher

3 hence padding methods cannot be used. Two 3 The Output FeedBack (OFB) heuristic constructions have been proposed to mode address this problem; they are not without prob- lems (both leak information in a chosen plaintext The OFB mode transforms a block cipher into a setting). A first solution encrypts the last incom- synchronous stream cipher. This mode uses only plete block pt (of j < n bits) in OFB mode (cf. the encryption operation of the block cipher. It Sect. 3): consists of a finite state machine, which is ini- tialized with an n-bit initial value or s = I V . c = p ⊕ rchop (E (c )) . 0 t t j K t−1 The state is encrypted and the encryption result A second solution is known as ciphertext stealing is used as key stream and fed back to the state [21]: one appends the rightmost n−j bits of ct−1 (see also Fig. 3): to the last block of j bits pt, to obtain a new n- bit block: si = EK (si−1) and ci = pi ⊕ si, i = 1, 2,....

ct−1 = EK (pt−1 ⊕ ct−2) Treating an incomplete last block in the OFB mode is very simple: one selects the leftmost m ct = EK (pt k rchopn−j(ct−1)) . bits of the last key word. The OFB mode can For the last two blocks of the ciphertext, one also be applied when the strings pi and ci consist keeps only the leftmost j bits of ct−1 and n bits of m < n bits; in that case one uses only the m of ct. This variant has the disadvantage that the leftmost bits of each key word si. This results in last block needs to be decrypted before the one a performance penalty with a factor n/m. but last block. It is essential for the security of the OFB mode It turns out that the common padding meth- that the key stream does not repeat. It can be ods are vulnerable to side channel attacks that shown that the average period equals n·2n−1 bits require chosen ciphertexts: an attacker who can [14] and that the probability that an n-bit state submit ciphertexts of her choice to a decryption lies on a cycle of length < c is equal to c/2n. oracle can obtain information on the plaintext This implies that after 2n/2 n-bit blocks one can by noting whether or not an error message is distinguish the output of the OFB mode from a returned stating that the padding is incorrect. random string (in a random string one expects to This was first pointed out for symmetric encryp- see repetitions of n-bit blocks after 2n/2 blocks tion by Vaudenay in [24]; further results on con- as a consequence of the birthday paradox, but crete padding schemes can be found in [8, 9, 23]. it is highly unlikely that such repetitions occur The specific choice of the padding rule makes a in an OFB key stream). This suggests that one difference: for example, the simple padding rule should rekey the OFB mode after α · 2n/2 n-bit described in the introduction seems less vulner- blocks for a small constant α. A repetition could able. Moreover, the implementation can to some also be induced in a different way: if I V is cho- extent preclude these attacks, for example by in- sen uniformly at random for every message, the terrupting the session after a few padding er- birthday paradox implies that I V values will re- rors. However, the preferred solution is the use peat with high probability after approximately of authenticated encryption. 2n/2 messages. The impact of such a repetition

4   ?n ?n

K K - E - E

¡ ¡ n n ? ? select select m m plaintext- ? - ? plaintextciphertext - g g Figure 3: The m-bit OFB mode of an n-bit block cipher is dramatic, since it will leak the sum of all the 4 The CounTeR (CTR) mode plaintext blocks of the two messages encrypted with this I V value (for simplicity it is assumed The CTR mode is another way to transform a here that all messages have equal length). block cipher into a synchronous stream cipher. As the OFB mode, this mode only use the en- cryption operation of the block cipher. It con- The main advantage of the OFB mode is that sists of a finite state machine, which is initialized it has no error propagation: errors in the ith ci- with an n-bit integer I V . The state is encrypted phertext bit will only affect the ith plaintext bit. to obtain the key stream; the state is updated as The OFB mode does not allow for parallelism or a counter mod2n (see also Fig. 4): random access. n ci = pi ⊕ EK (< (I V + i) mod 2 ) >) , It can be shown that the OFB mode is secure i = 1, 2,... against chosen plaintext attacks if the block ci- The mapping < . > converts an n-bit integer to pher is secure in the sense that it is hard to dis- an n-bit string. The processing of an incomplete tinguish it from a random permutation. The final block or of shorter blocks is the same as for proof requires that one changes the key after the OFB mode. α · 2n/2 n-bit blocks for small α (say 10−3). The period of the key stream is exactly n · 2n bits. This implies that after 2n/2 n-bit blocks Note that an early draft of [12] included a vari- one can distinguish the output of the CTR mode ant of the OFB mode were only m < n bits were from a random string (as for the OFB mode). fed back to the state, which acted as a shift regis- This suggests that one should rekey the CTR ter. However, this variant of the OFB mode has mode after α · 2n/2 n-bit blocks for a small con- an average period of about n·2n/2 bits [11]. This stant α. A repeating value of I V has the same variant was removed because of this weakness. risks as for the OFB mode.

