Pi = Plaintext block i
Ci = Ciphertext block i
EK = Encryption using key K
DK = Decryption using key K
Requires padding so the message is a whole number of blocks
For example: append a 1 bit, then as many 0 bits as needed to reach a multiple of the block size; apply it to every message (a full extra block when the length is already a multiple) so the receiver can strip it unambiguously
Never use ECB -- identical plaintext blocks give identical ciphertext blocks, so repetition and structure in the plaintext show through in the ciphertext
Cipher Block Chaining (CBC) Mode
CBC encryption
CBC decryption
Pi = Plaintext block i
Ci = Ciphertext block i
EK = Encryption using key K
DK = Decryption using key K
IV = Initialization vector
+ = Bitwise exclusive-OR (modulo-2 addition)
Similar to ECB, except each plaintext block is XORed with the previous ciphertext block before encryption, so repeated plaintext blocks no longer produce repeated ciphertext blocks
Requires padding (same as ECB)
Requires an initialization vector (IV) to randomize the first plaintext block
Random IV
IV = fresh random block, unpredictable to the attacker (unique is not enough for CBC)
Must send IV as an additional block before first ciphertext block
Nonce-generated IV
Each message has a unique number, a nonce (number used once), that both sides know
For example, nonce = message sequence number
IV = EK(nonce), not the nonce itself: a predictable IV such as a bare counter lets an attacker who can submit chosen plaintexts test guesses about the first block of earlier messages
If two messages use the same IV (nonce) under the same key, CBC mode leaks how long a prefix the two plaintexts share: their ciphertexts agree for exactly as many leading blocks as the plaintexts do
Output Feedback (OFB) Mode
OFB encryption
OFB decryption
Xi = Keystream block i
Pi = Plaintext block i
Ci = Ciphertext block i
EK = Encryption using key K
IV = Initialization vector
+ = Bitwise exclusive-OR (modulo-2 addition)
A true stream cipher
Next keystream block generated by encrypting previous keystream block
Does not require using the decryption algorithm
Does not require padding; just discard unneeded portion of last keystream block
Requires an initialization vector (IV) to use as X0; it must be unique per message under a key (a nonce will do directly, unpredictability is not needed as it is for CBC)
If two messages use the same IV (nonce), OFB mode reuses the whole keystream, so C1 XOR C2 = P1 XOR P2 and one known plaintext reveals the other entirely
OFB mode also has the possibility of keystream block collisions: once some Xj equals an earlier Xi (expected after about 2^(n/2) blocks for an n-bit block), the keystream cycles and repeats, which leaks information the same way
Cipher Feedback (CFB) Mode
CFB encryption
CFB decryption
Xi = Keystream block i
Pi = Plaintext block i
Ci = Ciphertext block i
EK = Encryption using key K
IV = Initialization vector
+ = Bitwise exclusive-OR (modulo-2 addition)
Same as OFB mode, except . . .
Next keystream block generated by encrypting previous ciphertext block
Little practical advantage over OFB mode for bulk encryption (CFB decryption can be parallelized and resynchronizes after a lost ciphertext block, but encryption is still sequential)
Can be used in a different way to encrypt the plaintext one bit or one byte at a time
This requires more applications of the encryption function
This is mainly used for encryption/decryption of a data stream in hardware
Counter (CTR) Mode
CTR encryption
CTR decryption
Xi = Keystream block i
Pi = Plaintext block i
Ci = Ciphertext block i
EK = Encryption using key K
IV = Initialization vector
|| = Concatenation
+ = Bitwise exclusive-OR (modulo-2 addition)
A true stream cipher
Next keystream block generated by encrypting a counter block
Does not require padding; just discard unneeded portion of last keystream block
Every plaintext block of every message encrypted using a certain key K must use a different counter block; a repeated (nonce, block number) pair under one key repeats keystream
For example, counter block i = IV (nonce) concatenated with block number (i)
Successive counter blocks typically differ in just one, or just a few, bit positions
But a good block cipher will still yield completely different ciphertexts
Flipping one bit of the block cipher input (here, the counter block) should cause each output bit to behave like a random coin toss
About half the output bit positions, a random-looking subset, end up the same, and the other half end up different
Avalanche effect
If two messages use the same IV (nonce), CTR mode leaks information about the entire plaintexts of both messages
CTR mode does not have the possibility of keystream block collisions (assuming unique counter blocks): EK is a permutation, so distinct counter blocks always give distinct keystream blocks. This very absence of repeats becomes detectable after about 2^(n/2) blocks, one reason to limit the data encrypted under one key
Unlike CBC, OFB, and CFB modes, CTR mode can encrypt plaintext blocks in parallel
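Worked example (added here; not code from the slides): all five modes above, ECB, CBC, OFB, CFB and CTR, over one toy block cipher, together with the ECB pattern leak, the CBC IV-reuse prefix leak and the OFB/CTR keystream-reuse leak described in the text. The 4-round Feistel "cipher" built on HMAC-SHA256 is an assumed stand-in for AES so the code runs with the Python standard library only; it is a permutation on 16-byte blocks, which is all the modes need, but it is not a vetted cipher. The padding is the byte-oriented form of the 1-then-0 scheme from the ECB section, the CTR counter block is nonce || block number as in the CTR section, and the fixed key, IV and sample messages are constructed for illustration.

```python
import hmac
import hashlib

BLOCK = 16  # block size in bytes; the CTR nonce is BLOCK // 2 bytes

def xor(a, b):
    # Bitwise XOR truncated to the shorter input (handles a partial last block)
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Feistel round function: HMAC-SHA256 under K, domain-separated by round number
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def EK(key, block):
    """Toy 4-round Feistel permutation on one 16-byte block (assumed stand-in for AES)."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        L, R = R, xor(L, _round(key, i, R))
    return L + R

def DK(key, block):
    """Inverse of EK: undo the rounds in reverse order."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(key, i, L)), L
    return L + R

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(msg):
    """1-then-0 padding, byte-oriented (0x80 then 0x00s); always applied so unpad is unambiguous."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad(padded):
    return padded[:padded.rindex(b"\x80")]

def ecb_encrypt(key, msg):
    return b"".join(EK(key, p) for p in blocks(pad(msg)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(DK(key, c) for c in blocks(ct)))

def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for p in blocks(pad(msg)):
        prev = EK(key, xor(p, prev))  # C_i = E_K(P_i + C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(DK(key, c), prev))  # P_i = D_K(C_i) + C_{i-1}
        prev = c
    return unpad(b"".join(out))

def ofb_crypt(key, iv, data):
    """OFB: X_i = E_K(X_{i-1}), X_0 = IV; encryption and decryption are the same operation."""
    out, x = [], iv
    for p in blocks(data):
        x = EK(key, x)
        out.append(xor(p, x))
    return b"".join(out)

def cfb_encrypt(key, iv, data):
    """CFB: X_i = E_K(C_{i-1}), C_0 = IV."""
    out, prev = [], iv
    for p in blocks(data):
        prev = xor(p, EK(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor(c, EK(key, prev)))
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR: counter block i = nonce || i; blocks are independent, so any block can be processed alone."""
    return b"".join(xor(p, EK(key, nonce + i.to_bytes(BLOCK // 2, "big")))
                    for i, p in enumerate(blocks(data)))

def cbc_iv_reuse_leak(key, iv, m1, m2):
    """Same key and IV twice: returns how many leading blocks an eavesdropper learns are equal."""
    c1, c2 = blocks(cbc_encrypt(key, iv, m1)), blocks(cbc_encrypt(key, iv, m2))
    return next((i for i, (a, b) in enumerate(zip(c1, c2)) if a != b), min(len(c1), len(c2)))

def keystream_reuse_leak(crypt, key, nonce, known, unknown):
    """OFB/CTR with a repeated nonce: C1 + C2 = P1 + P2, so one known plaintext reveals the other."""
    c1, c2 = crypt(key, nonce, known), crypt(key, nonce, unknown)
    return xor(xor(c1, c2), known)
```

The two leak functions deliberately reuse a fixed IV or nonce to make the text's warnings concrete; production code derives the CBC IV as EK(nonce) or draws a fresh random block, and never lets a CTR or OFB nonce repeat under one key. Note also that the keystream modes return ciphertext of exactly the plaintext length, while ECB and CBC always grow the output by padding.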