Block Cipher Modes of Operation


Why This Matters

Block ciphers like AES can only encrypt fixed-size chunks of data—typically 128 bits at a time. But real-world data doesn't come in neat 128-bit packages, and encrypting each block the same way creates dangerous patterns. Modes of operation solve this problem by defining how blocks relate to each other, how initialization vectors are used, and whether the mode provides authentication alongside confidentiality. Understanding these modes means understanding the tradeoffs between security, performance, and functionality that cryptographers navigate constantly.

You're being tested on more than just definitions here. Exam questions will ask you to identify which mode is appropriate for a given scenario, explain why certain modes are vulnerable to specific attacks, and compare modes based on properties like parallelizability, error propagation, and authentication. Don't just memorize the acronyms—know what security properties each mode provides and what happens when those properties are violated.


Deterministic Encryption: The Cautionary Tale

Some modes encrypt data without introducing randomness between blocks. This creates predictable relationships between plaintext and ciphertext—a fundamental weakness that attackers can exploit.

Electronic Codebook (ECB)

  • Identical plaintext blocks produce identical ciphertext blocks—this deterministic behavior leaks patterns and is the mode's fatal flaw
  • No initialization vector required, making implementation simple but eliminating any source of randomness between encryptions
  • Fully parallelizable for both encryption and decryption, but that is no reason to choose it: CTR and GCM are just as parallel without the leak, so ECB survives mainly in legacy code and as an unfortunate library default

Compare: ECB vs. CBC—both process discrete blocks, but CBC chains blocks together while ECB treats each independently. If an exam question shows you the "ECB penguin" image (encrypted bitmap that still shows the penguin outline), you're seeing pattern leakage in action.
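To see the leak rather than take it on faith, here is an added example in Go (written for this guide, not taken from the original page or any library's documentation). It encrypts a constructed seven-block "image" (six identical background rows around one ink row) under ECB and, for contrast, CBC, then counts ciphertext blocks that duplicate an earlier one. The key, IV and image bytes are constructed demo values; Go's crypto/cipher deliberately ships no ECB helper, so the per-block loop below is what ECB is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed demo key and IV; hard-coded only so the output is reproducible.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("demo-iv-16-bytes")

// demoImage is a constructed stand-in for the ECB penguin: seven 16-byte
// "rows", six of them background and one of them ink.
func demoImage() []byte {
	background := bytes.Repeat([]byte{0x00}, 16)
	ink := bytes.Repeat([]byte{0xff}, 16)
	var img []byte
	img = append(img, bytes.Repeat(background, 3)...)
	img = append(img, ink...)
	img = append(img, bytes.Repeat(background, 3)...)
	return img
}

// ecbEncrypt runs the raw block function over each 16-byte block on its own.
// crypto/cipher provides no ECB constructor on purpose; this loop is ECB.
func ecbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(pt)%16 != 0 {
		panic("ECB needs whole blocks (padding omitted in this demo)")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += 16 {
		block.Encrypt(ct[i:i+16], pt[i:i+16])
	}
	return ct
}

// cbcEncrypt chains blocks: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// repeatedBlocks counts ciphertext blocks that are exact copies of an earlier
// block. Under ECB this equals the number of repeated plaintext blocks.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i < len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	img := demoImage()
	for _, m := range []struct {
		name string
		ct   []byte
	}{
		{"ECB", ecbEncrypt(demoKey, img)},
		{"CBC", cbcEncrypt(demoKey, demoIV, img)},
	} {
		fmt.Printf("%s: %d repeated ciphertext blocks\n", m.name, repeatedBlocks(m.ct))
		for i := 0; i < len(m.ct); i += 16 {
			fmt.Printf("  block %d: %s\n", i/16, hex.EncodeToString(m.ct[i:i+16]))
		}
	}
}
```

ECB reports 5 repeats (six background rows, five of them copies of the first), and the ciphertext dump shows the ink row standing out exactly where it sits in the plaintext. CBC reports 0 because every block's input is mixed with the previous ciphertext block, so equal plaintext rows no longer produce equal ciphertext rows.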


Chained Modes: Building Block Dependencies

These modes create dependencies between blocks, ensuring that identical plaintext blocks encrypt differently based on their position and on what came before them. The tradeoff is that chaining serializes encryption: block n cannot be processed until block n-1 is done.

Cipher Block Chaining (CBC)

  • XORs each plaintext block with the previous ciphertext block before encryption, creating the dependency chain that prevents pattern attacks: C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV
  • Requires a random, unpredictable IV: reusing an IV reveals whether two messages share a prefix, and a predictable IV enables chosen-plaintext attacks like BEAST against TLS 1.0. CBC also needs padding, and any implementation that reveals whether padding was valid hands the attacker a padding oracle
  • Sequential encryption but parallel decryption: encrypting block n needs block n-1's ciphertext, while decrypting block n needs only C_n and C_{n-1} (P_n = D_K(C_n) XOR C_{n-1}), so every block can be decrypted at once
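The predictable-IV problem is easier to believe once you run it. The following added example (not from the original guide; key, IVs and the PIN record are constructed demo values, and the function names are the editor's own) models a victim whose CBC IV is a plain record counter and an attacker who, as in the BEAST setting, has seen one encrypted record and can get chosen plaintext encrypted as the next one. Because the attacker knows the next IV, a probe of the form g XOR IV1 XOR IVnext cancels the next IV inside CBC and asks the block cipher the question "is the secret equal to g?".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo key, known only to the victim.
var demoKey = []byte("0123456789abcdef")

// ivForRecord is the flawed scheme under attack: the IV of record n is a
// plain counter, so whoever sees record n can predict record n+1's IV.
func ivForRecord(n uint64) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint64(iv[8:], n)
	return iv
}

// cbcEncryptBlock encrypts a single 16-byte block: C = E_K(P XOR IV).
// One block keeps the XOR arithmetic of the attack visible.
func cbcEncryptBlock(key, iv, p []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	c := make([]byte, 16)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c, p)
	return c
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverSecret plays the attacker. Inputs: the observed (iv1, c1) of the
// secret block, the predicted next IV, a way to get chosen plaintext
// encrypted as the next record, and a candidate list for the secret.
// Submitting g XOR iv1 XOR ivNext makes the victim compute
// E_K(g XOR iv1 XOR ivNext XOR ivNext) = E_K(g XOR iv1), which equals c1
// exactly when g is the secret, because AES is a permutation.
func recoverSecret(encryptNext func([]byte) []byte, iv1, ivNext, c1 []byte, candidates [][]byte) []byte {
	for _, g := range candidates {
		if bytes.Equal(encryptNext(xor(xor(g, iv1), ivNext)), c1) {
			return g
		}
	}
	return nil
}

// runAttack wires victim and attacker together and returns the recovered
// block. The secret is a constructed 16-byte record holding a 4-digit PIN.
func runAttack() (string, bool) {
	secret := []byte("PIN=4931 ok     ") // 16 bytes, constructed
	iv1 := ivForRecord(1)
	c1 := cbcEncryptBlock(demoKey, iv1, secret) // what the attacker observed

	// The victim will encrypt the next record under ivForRecord(2); the
	// attacker predicts that IV and gets to choose that record's content.
	ivNext := ivForRecord(2)
	encryptNext := func(p []byte) []byte { return cbcEncryptBlock(demoKey, ivNext, p) }

	candidates := make([][]byte, 0, 10000)
	for pin := 0; pin < 10000; pin++ {
		candidates = append(candidates, []byte(fmt.Sprintf("PIN=%04d ok     ", pin)))
	}
	got := recoverSecret(encryptNext, iv1, ivNext, c1, candidates)
	return string(got), got != nil
}

func main() {
	pin, ok := runAttack()
	fmt.Printf("recovered=%q success=%v\n", pin, ok)
}
```

Ten thousand oracle queries recover the PIN; a random, unpredictable IV defeats the attack because the attacker can no longer cancel it. The same trick does nothing against CTR: there the attacker's plaintext is only XORed with keystream and never enters the block cipher, so no chosen plaintext can make the cipher re-evaluate an earlier input.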

Cipher Feedback (CFB)

  • Converts a block cipher into a self-synchronizing stream cipher—encrypts the previous ciphertext and XORs the result with plaintext
  • Supports sub-block encryption by using only part of the cipher output, useful for real-time streaming applications
  • Error propagation is limited—a corrupted ciphertext block affects only itself and the next block during decryption

Output Feedback (OFB)

  • Generates keystream independently of plaintext—the cipher repeatedly encrypts its own output, creating a deterministic stream
  • No error propagation—a bit error in ciphertext causes exactly one bit error in plaintext, making it suitable for noisy channels
  • Keystream can be precomputed before plaintext arrives, but IV reuse is catastrophic—same IV means same keystream, enabling trivial XOR attacks

Compare: CFB vs. OFB—both create stream ciphers from block ciphers, but CFB feeds back ciphertext while OFB feeds back cipher output. OFB's independence from plaintext means errors don't propagate, but it also means IV reuse completely breaks security.
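The three error-propagation claims above (CBC, CFB, OFB) can be checked side by side. This added example in Go (not from the original guide; key, IV and plaintext are constructed demo values) encrypts four blocks under each mode, flips one bit in ciphertext block 1, decrypts, and reports how many plaintext bits each block lost. Go's crypto/cipher implements full-block (128-bit segment) CFB, which is the variant the text's one-block-plus-next claim describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/bits"
)

// Constructed demo key and IV.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("demo-iv-16-bytes")

// samplePlaintext is four 16-byte blocks of constructed data.
func samplePlaintext() []byte {
	pt := make([]byte, 64)
	for i := range pt {
		pt[i] = byte(i)
	}
	return pt
}

// bitDiffPerBlock counts differing bits between a and b, block by block.
func bitDiffPerBlock(a, b []byte) []int {
	out := make([]int, len(a)/16)
	for i := range out {
		for j := 0; j < 16; j++ {
			out[i] += bits.OnesCount8(a[i*16+j] ^ b[i*16+j])
		}
	}
	return out
}

// corruptAndDecrypt encrypts pt under mode, flips one bit in ciphertext
// block 1, decrypts, and reports how many plaintext bits each block lost.
func corruptAndDecrypt(mode string, pt []byte) []int {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	var enc, dec func(dst, src []byte)
	switch mode {
	case "CBC": // P_i = D_K(C_i) XOR C_{i-1}
		enc = cipher.NewCBCEncrypter(block, demoIV).CryptBlocks
		dec = cipher.NewCBCDecrypter(block, demoIV).CryptBlocks
	case "CFB": // P_i = E_K(C_{i-1}) XOR C_i (full-block CFB)
		enc = cipher.NewCFBEncrypter(block, demoIV).XORKeyStream
		dec = cipher.NewCFBDecrypter(block, demoIV).XORKeyStream
	case "OFB": // P_i = O_i XOR C_i, O_i = E_K(O_{i-1}); keystream ignores C
		enc = cipher.NewOFB(block, demoIV).XORKeyStream
		dec = cipher.NewOFB(block, demoIV).XORKeyStream
	default:
		panic("unknown mode " + mode)
	}
	ct := make([]byte, len(pt))
	enc(ct, pt)
	ct[16] ^= 0x01 // one flipped bit in the first byte of block 1
	got := make([]byte, len(ct))
	dec(got, ct)
	return bitDiffPerBlock(pt, got)
}

func main() {
	for _, mode := range []string{"CBC", "CFB", "OFB"} {
		fmt.Printf("%s: bits wrong per block after a 1-bit error in ciphertext block 1: %v\n",
			mode, corruptAndDecrypt(mode, samplePlaintext()))
	}
}
```

Expected shape of the output: CBC gives [0, ~64, 1, 0] (block 1 garbled because it goes through the block cipher, block 2 gets exactly the flipped bit via the XOR with C_1), CFB gives [0, 1, ~64, 0] (the mirror image: the damaged block is XORed straight into P_1, then fed through the cipher for P_2), and OFB gives [0, 1, 0, 0] because its keystream never looks at the ciphertext. Newer Go releases mark the CFB and OFB constructors deprecated, a hint that in new designs you should reach for CTR or, better, an AEAD.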


Counter-Based Modes: Parallelization Without Patterns

Counter modes get the best of both worlds: they are parallelizable and, provided every (key, nonce, counter) value is used exactly once, they hide patterns. Instead of chaining blocks, they encrypt a unique counter block and XOR the result with plaintext, so the block cipher only ever sees counters, never your data.

Counter Mode (CTR)

  • Encrypts a nonce concatenated with a counter (nonce || counter), then XORs the output with plaintext: each block uses a different counter value, and the block cipher is only ever run in the forward direction
  • Fully parallelizable for both encryption and decryption, and supports random access to any block without processing preceding blocks
  • Provides no authentication—vulnerable to bit-flipping attacks where adversaries modify ciphertext to cause predictable plaintext changes

Compare: CTR vs. CBC—CTR is parallelizable and supports random access; CBC is sequential but was historically more trusted. Modern systems increasingly favor CTR-based modes, but CTR alone lacks integrity protection.
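The three CTR properties just listed (random access, no integrity, nonce uniqueness) fit in one short program. This added example in Go (not from the original guide; the key, nonce and transfer records are constructed demo values, and the 96-bit nonce plus 32-bit counter layout is an assumption chosen to match GCM and RFC 3686) decrypts a single middle block without touching the others, rewrites a field in the ciphertext without the key, and recovers a second message that was encrypted under a reused nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo key and 96-bit nonce.
var demoKey = []byte("0123456789abcdef")
var demoNonce = []byte("demo-nonce12")

// counterBlock builds nonce || counter as a 16-byte block: a 96-bit nonce
// and a 32-bit big-endian block counter. crypto/cipher's CTR increments the
// whole block big-endian, so seeding it with block k's counter value
// decrypts from block k directly.
func counterBlock(nonce []byte, k uint32) []byte {
	if len(nonce) != 12 {
		panic("nonce must be 96 bits")
	}
	cb := make([]byte, 16)
	copy(cb, nonce)
	binary.BigEndian.PutUint32(cb[12:], k)
	return cb
}

// ctrCrypt encrypts or decrypts (same operation) starting at block 0.
func ctrCrypt(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, counterBlock(nonce, 0)).XORKeyStream(out, in)
	return out
}

// ctrDecryptBlock recovers block k only, never touching blocks 0..k-1.
func ctrDecryptBlock(key, nonce, ct []byte, k int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	cipher.NewCTR(block, counterBlock(nonce, uint32(k))).XORKeyStream(out, ct[k*16:k*16+16])
	return out
}

// flipField is the bit-flipping attack: with no integrity check, XORing
// (old XOR replacement) into the ciphertext at a known offset rewrites that
// field of the plaintext, and the receiver cannot tell.
func flipField(ct []byte, offset int, old, replacement []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range old {
		out[offset+i] ^= old[i] ^ replacement[i]
	}
	return out
}

// nonceReuseLeak shows why nonce reuse is catastrophic: two ciphertexts
// under the same key and nonce share a keystream, so c1 XOR c2 = p1 XOR p2
// and knowing p1 reveals p2 (the classic two-time pad).
func nonceReuseLeak(c1, c2, knownP1 []byte) []byte {
	n := len(c2)
	if len(c1) < n {
		n = len(c1)
	}
	if len(knownP1) < n {
		n = len(knownP1)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return out
}

func main() {
	// Constructed 48-byte record: three 16-byte blocks.
	msg := []byte("from=alice      " + "to=bob          " + "amount=00000100 ")
	ct := ctrCrypt(demoKey, demoNonce, msg)

	// Random access: block 2 decrypted on its own.
	fmt.Printf("block 2 alone: %q\n", ctrDecryptBlock(demoKey, demoNonce, ct, 2))

	// Malleability: rewrite the amount without knowing the key.
	tampered := flipField(ct, 32+len("amount="), []byte("00000100"), []byte("99999999"))
	fmt.Printf("after bit-flip: %q\n", ctrCrypt(demoKey, demoNonce, tampered))

	// Nonce reuse: a second message under the same key and nonce.
	msg2 := []byte("from=carol      " + "to=dave         " + "amount=00000042 ")
	ct2 := ctrCrypt(demoKey, demoNonce, msg2)
	fmt.Printf("leaked msg2: %q\n", nonceReuseLeak(ct, ct2, msg))
}
```

The bit-flip only works because the attacker knows where the field sits and what it said; that is exactly the situation in structured protocols, which is why plain CTR must always be paired with a MAC or replaced by an AEAD such as GCM.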


Authenticated Encryption: Confidentiality Plus Integrity

Modern cryptography demands more than secrecy: you also need to detect tampering. Authenticated encryption (AE) modes combine encryption with a message authentication code (MAC) so that a single operation delivers both confidentiality and integrity; when the tag also covers unencrypted header data, the scheme is called AEAD (authenticated encryption with associated data).

Galois/Counter Mode (GCM)

  • Combines CTR encryption with GHASH authentication: a polynomial hash over the Galois field GF(2^128), keyed by H = E_K(0^128), computes an authentication tag over the ciphertext and associated data
  • Supports authenticated associated data (AAD): you can authenticate headers or metadata without encrypting them, critical for protocols like TLS where routing information must stay readable
  • Extremely fast with hardware support: AES-NI and PCLMULQDQ instructions make GCM the dominant choice for high-throughput applications
  • Nonce reuse under one key is catastrophic twice over: the CTR keystream repeats, and two messages with the same nonce let an attacker recover H and forge tags for messages of their choosing. Use the standard 96-bit nonce and never repeat one under the same key

Compare: GCM vs. CTR—GCM is essentially CTR plus authentication. If an FRQ asks about protecting data integrity and confidentiality, GCM (or another AEAD mode) is your answer, not plain CTR.
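Here is what "GCM is CTR plus authentication" buys you in practice. This added example in Go (not from the original guide; key, nonce, header and payload are constructed demo values) seals a payload with a cleartext header as AAD, then tries the manipulations that plain CTR would silently accept: a flipped ciphertext bit, a flipped tag bit, an edited header and a wrong nonce. Every one of them is rejected before any plaintext is released.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and 96-bit nonce; a real sender draws a fresh nonce
// per message and never repeats one under the same key.
var demoKey = []byte("0123456789abcdef")
var demoNonce = []byte("demo-nonce12")

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// gcmSeal returns ciphertext || 16-byte tag; the tag covers aad and ciphertext.
func gcmSeal(key, nonce, aad, pt []byte) []byte {
	return newGCM(key).Seal(nil, nonce, pt, aad)
}

// gcmOpen verifies the tag and releases plaintext only if it matches.
func gcmOpen(key, nonce, aad, ct []byte) ([]byte, error) {
	return newGCM(key).Open(nil, nonce, ct, aad)
}

// tamperTrials reports, per manipulation, whether GCM still accepts the message.
func tamperTrials() map[string]bool {
	aad := []byte("hdr: seq=7 route=payments") // authenticated, sent in the clear
	pt := []byte("amount=00000100 to=bob")     // authenticated and encrypted
	ct := gcmSeal(demoKey, demoNonce, aad, pt)

	flip := func(b []byte, i int) []byte {
		out := append([]byte(nil), b...)
		out[i] ^= 0x01
		return out
	}
	results := map[string]bool{}
	try := func(name string, nonce, aad, ct []byte) {
		_, err := gcmOpen(demoKey, nonce, aad, ct)
		results[name] = err == nil
	}
	try("untouched", demoNonce, aad, ct)
	try("ciphertext bit flipped", demoNonce, aad, flip(ct, 0))
	try("tag bit flipped", demoNonce, aad, flip(ct, len(ct)-1))
	try("aad changed", demoNonce, []byte("hdr: seq=8 route=payments"), ct)
	try("wrong nonce", flip(demoNonce, 0), aad, ct)
	return results
}

func main() {
	g := newGCM(demoKey)
	fmt.Printf("nonce size %d bytes, tag overhead %d bytes\n", g.NonceSize(), g.Overhead())
	for name, accepted := range tamperTrials() {
		fmt.Printf("%-24s accepted=%v\n", name, accepted)
	}
}
```

Note that Open returns an error and no plaintext at all on failure; a correct AEAD API never hands back partially decrypted data, which is what distinguishes it from bolting a MAC onto CTR yourself and forgetting to check it first.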


Storage-Specific Modes: Encrypting Data at Rest

Disk encryption presents unique challenges: you need random access to sectors, can't expand data size, and must handle partial blocks. Specialized modes address these constraints.

XEX-based Tweaked-Codebook Mode with Ciphertext Stealing (XTS)

  • Uses a tweak value (typically sector number) combined with block index to ensure identical plaintext in different locations encrypts differently
  • Ciphertext stealing handles non-block-aligned data—no padding required, so encrypted data is exactly the same size as plaintext
  • Parallelizable, since every block depends only on the keys, the sector number and the block index, but provides no authentication: XTS protects confidentiality only, and an attacker who flips ciphertext bits garbles exactly one 16-byte block without anyone noticing

Compare: XTS vs. GCM. XTS is optimized for storage (same-size output, tweakable by sector), while GCM is optimized for network protocols (authentication, streaming). Don't recommend GCM for disk encryption or XTS for TLS: GCM adds a 16-byte tag per message and needs a fresh nonce for every write, neither of which fits a fixed-size sector, and XTS offers no integrity, which a network protocol cannot do without.
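To make the tweak mechanism concrete, here is an added example in Go (not from the original guide, and not a certified XTS implementation: it implements the XEX core over whole 16-byte blocks with the IEEE P1619 tweak schedule and omits ciphertext stealing for a trailing partial block). The two keys and the sector contents are constructed demo values. It shows that an all-zero sector encrypts to two different ciphertext blocks, that the same plaintext in another sector encrypts differently, that the output is exactly the input size, and that tampering with one ciphertext block damages only that block with no error raised.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo keys. XTS-AES-128 takes two independent 128-bit keys:
// key1 for the data blocks and key2 for deriving the per-sector tweak.
var dataKey = []byte("data-key-16bytes")
var tweakKey = []byte("tweak-key16bytes")

// mulAlpha multiplies a 128-bit tweak by x in GF(2^128) using the
// little-endian byte order of IEEE P1619 (reduction by x^128+x^7+x^2+x+1).
func mulAlpha(t []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		out[i] = (t[i] << 1) | carry
		carry = next
	}
	if carry != 0 {
		out[0] ^= 0x87
	}
	return out
}

// sectorTweak derives T_0 = E_key2(sector), with the sector number encoded
// as a 128-bit little-endian integer.
func sectorTweak(k2 cipher.Block, sector uint64) []byte {
	in := make([]byte, 16)
	binary.LittleEndian.PutUint64(in, sector)
	out := make([]byte, 16)
	k2.Encrypt(out, in)
	return out
}

// xtsCrypt runs the XEX core over the whole blocks of one sector:
//   C_j = E_key1(P_j XOR T_j) XOR T_j,  T_{j+1} = T_j * alpha
// Decryption swaps in D_key1; the tweak schedule is identical.
func xtsCrypt(sector uint64, data []byte, decrypt bool) []byte {
	if len(data)%16 != 0 {
		panic("this demo handles whole blocks only (no ciphertext stealing)")
	}
	k1, err := aes.NewCipher(dataKey)
	if err != nil {
		panic(err)
	}
	k2, err := aes.NewCipher(tweakKey)
	if err != nil {
		panic(err)
	}
	t := sectorTweak(k2, sector)
	out := make([]byte, len(data))
	tmp := make([]byte, 16)
	for j := 0; j < len(data); j += 16 {
		for i := 0; i < 16; i++ {
			tmp[i] = data[j+i] ^ t[i]
		}
		if decrypt {
			k1.Decrypt(tmp, tmp)
		} else {
			k1.Encrypt(tmp, tmp)
		}
		for i := 0; i < 16; i++ {
			out[j+i] = tmp[i] ^ t[i]
		}
		t = mulAlpha(t)
	}
	return out
}

func xtsEncrypt(sector uint64, pt []byte) []byte { return xtsCrypt(sector, pt, false) }
func xtsDecrypt(sector uint64, ct []byte) []byte { return xtsCrypt(sector, ct, true) }

func main() {
	// Constructed sector: two identical all-zero blocks, like an empty region.
	pt := bytes.Repeat([]byte{0}, 32)
	c7 := xtsEncrypt(7, pt)
	c8 := xtsEncrypt(8, pt)
	fmt.Printf("sector 7: block 0 == block 1? %v\n", bytes.Equal(c7[:16], c7[16:]))
	fmt.Printf("sector 7 block 0 == sector 8 block 0? %v\n", bytes.Equal(c7[:16], c8[:16]))
	fmt.Printf("round trip ok? %v (output %d bytes, input %d bytes)\n",
		bytes.Equal(xtsDecrypt(7, c7), pt), len(c7), len(pt))

	// No integrity: a corrupted ciphertext byte garbles its own block only,
	// and the decryptor has no way to notice.
	tampered := append([]byte(nil), c7...)
	tampered[3] ^= 0xff
	dec := xtsDecrypt(7, tampered)
	fmt.Printf("after tampering block 0: block 1 intact? %v\n", bytes.Equal(dec[16:], pt[16:]))
}
```

The per-block independence is the whole point for storage (you can rewrite one block of a sector without re-encrypting the rest), and it is also why XTS cannot stand in for an AEAD: the "block 1 intact" result shows that a silent, surgical modification of encrypted data is possible.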


Quick Reference Table

Concept                               Best Examples
Deterministic encryption (avoid)      ECB
Block chaining for diffusion          CBC
Stream cipher from block cipher       CFB, OFB, CTR
Parallel encryption                   ECB, CTR, GCM, XTS
Parallel decryption                   ECB, CBC, CTR, GCM, XTS
Authenticated encryption              GCM
Disk/storage encryption               XTS
No error propagation                  OFB, CTR
IV/nonce reuse is catastrophic        OFB, CTR, GCM (shared keystream; GCM also loses tag security); CBC reuse leaks equal prefixes; ECB has no IV and leaks always

Self-Check Questions

  1. Which two modes convert a block cipher into a stream cipher but differ in how they generate the keystream? What security implication does this difference create?

  2. An attacker intercepts CBC-encrypted traffic and notices the IV is a simple counter. What attack does this enable, and why doesn't the same vulnerability apply to CTR mode's counter?

  3. Compare GCM and CTR: what additional security property does GCM provide, and what cryptographic mechanism enables it?

  4. You're designing encryption for a database that requires random access to individual records. Which modes would support this requirement, and which would not? Explain why.

  5. A developer proposes using XTS-AES for encrypting network traffic because "it's what BitLocker uses." Explain why this is inappropriate and recommend an alternative with justification.