[3][4][5] Most modes require a unique binary sequence, often called an initialization vector (IV), for each encryption operation.
The initialization vector is used to ensure that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key.
Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification.
The block cipher modes ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality, but they do not protect against accidental modification or malicious tampering.
Modification or tampering can be detected with a separate message authentication code such as CBC-MAC, or a digital signature.
The cryptographic community recognized the need for dedicated integrity assurances and NIST responded with HMAC, CMAC, and GMAC.
Standards bodies therefore began to supply modes that combine confidentiality and data integrity in a single cryptographic primitive (an authenticated encryption algorithm).
Notable standards organizations include NIST, ISO (with ISO/IEC 10116[5]), the IEC, the IEEE, ANSI, and the IETF.
For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a cryptographic nonce.
Some block ciphers have particular problems with certain initialization vectors, such as an all-zero IV resulting in no encryption at all (for some keys).
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
Some modes (such as AES-SIV and AES-GCM-SIV) are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive.
The ciphertext blocks are considered coefficients of a polynomial which is then evaluated at a key-dependent point H, using finite field arithmetic.
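The polynomial evaluation described above, as an added example that is not code from the original article. gf128_mul follows Algorithm 1 of NIST SP 800-38D (the GCM multiplication, with the block treated as a big-endian integer and GCM's left-to-right bit numbering), ghash is the Horner form the specification uses, and ghash_as_polynomial recomputes the same value term by term so the two views can be compared. The H and C values are those of Test Case 2 of the GCM specification (zero key, zero IV, one all-zero plaintext block), and GHASH_TC2 is the GHASH value published with that test case; everything else is constructed for the demonstration.

```python
R = 0xE1 << 120   # GCM reduction constant for x^128 + x^7 + x^2 + x + 1, in GCM's bit order
ONE = 1 << 127    # the field element "1": GCM numbers bits from the left, so bit 0 is the MSB


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements (Algorithm 1 of NIST SP 800-38D).
    Blocks are big-endian 128-bit ints, so the spec's bit i of x is (x >> (127 - i)) & 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, blocks: list) -> bytes:
    """GHASH as specified: Y_i = (Y_{i-1} XOR X_i) * H. This is Horner's rule for the
    polynomial X_1*H^m + X_2*H^(m-1) + ... + X_m*H evaluated at the key-dependent point H."""
    hh, y = int.from_bytes(h, "big"), 0
    for blk in blocks:
        y = gf128_mul(y ^ int.from_bytes(blk, "big"), hh)
    return y.to_bytes(16, "big")


def ghash_as_polynomial(h: bytes, blocks: list) -> bytes:
    """The same value computed term by term: XOR over i of X_i * H^(m+1-i)."""
    hh, m, acc = int.from_bytes(h, "big"), len(blocks), 0
    for i, blk in enumerate(blocks, start=1):
        term = int.from_bytes(blk, "big")
        for _ in range(m + 1 - i):
            term = gf128_mul(term, hh)
        acc ^= term
    return acc.to_bytes(16, "big")


def length_block(aad_len: int, ct_len: int) -> bytes:
    """Last GHASH input block: [len(A)]_64 || [len(C)]_64, both lengths in bits."""
    return (aad_len * 8).to_bytes(8, "big") + (ct_len * 8).to_bytes(8, "big")


# GCM specification Test Case 2 (zero key, zero IV, one all-zero plaintext block):
# H = AES_K(0^128), C = the single ciphertext block, GHASH_TC2 = published GHASH(H, A={}, C).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")


def ghash_tc2() -> bytes:
    """GHASH over the ciphertext block followed by the length block, as the tag computation uses it."""
    return ghash(H_TC2, [C_TC2, length_block(0, len(C_TC2))])


if __name__ == "__main__":
    print("GHASH(H, C):", ghash_tc2().hex())
    print("matches published vector:", ghash_tc2() == GHASH_TC2)
```

The polynomial view is not just a curiosity: GHASH is linear in its inputs for a fixed H, which is why a repeated nonce in GCM, which exposes two tags computed under the same H and the same masking value, lets an attacker solve for H and then forge tags for arbitrary ciphertexts. That is the failure the nonce-misuse-resistant modes below are designed to avoid.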
[14][15] Synthetic initialization vector (SIV) is a nonce-misuse resistant block cipher mode.
AES-GCM-SIV is an improvement over the very similarly named algorithm GCM-SIV, with a few very small changes (e.g. how AES-CTR is initialized), but which yields practical benefits to its security: "This addition allows for encrypting up to 2^50 messages with the same key, compared to the significant limitation of only 2^32 messages that were allowed with GCM-SIV."
The purpose of cipher modes is to mask patterns which exist in encrypted data, as illustrated in the description of the weakness of ECB.
ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way.
Ehrsam, Meyer, Smith and Tuchman invented the cipher block chaining (CBC) mode of operation in 1976.
Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size.
Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.
Explicit initialization vectors[24] take advantage of this property by prepending a single random block to the plaintext.
Unlike CBC, decrypting PCBC with the incorrect IV (initialization vector) causes all blocks of plaintext to be corrupt.
CFB, OFB and CTR share two advantages over CBC mode: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though ciphertext stealing can also be used for CBC mode to make padding unnecessary).
A mathematical model proposed by Davies and Parkin and substantiated by experimental results showed that only with full feedback can an average cycle length close to the obtainable maximum be achieved.
[30] However, today CTR mode is widely accepted, and any problems are considered a weakness of the underlying block cipher, which is expected to be secure regardless of systemic bias in its input.
However, if the offset/location information is corrupt, it will be impossible to partially recover such data due to the dependence on byte offset.
However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected.
Reusing an IV with the same key in CTR, GCM or OFB mode results in XORing the same keystream with two or more plaintexts, a classic misuse of a stream cipher: XORing the two ciphertexts together cancels the keystream and leaves the XOR of the two plaintexts, so knowledge of one plaintext reveals the other, a catastrophic loss of security.
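The three IV properties discussed on this page, CBC leaking a shared plaintext prefix when an IV is reused, CBC's error propagation (a one-bit change in the plaintext alters every following ciphertext block, while a one-bit change in the ciphertext alters only two plaintext blocks on decryption), and keystream reuse in CTR, are shown together below as an added example; this is not code from the original article. To run with only the Python standard library it uses a hypothetical HMAC-SHA256-based Feistel network, toy_encrypt_block, as a stand-in for AES; the cipher, key, IV and the two messages are all constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as in AES

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one (handles a final partial block)."""
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of (round index, half block), cut to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Hypothetical toy block cipher standing in for AES (NOT secure): 8-round Feistel network."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: the same rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7 padding: CBC only processes whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV; inherently sequential."""
    out, prev = [], iv
    for p in blocks(plaintext):
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC: P_i = D_K(C_i) XOR C_{i-1}; each plaintext block depends on just two ciphertext blocks."""
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block j = E_K(nonce || j), XORed into the data. One call encrypts and decrypts."""
    out = []
    for j, d in enumerate(blocks(data)):
        out.append(xor(d, toy_encrypt_block(key, nonce + j.to_bytes(8, "big"))))
    return b"".join(out)

def changed_blocks(a: bytes, b: bytes) -> list:
    """Indices of the blocks in which a and b differ."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Leading blocks that are identical: exactly what CBC leaks under IV reuse about a common prefix."""
    changed = changed_blocks(c1, c2)
    return changed[0] if changed else min(len(c1), len(c2)) // BLOCK

def cbc_bit_flip(key: bytes, iv: bytes, msg: bytes, bit: int, in_ciphertext: bool) -> list:
    """Flip one bit and report which output blocks change. A plaintext flip changes that ciphertext
    block and all later ones; a ciphertext flip changes only that plaintext block and the next."""
    p = pad(msg)
    c = cbc_encrypt(key, iv, p)
    target = bytearray(c if in_ciphertext else p)
    target[bit // 8] ^= 1 << (bit % 8)
    if in_ciphertext:
        return changed_blocks(p, cbc_decrypt(key, iv, bytes(target)))
    return changed_blocks(c, cbc_encrypt(key, iv, bytes(target)))

def recover_from_keystream_reuse(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Attacker's side of a CTR/OFB/GCM nonce reuse: c_known XOR p_known is the keystream, and
    keystream XOR c_target is the target plaintext. The key never enters the calculation."""
    return xor(xor(c_known, p_known), c_target)

# Constructed sample inputs (not taken from the original page).
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(range(16))
M1 = b"account=alice;amount=0000100;memo=lunch with the team"  # 53 bytes, 4 padded blocks
M2 = b"account=alice;amount=0005000;memo=rent"                 # 38 bytes, 3 padded blocks

if __name__ == "__main__":
    c1, c2 = cbc_encrypt(KEY, IV, pad(M1)), cbc_encrypt(KEY, IV, pad(M2))
    print("CBC, IV reused: identical leading blocks =", shared_prefix_blocks(c1, c2))
    print("CBC, fresh IV: identical leading blocks =", shared_prefix_blocks(c1, cbc_encrypt(KEY, bytes(16), pad(M2))))
    print("CBC plaintext bit 130 flipped -> ciphertext blocks changed:", cbc_bit_flip(KEY, IV, M1, 130, False))
    print("CBC ciphertext bit 130 flipped -> plaintext blocks changed:", cbc_bit_flip(KEY, IV, M1, 130, True))
    k1, k2 = ctr_crypt(KEY, bytes(8), M1), ctr_crypt(KEY, bytes(8), M2)
    print("CTR nonce reused, M2 recovered without the key:", recover_from_keystream_reuse(k1, M1, k2))
```

Nothing here depends on the toy cipher: substituting AES for toy_encrypt_block gives the same block counts and the same recovered plaintext, because the leaks come from the mode, not from the cipher. Note also that the CTR recovery function takes no key at all; that is the point of the "catastrophic" label above, and it applies equally to OFB and to the CTR component of GCM.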
Deterministic authenticated encryption modes such as the NIST Key Wrap algorithm and the SIV (RFC 5297) AEAD mode do not require an IV as an input, and return the same ciphertext and authentication tag every time for a given plaintext and key.