Conference PaperPDF Available

Comparative Analysis of Block Cipher Modes of Operation

International Advanced Researches & Engineering Congress-2017
16-18 November 2017
Comparative Analysis of Block Cipher Modes of Operation
Diedon Bujari1* and Erke Aribas1
1 ITU Faculty of Computer and Informatics Engineering, Istanbul/TURKEY
* Corresponding author. Tel.: +90 551 242 23 08, E-mail address:
In this paper, block cipher modes of operation used in cryptography, including both deterministic and probabilistic ones,
are investigated in detail. A block cipher mode of operation is a particular way to use a block cipher, such as DES or AES,
by combining it with some simple operations and feedback mechanism. The modes considered here are the Electronic Code
Book (ECB) mode, the Cipher Block Chaining (CBC) mode, the Output Feedback (OFB) mode, the Cipher Feedback
(CFB) mode, and the Counter (CTR) mode. These operation modes are analyzed, and compared in terms of their security,
efficiency, and performance when implemented in MATLAB.
Keywords: Block ciphers, CBC, CFB, Cryptography, CTR, ECB, Modes of operation, OFB
1. Introduction
Cryptography, or the science of encryption, is the heart
of the communication network today. It is used as an
instrument to maintain the security during the exchange
of data, such as text, audio, image, etc., in the presence of
unauthorized attackers. Throughout history, various
approaches have been practiced, such as transposition and
substitution. With the developments in the field, more
secure and advanced algorithms were introduced, also
called as block ciphers, such as the Data Encryption
Standard (DES), Advanced Encryption Standard (AES),
RSA, etc. These cryptographic algorithms compose about
90% of all encryption that happens in the real world: on
the Internet, cell phones, smart cards, databases, etc. [1].
As shown in Fig. 1, the application scenario is very
simplistic: a data block (e.g. 128 bits) is encrypted using
a key, producing the ciphertext; multiple data blocks are
encrypted one after another. However, in practice, this
approach is not very useful since the length of the data
being encrypted is very short. For example, 128-bit data
corresponds to 16 characters. In order to encrypt larger
amounts of data, a block cipher is combined with some
simple operations and feedback mechanism.
Figure 1. Block cipher scheme
In the first part of the paper, the most used and popular
modes of operation are introduced. Afterwards, they are
analyzed one-by-one by considering the problems they
solve, their security and efficiency. By means of security,
identical plaintext pattern problems, chaining reliance,
and error propagation are evaluated. In addition to these,
the possibility of parallelization of both encryption and
decryption operations are discussed. Finally, the modes
are compared in terms of performance when implemented
in MATLAB. In this part, the Advanced Encryption
Standard (AES) is used as the building block cipher, and
the results are presented in cycles per byte (cpb).
2. Block Cipher Modes of Operation
Block ciphers, excluding as encryption algorithms, can
be utilized for many other tasks in order to build different
cryptographic mechanisms. Here is the list of some of its
Different encryption schemes,
Stream ciphers,
Pseudo-random number generator (PRNG),
Hash functions,
Message authentication codes (MACs), etc.
Different ways of using a block cipher for encryption,
combining some simple operations, are called block cipher
modes of operation. There are several modes of operation,
as illustrated in Fig. 2, which are going to be discussed in
the next sections. They are divided into two groups: the
ones which result in deterministic encryption, and the ones
in probabilistic encryption. In deterministic encryption
schemes, if the key does not change, a particular plaintext is
International Advanced Researches & Engineering Congress-2017
Figure 2. Modes of operation
mapped to a fixed ciphertext. On the other hand,
probabilistic encryption schemes use randomness to
achieve a nondeterministic generation of ciphertext. This
group of schemes can function as both block ciphers and
stream ciphers. All of these operation modes have one main
goal: provide and maintain confidentiality and authenticity
during communication. However, the security is provided
by the cipher, not the mode itself [2].
2.1 Electronic Code Book (ECB) mode
The Electronic Code Book (ECB) mode is the most
straightforward way of using a block cipher. The plaintext
is split into n-bit blocks, and those blocks are encrypted
independently using a block cipher, such as DES or AES.
This means that there is no need for synchronization -
blocks can be encrypted in any order, and then combined.
Similarly, the decryption process is the inverse of this
operation. Both encryption and decryption procedures are
illustrated in Fig. 3.
Let e(xi) denote the encryption of the ith plaintext block,
and d(yi)=e-1(yi) the decryption of the ith ciphertext block.
