Block cipher mode of operation – Wikipedia

Cryptography algorithm
“Mode of operation” redirects here. For “method of operation”, see Modus operandi.

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. [ 1 ] A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block. [ 2 ] A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. [ 3 ] [ 4 ] [ 5 ] Most modes require a unique binary sequence, often called an initialization vector (IV), for each encryption operation. The IV has to be non-repeating and, for some modes, random as well. The initialization vector is used to ensure that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key. [ 6 ] Block ciphers may be capable of operating on more than one block size, but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the last part of the data be padded to a full block if it is smaller than the current block size. [ 2 ] There are, however, modes that do not require padding because they effectively use a block cipher as a stream cipher.

Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal. Some modern modes of operation combine confidentiality and authenticity in an efficient manner, and are known as authenticated encryption modes. [ 7 ]

History and standardization

The earliest modes of operation, ECB, CBC, OFB, and CFB (see below for all), date back to 1981 and were specified in FIPS 81, DES Modes of Operation. In 2001, the US National Institute of Standards and Technology (NIST) revised its list of approved modes of operation by including AES as a block cipher and adding CTR mode in SP800-38A, Recommendation for Block Cipher Modes of Operation. Finally, in January 2010, NIST added XTS-AES in SP800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. Other confidentiality modes exist which have not been approved by NIST. For example, CTS is ciphertext stealing mode and is available in many popular cryptographic libraries.

The block cipher modes ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate message authentication code such as CBC-MAC, or a digital signature. The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC. HMAC was approved in 2002 as FIPS 198, The Keyed-Hash Message Authentication Code (HMAC), CMAC was released in 2005 under SP800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, and GMAC was formalized in 2007 under SP800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC.

The cryptographic community observed that compositing (combining) a confidentiality mode with an authenticity mode could be difficult and error prone. They therefore began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive (an encryption algorithm). These combined modes are referred to as authenticated encryption, AE or “authenc”. Examples of AE modes are CCM (SP800-38C), GCM (SP800-38D), CWC, EAX, IAPM, and OCB.

Modes of operation are defined by a number of national and internationally recognized standards bodies. Notable standards organizations include NIST, ISO (with ISO/IEC 10116 [ 5 ]), the IEC, the IEEE, ANSI, and the IETF.

Initialization vector ( IV )

An initialization vector (IV) or starting variable (SV) [ 5 ] is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process. [ citation needed ] An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a cryptographic nonce. Many block cipher modes have stronger requirements, such as the IV must be random or pseudorandom. Some block ciphers have particular problems with certain initialization vectors, such as an all-zero IV generating no encryption (for some keys). It is recommended to review the relevant IV requirements for the particular block cipher mode in the relevant specification, for example SP800-38A. For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages. For OFB and CTR, reusing an IV causes key bitstream re-use, which breaks security. [ 8 ] This can be seen because both modes effectively create a bitstream that is XORed with the plaintext, and this bitstream is dependent on the key and IV only. In CBC mode, the IV must be unpredictable (random or pseudorandom) at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before the next plaintext is specified, they can check their guess about the plaintext of some block that was encrypted with the same key before (this is known as the TLS CBC IV attack). [ 9 ]

For some keys an all-zero initialization vector may cause some block cipher modes (CFB-8, OFB-8) to get their internal state stuck at all-zero. For CFB-8, an all-zero IV and an all-zero plaintext cause 1/256 of keys to generate no encryption: the plaintext is returned as ciphertext. [ 10 ] For OFB-8, using an all-zero initialization vector will generate no encryption for 1/256 of keys. [ 11 ] OFB-8 encryption returns the plaintext unencrypted for affected keys. Some modes (such as AES-SIV and AES-GCM-SIV) are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.

  • Synthetic Initialization Vector (SIV) synthesizes an internal IV by running a Pseudo-Random Function (PRF) construction called S2V on the input (additional data and plaintext), preventing any external data from directly controlling the IV. External nonces / IVs may be fed into S2V as an additional data field.
  • AES-GCM-SIV synthesizes an internal IV by running the POLYVAL Galois mode of authentication on the input (additional data and plaintext), followed by an AES operation.
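The keystream-reuse failure described above for OFB and CTR, as an added illustration that is not part of the original article: keystreamCancels shows that two AES-CTR ciphertexts produced under the same key and IV XOR to the XOR of their plaintexts, because the keystream depends on key and IV only, and nonceGuard (a constructed type name) is the fail-closed check an encrypting application has to enforce itself. Key, IVs and plaintexts are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// xor returns a XOR b; both slices are assumed to have the same length.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ctrEncrypt is AES-CTR from crypto/cipher: ciphertext = plaintext XOR keystream,
// where the keystream is a function of the key and the IV alone.
func ctrEncrypt(key, iv, msg []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(msg))
	cipher.NewCTR(blk, iv).XORKeyStream(out, msg)
	return out
}

// keystreamCancels reports whether c1 XOR c2 == p1 XOR p2 for two messages
// encrypted under the same key. The equality holds exactly when both messages
// were encrypted with the same keystream, i.e. when the IV was reused.
func keystreamCancels(key, iv1, iv2, p1, p2 []byte) bool {
	c1, c2 := ctrEncrypt(key, iv1, p1), ctrEncrypt(key, iv2, p2)
	return bytes.Equal(xor(c1, c2), xor(p1, p2))
}

// nonceGuard is the check a CTR/OFB/GCM caller must enforce itself: it records
// every IV used under its key and refuses to encrypt a second time with one.
type nonceGuard struct {
	key  []byte
	seen map[string]bool
}

func newNonceGuard(key []byte) *nonceGuard {
	return &nonceGuard{key: key, seen: map[string]bool{}}
}

// Encrypt fails closed on IV reuse instead of emitting a ciphertext that shares
// its keystream with an earlier one.
func (g *nonceGuard) Encrypt(iv, msg []byte) ([]byte, error) {
	if g.seen[string(iv)] {
		return nil, errors.New("IV already used under this key; refusing to reuse keystream")
	}
	g.seen[string(iv)] = true
	return ctrEncrypt(g.key, iv, msg), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed AES-128 key
	ivA := bytes.Repeat([]byte{0xA0}, 16) // constructed IVs
	ivB := bytes.Repeat([]byte{0xB0}, 16)
	p1 := []byte("constructed plaintext number one")
	p2 := []byte("constructed plaintext number two")
	fmt.Println("IV reused, keystream cancels:", keystreamCancels(key, ivA, ivA, p1, p2))
	fmt.Println("fresh IV, keystream cancels: ", keystreamCancels(key, ivA, ivB, p1, p2))
	g := newNonceGuard(key)
	g.Encrypt(ivA, p1)
	_, err := g.Encrypt(ivA, p2)
	fmt.Println("guard rejects second use of the IV:", err)
}
```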

Padding

A block cipher works on units of a fixed size (known as a block size), but messages come in a variety of lengths. So some modes (namely ECB and CBC) require that the final block be padded before encryption. Several padding schemes exist. The simplest is to add null bytes to the plaintext to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is trivial, for example, if the plaintext is a C style string which contains no null bytes except at the end. Slightly more complex is the original DES method, which is to add a single one bit, followed by enough zero bits to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as ciphertext stealing or residual block termination, which do not cause any extra ciphertext, at the expense of some additional complexity. Schneier and Ferguson suggest two possibilities, both simple: append a byte with value 128 (hex 80), followed by as many zero bytes as needed to fill the last block, or pad the last block with n bytes all with value n. CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last keystream block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that transmit data in streaming form where it is inconvenient to add padding bytes.
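The two Schneier and Ferguson schemes from the paragraph above, as an added example that is not code from the original article: padBytes/unpadBytes implement "n bytes all with value n" and pad80/unpad80 implement "0x80 followed by zeros". Both unpadders validate every padding byte rather than trusting the final byte alone, so a corrupted tail is reported instead of silently truncating the message; the function names are my own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// padBytes pads msg to a multiple of bs with n bytes all of value n. A whole
// block of padding is added when msg already ends on a block boundary, so that
// unpadding is always unambiguous.
func padBytes(msg []byte, bs int) []byte {
	n := bs - len(msg)%bs
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadBytes reverses padBytes, checking every padding byte, not just the last.
func unpadBytes(padded []byte, bs int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%bs != 0 {
		return nil, errors.New("padded length is not a multiple of the block size")
	}
	n := int(padded[len(padded)-1])
	if n == 0 || n > bs {
		return nil, errors.New("invalid padding length byte")
	}
	for _, b := range padded[len(padded)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return padded[:len(padded)-n], nil
}

// pad80 appends a single 0x80 marker followed by as many zero bytes as needed.
func pad80(msg []byte, bs int) []byte {
	n := bs - len(msg)%bs
	out := append(append([]byte{}, msg...), 0x80)
	return append(out, make([]byte, n-1)...)
}

// unpad80 strips trailing zeros and the 0x80 marker, which must lie in the
// last block; otherwise the input is reported as malformed.
func unpad80(padded []byte, bs int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%bs != 0 {
		return nil, errors.New("padded length is not a multiple of the block size")
	}
	i := len(padded) - 1
	for i >= 0 && padded[i] == 0 {
		i--
	}
	if i < 0 || padded[i] != 0x80 || len(padded)-1-i >= bs {
		return nil, errors.New("0x80 marker not found within the last block")
	}
	return padded[:i], nil
}

func main() {
	msg := []byte("hello") // constructed 5-byte message, 16-byte block size
	p := padBytes(msg, 16)
	fmt.Printf("n-bytes-of-n: %x\n", p)
	p[6] = 0 // simulate a corrupted padding byte
	_, err := unpadBytes(p, 16)
	fmt.Println("corrupted tail rejected:", err)
	q := pad80(msg, 16)
	fmt.Printf("0x80-then-zeros: %x\n", q)
	back, _ := unpad80(q, 16)
	fmt.Printf("unpadded: %q\n", back)
}
```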

Common modes

Authenticated encryption with additional data ( AEAD ) modes

A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are extended cipher block chaining (XCBC) [ clarification needed ], [ 12 ] integrity-aware cipher block chaining (IACBC) [ clarification needed ], integrity-aware parallelizable mode (IAPM), [ 13 ] OCB, EAX, CWC, CCM, and GCM. Authenticated encryption modes are classified as single-pass modes or double-pass modes. Some single-pass authenticated encryption algorithms, such as OCB mode, are encumbered by patents, while others were specifically designed and released in a way to avoid such encumberment. In addition, some modes also allow for the authentication of unencrypted associated data, and these are called AEAD (authenticated encryption with associated data) schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.

Galois/counter ( GCM )

Galois/counter
Encryption parallelizable Yes
Decryption parallelizable Yes
Random read access Yes

Galois/counter mode (GCM) combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms. GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full advantage of parallel processing, and implementing GCM can make efficient use of an instruction pipeline or a hardware pipeline. The CBC mode of operation incurs pipeline stalls that hamper its efficiency and performance. Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher E, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted. The ciphertext blocks are considered coefficients of a polynomial which is then evaluated at a key-dependent point H, using finite field arithmetic. The result is then encrypted, producing an authentication tag that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.

Counter with cipher block chaining message authentication code ( CCM )

Counter with cipher block chaining message authentication code (counter with CBC-MAC; CCM) is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits. [ 14 ] [ 15 ]

Synthetic initialization vector ( SIV )

Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode. SIV synthesizes an internal IV using the pseudorandom function S2V. S2V is a keyed hash based on CMAC, and the input to the function is:

  • Additional authenticated data (zero, one or many AAD fields are supported)
  • Plaintext
  • Authentication key (K1).

SIV encrypts the S2V output and the plaintext using AES-CTR, keyed with the encryption key (K2). SIV can support external nonce-based authenticated encryption, in which case one of the authenticated data fields is utilized for this purpose. RFC5297 [ 16 ] specifies that for interoperability purposes the last authenticated data field should be used as the external nonce. Owing to the use of two keys, the authentication key K1 and encryption key K2, naming schemes for SIV AEAD-variants may lead to some confusion; for example AEAD_AES_SIV_CMAC_256 refers to AES-SIV with two AES-128 keys and not AES-256.

AES-GCM-SIV is a mode of operation for the Advanced Encryption Standard which provides similar performance to Galois/counter mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452. [ 17 ] AES-GCM-SIV synthesizes the internal IV. It derives a hash of the additional authenticated data and plaintext using the POLYVAL Galois hash function. The hash is then encrypted with an AES key, and used as the authentication tag and AES-CTR initialization vector. AES-GCM-SIV is an improvement over the very similarly named algorithm GCM-SIV, with a few very minor changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security: “This addition allows for encrypting up to 2^50 messages with the same key, compared to the significant limitation of only 2^32 messages that were allowed with GCM-SIV.” [ 18 ]

Confidentiality only modes

Many modes of operation have been defined. Some of these are described below. The purpose of cipher modes is to mask patterns which exist in encrypted data, as illustrated in the description of the weakness of ECB. Different cipher modes mask patterns by cascading outputs from the cipher block or other globally deterministic variables into the subsequent cipher block. The inputs of the listed modes are summarized in the following table:

Summary of modes

Mode                        | Formulas                                                     | Ciphertext
----------------------------|--------------------------------------------------------------|--------------------------------------------
Electronic codebook (ECB)   | Y_i = F(PlainText_i, Key)                                    | Y_i
Cipher block chaining (CBC) | Y_i = PlainText_i XOR Ciphertext_{i-1}                       | F(Y, Key); Ciphertext_0 = IV
Propagating CBC (PCBC)      | Y_i = PlainText_i XOR (Ciphertext_{i-1} XOR PlainText_{i-1}) | F(Y, Key); Ciphertext_0 = IV
Cipher feedback (CFB)       | Y_i = Ciphertext_{i-1}                                       | Plaintext XOR F(Y, Key); Ciphertext_0 = IV
Output feedback (OFB)       | Y_i = F(Y_{i-1}, Key); Y_0 = F(IV, Key)                      | Plaintext XOR Y_i
Counter (CTR)               | Y_i = F(IV + g(i), Key); IV = token()                        | Plaintext XOR Y_i

Note: g(i) is any deterministic function, often the identity function.
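The summary table carried into code, as an added example that is not part of the original article: encrypt walks the table row by row (Y_i from the "Formulas" column, then the "Ciphertext" column) over an AES cipher.Block with g(i) = i, and stdlibMatches cross-checks the CBC, CFB, OFB and CTR rows against Go's crypto/cipher and the PCBC row against its own inverse. Function names, key, IV and plaintext are my own constructed values; the IV must be one block long even for ECB, which ignores it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// xor returns a XOR b; both slices are assumed to have the same length.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// enc is one application of the block function F(x, Key) from the table.
func enc(blk cipher.Block, x []byte) []byte {
	out := make([]byte, len(x))
	blk.Encrypt(out, x)
	return out
}

// increment adds one to a big-endian counter block in place (CTR's IV + g(i)
// with g the identity, in the convention crypto/cipher uses).
func increment(ctr []byte) {
	for j := len(ctr) - 1; j >= 0; j-- {
		if ctr[j]++; ctr[j] != 0 {
			return
		}
	}
}

// encrypt walks the summary table: for every block it forms Y_i from the
// mode's "Formulas" column and the ciphertext from its "Ciphertext" column.
// pt must be a whole number of blocks (padding is a separate concern).
func encrypt(mode string, blk cipher.Block, iv, pt []byte) []byte {
	bs := blk.BlockSize()
	prevC, prevP := iv, make([]byte, bs) // C_0 = IV; P_0 chosen so P_0 XOR C_0 = IV
	y := enc(blk, iv)                    // OFB: Y_0 = F(IV, Key)
	ctr := append([]byte{}, iv...)       // CTR: counter block starts at IV
	ct := []byte{}
	for i := 0; i < len(pt); i += bs {
		p := pt[i : i+bs]
		var c []byte
		switch mode {
		case "ECB": // Y_i = F(P_i, Key); C_i = Y_i
			c = enc(blk, p)
		case "CBC": // Y_i = P_i XOR C_{i-1}; C_i = F(Y_i, Key)
			c = enc(blk, xor(p, prevC))
		case "PCBC": // Y_i = P_i XOR (C_{i-1} XOR P_{i-1}); C_i = F(Y_i, Key)
			c = enc(blk, xor(p, xor(prevC, prevP)))
		case "CFB": // Y_i = C_{i-1}; C_i = P_i XOR F(Y_i, Key)
			c = xor(p, enc(blk, prevC))
		case "OFB": // Y_i = F(Y_{i-1}, Key); C_i = P_i XOR Y_i
			c, y = xor(p, y), enc(blk, y)
		case "CTR": // Y_i = F(IV + g(i), Key); C_i = P_i XOR Y_i
			c = xor(p, enc(blk, ctr))
			increment(ctr)
		default:
			panic("unknown mode " + mode)
		}
		prevC, prevP = c, p
		ct = append(ct, c...)
	}
	return ct
}

// pcbcDecrypt inverts the PCBC row: P_i = D_K(C_i) XOR P_{i-1} XOR C_{i-1}.
func pcbcDecrypt(blk cipher.Block, iv, ct []byte) []byte {
	bs := blk.BlockSize()
	fb, pt := iv, []byte{} // fb = P_{i-1} XOR C_{i-1}
	for i := 0; i < len(ct); i += bs {
		d := make([]byte, bs)
		blk.Decrypt(d, ct[i:i+bs])
		p := xor(d, fb)
		fb = xor(p, ct[i:i+bs])
		pt = append(pt, p...)
	}
	return pt
}

// stdlibMatches cross-checks CBC, CFB, OFB and CTR against crypto/cipher, and
// PCBC against its own decryption, on constructed key, IV and plaintext values.
func stdlibMatches() bool {
	key, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed
	pt := bytes.Repeat([]byte("0123456789abcdef"), 3)                          // three equal blocks
	blk, _ := aes.NewCipher(key)
	want := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(want, pt)
	ok := bytes.Equal(encrypt("CBC", blk, iv, pt), want)
	cipher.NewCFBEncrypter(blk, iv).XORKeyStream(want, pt)
	ok = ok && bytes.Equal(encrypt("CFB", blk, iv, pt), want)
	cipher.NewOFB(blk, iv).XORKeyStream(want, pt)
	ok = ok && bytes.Equal(encrypt("OFB", blk, iv, pt), want)
	cipher.NewCTR(blk, iv).XORKeyStream(want, pt)
	ok = ok && bytes.Equal(encrypt("CTR", blk, iv, pt), want)
	return ok && bytes.Equal(pcbcDecrypt(blk, iv, encrypt("PCBC", blk, iv, pt)), pt)
}
```

Running encrypt("ECB", ...) on the same three-block input shows the weakness the text describes next: all three ciphertext blocks come out identical.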

Electronic codebook ( ECB )

Electronic codebook
Encryption parallelizable Yes
Decryption parallelizable Yes
Random read access Yes

The simplest (and not to be used anymore) of the encryption modes is the electronic codebook (ECB) mode (named after conventional physical codebooks [ 19 ]). The message is divided into blocks, and each block is encrypted separately. The disadvantage of this method is a lack of diffusion. Because ECB encrypts identical plaintext blocks into identical ciphertext blocks, it does not hide data patterns well. ECB is not recommended for use in cryptographic protocols. [ 20 ] [ 21 ] [ 22 ] A striking example of the degree to which ECB can leave plaintext data patterns in the ciphertext can be seen when ECB mode is used to encrypt a bitmap image which uses large areas of uniform color. While the color of each individual pixel is encrypted, the overall image may still be discerned, as the pattern of identically colored pixels in the original remains in the encrypted version.

(Figure: the original image; the same image encrypted using ECB mode; the image encrypted with a mode other than ECB, which results in pseudo-randomness [ citation needed ])

The third image is how the image might appear encrypted with CBC, CTR or any of the other more secure modes: indistinguishable from random noise. Note that the random appearance of the third image does not ensure that the image has been securely encrypted; many kinds of insecure encryption have been developed which would produce output just as “random-looking”. ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way. [ citation needed ]

Cipher block chaining ( CBC )

Cipher block chaining
Encryption parallelizable No
Decryption parallelizable Yes
Random read access Yes

Ehrsam, Meyer, Smith and Tuchman invented the cipher block chaining (CBC) mode of operation in 1976. [ 23 ] In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

If the first block has index 1, the mathematical formula for CBC encryption is

C_i = E_K(P_i \oplus C_{i-1}),
C_0 = IV,

while the mathematical formula for CBC decryption is

P_i = D_K(C_i) \oplus C_{i-1},
C_0 = IV.

Example

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks. Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as the IV for the decryption of the current one. This means that a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption can be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact. This peculiarity is exploited in different padding oracle attacks, such as POODLE.

Explicit initialization vectors [ 24 ] take advantage of this property by prepending a single random block to the plaintext. Encryption is done as normal, except the IV does not need to be communicated to the decryption routine. Whatever IV decryption uses, only the random block is “corrupted”. It can be safely discarded and the rest of the decryption is the original plaintext.

Propagating cipher block chaining ( PCBC )

Propagating cipher block chaining
Encryption parallelizable No
Decryption parallelizable No
Random read access No

The propagating cipher block chaining [ 25 ] or plaintext cipher-block chaining [ 26 ] mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting. In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted. Like with CBC mode, an initialization vector is used in the first block.

Encryption and decryption algorithms are as follows:

C_i = E_K(P_i \oplus P_{i-1} \oplus C_{i-1}), \quad P_0 \oplus C_0 = IV,
P_i = D_K(C_i) \oplus P_{i-1} \oplus C_{i-1}, \quad P_0 \oplus C_0 = IV.

PCBC is used in Kerberos v4 and WASTE, most notably, but otherwise is not common. On a message encrypted in PCBC mode, if two adjacent ciphertext blocks are exchanged, this does not affect the decryption of subsequent blocks. [ 27 ] For this reason, PCBC is not used in Kerberos v5.

Cipher feedback ( CFB )

Full-block CFB

Cipher feedback
Encryption parallelizable No
Decryption parallelizable Yes
Random read access Yes

The cipher feedback (CFB) mode, in its simplest form, uses the entire output of the block cipher. In this variation it is very similar to CBC, and makes a block cipher into a self-synchronizing stream cipher. CFB decryption in this variation is almost identical to CBC encryption performed in reverse:

C_i = \begin{cases} \text{IV}, & i = 0 \\ E_K(C_{i-1}) \oplus P_i, & \text{otherwise} \end{cases}
P_i = E_K(C_{i-1}) \oplus C_i,

NIST SP800-38A defines CFB with a bit-width. [ 28 ] The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the specification of the CFB mode below, each plaintext segment (P_j) and ciphertext segment (C_j) consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 1-bit CFB mode, the 8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode. These modes will truncate the output of the underlying block cipher.

I_0 = \text{IV}.
I_i = \big((I_{i-1} \ll s) + C_i\big) \bmod 2^b,
C_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus P_i,
P_i = \operatorname{MSB}_s\big(E_K(I_{i-1})\big) \oplus C_i,

CFB-1 is considered self synchronizing and resilient to loss of ciphertext; “When the 1-bit CFB mode is used, then the synchronization is automatically restored b+1 positions after the inserted or deleted bit. For other values of s in the CFB mode, and for the other confidentiality modes in this recommendation, the synchronization must be restored externally.” (NIST SP800-38A). I.e. a 1-bit loss in a 128-bit-wide block cipher like AES will render 129 invalid bits before emitting valid bits. CFB may also self synchronize in some special cases other than those specified. For example, a one bit change in CFB-128 with an underlying 128 bit block cipher will re-synchronize after two blocks. (However, CFB-128 etc. will not handle bit loss gracefully; a one-bit loss will cause the decryptor to lose alignment with the encryptor.)

CFB compared to other modes

Like CBC mode, changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized. CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used for CBC mode to make padding unnecessary).

Output feedback ( OFB )

Output feedback
Encryption parallelizable No
Decryption parallelizable No
Random read access No

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher. It generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:

C_j = P_j \oplus O_j,
P_j = C_j \oplus O_j,
O_j = E_K(I_j),
I_j = O_{j-1},
I_0 = \text{IV}.

Each output feedback block cipher operation depends on all previous ones, and so cannot be performed in parallel. However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available. It is possible to obtain an OFB mode keystream by using CBC mode with a constant string of zeroes as input. This can be useful, because it allows the usage of fast hardware implementations of CBC mode for OFB mode encryption. Using OFB mode with a partial block as feedback like CFB mode reduces the average cycle length by a factor of 2^32 or more. A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback can an average cycle length near to the obtainable maximum be achieved. For this reason, support for truncated feedback was removed from the specification of OFB. [ 29 ]

Counter ( CTR )

Encryption parallelizable Yes
Decryption parallelizable Yes
Random read access Yes
Note: CTR mode (CM) is also known as integer counter mode (ICM) and segmented integer counter (SIC) mode.

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a “counter”. The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time, although an actual increment-by-one counter is the simplest and most popular. The usage of a simple deterministic input function used to be controversial; critics argued that “deliberately exposing a cryptosystem to a known systematic input represents an unnecessary risk”. [ 30 ] However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input. Along with CBC, CTR mode is one of two block cipher modes recommended by Niels Ferguson and Bruce Schneier. [ 32 ] CTR mode was introduced by Whitfield Diffie and Martin Hellman in 1979. CTR mode has similar characteristics to OFB, but also allows a random-access property during decryption. CTR mode is well suited to operate on a multi-processor machine, where blocks can be encrypted in parallel. Furthermore, it does not suffer from the short-cycle problem that can affect OFB. [ 33 ] If the IV/nonce is random, then it can be combined with the counter using any invertible operation (concatenation, addition, or XOR) to produce the actual unique counter block for encryption. In case of a non-random nonce (such as a packet counter), the nonce and counter should be concatenated (e.g., storing the nonce in the upper 64 bits and the counter in the lower 64 bits of a 128-bit counter block). Simply adding or XORing the nonce and counter into a single value would break the security under a chosen-plaintext attack in many cases, since the attacker may be able to manipulate the entire IV–counter pair to cause a collision. Once an attacker controls the IV–counter pair and plaintext, XOR of the ciphertext with the known plaintext would yield a value that, when XORed with the ciphertext of the other block sharing the same IV–counter pair, would decrypt that block. [ 34 ] Note that the nonce in this diagram is equivalent to the initialization vector (IV) in the other diagram. However, if the offset/location information is corrupted, it will be impossible to partially recover such data due to the dependence on byte offset.

Error propagation

“Error propagation” properties describe how a decryption behaves during bit errors, i.e. how an error in one bit cascades to different decrypted bits. Bit errors may occur intentionally in attacks or randomly due to transmission errors.

  • Random bit errors occur independently in any bit position with an expected probability of ½.
  • Specific bit errors occur in the same bit position(s) as the original bit error(s).
  • Specific bit errors in stream cipher modes (OFB, CTR, etc.) are trivial. They affect only the specific bit intended.
  • Specific bit errors in more complex modes (e.g. CBC): an adaptive chosen-ciphertext attack may intelligently combine many different specific bit errors to break the cipher mode. In a padding oracle attack, CBC can be decrypted by guessing encryption secrets based on error responses. The padding oracle attack variant “CBC-R” (CBC Reverse) lets the attacker construct any valid message.

For modern authenticated encryption (AEAD) or protocols with message authentication codes chained in MAC-Then-Encrypt order, any bit error should completely abort decryption and must not generate any specific bit errors to the decryptor. I.e. if decryption succeeded, there should not be any bit error. As such, error propagation is a less important subject in modern cipher modes than in traditional confidentiality-only modes.

Mode | Effect of bit errors in C_i                                                               | Effect of bit errors in the IV or nonce
-----|-------------------------------------------------------------------------------------------|-----------------------------------------------------------
ECB  | Random bit errors in P_i                                                                  | N/A
CBC  | Random bit errors in P_i; specific bit errors in P_{i+1}                                  | Specific bit errors in P_1
CFB  | Specific bit errors in P_i; random bit errors in P_{i+1}, …, until synchronization is restored | Random bit errors in P_1, …, until synchronization is restored
OFB  | Specific bit errors in P_i                                                                | Random bit errors in P_1, P_2, …, P_n
CTR  | Specific bit errors in P_i                                                                | Random bit errors in P_i for bit error in counter block T_i

(Reference: SP800-38A table D.2: Summary of Effect of Bit Errors on Decryption.) It might be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random errors (e.g., line noise), while others argued that error correcting increased the scope for attackers to maliciously tamper with a message. However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected. If resistance to random error is desirable, error-correcting codes should be applied to the ciphertext before transmission.
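The CBC, CTR and AEAD rows of the table above checked on real ciphertext, as an added example that is not part of the original article: each probe inverts one bit of ciphertext block 1 (blocks numbered from 0) and reports which plaintext blocks change and whether the following block shows exactly that one inverted bit; gcmFlip shows the AEAD behaviour, where the tampered message is rejected outright. Uses Go's crypto/cipher with constructed key, IV, nonce and plaintext; function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key, IV and a 4-block plaintext shared by the three probes below.
var (
	key = bytes.Repeat([]byte{0x42}, 16)
	iv  = bytes.Repeat([]byte{0x01}, 16)
	pt  = bytes.Repeat([]byte("block of 16 byte"), 4)
)

// changedBlocks lists the indices of the 16-byte blocks where a and b differ.
func changedBlocks(a, b []byte) []int {
	var out []int
	for i := 0; i < len(a); i += 16 {
		if !bytes.Equal(a[i:i+16], b[i:i+16]) {
			out = append(out, i/16)
		}
	}
	return out
}

// onlyBitFlipped reports whether block j of got equals block j of pt with only
// its first bit inverted: the "specific bit error" of the table.
func onlyBitFlipped(got []byte, j int) bool {
	want := append([]byte{pt[16*j] ^ 0x80}, pt[16*j+1:16*j+16]...)
	return bytes.Equal(got[16*j:16*j+16], want)
}

// cbcFlip inverts the first bit of ciphertext block 1, decrypts, and returns
// the changed plaintext blocks plus whether block 2 carries exactly that bit.
// Expected: block 1 is random garbage, block 2 has the single inverted bit.
func cbcFlip() ([]int, bool) {
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	ct[16] ^= 0x80
	got := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(got, ct)
	return changedBlocks(pt, got), onlyBitFlipped(got, 2)
}

// ctrFlip does the same with CTR; only the corrupted bit itself changes.
func ctrFlip() ([]int, bool) {
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCTR(blk, iv).XORKeyStream(ct, pt)
	ct[16] ^= 0x80
	got := make([]byte, len(ct))
	cipher.NewCTR(blk, iv).XORKeyStream(got, ct)
	return changedBlocks(pt, got), onlyBitFlipped(got, 1)
}

// gcmFlip shows the AEAD rule: one inverted ciphertext bit makes Open fail, so
// no corrupted plaintext is released at all. It returns true if Open rejected it.
func gcmFlip() bool {
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	nonce := bytes.Repeat([]byte{0x07}, aead.NonceSize()) // constructed, used once
	ct := aead.Seal(nil, nonce, pt, nil)
	ct[16] ^= 0x80
	_, err := aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	blocks, exact := cbcFlip()
	fmt.Printf("CBC: plaintext blocks changed %v, block 2 has exactly one bit flipped: %v\n", blocks, exact)
	blocks, exact = ctrFlip()
	fmt.Printf("CTR: plaintext blocks changed %v, block 1 has exactly one bit flipped: %v\n", blocks, exact)
	fmt.Println("GCM: tampered ciphertext rejected outright:", gcmFlip())
}
```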

Other modes and other cryptographic primitives

Many more modes of operation for block ciphers have been suggested. Some have been accepted, fully described (even standardized), and are in use. Others have been found insecure, and should never be used. Still others don't categorize as confidentiality, authenticity, or authenticated encryption – for example key feedback mode and Davies–Meyer hashing. NIST maintains a list of proposed modes for block ciphers at Modes Development. [ 28 ] [ 35 ]

Disk encryption often uses special purpose modes specifically designed for the application. Tweakable narrow-block encryption modes (LRW, XEX, and XTS) and wide-block encryption modes (CMC and EME) are designed to securely encrypt sectors of a disk (see disk encryption theory).

Many modes use an initialization vector (IV) which, depending on the mode, may have requirements such as being only used once (a nonce) or being unpredictable ahead of its publication, etc. Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more plaintexts, a clear misuse of a stream, with a catastrophic loss of security. Deterministic authenticated encryption modes such as the NIST Key Wrap algorithm and the SIV (RFC 5297) AEAD mode do not require an IV as an input, and return the same ciphertext and authentication tag every time for a given plaintext and key. Other IV misuse-resistant modes such as AES-GCM-SIV benefit from an IV input, for example in the maximum amount of data that can be safely encrypted with one key, while not failing catastrophically if the same IV is used multiple times.

Block ciphers can also be used in other cryptographic protocols. They are generally used in modes of operation similar to the block modes described here. As with all protocols, to be cryptographically secure, care must be taken to design these modes of operation correctly.

There are several schemes which use a block cipher to build a cryptographic hash function. See one-way compression function for descriptions of several such methods. Cryptographically secure pseudorandom number generators (CSPRNGs) can also be built using block ciphers.

Message authentication codes (MACs) are often built from block ciphers. CBC-MAC, OMAC and PMAC are examples.
