
Modes of Operation of a Block Cipher

B. Preneel, K.U.Leuven, Belgium

An $n$-bit block cipher with a $k$-bit key is a set of $2^k$ bijections on $n$-bit strings. A block cipher is a flexible building block; it can be used for encryption and authenticated encryption, and to construct MAC algorithms and hash functions.

When a block cipher is used for confidentiality protection, the security goal is to prevent a passive eavesdropper with limited computational power from learning any information on the plaintext (except for maybe its length). This eavesdropper can apply the following attacks: known plaintext attacks, chosen plaintext attacks and chosen ciphertext attacks.

Applications need to protect the confidentiality of strings of arbitrary length. A mode of operation of a block cipher is an algorithm which specifies how one has to apply an $n$-bit block cipher to achieve this. One approach is to pad the data with a padding algorithm such that the bit-length of the padded string is a multiple $t$ of $n$ bits, and to define a mode which works on $t$ $n$-bit blocks. For example, one always appends a '1' bit followed by as many '0' bits as necessary to make the length of the resulting string a multiple of $n$. An alternative is to define a mode of operation that can process data in blocks of $j \le n$ bits.

We first discuss the five modes of operation which have been defined in the FIPS [12] (see also [22]) and ISO/IEC [16] standards: the ECB mode, the CBC mode, the OFB mode, the CTR mode, and the CFB mode. Next we discuss some alternative modes that have been defined for triple-DES and modes which allow one to encrypt values from finite sets.

We use the following notation: $E_K(p_i)$ denotes the encryption with a block cipher of the $n$-bit plaintext block $p_i$ with the key $K$; similarly $D_K(c_i)$ denotes the decryption of the ciphertext $c_i$. The operation $\mathrm{rchop}_j(s)$ returns the rightmost $j$ bits of the string $s$, and the operation $\mathrm{lchop}_j(s)$ returns the leftmost $j$ bits. The symbol $\|$ denotes concatenation of strings and $\oplus$ denotes addition modulo 2 (exor).

1 The Electronic Code Book (ECB) Mode

The simplest mode is the ECB (Electronic CodeBook) mode. After padding, the plaintext $p$ is divided into $t$ $n$-bit blocks $p_i$ and the block cipher is applied to each block; the decryption also operates on individual blocks (see Fig. 1):

$$c_i = E_K(p_i) \quad \text{and} \quad p_i = D_K(c_i), \qquad i = 1, \ldots, t.$$

Errors in the ciphertext do not propagate beyond the block boundaries (as long as these can be recovered). However, the ECB mode is the only mode covered in this article which does not hide patterns (such as repetitions) in the plaintext. Usage of this mode should be strongly discouraged. In the past the ECB mode was sometimes recommended for the encryption of keys; however, authenticated encryption would be much better for this application (or the AES key wrapping algorithm proposed by NIST).

Figure 1: The ECB mode of a block cipher

2 The Cipher Block Chaining (CBC) mode

The most popular mode of operation of a block cipher is the CBC (Cipher Block Chaining) mode. The plaintext $p$ is divided into $t$ $n$-bit blocks $p_i$. This mode adds (modulo 2) to a plaintext block the previous ciphertext block and applies the block cipher to this result (see Fig. 2):

$$c_i = E_K(p_i \oplus c_{i-1}), \qquad p_i = D_K(c_i) \oplus c_{i-1}, \qquad i = 1, \ldots, t.$$

Note that in the CBC mode, the value $c_{i-1}$ is used to randomize the plaintext; this couples the blocks and hides patterns and repetitions. To enable the encryption of the first plaintext block ($i = 1$), one defines $c_0$ as the initial value $IV$, which should be randomly chosen and transmitted securely to the recipient. By varying this $IV$, one can ensure that the same plaintext is encrypted into a different ciphertext under the same key, which is essential for secure encryption. The $IV$ plays a similar role in the OFB, CTR and CFB modes.

The CBC decryption has a limited error propagation: errors in the $i$th ciphertext block will garble the $i$th plaintext block completely, and will be copied into the next plaintext block. The CBC decryption allows for parallelism and random access: if necessary, one can decrypt only a small part of the ciphertext. However, the encryption mode is a serial operation. To overcome this restriction, ISO/IEC 10116 [16] has defined a variant of the CBC mode which divides the plaintext into $r$ parallel streams and applies the CBC mode to each of these streams. This requires, however, $r$ different $IV$ values.

