Modes of Operation

Topics

Electronic Codebook
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter Mode
Galois Counter Mode

ECB (Electronic Codebook)

ECB is the simplest and most straightforward mode of block cipher operation. It divides the plaintext into blocks and encrypts each block independently using the same key. However, it reveals patterns in the plaintext because identical plaintext blocks produce identical ciphertext blocks.

Encryption: C_i = E(K, P_i)
Decryption: P_i = D(K, C_i)
Error propagation: Errors affect only corresponding block in plaintext.
Security: ✘ Not IND-CPA secure — deterministic and reveals patterns.
Padding required? ✓ (block-aligned input needed)
Randomized? ✘ (no IV or nonce used)
Parallel encryption/decryption? ✓
Use case? Rarely used — only when plaintext structure is non-repeating and predictable, or data is very short.

Encryption

plaintext ──► [ Encrypt with K ] ──► ciphertext
      P₁     ──►    E(K,·)      ──►     C₁
      P₂     ──►    E(K,·)      ──►     C₂
      P₃     ──►    E(K,·)      ──►     C₃

Decryption

ciphertext ──► [ Decrypt with K ] ──► plaintext
      C₁     ──►    D(K,·)      ──►     P₁
      C₂     ──►    D(K,·)      ──►     P₂
      C₃     ──►    D(K,·)      ──►     P₃

CBC (Cipher Block Chaining)

CBC improves on ECB by introducing chaining between blocks. Each plaintext block is XORed with the previous ciphertext block before encryption. This hides patterns in plaintext, achieving IND-CPA security. A random IV is used for the first block.

Encryption: C_i = E(K, P_i ⊕ C_i−1), C₀ = IV
Decryption: P_i = D(K, C_i) ⊕ C_i−1
Error propagation: Affects current and next block
Security: ✓ IND-CPA secure
Padding required? ✓
Randomized? ✓
Parallelizable? ✘ encryption, ✓ decryption

Encryption

       IV
        │
P₁ ──⊕──┘
      │
    [E]──► C₁
            │
P₂ ──⊕◄──────┘
      │
    [E]──► C₂
            │
P₃ ──⊕◄──────┘
      │
    [E]──► C₃

Decryption

       IV
        │
    [D]◄── C₁
      │
P₁ ◄─⊕──┘
            │
    [D]◄───── C₂
      │
P₂ ◄─⊕──┘
            │
    [D]◄───── C₃
      │
P₃ ◄─⊕──┘

CFB (Cipher Feedback)

CFB mode turns a block cipher into a self-synchronizing stream cipher. The encryption of the previous ciphertext block (or IV) is XORed with the current plaintext block to produce the ciphertext. Only encryption function is used.

Encryption: C_i = E(K, C_i−1) ⊕ P_i, with C₀ = IV
Decryption: P_i = E(K, C_i−1) ⊕ C_i
Error propagation: A 1-bit error in C_i causes 1-bit error in P_i and corrupts all bits of P_i+1
Security: ✓ IND-CPA secure
Padding required? ✘
Randomized? ✓ (IV)
Parallelizable? ✘ encryption, ✓ decryption

Encryption

       IV
        │
    [E]──►
        │
P₁ ──⊕──┘──► C₁
            │
        [E]◄──
            │
P₂ ──⊕───────┘──► C₂
                │
            [E]◄──
                │
P₃ ──⊕───────────┘──► C₃

Decryption

       IV
        │
    [E]──►
        │
C₁ ──⊕──┘──► P₁
            │
        [E]◄──
            │
C₂ ──⊕───────┘──► P₂
                │
            [E]◄──
                │
C₃ ──⊕───────────┘──► P₃

OFB (Output Feedback)

OFB mode transforms a block cipher into a synchronous stream cipher. It repeatedly encrypts an internal state (starting from IV), and XORs it with the plaintext. It avoids ciphertext feedback and ensures that transmission errors do not propagate.

Keystream: O_i = E(K, O_i−1), with O₀ = IV
Encryption: C_i = P_i ⊕ O_i
Decryption: P_i = C_i ⊕ O_i
Error propagation: A 1-bit error in C_i affects only 1-bit in P_i
Security: ✓ IND-CPA secure
Padding required? ✘
Randomized? ✓ (IV)
Parallelizable? ✘ encryption and decryption (but keystream can be precomputed)

Encryption

       IV
        │
    [E]──► O₁
            │
P₁ ──⊕───────┘──► C₁

        │
    [E]──► O₂
            │
P₂ ──⊕───────┘──► C₂

        │
    [E]──► O₃
            │
P₃ ──⊕───────┘──► C₃

Decryption

       IV
        │
    [E]──► O₁
            │
C₁ ──⊕───────┘──► P₁

        │
    [E]──► O₂
            │
C₂ ──⊕───────┘──► P₂

        │
    [E]──► O₃
            │
C₃ ──⊕───────┘──► P₃

CTR (Counter Mode)

CTR mode converts a block cipher into a fully parallelizable stream cipher. It generates keystream blocks by encrypting successive values of a counter combined with a nonce. The keystream is XORed with plaintext to encrypt and with ciphertext to decrypt.

Keystream: O_i = E(K, N ∥ i), where N is a nonce and i is the block index
Encryption: C_i = P_i ⊕ O_i
Decryption: P_i = C_i ⊕ O_i
Error propagation: 1-bit error in C_i only affects 1-bit in P_i
Security: ✓ IND-CPA secure
Padding required? ✘
Randomized? ✓ (unique nonce required)
Parallelizable? ✓ encryption and decryption

Encryption

Nonce∥0 ──► [E]──► O₀ ──⊕──► C₀
                   ▲
                 P₀

Nonce∥1 ──► [E]──► O₁ ──⊕──► C₁
                   ▲
                 P₁

Nonce∥2 ──► [E]──► O₂ ──⊕──► C₂
                   ▲
                 P₂

Decryption

Nonce∥0 ──► [E]──► O₀ ──⊕──► P₀
                   ▲
                 C₀

Nonce∥1 ──► [E]──► O₁ ──⊕──► P₁
                   ▲
                 C₁

Nonce∥2 ──► [E]──► O₂ ──⊕──► P₂
                   ▲
                 C₂

GCM (Galois/Counter Mode)

GCM provides authenticated encryption by combining CTR-mode encryption with a GHASH-based authentication tag. It ensures both confidentiality and integrity of the data, making it suitable for modern protocols like TLS.

Encryption: C_i = P_i ⊕ E(K, N∥i)
Authentication: Tag = GHASH(C, AAD, len(C), len(AAD))
Error propagation: 1-bit error in ciphertext only affects corresponding plaintext bit.
Security: IND-CCA secure (confidentiality + integrity)
Padding required? ✘ (stream-style operation)
Randomized? ✓ (nonce required)
Parallel encryption/decryption? ✓
Precomputation? ✓ for keystream, ✓ for GHASH key

Authentication Process

Additional Authenticated Data (AAD) is optional and is not encrypted, but included in tag generation.
Tag is sent with ciphertext. Receiver re-computes tag using AAD, C, and nonce.
If tags match, ciphertext is considered authentic. If not, decryption is rejected entirely.

           Nonce
             │
Counter₀ ───► [E]──► O₀ ──⊕──► C₀
Counter₁ ───► [E]──► O₁ ──⊕──► C₁
Counter₂ ───► [E]──► O₂ ──⊕──► C₂
             ...
      C₀,C₁,C₂,...,AAD
             │
          GHASH
             │
            Tag (Authentication)