3

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

  • Most modes require a unique binary sequence, often called an initialization vector (IV), for each encryption operation.
  • The IV has to be non-repeating and, for some modes, random as well.
  • The initialization vector is used to ensure distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key.[6]
  • Block ciphers may be capable of operating on more than one block size, but during transformation, the block size is always fixed.
  • Block cipher modes operate on whole blocks and require that the last part of the data be padded to a full block if it is smaller than the current block size.
  • There are, however, modes that do not require padding because they effectively use a block cipher as a stream cipher.

Historically, encryption modes have been studied extensively in regard to their error propagation properties under various scenarios of data modification. Later development regarded integrity protection as an entirely separate cryptographic goal. Some modern modes of operation combine confidentiality and authenticity in an efficient way, and are known as authenticated encryption modes.

Rohit Gupta
moyu

3 Answers

12

Is CTR more secure than CBC?

CTR

Your obligations for CTR mode

  1. You must generate a uniform random 256-bit secret key, and keep it secret all the time;
  2. For each message that is going to be encrypted under the same key, choose an Initialization Vector (IV) that must be unique, i.e. the (key, IV) pair never repeats. You can send the IV prepended to the ciphertext.
  3. The message size must not exceed $2^{64}$ if you use AES (PRP) instead of a PRF where CTR is designed for PRF.

In return: CTR guarantees

  1. CPA security; that is the adversary cannot distinguish two ciphertexts with the same length, and thus cannot read the message sent.

    That is all you get from the CTR mode if used properly. To achieve authenticated encryption, use HMAC with CTR in encrypt-then-MAC as a recommendation. In modern cryptography, we have AES-GCM mode that provides confidentiality, integrity, and authentication. This is still applicable to the (key, IV) reuse problem. The nonce-misuse-resistant schemes like AES-GCM-SIV are advised.

CBC

Your obligations for CBC mode

  1. You must generate a uniform random 256-bit secret key, and keep it secret all the time;
  2. For each message that is going to be encrypted under the same key, choose an Initialization Vector (IV) that must be unique and unpredictable. You can send the IV prepended to the ciphertext.
  3. Make sure that the message size is a multiple of 128 with proper padding.
  4. The message size must not exceed $2^{60}$.
  5. The key must not be used more than $2^{45}$ due to the IV collision due to the birthday attack. This will produce $$(2^{45})^2/2^{128}/2 = 2^{90 - 128-1} = 1/2^{39}$$ probability of collision instead of $1/2$ probability of $2^{64}$

In return: CBC guarantees

  1. CPA security; that is the adversary cannot distinguish two ciphertexts with the same length, and thus cannot read the message sent.

    That is all you get from the CBC mode if used properly. To achieve authenticated encryption, use HMAC with CBC in encrypt-then-MAC as a recommendation.

    TLS 1.3 left the CBC mode; actually, all of the 5 modes of operation in TLS 1.3 are Authenticated Encryption modes.

Pros and Cons

  • The IV reuse is catastrophic in CTR mode, which can remove the confidentiality (not the key, since CPA secure); in CBC mode it may leak information on the first block.
  • CTR mode doesn't need padding at all, whereas CBC mode requires padding, and this is vulnerable to padding oracle attacks, which work as a decryption oracle. For data at rest, this is not a problem.
  • Both modes don't have integrity, and therefore bit flipping attacks are possible. CTR is more vulnerable than CBC since for some part of the message the bit flipping attack produces garbage.
  • CTR mode provides full random encrypt/decrypt operations, CBC mode encryption is sequential, decryption can be random with two ciphertexts per block.
  • CTR also can precompute the stream that helps pre-computation, CBC cannot.

A little conclusion

Security is considered according to the attack model. Both algorithms are archaic modes of operation that we don't use anymore, since they cannot provide more security than CPA. CBC mode is almost left behind, and the CTR mode exists in the authenticated encryption modes like AES-GCM and ChaCha20-Poly1305, and is not used alone. While there is no direct conclusion without the attack model, in modern cryptography we prefer the authenticated encryption modes > Ind-CCA.

kelalaka
  • For CTR mode "You can send the IV prepended to the ciphertext.", we can find the description of "The IV need not be secret, so the IV, or information sufficient to determine the IV, may be transmitted with the ciphertext." for CBC mode in Appendix C of <NIST Special Publication 800-38A >, but we can't find similar description for CTR mode. – Emman Sun Aug 30 '21 at 09:23
  • @EmmanSun Did you see the 5.3? – kelalaka Aug 30 '21 at 09:28
  • yes, but there are no CTR mentioned. – Emman Sun Aug 30 '21 at 09:58
  • The IV need not be secret; however, for the CBC and CFB modes, the IV for any particular execution of the encryption process must be unpredictable, and, for the OFB mode, unique IVs must be used for each execution of the encryption process. This isn't clear that CTR has also non secret IV. Anyway, IV is not a key. – kelalaka Aug 30 '21 at 10:09
  • And the appendix C contains the CTR mode, too – kelalaka Aug 30 '21 at 10:09
  • In this article <NIST Special Publication 800-38A >, when talking about CTR mode, COUNTER or COUNTER BLOCK are generally mentioned. However, this article does not emphasize that COUNTER or ICB must be a secret, so I also think that ICB does not have to be a secret. – Emman Sun Aug 31 '21 at 02:06
  • Yes, NIST talks about it as the counter block, which is the plaintext for the block cipher. To synchronize you need to send the IV and counter part of the counter block. If the cipher is not KPA secure then it will fail if you send it in the clear. In modern cryptography all ciphers must be at least Ind-CPA secure. So there is no problem. Anyway, as I pasted, NIST says The IV need not be secret; however, for the CBC and CFB modes, so you can send the initial counter block (IV here) openly. – kelalaka Aug 31 '21 at 10:01
  • One thing I miss in that reply: The IV for AES CBC is 128 bit, so chances of a collision are 2^128 but the IV of AES CTR is not, since part of the CTR IV is the block counter. If you have a 64 bit block counter, the IV is in fact only 64 bit and chances for a collision are 2^64. And as collisions are worse in case of CTR, wouldn't this make CTR way more likely to suffer from that issue than CBC? – Mecki Jan 12 '23 at 10:50
  • @Mecki the collision is measured with birthday attack. There is a huge distinction on the IV of CTR and nonce of CBC. In CTR, as long as there is no system failure, one can safely use sequential IV, however, in CBC mode that is not possible since the predictable IV attack ( this is online attack). In short, we should talk where they are used and how the IV/nonce are generated. The plain comparison of the IV-reuse and collision is correct. In one approach, you are right. – kelalaka Jan 12 '23 at 18:13
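
The CTR points from the first answer above (a repeated (key, IV) pair, bit flipping without a MAC, and the encrypt-then-MAC remedy), as an added example that is not part of the original answer. It assumes HMAC-SHA256 as a stand-in PRF in place of AES so that it runs with the Python standard library only; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in PRF (assumption): HMAC-SHA256(key, iv || counter), not AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CTR encryption and decryption are the same XOR with the keystream.
    return xor(data, keystream(key, iv, len(data)))

def reuse_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    # Same (key, IV) used twice: the keystream cancels, leaving m1 XOR m2.
    return xor(ctr_crypt(key, iv, m1), ctr_crypt(key, iv, m2))

def decrypt_after_flip(key: bytes, iv: bytes, msg: bytes, pos: int, mask: int) -> bytes:
    # Without a MAC, a flipped ciphertext bit lands on the same plaintext bit.
    ct = bytearray(ctr_crypt(key, iv, msg))
    ct[pos] ^= mask
    return ctr_crypt(key, iv, bytes(ct))

def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: fresh random IV per message, tag covers IV and ciphertext.
    iv = secrets.token_bytes(16)
    ct = ctr_crypt(enc_key, iv, msg)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")  # reject before decrypting
    return ctr_crypt(enc_key, iv, ct)
```
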
9

Neither mode provides authentication, so in that sense they are both not very secure. CBC has more error propagation obviously, but as the last paragraph of the quote in the question states, error propagation is mostly ignored by now.

CBC requires an unpredictable IV (for the attacker), while CTR mode just requires a nonce. However CBC fails less dramatically if the IV is repeated or when too many data packets are encrypted.

CBC is vulnerable against padding oracle attacks in the correct setting, which makes the mode more vulnerable (if you count padding as part of the mode). However, both are vulnerable against plaintext oracles, and CTR mode then allows each bit to be changed individually, which is just as dangerous in my opinion.

So in the end, which one is more secure depends on how the mode is used. Both can be used to create a secure system by providing confidentiality. CTR has more practical benefits in the end (parallelism, nonce), which is likely why it is ending up as underlying encryption scheme for authenticated modes such as CCM, GCM and EAX.

Maarten Bodewes
1

Comparison: CTR vs CBC

| | CBC | CTR mode |
|---|---|---|
| uses | PRP | PRF |
| parallel processing | No | Yes |
| Security of rand. enc. | $q^2L^2 \ll |x|$ | $q^2L \ll |x|$ |
| dummy padding block | Yes | No |
| 1 byte msgs (nonce-based) | 16x expansion | no expansion |

It is possible to solve a dummy padding block using ciphertext stealing for CBC

An attack on CBC with rand. IV

CBC where attacker can predict the IV is not CPA-secure !!

Suppose given c <-- E(k,m) can predict IV for next message


Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)

Amirhossein
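
The predictable-IV problem named in the last answer, as an added example that is not part of the original post: with a chained IV (next IV = last ciphertext block, as in the TLS 1.0 bug quoted above) equal cipher inputs become observable, while a fresh random IV removes the signal. `E` is a stand-in block cipher (a 4-round Feistel network over HMAC-SHA256, an assumption made so the code needs no AES library), and the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (assumption): 4-round Feistel, HMAC round function.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class OneBlockCBC:
    """Encrypts single 16-byte blocks in CBC mode under one secret key."""

    def __init__(self, chained_iv: bool):
        self.key = secrets.token_bytes(32)
        self.chained_iv = chained_iv
        self.next_iv = secrets.token_bytes(16)

    def encrypt(self, block: bytes):
        iv = self.next_iv
        ct = E(self.key, xor(iv, block))
        # Chained: the next IV is this ciphertext block, so it is known in advance.
        # Fixed: the next IV is fresh randomness chosen after the caller's input.
        self.next_iv = ct if self.chained_iv else secrets.token_bytes(16)
        return iv, ct

def guess_is_confirmable(enc: OneBlockCBC, secret: bytes, guess: bytes) -> bool:
    # CPA game check: can a chosen plaintext confirm a guess about an earlier block?
    iv1, c1 = enc.encrypt(secret)
    predicted_iv = c1  # what a chained-IV encryptor will use next
    probe = xor(xor(predicted_iv, iv1), guess)
    _, c2 = enc.encrypt(probe)
    # Chained IV: the cipher input is iv1 XOR guess, so c2 == c1 iff guess == secret.
    return c2 == c1

if __name__ == "__main__":
    m = b"secret-block-016"  # constructed 16-byte sample block
    print("chained IV:", guess_is_confirmable(OneBlockCBC(True), m, m))
    print("random IV: ", guess_is_confirmable(OneBlockCBC(False), m, m))
```
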