5 counter counter ?n ?n

K K - E - E

¡ ¡ n n ? ? select select m m plaintext- ? - ? plaintextciphertext - g g Figure 4: The m-bit CTR mode of an n-bit block cipher

As the OFB mode, the CTR mode has no error Fig. 5): propagation. Moreover the CTR mode allows for parallelism and for random access in both ci = pi ⊕ lchopm (EK (si−1)) , encryption and decryption. si = lchopn−m(si−1) k ci, i = 1, 2,... It can be shown that the CTR mode is secure Treating an incomplete last block in the CFB against chosen plaintext attacks if the block ci- mode is very simple: one selects the required pher is secure in the sense that it is hard to number of bits from the output of the block ci- distinguish it from a random permutation [3]. pher. The CFB mode is a factor n/m times Again it is recommended to change the key after slower than the CBC mode, since only m bits n/2 −3 α · 2 n-bit blocks for small α (say 10 ). are used per encryption operation. In practice one often uses m = 1 and m = 8; this results in a significant speed penalty. 5 The Cipher FeedBack (CFB) It can be shown that the CFB mode is secure against chosen plaintext attacks if the block ci- mode pher is secure in the sense that it is hard to distinguish it from a random permutation. A The CFB mode transforms a block cipher into matching ciphertext attack also applies to the a self-synchronizing stream cipher. As the OFB CFB mode (cf. Sect. 2) [19]; the analysis is more and CTR mode, this mode only uses the encryp- complex since one can now consider n-bit cipher- tion operation of the block cipher. It consists of text blocks which are shifted over m positions. a finite state machine, which is initialized with To preclude leakage of information on the plain- an n-bit initial value s0 = I V . The state is en- texts one needs to impose that the number q of crypted and the leftmost m bits of the result are m-bit ciphertext blocks to which an opponent added to the m-bit plaintext block; the result- has access satisfies q  2(n+1)/2 or q = α · 2n/2 ing ciphertext is fed back to the state (see also where α is a small constant (say 10−3). If this

6 shift reg.  shift reg.  m ?n m ?n

K K - E - E

¡ ¡ ?n ?n select select m m plaintext- ? - ? plaintextciphertext - g g Figure 5: The m-bit CFB mode of an n-bit block cipher limit is reached, one needs to change the key. state always contains eight ‘1’ bits. A second ex- The CFB decryption has a limited error prop- tension allows for a larger state s (for example agation: errors in the ith ciphertext block will of r · n bits). This allows for parallel processing be copied into the ith plaintext block; about n (with r processors) in the CFB encryption, at subsequent plaintext bits will be completely gar- the cost of r I V s, a delayed error propagation bled, since the error will stay for n/m steps in and a slower synchronization. the state register s. From then on the decryp- Yet another variant of the CFB mode [1] im- tion will recover. Moreover, if a multiple of m proves the efficiency by using all the bits of bits of the ciphertext are lost, synchronization EK (si−1). A new encryption is only calculated will return as soon as n consecutive correct ci- if all bits of the n-bit block have been used or if phertext bits have been received. Particularly a specific pattern of fixed length is observed in when m = 1, this is very attractive, since this the ciphertext. The latter property allows resyn- allows for a recovery after loss of an arbitrary chronization: the shorter the pattern, the faster number of bits. The CFB decryption allows for the resynchronization, but the slower the perfor- random access and parallel processing, but the mance. encryption process is serial. ISO/IEC 10116 [16] specifies two extensions 6 Other Modes of Operation of the CFB mode: a first extension allows to en- crypt plaintext blocks of length m0 < m; m − m0 In the early 1990s, modes for ‘1’ bits are then prepended to the ciphertext ci multiple encryption of DES were analyzed. before feeding it back to the state. This mode The simplest solution is to replace DES by offers a better speed, but increases the risk of triple-DES and to use triple-DES in one of the a matching ciphertext attack. For example, if five modes discussed above. For triple-DES, n = 64, m = 8, and m0 = 7, on expects repeti- these solutions are known as the outer modes tions of the state after 228 blocks, since the 64-bit [17]. However, their disadvantage is that one

