5.4.1 Electronic Codebook Mode (ECB)
Electronic codebook mode is the most obvious way to use a block cipher.
Enciphering.
To explain the name, one should think of this mode as being defined by a lookup table orcodebook. Consider, for example, DES, which operates on 64 bit (binary) strings. These describe, for instance, 8 characters in 8-bit ASCII (or in 7-bit ASCII with one parity check bit). For each key K, the codebook contains the ciphertext image of each of these 8 character strings as a lookup table. In order to encipher the message, the electronic codebook is consulted for the ciphertext encoding of each block. Note that the number of such hypothetical codebooks is itself enormous – for DES there are 256 possible keys, each with its own codebook.
We now consider some of the properties and limitations of ECB mode. The categories below are chosen for comparison with the modes of operations which follow.
Properties:
1. Identical plaintext. The same plaintext block always maps to the same ciphertext block.
2. Chaining dependencies. Reordering the plaintext blocks induces a reordering of the same ciphertext blocks.
3. Error propagation. An error in a ciphertext block results in a deciphering error only in the corresponding plaintext block.
Security Remarks:
42 Chapter 5. Block Ciphers
1. Malicious substitution of a ciphertext block Cj results in substitution of message block Mj.
2. BlocksCj do not hide patterns – the same block Mj is enciphered in the same way.
Conclusion. Although commonly used, electronic codebook mode is not recommended for use if t > 1 with the same key. Security can be improved by inclusion of random padding bits in each block.
5.4.2 Cipher Block Chaining Mode (CBC)
Cipher block chaining mode involves a vector bit sum operation of the message block with the previous ciphertext block prior to enciphering. The ciphertext blocks are initialized with a randomly chosen message which may be transmitted openly, i.e. the security of the cryptosystem is based on the secrecy of the key, not on the secrecy of initialization vector.
Enciphering.
Input:
k-bit key K
n-bit initialization vector C0
n-bit plaintext blocks M =M1M2. . . Mt.
1. Identical plaintext. The same sequence of ciphertext blocks result when the same key and the same initialization vector are used.
2. Chaining dependencies. The chaining mechanism causes Cj to depend on Cj−1 and Mj, so enciphering is not independent of reordering.
3. Error propagation. An error in a ciphertext blockCj affects decipherment ofCj and Cj+1. For a reasonable enciphering algorithm, a single bit error affects 50% of the bits in
Modes of Operation 43
the deciphered plaintext block Mj0, while the bit error affects only that bit of Mj+10 . 3. Error recovery. The cryptosystem is said to be self-recovering, in the sense that while an error inCj results in incorrectly deciphered plaintextMj0 and Mj+10 , the ciphertextCj+2 correctly deciphers to Mj+20 =Mj+2.
5.4.3 Cipher Feedback Mode (CFB)
Cipher feedback mode allows one to process blocks of size r < n at a time. The typical value for r is 1, while n may be of size 64, using DES.
Enciphering.
Input:
k-bit key K
n-bit initialization vector I1
r-bit plaintext blocks M =M1M2. . . Mt. Algorithm:
Cj =Mj⊕Lr(EK(Ij)), Ij+1 =Rn−r(Ij)||Cj,
where Lr and Rn−r are the operators which take the left-most r-bits and the right-most n−r-bits, and || is the concatenation operator.
The vector Ij should be thought of as a shift register, a block of n-bits of memory which stores some state of the algorithm. The formation of Ij+1 is a left-shift by r of this block, discarding the left-most r bits, with the right-most r bits replaced by Cj.
Deciphering.
Input:
k-bit key K
n-bit initialization vector I1
r-bit ciphertext blocks C =C1C2. . . Ct. Algorithm:
Compute I1, . . . , It as in the enciphering algorithm, which can be generated independently of the deciphered message text, and then compute
Mj =Cj⊕Lr(EK(Ij)).
Note that CFB deciphering requires only the block cipher EK, not the inverse block deciphering map DK.
Properties:
1. Identical plaintext. The same sequence of ciphertext blocks results when the same key and initialization vector is used. Changing the initialization vector changes the ciphertext.
2. Chaining dependencies. Ciphertext block Cj depends on the previous plaintext
44 Chapter 5. Block Ciphers
blocksMj−1, . . . , M1as well asMj, so the ciphertext blocks are not reordering independent.
3. Error propagation. An error inCj affects the decipherment of the next [n/r] plaintext blocks. The recovered plaintextMj0 will differ fromMj at exactly the bits for whichCj was in error. These bit errors will appear in subsequent blocks Mj+k0 at translated positions.
4. Error recovery. Proper deciphering requires the shift register to be correct, for which the previous [n/r] ciphertext blocks are required. The decipherment is self-recovering from errors, but only after [n/r] blocks (approximately the same n-bits of the ciphertext block in error).
5. Throughput. The rate of enciphering and deciphering is reduced by a factor of n/r, that is, for every r bits of output the algorithm must carry out one n-bit enciphering operation.