Each of these blocks, as mentioned above, are of length n.
We can define the encryption (1) and decryption (2) in the
ECB mode as follows:
As mentioned before, one of this mode’s advantages is
that the block sync is not necessary: the receiver can
decrypt the received blocks without getting all of them.
Also, bit errors related to some transmission problems have
impact only on corresponding blocks. In addition, the ECB
mode’s implementation can be considered as fast enough,
which comes from its ability of parallelization. In other
words, different data blocks can be encrypted by different
encryption units in parallel. Due to its speed and
parallelization advantages, it has been used in database
applications; addition or deletion of entries done
independently of other records.
On the other hand, the ECB mode is not the best way of
doing encryption. As long as the key used in encryption
does not change, same plaintext blocks produce same
ciphertext blocks, which makes it highly deterministic.
Figure 3. Electronic Code Book (ECB) mode
Therefore, it is possible to generate a code book (as the
mode’s name comes from), which maps plaintexts to
corresponding ciphertexts. Also, if ciphertexts have
fragments that repeat in the same places, such as the header
and footer, the attacker uses these information in order to
reach the plaintexts. This way of ciphertext-only attack is
known as traffic analysis [3]. Moreover, the ECB mode is
vulnerable to substitution attacks, i.e., manipulations in the
ciphertext level in order to deceive the receiver.
2.2 Cipher Block Chaining (CBC) mode
As mentioned above, determinism makes encryption
vulnerable to attacks; thus, it is essential to make it
probabilistic. In other words, same plaintext should produce
different ciphertexts every time it is encrypted. This feature
is achieved using the Cipher Block Chaining (CBC) mode
of operation, illustrated in Fig. 4. In this mode, blocks are
considered as a whole message - blocks are “chained
together” - such that the influence of each plaintext block is
spread over many ciphertext blocks.
The CBC mode uses some kind of randomness, which is
the initialization vector (IV) in this case, in order to make
the encryption probabilistic. IV does not have to be secret,
but it should be nonce - number used only once. It can be
generated in different ways; for instance, using a true
random number generator, assigning it a counter value, IDA
|| IDB || TIME, etc. The first plaintext block is XORed with
IV, and then encrypted using a block cipher (3). For the
succeeding blocks, there is a feedback mechanism to the
block cipher, as seen in Fig. 4. The previously produced
ciphertext is fed back, and XORed with the plaintext block,
producing the input to the block cipher. The decryption
process (4) is the reverse of these operations.
The Cipher Block Chaining (CBC) mode has been the
most commonly used mode, although its encryption
operation cannot work in parallel. This is because each
plaintext block affects the encryption of the next blocks.
One may think that bit errors will have a huge effect on all
subsequent ciphertext blocks. However, these errors are
recovered in the decryption process, and produce the
Figure 4. Cipher Block Chaining (CBC) mode
encryption: yi=e(xi), such that |xi|=n
decryption: xi=e-1(yi)=e-1(e(xi))
encryption: yi=e(xi), such that |xi|=n
decryption: xi=e-1(yi)=e-1(e(xi))
encryption: y1=e(x1 XOR IV)
yi=e(xi XOR yi-1), for i≥2
decryption: x1=(e-1(y1) XOR IV)
xi=(e-1(yi) XOR yi-1), for i≥2
International Advanced Researches & Engineering Congress-2017
plaintext with the same bit errors. This is called as the self-
recovering feature of the CBC mode, and makes the
parallelization of decryption possible [4]. In contrary to the
ECB mode, substitution attacks do not apply if the IV is
properly chosen for every transfer. But, any alteration in the
ciphertext level produces some random changes in the
plaintext, which is an undesirable fact and may have
negative effects.
2.3 Output Feedback (OFB) mode
As mentioned above, block ciphers can be used as stream
ciphers. These encryption schemes use the block cipher as a
keystream generator, as illustrated in Fig. 5. The first input
to the block cipher is the initialization vector (IV). The n-bit
plaintext is XORed with the n-bit key stream generated in
the encryption operation, yielding an n-bit ciphertext.
Forthcoming key streams are generated by feeding the
previously generated ones to the block cipher used. As it
can be seen from its construction, the scheme produces
streams blockwisely, rather than bitwisely.
