2

In ECB and CBC mode, the size of cipher text is more than the plain-text size by one padding block.

From what I read, ECB does a simple encryption to each 64 bit block of a Plain text, and produces an equivalent 64 bit cipher text block. Then how does an extra padding block exists?

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
Vasu Deo.S
  • 459
  • 5
  • 15
  • 4
    You should forget about the entire concept of block ciphers and ‘modes of operation’, and you should just reach for authenticated ciphers like AES-GCM or NaCl crypto_secretbox_xsalsa20poly1305, and focus on security contracts. – Squeamish Ossifrage Jun 16 '19 at 18:14
  • 1
    Please refrain from posting multiple separate questions under the same question title. The title should indicate what the question is about so that users can search for it. If we post X different questions under the same vague title, then the information is unorganized and much less helpful to future users. You can ask as many questions as you want, so there is no need to cram them all in one place. Please edit this question to feature only one question, and ask the others separately as needed. I/we can re-open this for you once it has been narrowed down. – Ella Rose Jun 16 '19 at 23:20
  • @EllaRose Sure! Pardon me for that – Vasu Deo.S Jun 16 '19 at 23:23
  • Great! Now if I could just ask you to change the title to something that reflects what is in the body of the question. "doubts regarding ECB and CBC algorithm modes in cryptography" is not reflective of the questions contents. (Indeed, "doubts regarding X" is not a descriptive title in general, especially when there are no doubts raised in the question). Once that's fixed we can re-open it for you. – Ella Rose Jun 16 '19 at 23:42
  • @EllaRose Tried my best to make the title reflect the question. Please Critique – Vasu Deo.S Jun 16 '19 at 23:50
  • 1
    ‘In ECB and CBC mode, the size of ciphertext is more than the plain-text size by one padding block.’ This depends on how you do padding; neither the term ECB nor the term CBC implies any particular padding. Can you cite the source? Otherwise it is impossible to say. – Squeamish Ossifrage Jun 16 '19 at 23:55
  • @SqueamishOssifrage So, is it possible to use these algorithm types without padding, i.e. size of cipher text is the same as that of the plain-text size. – Vasu Deo.S Jun 16 '19 at 23:57
  • 2
    For ECB, if the plaintext is exactly a multiple of the block size, yes; for CBC, if the plaintext is exactly a multiple of the block size and the receiver can pseudorandomly derive the IV without needing it to be transmitted, yes. (You should still forget about block ciphers and modes of operation—and especially about the notion of ECB!) – Squeamish Ossifrage Jun 17 '19 at 00:00
  • @SqueamishOssifrage So is the IV (in CBC) transmitted in the cipher text too? As sharing of IV is also something, that I am unsure of about how it is shared to the recipient party. – Vasu Deo.S Jun 17 '19 at 00:06
  • 1
    The IV is not part of the ciphertext, but might be transmitted along with it. – SAI Peregrinus Jun 17 '19 at 00:33
  • 1
    The receiver needs to know what the IV is for each message, and the adversary must not be able to predict the IV in advance. Often with CBC one transmits the IV alongside the ciphertext, but this is not necessary. Caveat: This is all obscure implementation details for an essentially obsolete way to design an authenticated cipher, which is the thing application developers really need (if not higher-level protocol building blocks like Noise). – Squeamish Ossifrage Jun 17 '19 at 01:46

1 Answers1

4

In ECB and CBC mode, the size of cipher text is more than the plain-text size by one padding block.

Block ciphers can only permute plaintext blocks and produce the permuted output ciphertext blocks. As such, modes of operation are responsible to make sure that the messages in the target messages space can be encrypted and decrypted given this restriction.

Now for a generic cipher you would expect to be able to encrypt / decrypt any message or any size. ECB and CBC mode do not provide this functionality by themselves. They need to be paired with a deterministic padding mode such as PKCS#7 compatible padding to operate on messages of any size.

Such deterministic modes must at least add a single bit of padding as otherwise the padding cannot be distinguished from the last bit of the message. Therefore such deterministic padding modes add one bit to N bits of padding, where N is the block size.

For these deterministic modes a full "padding" block is added if the message is already a multiple of the block size. Otherwise the last block contains a mixture of the plaintext message and padding.

If a fully generic cipher is not required you can use many different methods:

  • just requiring that the message size is a multiple of the block size (the key size of symmetric keys is often a multiple of the block size, so this often works for key wrapping);
  • nondeterministic padding methods such as zero padding (where the message should commonly not end with zero bits, or contain the message size internally);
  • ciphertext stealing, which poses constraints on the minimum message size / IV.

Notes:

  • many implementations are lazy and allocate a buffer size of the message size + 1 block for the ciphertext, this is however a waste of space.
  • AES-192 keys are not a multiple of the block size, which makes key wrapping more awkward.
  • deterministic modes require at least one padding bit, but usually implementations only handle bytes, so the padding would consist of 1..N/8 bytes.
  • Most other modes (CTR, GCM, OFB, CFB) are streaming modes and do not require padding to be able to encrypt messages of any size.
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313