## Block Ciphers Modes of Operation

The modes of operation of block ciphers are configuration methods that allow those ciphers to work with large data streams, without the risk of compromising the provided security.

It is not recommended, however it is possible while working with block ciphers, to use the same secret key bits for encrypting the same plaintext parts. Using one deterministic algorithm for a number of identical input data, results in some number of identical ciphertext blocks.

This is a very dangerous situation for the cipher's users. An intruder would be able to get much information by knowing the distribution of identical message parts, even if he would not be able to break the cipher and discover the original messages.

Luckily, there exist ways to blur the cipher output. The idea is to mix the plaintext blocks (which are known) with the ciphertext blocks (which have been just created), and to use the result as the cipher input for the next blocks. As a result, the user avoids creating identical output ciphertext blocks from identical plaintext data. These modifications are called the block cipher modes of operations.

### ECB (Electronic Codebook) Mode

It is the simplest mode of encryption. Each plaintext block is encrypted separately. Similarly, each ciphertext block is decrypted separately. Thus, it is possible to encrypt and decrypt by using many threads simultaneously. However, in this mode the created ciphertext is not blurred.

A typical example of weakness of encryption using ECB mode is encoding a bitmap image (for example a .bmp file). Even a strong encryption algorithm used in ECB mode cannot blur efficiently the plaintext.

A message that is encrypted using the ECB mode should be extended until a size that is equal to an integer multiple of the single block length. A popular method of aligning the length of the last block is about appending an additional bit equal to 1 and then filling the rest of the block with bits equal to 0. It allows to determine precisely the end of the original message. There exist more methods of aligning the message size.

Apart from revealing the hints regarding the content of plaintext, the ciphers that are used in ECB mode are also more vulnerable to replay attacks.

### CBC (Cipher-Block Chaining) Mode

The CBC encryption mode was invented in IBM in 1976. This mode is about adding XOR each plaintext block to the ciphertext block that was previously produced. The result is then encrypted using the cipher algorithm in the usual way. As a result, every subsequent ciphertext block depends on the previous one. The first plaintext block is added XOR to a random initialization vector (commonly referred to as IV). The vector has the same size as a plaintext block.

Encryption in CBC mode can only be performed by using one thread. Despite this disadvantage, this is a very popular way of using block ciphers. CBC mode is used in many applications.

During decrypting of a ciphertext block, one should add XOR the output data received from the decryption algorithm to the previous ciphertext block. Because the receiver knows all the ciphertext blocks just after obtaining the encrypted message, he can decrypt the message using many threads simultaneously.

If one bit of a plaintext message is damaged (for example because of some earlier transmission error), all subsequent ciphertext blocks will be damaged and it will be never possible to decrypt the ciphertext received from this plaintext. As opposed to that, if one ciphertext bit is damaged, only two received plaintext blocks will be damaged. It might be possible to recover the data.

A message that is to be encrypted using the CBC mode, should be extended till the size that is equal to an integer multiple of a single block length (similarly, as in the case of using the ECB mode).

### Security of the CBC mode

The initialization vector IV should be created randomly by the sender. During transmission it should be concatenated with ciphertext blocks, to allow decryption of the message by the receiver. If an intruder could predict what vector would be used, then the encryption would not be resistant to chosen-plaintext attacks:

In the example presented above, if the intruder is able to predict that the vector IV_{1} will be used by the attacked system to produce the response c_{1}, they can guess which one of the two encrypted messages m_{0} or m_{1} is carried by the response c_{1}. This situation breaks the rule that the intruder shouldn't be able to distinguish between two ciphertexts even if they have chosen both plaintexts. Therefore, the attacked system is vulnerable to chosen-plaintext attacks.

If the vector IV is generated based on non-random data, for example the user password, it should be encrypted before use. One should use a separate secret key for this activity.

The initialization vector IV should be changed after using the secret key a number of times. It can be shown that even properly created IV used too many times, makes the system vulnerable to chosen-plaintext attacks. For AES cipher it is estimated to be 2^{48} blocks, while for 3DES it is about 2^{16} plaintext blocks.

### PCBC (Propagating or Plaintext Cipher-Block Chaining) Mode

The PCBC mode is similar to the previously described CBC mode. It also mixes bits from the previous and current plaintext blocks, before encrypting them. In contrast to the CBC mode, if one ciphertext bit is damaged, the next plaintext block and all subsequent blocks will be damaged and unable to be decrypted correctly.

In the PCBC mode both encryption and decryption can be performed using only one thread at a time.

### CFB (Cipher Feedback) Mode

The CFB mode is similar to the CBC mode described above. The main difference is that one should encrypt ciphertext data from the previous round (so not the plaintext block) and then add the output to the plaintext bits. It does not affect the cipher security but it results in the fact that the same encryption algorithm (as was used for encrypting plaintext data) should be used during the decryption process.

If one bit of a plaintext message is damaged, the corresponding ciphertext block and all subsequent ciphertext blocks will be damaged. Encryption in CFB mode can be performed only by using one thread.

On the other hand, as in CBC mode, one can decrypt ciphertext blocks using many threads simultaneously. Similarly, if one ciphertext bit is damaged, only two received plaintext blocks will be damaged.

As opposed to the previous block cipher modes, the encrypted message doesn't need to be extended till the size that is equal to an integer multiple of a single block length.

### OFB (Output Feedback) Mode

Algorithms that work in the OFB mode create keystream bits that are used for encryption subsequent data blocks. In this regard, the way of working of the block cipher becomes similar to the way of working of a typical stream cipher.

Because of the continuous creation of keystream bits, both encryption and decryption can be performed using only one thread at a time. Similarly, as in the CFB mode, both data encryption and decryption uses the same cipher encryption algorithm.

If one bit of a plaintext or ciphertext message is damaged (for example because of a transmission error), only one corresponding ciphertext or respectively plaintext bit is damaged as well. It is possible to use various correction algorithms to restore the previous value of damaged parts of the received message.

The biggest drawback of OFB is that the repetition of encrypting the initialization vector may produce the same state that has occurred before. It is an unlikely situation but in such a case the plaintext will start to be encrypted by the same data as previously.

### CTR (Counter) Mode

Using the CTR mode makes block cipher way of working similar to a stream cipher. As in the OFB mode, keystream bits are created regardless of content of encrypting data blocks. In this mode, subsequent values of an increasing counter are added to a nonce value (the nonce means a number that is unique: number used once) and the results are encrypted as usual. The nonce plays the same role as initialization vectors in the previous modes.

It is one of the most popular block ciphers modes of operation. Both encryption and decryption can be performed using many threads at the same time.

If one bit of a plaintext or ciphertext message is damaged, only one corresponding output bit is damaged as well. Thus, it is possible to use various correction algorithms to restore the previous value of damaged parts of received messages.

The CTR mode is also known as the SIC mode (Segment Integer Counter).

### Security of the CTR mode

As in the case of the CBC mode, one should change the secret key after using it for encrypting a number of sent messages. It can be proved that the CTR mode generally provides quite good security and that the secret key needs to be changed less often than in the CBC mode.

For example, for the AES cipher the secret key should be changed after about 2^{64} plaintext blocks.