The Output Feedback (OFB) mode runs the block cipher
as a synchronous stream cipher, which makes it very similar
to standard stream ciphers. Neither the plaintext nor the
ciphertext affect the key stream generation. Encryption (5)
and decryption (6) operations are exactly the same: the
XOR function during encryption is reversed by another
XOR function during decryption. One of the advantages of
this mode is that the feedback mechanism can work offline
before the arrival of the data. On the other side, encryption
and decryption cannot be parallelized since each key stream
depends on all previous key streams.
Figure 5. Output Feedback (OFB) mode
Figure 6. Cipher Feedback (CFB) mode
Figure 7. Counter (CTR) mode
2.4 Cipher Feedback (CFB) mode
The Cipher Feedback (CFB) mode is quite similar to the
Output Feedback (OFB) mode: it runs a block cipher as a
stream cipher generator; but instead of the previous key
stream, the ciphertext is fed back to the block cipher in
order to produce the next stream, as in Fig. 6. The first n-bit
key stream is generated by encrypting the initialization
vector (IV), which is then XORed with the n-bit data to
yield the n-bit ciphertext. Subsequent streams are generated
by feeding the ciphertext back to the block cipher. Like in
the OFB operation mode, encryption (7) and decryption (8)
processes are exactly the same process. Also, the encryption
cannot be parallelized. In contrary to OFB, the CFB mode
is an asynchronous stream cipher generator since the key
stream generation is a function of the ciphertext, and the
parallelization of decryption is possible.
2.5 Counter (CTR) mode
The Counter (CTR) mode, introduced by Diffie and
Hellman in 1979 [5], is very similar to the Output Feedback
(OFB) mode and the Cipher Feedback (CFB) mode. It uses
a block cipher as its stream generator, whose input is a
counter value, as illustrated in Fig. 7. The value of the
counter should change every time a new key stream is
generated. In order to produce such a counter, the following
approach is often practiced: a nonce initial vector smaller
than the block length, followed by the counter (CTR)
initialized to zero. Although some argue that this systematic
approach can risk its security, the CTR mode is widely used
and recommended nowadays. In addition, parallelization of
its encryption (9) and decryption (10) operations is possible.
3. Comparison Between Block Cipher Modes of
The Electronic Code Book (ECB) mode is the most
straightforward way of using a block cipher, but not the best
way of encryption. It should not be used while encrypting
multiple data blocks with the same key since same plaintext
encryption: s1=e(IV); y1=(s1 XOR x1)
si=e(si-1); yi=(si XOR xi), i≥2
decryption: s1=e(IV); x1=(s1 XOR y1)
si=e(si-1); xi=(si XOR yi), i≥2
encryption: y1=(e(IV) XOR x1)
yi=(e(yi-1) XOR xi), for i≥2
decryption: x1=(e(IV) XOR y1)
xi=(e(yi-1) XOR yi), for i≥2
encryption: yi=(e(IV || CTRi) XOR xi)
decryption: xi=(e(IV || CTRi) XOR yi)
International Advanced Researches & Engineering Congress-2017
blocks produce same ciphertext blocks, making it highly
deterministic. Also, the mode is vulnerable to traffic
analysis or ciphertext-only and substitution attacks, as
discussed above. On the other hand, the ECB mode has an
advantage over other modes of operation, speed, which is
made possible due to it parallelization ability. This paper
does not consider the running time of this mode since it
does not achieve the security goals desired from a block
cipher mode of operation.
The Cipher Block Chaining (CBC) mode solves the
determinism problem of the ECB mode: using the same
key, same plaintext blocks produce different ciphertext
blocks. Compared to the ECB mode, substitution attacks do
not apply to the CBC mode if the initialization vector (IV)
is properly chosen. On the other hand, even though it has
been the most commonly used one, its encryption process
lacks the parallelization feature - in MATLAB, it takes 4.07
cpb for 1KB of random data. The decryption runs at 1.29
cpb since it can operate in parallel [6].
The Output Feedback (OFB) and the Cipher Feedback
(CFB) modes are very similar to each other: they both run a
block cipher as a synchronous stream cipher generator.
Since the encryption and decryption processes are exactly
the same, it saves code space. However, as in the CBC
mode, parallelization of the encryption process is not
possible. In MATLAB, 1KB data is encrypted at 4.39 cpb
using the OFB mode, and 5.47 cpb using the CFB mode
When speed is essential, as it is in this case, the Counter
(CTR) mode gives the best results. Its parallelization ability
makes it fast enough, and therefore, widely used and
recommended nowadays. It takes 1.28 cpb to encrypt 1KB
of random data in MATLAB [6].
