1  Using Symmetric Cryptosystems

1.1  Stream ciphers

1.2  Block ciphers

• Electronic Codebook Mode (ECB) - apply cipher to each plaintext block. That is, c_i = E_k(m_i) for each i. This becomes in effect a monoalphabetic cipher, where the "alphabet" is the set of all possible blocks and the permutation is defined by E_k. To decrypt, Bob computes m_i = D_k(c_i).
• Cipher Block Chaining Mode (CBC) - encrypt the XOR of the current plaintext block with the previous ciphertext block to produce the current ciphertext block. That is, c_i = E_k(m_i [XOR]c_i−1). To get started, we take c₀ = IV, where IV is a fixed initialization vector which we assume is publicly known. To decrypt, Bob computes m_i = D_k(c_i) [XOR]c_i−1.
• Cipher-Feedback Mode (CFB) - XOR the current plaintext block with the encryption of the previous ciphertext block. That is, c_i = m_i [XOR]E_k(c_i−1), where again, c₀ is a fixed initialization vector. To decrypt, Bob computes m_i = c_i [XOR] E_k(c_i−1). Note that Bob is able to decrypt without using the block decryption function D_k. In fact, it is not even necessary for E_k to be a one-to-one function (but using a non one-to-one function might weaken security).
• Output Feedback Mode (OFB) - the encryption function is iterated on an initial vector (IV) to produce a stream of block keys, which in turn are XORed with the successive plaintext blocks to produce the successive ciphertext blocks. (This is similar to a simple keystream generator.) That is, c_i = m_i [XOR]k_i, where k_i = E_k(k_i−1) is a block key. k₀ is a fixed initialization vector IV. To decrypt, Bob can apply exactly the same method to the ciphertext to get the plaintext, that is, m_i = c_i [XOR]k_i, where k_i = E_k(k_i−1).
• Propagating Cipher-Block Chaining Mode (PCBC) - encrypt the XOR of the current plaintext block, previous plaintext block, and previous ciphertext block. That is, c_i = E_k(m_i [XOR]m_i−1 [XOR]c_i−1). Here, both m₀ and c₀ are fixed initialization vectors. To decrypt, Bob computes m_i = D_k(c_i) [XOR]m_i−1 [XOR]c_i−1.

1. Both CFB and OFB are closely related to stream ciphers since in both cases, c_i is m_i XORed with some function of stuff that came before stage i. Like a one-time pad and other simple XOR stream ciphers, OFB becomes insecure if the same key is ever reused, for the sequence of k_i's generated will be the same. CFB, however, avoids this problem, for even if the same key k is used for two different message sequences m_i and m′_i, it will not generally be the case that m_i [XOR]m′_i = c_i [XOR]c′_i; rather, m_i [XOR]m′_i = c_i [XOR]c′_i [XOR]E_k(c_i−1) [XOR]E_k(c′_i−1), and the dependency on k does not drop out.
2. The different modes differ in their sensitivity to data corruption. With ECB and OFB, if Bob receives a bad block c_i, then he cannot recover the corresponding m_i, but all good ciphertext blocks can be decrypted. With CBC and CFB, he needs both good c_i and c_i−1 blocks in order to decrypt m_i. Therefore, a bad block c_i renders both m_i and m_i+1 unreadable. With PCBC, a bad block c_i renders m_j unreadable for all j ≥ i.
3. Other modes can be easily invented. We see that in all cases, c_i is computed by some expression (which may depend on i) built from E_k() and [XOR] applied to blocks c₁, …, c_i−1, m₁, …, m_i, and the initialization vectors. Any such equation that can be "solved" for m_i (by possibly using D_k() to invert E_k()) is a suitable chaining mode in the sense that Alice is able to produce the ciphertext and Bob is able to decrypt it. Of course, the resulting security properties depend heavily on the particular expression chosen.