CBC mode removes the disadvantages inherent to ECB mode: since the IV is randomly chosen and each ciphertext block depends on the preceding ones (and also on the IV), it is unlikely that a statistical attack might be successful or that the ciphertext can be manipulated without being detected. In fact, if the underlying block cipher is a pseudo-random permutation, then CBC is CPA secure (we refer for this to [90, Theorem 6.19]). However, the so-called 'counter version' of CBC mode, in which the random IV is replaced by a counter that is initially randomly chosen and is increased by one in each subsequent encryption, is not CPA secure (see Exercise 4.6 below).

The fact that if a plaintext block is changed then not only the corresponding ciphertext block but also the following ones are changed makes this mode suitable for authentication purposes, as we will see in Chap. 5.
CBC mode is generally used as the default mode in many implementations but it also has some inconveniences. One of them is that encryption is carried out sequentially and hence it cannot be parallelized; note, however, that decryption is parallelizable. Another minor drawback is that the IV must be transmitted along with the ciphertext (so it can be regarded as part of it) and this means that there is "message expansion" because the ciphertext has one more block than the plaintext. Another problem is that transmission errors are propagated for, if ciphertext block $c_i$ suffers such an error, then the plaintext blocks $m_i$ and $m_{i+1}$ can be incorrectly decrypted, although the remaining blocks decrypt correctly if there are no more transmission errors. Of course, these errors can be corrected by using suitable error-correcting codes for transmission.
Exercise 4.6 Show that if the IV in CBC mode is randomly chosen for the first encryption and then increased by 1 for each subsequent encryption, then the resulting scheme is not CPA secure.
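The following Python program is an added worked example, not code from the book, covering both the CBC properties discussed above (message expansion, parallelisable decryption, and the propagation of a transmission error in $c_i$ to exactly $m_i$ and $m_{i+1}$) and the CPA experiment of Exercise 4.6. It assumes a toy 16-byte Feistel block cipher built from SHA-256 round functions as a stand-in for the pseudo-random permutation; every function name (`toy_block_encrypt`, `cbc_encrypt`, `error_propagation`, `CounterIvCbcOracle`, `cpa_experiment_counter_iv`) and the sample plaintext are constructed for this example.

```python
import hashlib
import os

BLOCK = 16  # block length in bytes; the toy cipher and CBC both use this size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (an assumption of this example,
    # standing in for a real pseudo-random permutation such as AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network on one 16-byte block. A Feistel network is a
    permutation for any round function, which is all CBC needs here."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, _round_function(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation: the same rounds applied in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor_bytes(right, _round_function(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """c_0 = IV, c_i = E(m_i XOR c_{i-1}). The IV is sent as the first block, so the
    ciphertext is one block longer than the plaintext (the 'message expansion')."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor_bytes(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """m_i = D(c_i) XOR c_{i-1}. Each block needs only c_i and c_{i-1}, which is why
    decryption (unlike encryption) can be parallelised."""
    assert len(ciphertext) % BLOCK == 0 and len(ciphertext) >= 2 * BLOCK
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(xor_bytes(toy_block_decrypt(key, c), prev)
                    for prev, c in zip(blocks, blocks[1:]))


def error_propagation(key: bytes, plaintext: bytes, i: int, bit: int) -> list:
    """Flip one bit of ciphertext block c_i (c_0 is the IV) and return the 1-based
    indices of the plaintext blocks that decrypt incorrectly: m_i (garbled, because
    D is a permutation) and m_{i+1} (the same bit flipped); all others are intact."""
    ct = bytearray(cbc_encrypt(key, os.urandom(BLOCK), plaintext))
    ct[i * BLOCK + bit // 8] ^= 1 << (bit % 8)
    pt = cbc_decrypt(key, bytes(ct))
    n = len(plaintext) // BLOCK
    return [j + 1 for j in range(n)
            if pt[j * BLOCK:(j + 1) * BLOCK] != plaintext[j * BLOCK:(j + 1) * BLOCK]]


class CounterIvCbcOracle:
    """CBC encryption oracle for the 'counter version': the first IV is random and
    each later IV is the previous one plus 1 (as a 128-bit big-endian integer)."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = int.from_bytes(os.urandom(BLOCK), "big")

    def encrypt(self, plaintext: bytes) -> bytes:
        iv = self.counter.to_bytes(BLOCK, "big")
        self.counter = (self.counter + 1) % (1 << (8 * BLOCK))
        return cbc_encrypt(self.key, iv, plaintext)


def cpa_experiment_counter_iv(key: bytes, b: int) -> int:
    """One run of the CPA indistinguishability game (Exercise 4.6) against the counter
    version of CBC. Returns the adversary's guess for the hidden bit b; the guess is
    always right, so the scheme is not CPA secure."""
    oracle = CounterIvCbcOracle(key)
    # One chosen-plaintext query. The IV just used is the first ciphertext block, so
    # the IV of the next encryption (the challenge) is predictable: iv_used + 1.
    m = b"A" * BLOCK
    ct = oracle.encrypt(m)
    iv_used, c1 = ct[:BLOCK], ct[BLOCK:2 * BLOCK]
    iv_next = ((int.from_bytes(iv_used, "big") + 1) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
    # Choose m0 so that m0 XOR iv_next equals m XOR iv_used: the block cipher then sees
    # the same input and the first challenge block must equal c1. m1 is any other block.
    m0 = xor_bytes(xor_bytes(m, iv_used), iv_next)
    m1 = bytes([m0[0] ^ 0xFF]) + m0[1:]
    challenge = oracle.encrypt(m0 if b == 0 else m1)
    return 0 if challenge[BLOCK:2 * BLOCK] == c1 else 1


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    msg = bytes(range(64))  # constructed 4-block plaintext
    assert cbc_decrypt(key, cbc_encrypt(key, os.urandom(BLOCK), msg)) == msg
    print("bit flip in c_2 corrupts blocks:", error_propagation(key, msg, 2, 5))  # [2, 3]
    print("adversary guesses b correctly:",
          all(cpa_experiment_counter_iv(key, b) == b for b in (0, 1) for _ in range(10)))
```

With a truly random IV the same adversary can only guess, since it cannot choose $m_0$ to cancel an IV it has not yet seen; the whole distinguishing advantage comes from the IV being predictable before the challenge query, which is why the counter version fails where standard CBC (Theorem 6.19 of [90]) does not.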
4.3.1.3 Cipher Feedback Mode
Cipher feedback mode (CFB) is a mode that can be used to turn a block cipher into
a stream cipher by using the block cipher to generate a stream of pseudo-random
bits that are then Xor-ed to the plaintext to obtain the ciphertext bits. This mode