Table 1. Comparison of modes’ run time in MATLAB
(1KB of data)
Mode of
Running time in MATLAB
4.07 cpb
1.29 cpb
4.39 cpb
4.39 cpb
5.47 cpb
5.55 cpb
1.28 cpb
1.28 cpb
Figure 8. Graphical representation of the trendlines for encryption
operations as the size of data increases
Figure 9. Graphical representation of the trendlines for decryption
operations as the size of data increases
4. Conclusion
As discussed above, the Electronic Code Book (ECB)
mode should not be practiced for general purposes since it
lacks essential security requirements. If the initialization
vector is a nonce, the Cipher Block Chaining (CBC) mode
can be considered as a secure encryption scheme; however,
it does not outperform the Counter (CTR) mode - it is about
3 times slower. On the other hand, the CBC decryption
performs well in larger amounts of data because of its
parallelization feature. The Output Feedback (OFB) and the
Cipher Feedback (CFB) modes are the worst considering
their software performce.
All in all, the Counter (CTR) mode is the most secure,
efficient, and fastest way of doing encryption. The
performance advantages of the CTR mode can be seen from
the graphical representations of the trendlines for both
encryption and decryption operations, particularly in Fig. 8
and Fig. 9.
1. Paar, Ch. & Pelzl, J. (2010). Understanding
2. National Institute of Standards and Technology.
(1998). DES Modes of Operation. FIPS PUB 81.
Retrieved from
3. Schneier, B. (1996). Applied Cryptography.
4. National Institute of Standards and Technology.
(2001). Recommendation for Block Cipher Modes of
Operation. NIST Special Publication 800-38A.
Retrieved from
5. Lipmaa, H., Rogaway, Ph. & Wagner, D. (n.d.). CTR-
Mode Encryption. Retrieved from
6. Rogaway, Ph. (2011). Evaluation of Some Blockcipher
Modes of Operation. Retrieved from
16 64 256 1000 8000
Running time (in cpb)
Data size (in bytes)
16 64 256 1000 8000
Running time (in cpb)
Data size (in bytes)
... The main advantages of ECB mode are: it is faster and easier to implement; no data synchronization is needed; encryption or decryption can be done in parallel; moreover, single-bit errors can only affect the corresponding block. However, ECB can be easily deciphered and subjected to substitution attacks [15]. ...
Full-text available
With the advancement of the Internet, many individuals and organizations have started to use it to store and send personal or business information. Some of this information is highly confidential and that, in turn, raises an issue of data privacy and confidentiality. Major advances in the Internet have also aided intruders in getting unauthorized access to confidential information. Information Security is the art of securing data from illegitimate access while ensuring integrity, availability, and confidentiality of data. Information Security is achieved through cryptographic encryption and decryption algorithms. Encryption hides confidential information by converting it to an unreadable form while the reverse process of retrieving data from the unreadable or encrypted form is known as decryption. Many cryptographic algorithms exist today and selecting which one to use depends on several factors and measures. This paper conducts a comparison of the encryption speed for five different cryptographic symmetric block-cipher algorithms: DES, 3DES, Blowfish, Twofish, and Threefish. The simulation is done using Python with various text file sizes. The results show that Blowfish outperforms the rest of the algorithms that were tested.
... 6) CTR: CTR [32] works in a similar manner to a stream cipher. It uses additional input for encrypting the plaintext; this additional input is created by adding an increasing counter with a nonce value (means number used once). ...
Full-text available
The increased exchange of data over the Internet in the past two decades has brought data security and confidentiality to the fore front. Information security can be achieved by implementing encryption and decryption algorithms to ensure data remains secure and confidential, especially when transmitted over an insecure communication channel. Encryption is the method of coding information to prevent unauthorized access and ensure data integrity and confidentiality, whereas the reverse process is known as decryption. All encryption algorithms aim to secure data; however, their performance varies according to several factors such as file size, type, complexity, and platform used. Furthermore, while some encryption algorithms outperform others, they have been proven to be vulnerable to specific attacks. In this paper, we present a general overview of common encryption algorithms and explain their inner workings. Additionally, we select ten different symmetric encryption algorithms and conduct a simulation in Java to test their performance. The algorithms we compare are AES, BlowFish, RC2, RC4, RC6, DES, DESede, SEED, XTEA, and IDEA. We present the results of our simulation in terms of encryption speed, throughput, and CPU utilization rate for various file sizes ranging from 1MB to 1GB. We further analyze our results for all measures that have been tested, taking into account the level of security they provide.