7 can only encrypt α · 2n/2 blocks with a single that it seems possible to improve significantly key for small α (for example due to matching over the matching ciphertext attacks. However, ciphertext attacks on CBC and CFB mode). the security results strongly depend on the This motivated research on inner modes, also model, security proofs have not been found so known as interleaved or combined modes, far and the resulting schemes are rather slow. where the modes themselves are considered It seems more appropriate to upgrade DES to as primitives (e.g., inner-CBC for triple-DES AES. consists of three layers of single-DES in CBC A second area of research is on how to en- mode). Biham has analyzed all the 36 double crypt plaintexts from finite sets, which are not and 216 triple interleaved modes [4, 5], where necessarily of size 2n; this problem is partially each layer consists of ECB, OFB, CBC, CFB addressed by Davies and Price in [11]; a formal and the inverses of CBC and CFB. His goal is treatment has been developed by Black and Ro- to recover the secret key (total break). He notes gaway in [7]. that by allowing chosen plaintext and chosen ciphertext attacks, “all triple modes of operation References are theoretically not much more secure than a single encryption.” The most secure schemes in [1] A. Alkassar, A. Geraldy, B. Pfitzmann, A.- 67 this class require for DES 2 chosen plaintexts R. Sadeghi, “Optimized self-synchronizing 75 66 or ciphertexts, 2 encryptions, and 2 storage. mode of operation,” Fast Software En- Biham also proposes a small set of triple modes, cryption, Lecture Notes in Computer Sci- where a single key stream is generated in OFB ence 2355, M. Matsui, Ed., Springer-Verlag, mode and exored before every encryption and 2002, pp. 78–91. after the last encryption and a few quadruple [2] ANSI X9.52, “Triple Data Encryption Al- modes [4] with a higher conjectured security. gorithm Modes of Operation,” 1998. However, Wagner has shown that if one allows [3] M. Bellare, A. Desai, E. Jokipii, P. Ro- chosen ciphertext/chosen I V attacks, the se- gaway, “A concrete security treatment of curity of all but two of these improved modes symmetric encryption,” Proceedings 38th with DES can be reduced to 256 encryptions Annual Symposium on Foundations of and between 2 and 232 chosen chosen-I V texts Computer Science, FOCS ’97 IEEE Com- [25]. A further analysis of the influence of the puter Society, 1997, pp. 394–403. constraints on the I V s has been provided by Handschuh and Preneel [15]. The ANSI X9.52 [4] E. Biham, “Cryptanalysis of triple-modes standard [2] has opted for the outer modes of of operation,” Technion Technical Report triple-DES. Coppersmith et al. propose the CS0885, 1996. CBCM mode [10], which is a quadruple mode; [5] E. Biham, “Cryptanalysis of triple modes of this mode has also been included in ANSI X9.52. operation,” Journal of Cryptology, Vol. 12, Biham and Knudsen present a certificational No. 3, 1999, pp. 161–184. attack on this mode with DES requiring 265 [6] E. Biham, L.R. Knudsen, “Cryptanalysis of chosen ciphertexts and memory that requires the ANSI X9.52 CBCM mode,” Journal of 258 encryptions [6]. In conclusion, one can state Cryptology, Vol. 15, No. 1, 2002, pp. 47–59.

