# Block Ciphers and Modes of Operation

January 17, 2018

# What is a Block Cipher?

There are two main types of ciphers: block and stream ciphers. In a stream cipher (which are discussed in a previous post), the plaintext is encrypted one bit at a time. In a block cipher, the plaintext is broken into blocks of a set length and the bits in each block are encrypted together.

# Notable Block Ciphers

Many well-known encryption algorithms are block ciphers. A few of the most popular block ciphers are DES/3DES, AES, Blowfish, and Twofish.

The **Data Encryption Cipher (DES)** is an algorithm developed by IBM as a submission to the US National Bureau of Standards (precursor to National Institute of Standards and Technology) for a contest to select a government-approved block cipher. DES is a Feistel cipher with a 64-bit block size and a 56-bit key. Due to (legitimate) concerns about the security of a 56-bit key, it became common to run a plaintext through three DES encryptions in sequence, each using a different key (producing a 168-bit key). This variation is called **3DES** or **Triple DES**.

The **Advanced Encryption Standard (AES)** was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, as a submission to the National Institute of Technology (NIST) for a competition to replace DES. The algorithm, originally called *Rijndael*, uses a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits. Each version uses a slightly different key schedule, which will be described in a later post.

**Blowfish** is a block cipher developed by Bruce Schneier, a cryptographer and cyber security researcher. Blowfish is a 16-round Feistel ciper and uses a 64-bit block and variable key length from one to four hundred and forty-eight bits. Blowfish was designed as a replacement to DES and placed in the public domain by Schneier to make it accessible to anyone.

**Twofish** is based upon the Blowfish algorithm (and cowritten by Blowfish’s author). It was entered in the competition to select AES but lost to Rijndael. Twofish uses a 128-bit block size and has a maximum key size of 128 bits. Like Blowfish, Twofish is in the public domain and freely usable by anyone.

Each of the four block ciphers mentioned here have their own upcoming posts to provide more detail on implementation and cryptanalysis details.

# Block Cipher Modes of Operation

One of the main issues with block ciphers is that they only allow you to encrypt messages the same size as their block length. If you’re using TEA, which has a block size of 64 bits, to encrypt a 65 bit message, you need a way to define how the second block should be encrypted. The solution to this is called *block cipher modes of operation*.

Several block cipher modes of operation exist with varying advantages and disadvantages. In this section, we’ll provide a brief explanation of how each of them work and touch briefly on disadvantages of some.

## Electronic Code Book (ECB) Mode

Electronic Code Book (ECB) is the simplest block cipher mode of operation. In this mode, as shown in the Figure below, each block of plaintext is encrypted separately. The “Block Cipher Encryption” in this diagram could be our TEA cipher from above or any other block cipher. The main disadvantage to this mode is that identical plaintexts encrypted with the same key create identical ciphertexts, which allows an attacker to learn some information about the encrypted message based solely on the ciphertext.

## Cipher Block Chaining (CBC) Mode

In the cipher block chaining (CBC) mode of operation, an *initialization vector* (IV) is exclusive-ored with the plaintext prior to encryption. For the first round of encryption, this is a random, public value. For subsequent rounds, it is the ciphertext of the previous round. This is intended to fix the issue with ECB mode where identical plaintext blocks create identical ciphertext blocks.

## Cipher Feedback (CFB) Mode

The cipher feedback (CFB) mode differs from the previous two in that the plaintext never passes through the encryption algorithm at all. Instead an initialization vector (IV) is encrypted and the result is exclusive-ored with the plaintext to create the ciphertext of a block. This is the equivalent of encrypting the plaintext with a one-time pad generating from the encryption of the IV. Similar to CBC mode, this IV is a random value for the first block and the previous block’s ciphertext.

## Output Feedback (OFB) Mode

The output feedback (OFB) mode of operation is almost identical to cipher feedback mode. The only difference is what is used as the initialization vector for every round after the first. In cipher feedback mode, the output of the encryption is exclusive-ored with the plaintext and this value is used as the next block’s IV. In output feedback mode, the output of the encryption is used as the next block’s IV. As a result, encryption of the same plaintext with the same key using CFB and OFB modes will produce the same ciphertext for the first block but different ones for every other block.

## Counter (CTR) Mode

The counter (CTR) mode of operation differs from the all of the others that we have seen so far. Similar to ECB mode, every encryption operation is completely separate, which is useful for parallelization of encryption (since each block can be encrypted simultaneously). Counter mode also uses a non-plaintext output to encryption (like the feedback modes), but, instead of an initialization vector, it uses a combination of a *nonce* and a counter. The nonce is a random number used for all blocks of an encryption operation and the counter is exactly what it sounds like: a value that starts at zero for block zero and increments to one for block one and so on.

This combination guarantees that the same values will not pass through the encryption algorithm in the same encryption session (where every block will have the same nonce but different counter values) or the same blocks in different sessions (where every block will have the same counter value but difference nonces). Similar to the feedback modes of operation (OFB and CFB), the plaintext is exclusive-ored with the output of the encryption operation to produce the ciphertext.

## Galois Counter Mode

Galois Counter Mode (GCM) is a special case of counter mode. It differs in two main ways. The first is that it doesn’t use a nonce (as shown in the Figure below), relying only on a counter. The second is that it calculates a *message authentication code* (MAC), which provides a means for ensuring that a message was not tampered with en route. The calculation of the MAC is outside the scope of this discussion of block ciphers, so only the encryption part of the GCM mode is shown.

# Advantages of Block Ciphers

One advantage of block ciphers as compared to stream ciphers is the ease of implementation and less restrictive requirements. Since stream ciphers essentially generate a one-time pad for encryption, they generated keystream must be random

Another advantage of block ciphers is that some provide integrity protection mechanisms (like the MAC in the GCM mode of operation). This allows the recipient to verify that the message was not tampered with in transit.

# Disadvantages of Block Ciphers

Block ciphers are slower and less memory efficient than stream ciphers. Since block ciphers require plaintexts to be encrypted in blocks of a given size, it is often necessary to pad plaintexts to a multiple of the block length. This increases the memory requirements of the cipher to store the padded plaintext and ciphertext.

Another disadvantage to block ciphers is that transmission errors often cause the rest of the ciphertext to be unrecoverable. In a stream cipher, a single bit error in transmission typically affects a single bit of decrypted plaintext, which may be recoverable. In a block cipher using a feedback mode of operation, a single bit error in transmission changes the decryption of its block and every block whose decryption depends on it.