5.4.4 Output Feedback Mode (OFB)
Output feedback mode has a similar use as cipher feedback mode, but is relevant to appli-cations for which error propagation must be avoided. Output feedback mode is an example of asynchronous stream cipher (constructed from a block cipher), in which the keystream is created independently of the plaintext stream.
Enciphering.
Input:
k-bit key K
n-bit initialization vector I0
r-bit plaintext blocks M =M1M2. . . Mt.
n-bit initialization vector I0
r-bit ciphertext blocks C =C1C2. . . Ct. Algorithm:
Compute I1, . . . , It as in the enciphering algorithm.
Mj =Cj ⊕Lr(Ij) Properties:
1. Identical plaintext. The same comments for CBC and CFB apply.
2. Chaining dependencies. The ciphertext output is order dependent, but the keystream I1, I2, . . . is plaintext independent.
Modes of Operation 45
3. Error propagation. An error in a ciphertext bit affects only that bit of the plaintext.
4. Error recovery. The cipher is self-synchronizing, and bit errors in a ciphertext block affect only that bit of the recovered plaintext. It recovers immediately from bit errors, but bit losses affect alignment.
5. Throughput. As with CFB, the rate of enciphering and deciphering is reduced by a factor of n/r, however the vectors Ij can be precomputed from K and I0, independently of the ciphertext blocks.
Exercises
We summarise the modes of operation covered in this chapter.
Electronic Codebook Mode. For a fixed key K, the output ciphertext is given by Cj =EK(Mj) with output C1C2. . ..
Ciphertext Block Chaining Mode. For input keyK, and initialization vectorIV =C0, the output ciphertext is given by Cj =EK(Cj−1⊕Mj), with output C0C1C2. . ..
Ciphertext Feedback Mode. Given plaintext M1M2. . . in r-bit blocks, a key K, an n-bit cipher EK, and ann-bit initialization vector IV =I1, the ciphertext is computed as:
Cj =Mj ⊕Lr(EK(Ij)) Ij+1 =Rn−r(Ij)||Cj
whereRn−rand Lr are the operators which take the right-mostn−rbits and the left-most r bits, respectively, and ||is concatenation.
Output Feedback Mode. Given plaintext M1M2. . . in r-bit blocks, a key K, an n-bit cipher EK, and an n-bit initialization vector IV =I0, the ciphertext is computed as:
Ij =EK(Ij−1) Cj =Mj ⊕Lr(Ij), where Lr is the operator which takes the left-most r bits.
Exercise 5.1 What mode of operation has been used in the assignment and in class up to this point, and why? What are the security disadvantages of this mode of operation?
Exercise 5.2 Let EK be the 4-bit cipher defined by:
EK(M) = (K ⊕M)
46 Chapter 5. Block Ciphers
where X =K⊕M = (X1, X2, X3, X4). Encipher the message M given by 11010110111001110010010001001000,
using the key K = 1011, in (i) ECB mode, in (ii) CBC mode with initialization vector 1001, and in (iii) CFB mode with initialization vector 1001 and r= 1.
Exercise 5.3 How many steps are required for error recovery from a ciphertext transmis-sion error in ECB and CBC modes?
Exercise 5.4 If n = 64 and r = 8, how many steps in CFB mode does it take to recover from an error in a ciphertext block? What about in OFB mode?
Modes of Operation 47
48
CHAPTER
SIX
Stream Ciphers
A stream cipher enciphers individual characters, usually bits, of a plaintext message one at a time, with a cipher that varies with time. Block ciphers arememoryless, in the sense that the same function is used to encipher successive blocks. Stream ciphers, in contrast, must have memory. As such they are state functions because the current state Si of the function is recorded in a memory buffer. We saw how various modes of operation (CFB, OFB) turn a memoryless block cipher into a state function by feedback buffer. Akeystream is a sequence of characters generated from the key and the current state, as input to the stream cipher.
6.1 Types of Stream Ciphers
In a synchronous stream ciphers the keystream is generated independently of the plaintext message (or ciphertext). Given a key K, if the initial state is designated S0, then, for each cycle i = 0,1,2, . . ., the following equations describe the generation of the keystream, ciphertext, and next state:
Key stream function: ki = gK(Si) Output function: ci = h(ki, mi) Next state function: Si+1 = fK(Si)
An additive binary stream cipher is defined to be a synchronous stream cipher in which h=XOR.
A self-synchronizingor asynchronousstream cipher is a stream cipher in which the keystream is a function of the key and a fixed number of previous ciphertext characters.
Given a key K and initial state S0 = (c−t, . . . , c−1), the keystream and ciphertext are generated for each cycle i= 0,1,2, . . . as for a synchronous stream cipher:
Key stream function: ki =gK(Si) Output function: ci =h(ki, mi) with the next state set to Si+1 = (ci+1−t, . . . , ci).
49