Block cipher mode of operation
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
Most modes require a unique binary sequence, often called an initialization vector, for each encryption operation. The IV must be non-repeating, and for some modes must also be random. The initialization vector is used to ensure that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key. Block ciphers may be capable of operating on more than one block size, but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the final data fragment be padded to a full block if it is smaller than the current block size. There are, however, modes that do not require padding because they effectively use a block cipher as a stream cipher.
Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal. Some modern modes of operation combine confidentiality and authenticity in an efficient way, and are known as authenticated encryption modes.
History and standardization
The earliest modes of operation, ECB, CBC, OFB, and CFB, date back to 1981 and were specified in , DES Modes of Operation. In 2001, the US National Institute of Standards and Technology revised its list of approved modes of operation by including AES as a block cipher and adding CTR mode in , Recommendation for Block Cipher Modes of Operation. Finally, in January 2010, NIST added XTS-AES in , Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. Other confidentiality modes exist which have not been approved by NIST. For example, CTS (ciphertext stealing) mode is available in many popular cryptographic libraries.
The block cipher modes ECB, CBC, OFB, CFB, CTR, and XTS provide confidentiality, but they do not protect against accidental modification or malicious tampering. Modification or tampering can be detected with a separate message authentication code such as CBC-MAC, or with a digital signature. The cryptographic community recognized the need for dedicated integrity assurances, and NIST responded with HMAC, CMAC, and GMAC. HMAC was approved in 2002 as , The Keyed-Hash Message Authentication Code; CMAC was released in 2005 under , Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication; and GMAC was formalized in 2007 under , Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode and GMAC.
The cryptographic community observed that composing a confidentiality mode with an authenticity mode could be difficult and error prone. They therefore began to supply modes which combine confidentiality and data integrity in a single cryptographic primitive. These combined modes are referred to as authenticated encryption, AE, or "authenc". Examples of AE modes are CCM, GCM, CWC, EAX, IAPM, and OCB.
Modes of operation are defined by a number of national and internationally recognized standards bodies. Notable standards organizations include NIST, ISO, the IEC, the IEEE, ANSI, and the IETF.
Initialization vector (IV)
An initialization vector or starting variable is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
An initialization vector has different security requirements than a key, so the IV usually does not need to be secret. For most block cipher modes it is important that an initialization vector is never reused under the same key, i.e. it must be a cryptographic nonce. Many block cipher modes have stronger requirements, such as requiring the IV to be random or pseudorandom. Some block ciphers have particular problems with certain initialization vectors, such as an all-zero IV resulting in no encryption at all.
It is recommended to review the IV requirements for the particular block cipher mode in the relevant specification, for example .
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
For OFB and CTR, reusing an IV causes keystream reuse, which completely breaks security. This follows because both modes effectively generate a keystream that is XORed with the plaintext, and that keystream depends only on the key and the IV.
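The two leaks described above, demonstrated with an added example (not part of the article) on top of Go's standard-library AES: under a reused IV, CBC ciphertexts expose how many leading plaintext blocks two messages share, and CTR ciphertexts XOR to the XOR of the plaintexts because the identical keystream cancels. Keys and IVs used with it are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// cbcEncrypt encrypts whole 16-byte blocks with AES-CBC (padding is out of scope here).
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(ct, pt)
	return ct
}

// ctrEncrypt encrypts with AES-CTR; the IV is the initial counter block.
func ctrEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(ct, pt)
	return ct
}

// CommonPrefixBlocks counts the leading 16-byte blocks two CBC ciphertexts share.
// Under a reused IV that equals the number of leading plaintext blocks in common.
func CommonPrefixBlocks(c1, c2 []byte) int {
	n := 0
	for (n+1)*16 <= len(c1) && (n+1)*16 <= len(c2) &&
		bytes.Equal(c1[n*16:n*16+16], c2[n*16:n*16+16]) {
		n++
	}
	return n
}

// KeystreamCancels reports whether c1[i]^c2[i] == p1[i]^p2[i] for every i.
// With CTR (or OFB) under one (key, IV) the keystream is identical for both
// messages, so it cancels and this is always true; a fresh IV breaks it.
func KeystreamCancels(c1, c2, p1, p2 []byte) bool {
	for i := range c1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```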
In CBC mode, the IV must be unpredictable at encryption time; in particular, the common practice of reusing the last ciphertext block of a message as the IV for the next message is insecure. If an attacker knows the IV before the next plaintext is specified, they can test a guess about the plaintext of a block that was previously encrypted under the same key.
For some keys, an all-zero initialization vector can cause certain block cipher modes to get their internal state stuck at all zeros. For CFB-8, an all-zero IV combined with an all-zero plaintext causes 1/256 of keys to perform no encryption: the plaintext is returned as the ciphertext. For OFB-8, an all-zero IV produces no encryption for 1/256 of keys; for those keys, OFB-8 returns the plaintext unencrypted.
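The stuck-state behaviour above, reproduced in an added example (not from the article) that implements 8-bit feedback on top of Go's standard-library AES. The register shifts one byte per step and emits the first byte of the block cipher output as keystream; OFB-8 feeds that keystream byte back, CFB-8 feeds the ciphertext byte back. With an all-zero register both get stuck exactly when the first byte of E_K(0) is 0x00, so the key scan below (constructed keys, counter in the last 8 bytes) finds an affected key in about 256 tries on average.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// feedback8 runs AES in 8-bit feedback mode. Each step encrypts the 128-bit
// shift register, XORs its first output byte into one plaintext byte, then
// shifts one byte into the register: the keystream byte (OFB-8) or the
// ciphertext byte (CFB-8).
func feedback8(key, iv, plaintext []byte, cfb bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := append([]byte(nil), iv...) // shift register, seeded with the IV
	out := make([]byte, aes.BlockSize)
	ct := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(out, reg)
		ct[i] = p ^ out[0] // first output byte is the keystream byte
		fb := out[0]       // OFB-8 feeds the keystream byte back
		if cfb {
			fb = ct[i] // CFB-8 feeds the ciphertext byte back instead
		}
		reg = append(reg[1:], fb)
	}
	return ct
}

// StuckOnZeroIV reports whether an all-zero register never changes under key,
// i.e. the first byte of E_K(0) is 0x00; this holds for about 1 key in 256.
func StuckOnZeroIV(key []byte) bool {
	zero := make([]byte, aes.BlockSize)
	return feedback8(key, zero, []byte{0}, false)[0] == 0
}

// FindStuckKey scans constructed AES-128 keys 0, 1, 2, ... (counter in the
// last 8 bytes) and returns the first affected key, or nil if none within limit.
func FindStuckKey(limit uint64) []byte {
	for n := uint64(0); n < limit; n++ {
		key := make([]byte, 16)
		binary.BigEndian.PutUint64(key[8:], n)
		if StuckOnZeroIV(key) {
			return key
		}
	}
	return nil
}
```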
Some modes are built to be more nonce-misuse resistant, i.e. resilient to scenarios in which the randomness generation is faulty or under the control of the attacker.
- Synthetic initialization vector (SIV) modes derive an internal IV by running a pseudorandom function construction called S2V over the input, so no external data directly controls the IV. An external nonce or IV may be fed into S2V as an additional data field.
- AES-GCM-SIV derives an internal IV by running the POLYVAL Galois mode of authentication over the input, followed by an AES operation.
Padding
CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since the modes work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last keystream block, producing a final ciphertext block that is the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the encrypted ciphertext data to be the same size as the original plaintext data, and for applications that transmit data in streaming form where it is inconvenient to add padding bytes.
Common modes
Authenticated encryption with additional data (AEAD) modes
A number of modes of operation have been designed to combine secrecy and authentication in a single cryptographic primitive. Examples of such modes are integrity-aware parallelizable mode, OCB, EAX, CWC, CCM, and GCM. Authenticated encryption modes are classified as single-pass modes or double-pass modes.
In addition, some modes also allow for the authentication of unencrypted associated data, and these are called AEAD schemes. For example, EAX mode is a double-pass AEAD scheme while OCB mode is single-pass.
Galois/counter (GCM)
Galois/counter mode combines the well-known counter mode of encryption with the newer Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms that must process blocks sequentially.
GCM is defined for block ciphers with a block size of 128 bits. Galois message authentication code (GMAC) is an authentication-only variant of GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. GCM can take full advantage of parallel processing, and an implementation of GCM can make efficient use of an instruction pipeline or a hardware pipeline. The CBC mode of operation, by contrast, incurs pipeline stalls that hamper its efficiency and performance.
Like in CTR, blocks are numbered sequentially, and then this block number is combined with an IV and encrypted with a block cipher, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.
The ciphertext blocks (together with any associated data) are treated as coefficients of a polynomial which is then evaluated at a key-dependent point, using finite field arithmetic. The result is then encrypted, producing an authentication tag that can be used to verify the integrity of the data. The transmitted message then contains the IV, the ciphertext, and the authentication tag.