
Algorithm 1: Key Scheduling

2.2 Modes of operations for Block Ciphers

Block ciphers such as the AES algorithm process data blocks of a fixed length, one block at a time, under a single key. As a result, a message must first be partitioned into data blocks for processing. Besides encrypting these data blocks directly, NIST has approved several modes of operation that provide confidentiality [45,46], authentication [47], or both [48,49].

The most intuitive mode of operation is the electronic codebook (ECB) mode. Data blocks are processed separately by the block cipher with the same secret key. This mode resembles the assignment of code words in a codebook: under a fixed key, plain-text blocks and cipher-text blocks have a one-to-one mapping, so identical plain-text blocks always produce identical cipher-text blocks. This property is undesirable in some applications. For example, when the picture shown in Fig. 2.10 (see footnote 1) is encrypted in ECB mode, the resulting encrypted data cannot fully hide the information contained in the picture. Therefore, other modes of operation must be used in such applications. In addition to data confidentiality, NIST also approves modes for authentication. All these modes are briefly introduced in the following subsections.

1 Picture source: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation

Figure 2.11: The data flow of the CBC mode. (a) Encryption. (b) Decryption.

2.2.1 Cipher Block Chaining (CBC) Mode

In the cipher block chaining mode, plain-text blocks are combined with previous cipher-text blocks to form input blocks of the block cipher. For the first plain-text block, an initial vector (IV) is required to form the first input data block. The IV does not have to be secret, but it must be unpredictable as discussed in [45].

To encrypt data in CBC mode, the first plain-text block is XORed with the IV. The combined block is then encrypted by the block cipher with the secret key to obtain the first cipher-text block. That cipher-text block is XORed with the next plain-text block to generate the second input block, which is encrypted with the same key to obtain the second cipher-text block. The following cipher-text blocks are obtained in the same manner, as shown in Fig. 2.11(a).

Fig. 2.11(b) shows the decryption flow in CBC mode. The first cipher-text block is decrypted with the secret key, and the first plain-text block is recovered by XORing the cipher output with the IV. For the subsequent blocks, each cipher-text block is decrypted and XORed with the previous cipher-text block to obtain the plain-text block.

In CBC encryption, each cipher-text block depends on the preceding cipher-text block, and therefore on all earlier blocks; the encryption process cannot be performed in parallel. On the other hand, since CBC decryption of a block depends only on the current and the previous cipher-text block, decryption can be performed in parallel.
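As an added example, not part of the original text, the following Python code shows the ECB codebook property from Section 2.2 and the CBC chaining of Fig. 2.11. It assumes a 16-byte block cipher; a 4-round Feistel network built on keyed BLAKE2b stands in for AES so that the code runs with only the standard library, and the caller is assumed to have padded the message to whole blocks.

```python
import hashlib

BLOCK = 16   # block size b in bytes (as for AES)
HALF = BLOCK // 2

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Keyed round function; a 4-round Feistel over keyed BLAKE2b stands in for AES (assumption)
    return hashlib.blake2b(half, key=key + bytes([rnd]), digest_size=HALF).digest()

def block_encrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    # Feistel rounds are undone in reverse order
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

def ecb_encrypt(key, plaintext):
    # ECB: every block uses the same codebook, so equal plain-text blocks give equal cipher-text
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK]) for i in range(0, len(plaintext), BLOCK))

def cbc_encrypt(key, iv, plaintext):
    # C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV; each block needs the previous one, so sequential
    assert len(plaintext) % BLOCK == 0, "caller pads to whole blocks"
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_block(key, prev_cipher, cipher):
    # P_i = D_k(C_i) XOR C_{i-1}: only two cipher-text blocks are needed, so blocks
    # can be recovered independently of each other (in parallel)
    return xor(block_decrypt(key, cipher), prev_cipher)

def cbc_decrypt(key, iv, ciphertext):
    chain = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(cbc_decrypt_block(key, chain[i - 1], chain[i]) for i in range(1, len(chain)))
```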

2.2.2 Cipher Feedback (CFB) Mode

Block ciphers in cipher feedback mode work analogously to stream ciphers: the IV and the secret key are used to generate a series of data blocks, and these are XORed with plain-text blocks to produce cipher-text blocks. Note that CFB mode defines a parameter s, the length in bits of one plain-text or cipher-text segment. For example, if s is 64, each plain-text and cipher-text segment is 64 bits long and the mode is called 64-bit CFB mode.

The encryption flow of CFB mode is illustrated in Fig. 2.12(a). Instead of the first plain-text block, the IV is encrypted by the block cipher to generate an output block. The most significant s bits of that output are XORed with the first plain-text segment to produce the first s-bit cipher-text segment. The least significant (b-s) bits of the cipher input block are then concatenated with the cipher-text segment to form the next input block, and so on for the subsequent blocks.

Since block ciphers in CFB mode are analogous to stream ciphers, the decryption flow is identical to the encryption flow and generates the same "key stream". The IV is encrypted by the block cipher to generate the first output block, and its most significant s bits are XORed with the first cipher-text segment to produce the first plain-text segment. For the following segments, the least significant (b-s) bits of the previous input block are concatenated with the previous cipher-text segment to form the next input block, and the most significant s bits of its cipher output are XORed with the cipher-text segment to recover the plain-text segment. Decryption in CFB mode is illustrated in Fig. 2.12(b).

Figure 2.12: The data flow of the CFB mode. (a) Encryption. (b) Decryption.

Note that in CFB mode only the encryption operation of the block cipher is required for both the encryption and the decryption flow. Furthermore, since the input blocks to the block cipher depend on previous cipher-text blocks, the encryption flow cannot be performed in parallel. Decryption, however, can be done in parallel, because each input block depends only on the previous input block and the previous cipher-text block.

2.2.3 Output Feedback (OFB) Mode

Block ciphers in output feedback mode also work analogously to stream ciphers: the IV and the secret key are used to generate a key stream for encryption and decryption. The output block of the block cipher is used as the input block for the next operation. To produce cipher-text blocks, the output blocks of the cipher are XORed with plain-text blocks, and vice versa.

Figure 2.13: The data flow of the OFB mode. (a) Encryption. (b) Decryption.

The encryption flow is shown in Fig. 2.13(a). To encrypt messages in OFB mode, the IV is encrypted by the block cipher to generate an output block, which is XORed with the first plain-text block to produce the first cipher-text block. The output block is fed back into the block cipher to generate the next output block for the next plain-text block. For the last block, if the plain-text block contains only u bits, fewer than the block size, only the most significant u bits of the output block are XORed with the plain-text block and the remaining bits are discarded.

The decryption flow in OFB mode is identical to the encryption flow, as shown in Fig. 2.13(b). The same IV is encrypted to generate the first output block, and the first plain-text block is recovered by XORing that output block with the cipher-text block. Each output block is then used to generate the next output block for the following cipher-text blocks. Note that decryption in OFB mode uses only the encryption function of the block cipher.

Since the input blocks of the block cipher depend on all the previous output blocks, neither encryption nor decryption in OFB mode can be performed in parallel.

Figure 2.14: The data flow of the CTR mode. (a) Encryption. (b) Decryption.

2.2.4 Counter (CTR) Mode

In counter mode, successive input blocks, called counters, are applied to the block cipher to generate a sequence of output blocks that are XORed with plain-text blocks to produce cipher-text blocks, and vice versa. Successive counter blocks must be different from each other under the same secret key.

The encryption flow of CTR mode is shown in Fig. 2.14(a). Each counter block is applied to the block cipher to generate a sequence of output blocks. These output blocks are then XORed with plain-text blocks to produce cipher-text blocks. For the last plain-text block, if its length is u bits, fewer than the block size, the most significant u bits of the last output block are XORed with the plain-text block and the remaining bits are discarded.

The decryption flow of CTR mode is exactly the same as the encryption flow, as shown in Fig. 2.14(b). Cipher-text blocks are XORed with the output blocks of the block cipher to recover the plain-text. For the last block, only the most significant u bits are used if the last cipher-text block is u bits long.

In either encryption or decryption of the CTR mode, each output block only depends on the specific counter block. As a result, both the encryption and decryption can be performed in parallel for high throughput applications.
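As an added example (not from the original text) covering the CFB, OFB and CTR modes of Sections 2.2.2 to 2.2.4, the Python code below implements all three over a 16-byte block cipher of which only the forward function is needed; a keyed BLAKE2b hash is assumed to stand in for AES encryption. It generalizes the text slightly: the segment size s is a parameter of the CFB routine, and the CTR key stream is computed by a thread pool to make the independence of its counter blocks concrete.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates to the shorter input (last u bits)

def block_encrypt(key, block):
    # Only the forward cipher function is needed in these modes; keyed BLAKE2b stands in for AES (assumption)
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()

def cfb_crypt(key, iv, data, s=8, decrypt=False):
    # s-byte CFB: I_1 = IV, I_j = LSB_(b-s)(I_{j-1}) || C_{j-1}; output segment = MSB_s(E_k(I_j)) XOR input.
    # The cipher-text segment is fed back in both directions, so one routine serves both.
    assert 1 <= s <= BLOCK and len(data) % s == 0
    inp, out = iv, bytearray()
    for j in range(0, len(data), s):
        seg = xor(data[j:j + s], block_encrypt(key, inp)[:s])
        out += seg
        c_prev = data[j:j + s] if decrypt else seg
        inp = inp[s:] + c_prev
    return bytes(out)

def ofb_crypt(key, iv, data):
    # O_1 = E_k(IV), O_j = E_k(O_{j-1}); the chain forces sequential processing in both directions
    o, out = iv, bytearray()
    for j in range(0, len(data), BLOCK):
        o = block_encrypt(key, o)
        out += xor(data[j:j + BLOCK], o)   # a final partial block uses only the leading u bytes
    return bytes(out)

def ctr_crypt(key, nonce, data):
    # O_j = E_k(nonce || j): output blocks are independent, so the key stream is computed in parallel
    def counter_block(j):
        return nonce + j.to_bytes(BLOCK - len(nonce), "big")
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    with ThreadPoolExecutor() as pool:
        stream = list(pool.map(lambda j: block_encrypt(key, counter_block(j)), range(nblocks)))
    return b"".join(xor(data[j * BLOCK:(j + 1) * BLOCK], o) for j, o in enumerate(stream))
```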

2.2.5 Counter with CBC-MAC (CCM) Mode

The CCM mode provides confidentiality and authenticity of data by combining the techniques of CTR mode and CBC mode. The data that CCM protects consist of a message P with bit length Plen and associated data A. Confidentiality is provided for the message P, and authenticity is provided for both the message P and the associated data A. In addition, a nonce N is assigned to each data pair (P, A) to be protected.

The encryption process is shown in Fig. 2.15(a). The inputs to the generation-encryption process are a valid nonce N, a message P of Plen bits, and associated data A. For authenticity, (N, P, A) are used to generate a series of blocks Bi for the CBC operation; the generation of Bi is specified in NIST SP800-38C [48]. B0 is encrypted, and the output block is XORed with B1 for cipher chaining. After all Bi have been incorporated, the most significant Tlen bits of the result are saved as an internal variable. In addition, the nonce N is used to generate a series of counter blocks Ctri. The first counter block, Ctr0, is encrypted and XORed with this internal variable to produce the tag. For confidentiality, the following counter blocks are encrypted and concatenated to form S, whose length equals Plen, the size of the message P. Then S and P are XORed bit-wise to produce the encrypted message.

At last, the encrypted message is concatenated with the tag to generate the output C.

The decryption-verification process is quite similar to the generation-encryption flow, as shown in Fig. 2.15(b). Before the decryption-verification process starts, the length Clen of the received message C is checked. If Clen is less than or equal to Tlen, the received message C is invalid and INVALID is returned without further processing.

Figure 2.15: The data flow of the CCM mode. (a) Encryption. (b) Decryption.

On the other hand, if the nonce N is valid, N is used to generate a series of counter blocks Ctri. These blocks are encrypted by the block cipher to produce the output blocks Si. The plain-text P is recovered by XORing the concatenation of these blocks with the most significant Clen-Tlen bits of the received message. For authenticity, (N, A, P) are used to produce the series of blocks Bi, and these blocks are used to generate the internal variable exactly as in the generation-encryption flow. The internal variable is then compared with LSB_Tlen(C) ⊕ MSB_Tlen(S0). If the two values are equal, the decrypted plain-text P is returned. Otherwise, INVALID is returned, and neither the decrypted P nor the tag should be revealed.
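The decryption-verification flow above, as an added Python example that is not from the original text or from SP800-38C: the Clen-to-Tlen length check, CTR decryption, CBC-MAC recomputation and the LSB_Tlen(C) ⊕ MSB_Tlen(S0) comparison follow the description, but the Bi and Ctri formatting is a simplified assumption (an 11-byte nonce and 2-byte lengths) rather than the NIST encoding, and keyed BLAKE2b stands in for AES.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # CCM uses only the forward cipher function; keyed BLAKE2b stands in for AES-128 (assumption)
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()

def _ctr(n, i):
    return n + i.to_bytes(BLOCK - len(n), "big")      # Ctr_i = nonce || i (simplified formatting)

def _b_blocks(n, a, p, tlen):
    # Simplified B_i formatting, NOT the SP800-38C encoding: B0 = 11-byte nonce || Tlen || Alen || Plen,
    # followed by A and then P, each zero-padded to whole blocks
    b0 = n + bytes([tlen]) + len(a).to_bytes(2, "big") + len(p).to_bytes(2, "big")
    data = b0 + a + bytes(-len(a) % BLOCK) + p + bytes(-len(p) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _cbc_mac(key, blocks):
    y = bytes(BLOCK)
    for b in blocks:
        y = block_encrypt(key, xor(y, b))     # CBC chain from a zero block; only the last output is kept
    return y

def _keystream(key, n, nbytes):
    nblocks = (nbytes + BLOCK - 1) // BLOCK   # S = S_1 || S_2 || ..., truncated to Plen
    return b"".join(block_encrypt(key, _ctr(n, i)) for i in range(1, nblocks + 1))[:nbytes]

def ccm_encrypt(key, n, a, p, tlen=8):
    assert len(n) == 11 and 4 <= tlen <= BLOCK
    t = _cbc_mac(key, _b_blocks(n, a, p, tlen))[:tlen]       # MSB_Tlen of the CBC result
    tag = xor(t, block_encrypt(key, _ctr(n, 0))[:tlen])      # T XOR MSB_Tlen(S_0)
    return xor(p, _keystream(key, n, len(p))) + tag          # C = (P XOR S) || tag

def ccm_decrypt(key, n, a, c, tlen=8):
    # Returns P, or None for INVALID; on failure neither the decrypted P nor the tag is returned
    if len(n) != 11 or len(c) <= tlen:                       # invalid nonce, or Clen not above Tlen
        return None
    body, received = c[:-tlen], c[-tlen:]
    p = xor(body, _keystream(key, n, len(body)))
    t = _cbc_mac(key, _b_blocks(n, a, p, tlen))[:tlen]
    s0 = block_encrypt(key, _ctr(n, 0))[:tlen]
    if not hmac.compare_digest(t, xor(received, s0)):        # T == LSB_Tlen(C) XOR MSB_Tlen(S_0)?
        return None
    return p
```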