8 [7] J. Black, P. Rogaway, “Ciphers with arbi- J. Stern, Ed., Springer-Verlag, 1999, trary finite domains,” Topics in Cryptology pp. 329–354. – CT-RSA 2002, LNCS 2271, B. Preneel, [15] H. Handschuh, B. Preneel, “On the se- Ed., Springer-Verlag, 2002, pp. 114–130. curity of double and 2-key triple modes [8] J. Black, H. Urtubia, “Sidechannel attacks of operation,” Fast Software Encryption, on symmetric encryption schemes: the case LNCS 1636, L.R. Knudsen, Ed., Springer- for authenticated encryption,” Proceedings Verlag, 1999, pp. 215–230. of the 11th USENIX Security Symposium, [16] ISO/IEC 10116, “Information technology – 2002, pp. 327–338. Security techniques – Modes of operation of [9] B. Canvel, A. P. Hiltgen, S. Vaudenay, an n-bit block cipher algorithm,” IS 10116, M. Vuagnoux, “Password interception in 1991. a SSL/TLS channel,” Advances in Cryp- [17] B. S. Kaliski, M.J.B. Robshaw, “Multiple tology, Proceedings Crypto’03, LNCS 2729, encryption: Weighing security and perfor- D. Boneh, Ed., Springer-Verlag, 2003, mance,” Dr. Dobb’s Journal, January 1996, pp. 583–599. pp. 123–127. [10] D. Coppersmith, D.B. Johnson, [18] L. Knudsen, “Block Ciphers – Analysis, De- S.M. Matyas, “A proposed mode for sign and Applications,” PhD thesis, Aarhus triple-DES encryption,” IBM Journal of University, Denmark, 1994. Research and Development, Vol. 40, No. 2, 1996, pp. 253–262. [19] U.M. Maurer, “New approaches to the de- sign of self-synchronizing stream ciphers,” [11] D.W. Davies, W.L. Price, “Security for Advances in Cryptology, Proceedings Eu- Computer Networks. An Introduction to rocrypt’91, LNCS 547, D.W. Davies, Ed., Data Security in Teleprocessing and Elec- Springer-Verlag, 1991, pp. 458–471. tronic Funds Transfer,” (Second Edition), Wiley, 1989. [20] A. Menezes, P.C. van Oorschot, S. Van- [12] FIPS 81, “DES Modes of Operation,” stone, “Handbook of Applied Cryptography”, Federal Information Processing Standard CRC Press, 1998. (FIPS), Publication 81, National Bureau of [21] C.H. Meyer, S.M. Matyas, “Cryptography: Standards, US Department of Commerce, A New Dimension in Data Security,” Wiley Washington D.C., December 1980. & Sons, 1982. [13] FIPS 197, “Advanced Encryption Stan- [22] NIST, “SP 800-38A Recommendation for dard (AES),” Federal Information Process- Block Cipher Modes of Operation – Meth- ing Standard (FIPS), Publication 197, Na- ods and Techniques,” December 2001. tional Institute of Standards and Technol- [23] K.G. Paterson, A. Yau, “Padding oracle ogy, US Department of Commerce, Wash- attacks on the ISO CBC mode encryp- ington D.C., November 26, 2001. tion standard,” Topics in Cryptology – The [14] P. Flajolet, A.M. Odlyzko, “Random map- Cryptographers’ Track at the RSA Con- ping statistics,” Advances in Cryptol- ference, LNCS 2964, T. Okamoto, Ed., ogy, Proceedings Eurocrypt’99, LNCS 1592, Springer-Verlag, 2004, pp. 305–323.

9 [24] S. Vaudenay, “Security flaws induced by CBC padding – Applications to SSL, IPSEC, WTLS . . . ,” Advances in Cryptol- ogy, Proceedings Eurocrypt’02, LNCS 2332, L. Knudsen, Ed., Springer-Verlag, 2002, pp. 534–546. [25] D. Wagner, “Cryptanalysis of some recently-proposed multiple modes of operation,” Fast Software Encryption, LNCS 1372, S. Vaudenay, Ed., Springer- Verlag, 1998, pp. 254–269.

10