
8.1: A Tour of Common Modes


    As usual, blen will denote the blocklength of a block cipher \(F\). In our diagrams, we’ll write \(F_{k}\) as shorthand for \(F(k, \cdot)\). When \(m\) is the plaintext, we will write \(m=m_{1}\left\|m_{2}\right\| \cdots \| m_{\ell}\), where each \(m_{i}\) is a single block (so \(\ell\) is the length of the plaintext measured in blocks). For now, we will assume that \(m\) is an exact multiple of the block length.

    ECB: Electronic Codebook (NEVER NEVER USE THIS! NEVER!!)

    The most obvious way to use a block cipher to encrypt a long message is to just apply the block cipher independently to each block. The only reason to know about this mode is to know never to use it (and to publicly shame anyone who does). It can’t be said enough times: never use ECB mode! It does not provide security of encryption; can you see why?

    Construction 8.1 (ECB Mode)
    (Figure: diagram of Construction 8.1, ECB mode; the diagram is not reproduced in this text.)

    CBC: Cipher Block Chaining

    CBC (which stands for cipher block chaining) is the most common mode in practice. The CBC encryption of an \(\ell\)-block plaintext is \(\ell+1\) blocks long. The first ciphertext block is called an initialization vector (IV). Here we have described CBC mode as a randomized encryption, with the IV of each ciphertext being chosen uniformly. As you know, randomization is necessary (but not sufficient) for achieving CPA security, and indeed CBC mode provides CPA security.

    Construction 8.2 (CBC Mode)
    (Figure: diagram of Construction 8.2, CBC mode; the diagram is not reproduced in this text.)

    CTR: Counter

    The next most common mode in practice is counter mode (usually abbreviated as CTR mode). Just like CBC mode, it involves an additional IV block \(r\) that is chosen uniformly. The idea is to then use the sequence \[F(k, r) ; \quad F(k, r+1) ; \quad F(k, r+2) ; \quad \cdots\] as a long one-time pad to mask the plaintext. Since \(r\) is a block of bits, the addition expressions like \(r+1\) refer to addition modulo \(2^{\mathrm{blen}}\) (this is the typical behavior of unsigned addition in a processor).

    Construction 8.3 (CTR Mode)
    (Figure: diagram of Construction 8.3, CTR mode; the diagram is not reproduced in this text.)

    OFB: Output Feedback

    OFB (output feedback) mode is rarely used in practice. We’ll include it in our discussion because it has the easiest security proof. As with CBC and CTR modes, OFB starts with a random IV \(r\), and then uses the sequence: \[F(k, r) ; \quad F(k, F(k, r)) ; \quad F(k, F(k, F(k, r))) ; \quad \cdots\] as a one-time pad to mask the plaintext.

    Construction 8.4 (OFB Mode)
    (Figure: diagram of Construction 8.4, OFB mode; the diagram is not reproduced in this text.)
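    The four constructions above, written out as an added example (this is not code from the textbook). Each mode is written over an abstract block cipher \(F(k, \cdot)\) with blen = 128 bits (16 bytes). A deployment would use a real block cipher such as AES; so that the file runs offline, the stand-in cipher F below is a small 4-round Feistel network whose round function is SHA-256, which is an assumption of this example and not a cipher anyone should deploy. It exists only so that both F and its inverse F_inv are available. ECB and CBC decryption need F_inv; CTR and OFB never call it.

```python
# Added example, not code from the textbook: the four modes of Section 8.1
# written over a block cipher F(k, x) with blen = 128 bits (16 bytes).
# A deployment would use a real block cipher such as AES; to keep this file
# self-contained, the cipher F below is a toy 4-round Feistel network whose
# round function is SHA-256. It is only a stand-in so that F and F_inv exist.
import hashlib
import os

BLEN = 16  # block length in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256(k || i || half), truncated to half a block.
    return hashlib.sha256(k + bytes([i]) + half).digest()[:BLEN // 2]

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in block cipher (a PRP): 4 Feistel rounds on a 16-byte block."""
    L, R = x[:BLEN // 2], x[BLEN // 2:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R

def F_inv(k: bytes, y: bytes) -> bytes:
    """Inverse of F: run the rounds backwards (needed only by ECB and CBC)."""
    L, R = y[:BLEN // 2], y[BLEN // 2:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R

def blocks(m: bytes) -> list:
    """Split m into m_1 || ... || m_l; this section assumes whole blocks."""
    assert len(m) % BLEN == 0, "plaintext must be a multiple of the block length"
    return [m[i:i + BLEN] for i in range(0, len(m), BLEN)]

def _iv(iv):
    # A fresh uniform IV unless one is supplied (supplying one is for tests only).
    return iv if iv is not None else os.urandom(BLEN)

# Construction 8.1: ECB applies F to each block independently, so equal
# plaintext blocks give equal ciphertext blocks. That is why it is never used.
def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(F(k, mi) for mi in blocks(m))

def ecb_dec(k: bytes, c: bytes) -> bytes:
    return b"".join(F_inv(k, ci) for ci in blocks(c))

# Construction 8.2: CBC, c_0 = IV and c_i = F(k, m_i XOR c_{i-1}); l+1 blocks out.
def cbc_enc(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    out = [_iv(iv)]
    for mi in blocks(m):
        out.append(F(k, xor(mi, out[-1])))
    return b"".join(out)

def cbc_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    return b"".join(xor(F_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

# Construction 8.3: CTR, pad block i is F(k, r + i) with addition mod 2^blen.
def add_mod(r: bytes, i: int) -> bytes:
    return ((int.from_bytes(r, "big") + i) % (1 << (8 * BLEN))).to_bytes(BLEN, "big")

def ctr_enc(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    r = _iv(iv)
    return r + b"".join(xor(mi, F(k, add_mod(r, i))) for i, mi in enumerate(blocks(m)))

def ctr_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    return b"".join(xor(cs[i], F(k, add_mod(cs[0], i - 1))) for i in range(1, len(cs)))

# Construction 8.4: OFB, pad block i is F applied i times to r.
def ofb_enc(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    pad = _iv(iv)
    out = [pad]
    for mi in blocks(m):
        pad = F(k, pad)
        out.append(xor(mi, pad))
    return b"".join(out)

def ofb_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    out, pad = [], cs[0]
    for ci in cs[1:]:
        pad = F(k, pad)
        out.append(xor(ci, pad))
    return b"".join(out)
```

    Encrypting a plaintext made of two identical blocks with ecb_enc gives two identical ciphertext blocks, which is the answer to "can you see why?" above: the pattern of repeated blocks in the plaintext is visible in the ciphertext. The three randomized modes each prepend the IV as \(c_0\), so their ciphertexts are one block longer than the plaintext and two encryptions of the same message differ.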

    Compare & Contrast

    CBC and CTR modes are essentially the only two modes that are ever considered in practice for CPA security. Both provide the same security guarantees, and so any comparison between the two must be based on factors outside of the CPA security definition. Here are a few properties that are often considered when choosing between these modes:

    • Although we have not shown the decryption algorithm for CTR mode, it does not even use the block cipher’s inverse \(F^{-1}\). This is similar to our PRF-based encryption scheme from the previous chapter (in fact, CTR mode collapses to that construction when restricted to 1-block plaintexts). Strictly speaking, this means CTR mode can be instantiated from a PRF; it doesn’t need a PRP. However, in practice it is rare to encounter an efficient PRF that is not a PRP.
    • CTR mode encryption can be parallelized. Once the IV has been chosen, the \(i\)th block of ciphertext can be computed without first computing the previous \(i-1\) blocks. CBC mode does not have this property, as it is inherently sequential. Both modes have a parallelizable decryption algorithm, though.
    • If calls to the block cipher are expensive, it might be desirable to pre-compute and store them before the plaintext is known. CTR mode allows this, since only the IV affects the input given to the block cipher. In CBC mode, the plaintext influences the inputs to the block cipher, so these calls cannot be pre-computed before the plaintext is known.
    • It is relatively easy to modify CTR to support plaintexts that are not an exact multiple of the blocklength. (This is left as an exercise.) We will see a way to make CBC mode support such plaintexts as well, but it is far from trivial.
    • So far all of the comparisons have favored CTR mode, so here is one important property that favors CBC mode. It is common for implementers to misunderstand the security implications of the IV in these modes. Many careless implementations allow an IV to be reused. Technically speaking, reusing an IV (other than by accident, as the birthday bound allows) means that the scheme was not implemented correctly. But rather than dumping the blame on the developer, it is good design practice to anticipate likely misuses of a system and, when possible, try to make them non-catastrophic.

      The effects of IV-reuse in CTR mode are quite devastating to message privacy (see the exercises). In CBC mode, reusing an IV can actually be safe, if the two plaintexts have different first blocks!
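    The first four properties in the comparison above, shown in an added example that is not the textbook's code: CTR mode instantiated from a PRF rather than a PRP, with its keystream computed in parallel and ahead of the plaintext, and with plaintexts of any byte length. The PRF here is HMAC-SHA256 truncated to one block, a stand-in chosen only so that the example runs offline; it has no inverse at all, which is exactly what CTR mode never needs. The function and parameter names (prf, keystream, precompute, encrypt_with_precomputed) are this example's own.

```python
# Added example, not the textbook's code: CTR mode built from a PRF (no inverse
# needed), illustrating the properties compared in the text. The PRF is a
# stand-in, HMAC-SHA256 truncated to one block, chosen so this runs offline.
import hashlib
import hmac
import os
from concurrent.futures import ThreadPoolExecutor

BLEN = 16  # block length in bytes

def prf(k: bytes, x: bytes) -> bytes:
    # A PRF, not a PRP: there is no prf_inv, and CTR mode never asks for one.
    return hmac.new(k, x, hashlib.sha256).digest()[:BLEN]

def counter_block(r: bytes, i: int) -> bytes:
    # r + i modulo 2^blen, the same unsigned wrap-around as a machine register.
    return ((int.from_bytes(r, "big") + i) % (1 << (8 * BLEN))).to_bytes(BLEN, "big")

def keystream(k: bytes, r: bytes, nblocks: int) -> bytes:
    # Pad block i depends only on (k, r, i): the blocks can be computed in any
    # order, in parallel, and before any plaintext exists.
    def block(i):
        return prf(k, counter_block(r, i))
    with ThreadPoolExecutor() as pool:
        return b"".join(pool.map(block, range(nblocks)))

def _nblocks(nbytes: int) -> int:
    return -(-nbytes // BLEN)  # ceiling division: the last block may be partial

def ctr_encrypt(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    # Any plaintext length: truncate the pad to len(m) instead of padding m.
    r = iv if iv is not None else os.urandom(BLEN)  # fresh uniform IV per call
    pad = keystream(k, r, _nblocks(len(m)))[:len(m)]
    return r + bytes(a ^ b for a, b in zip(m, pad))

def ctr_decrypt(k: bytes, c: bytes) -> bytes:
    # Decryption regenerates the same pad and XORs again; prf is never inverted.
    r, body = c[:BLEN], c[BLEN:]
    pad = keystream(k, r, _nblocks(len(body)))[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad))

def precompute(k: bytes, r: bytes, max_bytes: int):
    # All block-cipher work for a future message of at most max_bytes, done
    # before that message is known. CBC cannot do this: its cipher inputs
    # depend on the plaintext.
    return r, keystream(k, r, _nblocks(max_bytes))

def encrypt_with_precomputed(pre, m: bytes) -> bytes:
    r, pad = pre
    assert len(m) <= len(pad), "message longer than the precomputed pad"
    return r + bytes(a ^ b for a, b in zip(m, pad[:len(m)]))
```

    The iv parameter of ctr_encrypt exists only so that tests can check determinism; in use the IV must be drawn fresh for every message, and a precomputed (r, pad) pair from precompute must be consumed by exactly one message and then discarded, since using it twice is precisely the IV reuse that the last bullet above calls devastating for CTR mode.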


    This page titled 8.1: A Tour of Common Modes is shared under a CC BY-NC-SA 4.0 license and was authored, remixed, and/or curated by Mike Rosulek (Open Oregon State) via source content that was edited to the style and standards of the LibreTexts platform; a detailed edit history is available upon request.