Modes of Operations of Block Ciphers

Definition

A mode of operation is a standardized method for using a block cipher to encrypt or decrypt data larger than the cipher’s fixed block size, by specifying how successive blocks are processed, chained, randomized, and possibly authenticated.

In simple terms, a block cipher is the core encryption engine, and the mode of operation is the rulebook that tells us how to use that engine safely on real messages.

For example:

  • AES encrypts 128-bit blocks.
  • A file or network message may be thousands of bits long.
  • A mode such as CBC, CTR, or GCM explains how AES should handle the whole message block by block.

Without a mode, block ciphers would be limited to only one block of data and would be insecure or impractical for most applications.


Main Content

1. Electronic Codebook (ECB) Mode

Basic idea

  • Each plaintext block is encrypted independently using the same key. If two plaintext blocks are identical, their ciphertext blocks will also be identical.

Characteristics and weaknesses

  • ECB is simple and fast, but it reveals data patterns because repeated plaintext produces repeated ciphertext. This makes it unsuitable for structured data such as images, text files, or database records where block repetition is common.

ECB is the most straightforward mode, but also the least secure for most practical uses. It does not use an initialization vector, nonce, or chaining mechanism. That means every block is treated independently. While this independence makes ECB highly parallelizable, it also means that an attacker can detect patterns in the encrypted output. A famous illustration is the encryption of an image where the outline remains visible because identical blocks encrypt to identical ciphertext blocks.

Example:
If the plaintext blocks are:

  • P1 = AAAA
  • P2 = BBBB
  • P3 = AAAA

Then in ECB:

  • C1 = E(K, P1)
  • C2 = E(K, P2)
  • C3 = E(K, P3)

Since P1 = P3, we get C1 = C3. This leaks information.

Why ECB is discouraged:

  • It does not hide repetition.
  • It offers no semantic security for repeated plaintext blocks.
  • It is vulnerable to block rearrangement attacks in some contexts.
  • It should generally never be used to encrypt large or structured data.

2. Cipher Block Chaining (CBC) Mode

Basic idea

  • Each plaintext block is XORed with the previous ciphertext block before encryption. The first block uses an initialization vector (IV) instead of a previous ciphertext block.

Characteristics and usage

  • CBC hides patterns better than ECB because each block depends on all previous blocks. It is widely studied and historically very important, but it has limitations such as sequential encryption and padding requirements.

CBC improves security by chaining blocks together. Before encrypting a plaintext block, it combines that block with the previous ciphertext block using XOR. This means that even if two plaintext blocks are identical, their ciphertexts will differ if they occur at different positions in the message. The first block is special because there is no previous ciphertext, so an IV is used.

Encryption process:

  • C1 = E(K, P1 ⊕ IV)
  • C2 = E(K, P2 ⊕ C1)
  • C3 = E(K, P3 ⊕ C2)

Decryption process:

  • P1 = D(K, C1) ⊕ IV
  • P2 = D(K, C2) ⊕ C1
  • P3 = D(K, C3) ⊕ C2

Important properties:

  • Random or unpredictable IVs are essential.
  • The IV does not need to be secret, but it must be unique and unpredictable.
  • Padding is needed when the final plaintext block is not full-sized.
  • Encryption is sequential, so blocks cannot be encrypted fully in parallel.

Example:
If a message contains repeated words or repeated data blocks, CBC ensures the ciphertext blocks still appear different because each block depends on the entire chain before it.

Weaknesses and cautions:

  • Improper IV handling can break security.
  • Padding errors can lead to padding oracle attacks if error messages leak information.
  • While decryption can be parallelized, encryption generally cannot.
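
The ECB example (P1 = P3 gives C1 = C3) and the CBC encryption and decryption equations above, run side by side. This is an added example, not part of the original notes. The 4-round Feistel cipher built from HMAC-SHA256 is a toy stand-in for AES so that the code runs with the standard library only, and the key, IV, and function names are constructed for illustration.

```python
import hashlib
import hmac
BLOCK = 16  # bytes, the AES block size

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: truncated HMAC-SHA256 (toy stand-in, NOT AES)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(E(key, p) for p in blocks(pt))      # Ci = E(K, Pi)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev))                      # Ci = E(K, Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))                 # Pi = D(K, Ci) xor Ci-1
        prev = c
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    return len(blocks(ct)) - len(set(blocks(ct)))  # duplicates of an earlier block

# Constructed sample: P1 = A..., P2 = B..., P3 = A..., already block-aligned (no padding).
# The IV is fixed only to make the run reproducible; real CBC needs a fresh one per message.
KEY, IV = b"k" * 16, bytes(range(16))
PT = b"A" * 16 + b"B" * 16 + b"A" * 16
```

With these inputs `repeated_blocks(ecb_encrypt(KEY, PT))` is 1 because C1 = C3, while `repeated_blocks(cbc_encrypt(KEY, IV, PT))` is 0 and `cbc_decrypt` recovers `PT`.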

3. Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) Modes

Basic idea

  • These are stream-like modes that turn a block cipher into a keystream generator so that data can be encrypted in smaller units or even byte-by-byte.

Characteristics and usage

  • They are useful when handling streaming data, when padding should be avoided, or when encryption must support parallel processing. They differ in how the keystream is generated and in how errors propagate.

These modes are often grouped together because they all use the block cipher in a way that produces a keystream, which is then XORed with plaintext.

CFB Mode

CFB uses the previous ciphertext block as input to the block cipher. It is self-synchronizing: in some communication settings it can recover after data loss or misalignment.

  • C1 = P1 ⊕ E(K, IV)
  • C2 = P2 ⊕ E(K, C1)

Features:

  • No padding required when used in smaller segments.
  • Encryption is sequential.
  • An error in a ciphertext block can affect the current and next plaintext blocks.

OFB Mode

OFB generates keystream independently of the plaintext and ciphertext by repeatedly encrypting the previous keystream block.

  • O1 = E(K, IV)
  • O2 = E(K, O1)
  • C1 = P1 ⊕ O1
  • C2 = P2 ⊕ O2

Features:

  • No padding required.
  • Bit errors in ciphertext affect only the corresponding bits in plaintext.
  • Keystream must never repeat for the same key.
  • IV/nonce uniqueness is crucial.

CTR Mode

CTR uses a counter value combined with a nonce or IV, and encrypts that counter sequence to produce a keystream.

  • Keystream block 1 = E(K, nonce || counter1)
  • Keystream block 2 = E(K, nonce || counter2)
  • Ciphertext = plaintext ⊕ keystream

Features:

  • Highly parallelizable.
  • No padding required.
  • Random access is possible; any block can be decrypted independently.
  • Extremely widely used in modern systems.

Example of CTR advantage:
If a large file is being encrypted, one processor thread can handle blocks 1–1000 while another handles 1001–2000 because each counter block is independent.

Security note for all three modes:
These modes provide confidentiality only, not integrity. If an attacker changes ciphertext, predictable changes may occur in plaintext unless authentication is added separately.


4. Authentication-Oriented Modes: GCM and Related AEAD Modes

Basic idea

  • Modern secure systems often need both confidentiality and integrity, so authenticated encryption modes combine encryption and message authentication in one construction.

Characteristics and usage

  • GCM is one of the most important modes because it provides encryption plus authentication efficiently, especially in high-speed applications and network protocols.

Plain encryption is often not enough. An attacker might not be able to read the message, but they may still tamper with it. Authenticated Encryption with Associated Data (AEAD) addresses this by ensuring:

  • the ciphertext remains confidential,
  • any modification is detected,
  • additional data such as headers can be authenticated without being encrypted.

Galois/Counter Mode (GCM)

GCM is built on CTR mode for encryption and uses a polynomial-based authentication mechanism for integrity.

Main ideas:

  • A counter-based keystream encrypts the plaintext.
  • A hash-like authentication tag is computed over the ciphertext and associated data.
  • The receiver verifies the tag before accepting the message.

Why GCM is important:

  • Fast and efficient.
  • Supports parallel processing.
  • Widely used in TLS, VPNs, cloud systems, and secure APIs.
  • Protects both confidentiality and integrity.

Example use case:
In HTTPS connections, GCM can encrypt the content of a message and also authenticate protocol headers so that tampering is detected immediately.

Security considerations:

  • Nonce reuse with the same key is catastrophic in GCM.
  • The authentication tag must be verified securely and in constant time.
  • GCM is highly efficient, but misuse of nonce values can destroy security.
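
An added example (not from the original notes) tying together the confidentiality-only warning for CFB, OFB and CTR and the points above about tag verification, associated data and nonce reuse. It assumes a toy CTR keystream from HMAC-SHA256 in place of AES and an HMAC-SHA256 tag (encrypt-then-MAC) in place of GCM's polynomial authenticator; all function names and sample values are constructed.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xcrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream block i = PRF(K, nonce || counter_i). HMAC-SHA256 stands in for
    # E(K, .) here (toy, NOT AES): CTR only ever runs the cipher forwards.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return xor(data, ks)  # zip() truncates the keystream, so no padding

def tag_for(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Tag covers the associated data (length-prefixed), the nonce and the ciphertext.
    msg = len(aad).to_bytes(8, "big") + aad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(enc_key, mac_key, nonce, aad, pt):
    ct = ctr_xcrypt(enc_key, nonce, pt)
    return ct, tag_for(mac_key, nonce, aad, ct)

def open_sealed(enc_key, mac_key, nonce, aad, ct, tag):
    # Verify in constant time BEFORE releasing any plaintext.
    if not hmac.compare_digest(tag, tag_for(mac_key, nonce, aad, ct)):
        raise ValueError("authentication failed")
    return ctr_xcrypt(enc_key, nonce, ct)

def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Models the "predictable change": XORing old^new into the ciphertext
    # turns the decrypted bytes from old into new without touching the key.
    d = xor(old, new)
    return ct[:offset] + xor(ct[offset:offset + len(d)], d) + ct[offset + len(d):]

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Same key + same nonce => same keystream, so c1 ^ c2 == p1 ^ p2.
    return xor(c1, c2)

# Constructed sample values
ENC_KEY, MAC_KEY, NONCE = b"e" * 32, b"m" * 32, b"n" * 12
HEADER, MSG = b"to=acct-7", b"amount=0100"
```

Decrypting `tamper(ct, 7, b"0100", b"9900")` with `ctr_xcrypt` alone yields `amount=9900`, while `open_sealed` raises `ValueError` for the same bytes or for a changed `HEADER`.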

Other AEAD-related modes:

  • CCM: Combines CTR encryption with CBC-MAC authentication.
  • EAX: An authenticated encryption mode with flexible design.
  • SIV: Misuse-resistant mode that protects better against nonce reuse.

Working / Process

1. Choose the block cipher and mode

  • Select a block cipher such as AES and decide the mode based on the application.
  • If only confidentiality is needed, a stream-like mode or CBC may be used.
  • If confidentiality and integrity are both needed, an AEAD mode like GCM is preferred.

2. Prepare the message and initialization data

  • Divide the plaintext into blocks if needed.
  • Generate the IV, nonce, or counter value according to the chosen mode.
  • Add padding only when the mode requires it, such as CBC.

3. Encrypt, transmit, and verify

  • Apply the mode rules block by block.
  • On decryption, reverse the process and verify correctness.
  • For authenticated modes, verify the authentication tag before releasing plaintext.

A simple CBC-style flow can be visualized like this:

P1 ---> XOR with IV ---> E(K) ---> C1
P2 ---> XOR with C1 ---> E(K) ---> C2
P3 ---> XOR with C2 ---> E(K) ---> C3

For CTR:

Nonce+Counter1 ---> E(K) ---> Keystream1 ---> XOR with P1 ---> C1
Nonce+Counter2 ---> E(K) ---> Keystream2 ---> XOR with P2 ---> C2
Nonce+Counter3 ---> E(K) ---> Keystream3 ---> XOR with P3 ---> C3

These workflows show why different modes behave differently in speed, security, and implementation complexity.


Advantages / Applications

Secure encryption of data larger than one block

  • Modes allow block ciphers to protect files, messages, database records, and network packets of arbitrary length.

Flexibility for different use cases

  • Some modes are best for simple confidentiality, some for streaming, some for parallel processing, and some for authenticated encryption.

Wide practical application

  • Modes are used in disk encryption, internet protocols, secure messaging, cloud storage, VPNs, wireless communication, and embedded systems.

Block cipher modes are essential because they adapt a fixed-size primitive to many practical environments. ECB may be useful for limited specialized tasks, but CBC, CTR, and especially GCM dominate secure system design. In modern applications, authenticated modes are usually preferred because confidentiality without integrity is incomplete security.


Summary

  • Modes of operation are methods for using a block cipher on long data safely.
  • ECB is simple but insecure because it reveals patterns.
  • CBC, CFB, OFB, CTR, and GCM each solve different practical problems.
  • Important terms to remember: block cipher, mode of operation, IV, nonce, ciphertext, padding, chaining, keystream, authentication tag.