A n-bit block cipher with a k-bit key is a set of 2 k bijections on n-bit strings. A block cipher is a flexible building block; it can be used for encryption and authenticated encryption, to construct MAC algorithms and hash functions. When a block cipher is used for confidentiality protection, the security goal is to prevent a passive eavesdropper with limited computational power to learn any information on the plaintext (except for maybe its length). This eavesdropper can apply the following

more »

... ttacks: known plaintext attacks, chosen plaintext attacks and chosen ciphertext attacks. Applications need to protect the confidentiality of strings of arbitrary length. A mode of operation of a block cipher is an algorithm which specifies how one has to apply an n-bit block cipher to achieve this. One approach is to pad the data with a padding algorithm such that the bit-length of the padded string is a multiple t of n bits, and to define a mode which works on t n-bit blocks. For example, one always appends a '1'-bit followed by as many '0' bits as necessary to make the length of the resulting string a multiple of n. An alternative is to define a mode of operation that can process data in blocks of j ≤ n bits. We first discuss the five modes of operation which have been defined in the FIPS [12] (see also [22] ) and ISO/IEC [16] standards: the ECB mode, the CBC mode, the OFB mode, the CTR mode, and the CFB mode. Next we discuss t some alternative modes that have been defined for triple-DES and modes which allow to encrypt values from finite sets. We use the following notation: E K (p i ) denotes the encryption with a block cipher of the n-bit plaintext block p i with the key K; similarly D K (c i ) denotes the decryption of the ciphertext c i . The operation rchop j (s) returns the rightmost j bits of the string s, and the operation lchop j (s) returns the leftmost j bits. The symbol denotes concatenation of strings and ⊕ denotes addition modulo 2 (exor).