A security proof of the CBC mode (with random and secret $IV$) against an adversary who has access to chosen plaintexts has been provided by Bellare et al. [3]; it shows that if the block cipher is secure in the sense that it is hard to distinguish it from a random permutation, the CBC mode offers secure encryption in the sense that the ciphertext is random (which implies that it does not provide the opponent additional information on the plaintext). The security result breaks down if the opponent can obtain approximately $q = 2^{n/2}$ plaintext/ciphertext pairs, due to a matching ciphertext attack [18]. This can be seen as follows. Note that the ciphertext blocks $c_i$ are random $n$-bit strings. After observing $q$ $n$-bit ciphertext blocks, one expects to find approximately $q^2/2^{n+1}$ pairs of matching ciphertexts, that is, indices $(v, w)$ with $c_v = c_w$ (see also the birthday paradox). As a block cipher is a permutation, this implies that the corresponding block cipher inputs are equal, or $p_v \oplus c_{v-1} = p_w \oplus c_{w-1}$, which can be rewritten as $p_v \oplus p_w = c_{v-1} \oplus c_{w-1}$. Hence, each pair of matching ciphertexts leaks the sum of two plaintext blocks. To preclude such a leakage, one needs to impose that $q \ll 2^{(n+1)/2}$, or $q = \alpha \cdot 2^{n/2}$ where $\alpha$ is a small constant (say $10^{-3}$, which leads to a collision probability of 1 in 2 million). If this limit is reached, one needs to change the key. Note that the proof only considers security against chosen plaintext attacks; the CBC mode is not secure if chosen ciphertext attacks are allowed. The security against these attacks can be obtained by using authenticated encryption.

Figure 2: The CBC mode of a block cipher

For some applications, the ciphertext should have exactly the same length as the plaintext, hence padding methods cannot be used. Two heuristic constructions have been proposed to address this problem; they are not without problems (both leak information in a chosen plaintext setting). A first solution encrypts the last incomplete block $p_t$ (of $j < n$ bits) in OFB mode (cf. Sect. 3):

$$c_t = p_t \oplus \mathrm{rchop}_j\bigl(E_K(c_{t-1})\bigr).$$

A second solution is known as ciphertext stealing [21]: one appends the rightmost $n-j$ bits of $c_{t-1}$ to the last block of $j$ bits $p_t$, to obtain a new $n$-bit block:

$$c_{t-1} = E_K(p_{t-1} \oplus c_{t-2}), \qquad c_t = E_K\bigl(p_t \,\|\, \mathrm{rchop}_{n-j}(c_{t-1})\bigr).$$

For the last two blocks of the ciphertext, one keeps only the leftmost $j$ bits of $c_{t-1}$ and the $n$ bits of $c_t$. This variant has the disadvantage that the last block needs to be decrypted before the last but one block.

It turns out that the common padding methods are vulnerable to side channel attacks that require chosen ciphertexts: an attacker who can submit ciphertexts of her choice to a decryption oracle can obtain information on the plaintext by noting whether or not an error message is returned stating that the padding is incorrect.

3 The Output FeedBack (OFB) mode

The OFB mode transforms a block cipher into a synchronous stream cipher. This mode uses only the encryption operation of the block cipher. It consists of a finite state machine, which is initialized with an $n$-bit initial value, or $s_0 = IV$. The state is encrypted and the encryption result is used as key stream and fed back to the state (see also Fig. 3):

$$s_i = E_K(s_{i-1}) \quad \text{and} \quad c_i = p_i \oplus s_i, \qquad i = 1, 2, \ldots$$

Treating an incomplete last block in the OFB mode is very simple: one selects the leftmost $m$ bits of the last key word. The OFB mode can also be applied when the strings $p_i$ and $c_i$ consist of $m < n$ bits; in that case one uses only the $m$ leftmost bits of each key word $s_i$. This results in a performance penalty by a factor $n/m$.

It is essential for the security of the OFB mode that the key stream does not repeat. It can be shown that the average period equals $n \cdot 2^{n-1}$ bits [14] and that the probability that an $n$-bit state lies on a cycle of length $< c$ is equal to $c/2^n$. This implies that after $2^{n/2}$ $n$-bit blocks one can distinguish the output of the OFB mode from a