... Common cipher modes are following: electronic codebook (ECB), the cipher block chaining (CBC), cipher and output feedbacks (CFB and OFB), the counter (CTR). These modes have been described in [4]. ...
A secure, lightweight block cipher provides a comprehensive security solution for applications that run on resource-constrained devices. The Simon and Speck are lightweight block ciphers developed especially for restricted hardware to offer data security. Raspberry Pi is a resource-constraint device employed in various projects, including the creation of gadgets, games, monitoring and surveillance technologies, basic automated machines, robotics, etc. This chapter examines the performance of SIMON and SPECK families on a Raspberry Pi device to see how efficient and fast these algorithms work for different modes of operation. As the objective of designing SIMON and SPECK was to ensure security on very restricted devices, the security strength of SIMON and SPECK families are also explored in different modes of operation. The simulated results of the Raspberry Pi device demonstrate that SPECK performed faster in encryption time and provides a high level of throughput and efficiency compared to SIMON families in all modes of operation. On the other hand, SIMON families performed better in terms of security strength than SPECK families. Therefore, this study can be applied to determine the appropriate performance and security trade-off in contexts with limited resources.
Full-text available
In recent years, the development of high-speed network technology has resulted in the widespread use of the internet and other open channels for transmitting significant amounts of sensitive data. Now, storage devices are bigger, quicker, and less expensive. Block ciphers are often used for secure data network transport as well as safety data storage in fixed and portable hard drives. Cryptographic algorithms users must be satisfied that the block ciphers they are employing are resistant to various attacks. Therefore, it is necessary to determine the encryption algorithm's strength by learning how to analyze the algorithms of cryptographic systems in order to protect data and its transmission over the internet. The implementation of weak encryption techniques; however, might make this intention pointless because it could be used to obtain unauthorized access to these sensitive datasets. The proposed work discovering cryptographic algorithms using deep learning techniques and categorizing cryptographic algorithms via feature extraction. The research combines block cipher modes with encryption algorithms such as Data Encryption Standard (DES), Advanced Encryption Standard (AES), Triple DES, and Blowfish with data encrypted using both the same or a different key in order to assess. At initial, the fully connected neural network (FCNN) model was utilized to diagnose encryption algorithms and assess the models' categorization. Then, using a confusion matrix measurement of True Positive (TP) for satisfactory classification of the detected encryption method and False Positive (FP) for the wrong classification, as all models were tested. The data will be encrypted and kept in a dictionary, with 80% of the data used for training and 20% of the data used for testing retrieved from the dataset's ciphertexts. The unlabeled dataset will be used to evaluate the model using a confusion matrix to identify the encryption algorithm after it has been trained and executed. Using a confusion matrix, the model's II effectiveness was calculated using the Precision, Recall, Loss, Accuracy, and F1- Score measures. Where the success rate of the proposed method appeared in using the same key, as the accuracy was 88%, while the accuracy of using a different key was 53% which indicates for detection complexity of determining the encryption algorithm where a different key was used for each encryption algorithm. The FCNN model's adjusted weights and learning based on large data in order to define and assess encryption algorithms more effectively and efficiently
This paper explores the Advance Encryption Standard (AES) block cipher in Electronic Code Book (ECB), Cipher Block Chaining (CBC), Output Feedback (OFB) and Cipher Feedback (CFB) modes of operation to compare the characteristic properties of ciphertext, and to compare the block complexity level of building ciphertext schemes using the methodology of periodic regularities. This paper investigates the features of four block modes of operation, which includes two analytical principles: the first principle, which defines periodicity with respect to the ciphertext; and the second, which includes the principle of repeated cipher iterations, to react the characteristic manifestations of the ciphertext, under certain control input data. In accordance with the above principles, the results of analysis of the regularities of ciphertext with respect to blocks and with respect to encryption iterations were shown in tables and respectively in obtained formulae. The package Matplotlib of the Python programming language was used for graphical visualization ciphertexts of first iteration of encryption on all investigated modes of operation under different key sizes. The implementation of AES algorithm and obtaining encryption results were performed using the package Crypto.
Full-text available
Counter-mode encryption ("CTR mode") was introduced by Diffie and Hellman already in 1979 [5] and is already
CTRMode Encryption. Retrieved from
  • H Lipmaa
  • Ph Rogaway
  • D Wagner
Lipmaa, H., Rogaway, Ph. & Wagner, D. (n.d.). CTRMode Encryption. Retrieved from proposedmodes/ctr/ctr-spec.pdf