I am trying to understand CBC encryption and have a question in two parts:

  1. When generating the next block for encryption I XOR the next plaintext block with the current ciphertext as the initialisation vector. The next plaintext block is 16 bytes, the current ciphertext is, say, 120 bytes. Which part of the ciphertext do I use? Is it implementation specific? Could I use 16 bytes from position 40?

  2. What is the advantage of XORing the next plaintext block with current ciphertext over XORing the next plaintext block with the current XORed plaintext block? My guess is that the second option produces predictable patterns.

leancz

2 Answers

The next plaintext block is 16 bytes, the current ciphertext is, say, 120 bytes

No. With CBC you consider a block cipher which transforms a plaintext block (say of size 16 bytes) to a ciphertext block (of the exact same size). So a 120-byte ciphertext block for a 16-byte block is nonsense.

This also follows from the formula of CBC, which is $$C_0=IV,C_i=E_K(P_i\oplus C_{i-1})$$ As you can see, each ciphertext is an output of a block cipher and thus must have exactly the same size as the input.

What is the advantage of XORing the next plaintext block with current ciphertext over XORing the next plaintext block with the current XORed plaintext block?

So this would be $P_0=IV,C_i=E_K(P_i\oplus P_{i-1})$. Indeed, this mode doesn't hide patterns, and as such this mode is not secure against a chosen plaintext attack as you can distinguish $m=(m_1\parallel m_2 \parallel m_3 \parallel m_4)$ from $m'=(m_1\parallel m_1 \parallel m_2 \parallel m_2)$ because the latter has the same ciphertext blocks at position 2 and 4 (because the plaintexts cancel each other out) whereas the former does not.

Also see "Plaintext block chaining, bad idea why?".

SEJPM
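The distinguisher from this answer, as an added example that is not part of the original post: both chaining modes are implemented over a stand-in block cipher (a 4-round Feistel network keyed with HMAC-SHA256, assumed here in place of AES, since all the argument needs is that the block cipher is a keyed permutation). Encrypting m' = (m1 || m1 || m2 || m2) under plaintext chaining repeats a ciphertext block, while CBC does not.

```python
import hmac
import hashlib

BLOCK, HALF = 16, 8  # 16-byte blocks as in AES; a ciphertext block is always the same size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function: keyed PRF (HMAC-SHA256) truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def encrypt_block(key, block):
    """4-round Feistel permutation standing in for AES (assumed stand-in, not a real cipher)."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def blocks(data):
    assert len(data) % BLOCK == 0, "example assumes input is already padded"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    """CBC from the answer: C_0 = IV, C_i = E_K(P_i xor C_{i-1})."""
    prev, out = iv, []
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return out

def pbc_encrypt(key, iv, pt):
    """Plaintext chaining from the question: P_0 = IV, C_i = E_K(P_i xor P_{i-1})."""
    prev, out = iv, []
    for p in blocks(pt):
        out.append(encrypt_block(key, xor(p, prev)))
        prev = p
    return out

def repeated_blocks(ct):
    """(i, j) pairs of equal ciphertext blocks: the chosen-plaintext distinguisher."""
    return [(i, j) for i in range(len(ct)) for j in range(i + 1, len(ct)) if ct[i] == ct[j]]

if __name__ == "__main__":
    key, iv = bytes(range(16)), bytes(16)  # constructed sample key and all-zero IV
    m1, m2 = b"A" * BLOCK, b"B" * BLOCK
    m_prime = m1 + m1 + m2 + m2  # m' = (m1 || m1 || m2 || m2) from the answer
    print("PBC repeats:", repeated_blocks(pbc_encrypt(key, iv, m_prime)))  # [(1, 3)]
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, m_prime)))  # []
```

Positions are 0-indexed, so `(1, 3)` is the pair of blocks the answer calls positions 2 and 4; under plaintext chaining both are E_K(m1 xor m1) = E_K(m2 xor m2) = E_K(0), whatever the key.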
  1. The size of a ciphertext block and of a plaintext block is always the same (128 bits for modern ciphers like AES).

  2. See the answer by @SEJPM.

mat
  • $C_i=E_K(P_i\oplus P_{i-1})\iff P_i=D_K(C_i)\oplus P_{i-1}$ so decryption is possible. – SEJPM Apr 05 '17 at 09:31
  • You are right. Since we know the $IV$ (or $P_0$, respectively), we can decrypt the message. I'll update my answer. – mat Apr 05 '17 at 09:42