Editing Block cipher (section)

==Modes of operation==
{{Main|Block cipher mode of operation}}
[[File:Tux ecb.jpg|thumb|Insecure encryption of an image as a result of [[electronic codebook]] (ECB) mode encoding]]
A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as [[electronic codebook]] (ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with [[Padding (cryptography)|padding]] bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output.{{sfn|Menezes|van Oorschot|Vanstone|1996|loc=Chapter 7|pp=228–230}}

To overcome this limitation, several so-called [[block cipher modes of operation]] have been designed<ref name="NIST-modes">{{cite web|title=Block Cipher Modes|date=4 January 2017|publisher=[[NIST]] Computer Security Resource Center|url=http://csrc.nist.gov/groups/ST/toolkit/BCM/index.html}}</ref>{{sfn|Menezes|van Oorschot|Vanstone|1996|pp=228–233}} and specified in national recommendations such as NIST 800-38A<ref name="nist800-38a">{{citation|url=http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |archive-date=2022-10-09 |url-status=live|author=Morris Dworkin|title=Recommendation for Block Cipher Modes of Operation – Methods and Techniques|journal=Special Publication 800-38A|publisher=National Institute of Standards and Technology (NIST)|date=December 2001|doi=10.6028/NIST.SP.800-38A}}</ref> and [[Bundesamt für Sicherheit in der Informationstechnik|BSI]] TR-02102<ref name="BSI-rec">{{citation|title=Kryptographische Verfahren: Empfehlungen und Schlüssellängen|journal=Bsi Tr-02102|type = Technische Richtlinie|issue=Version 1.0|date=June 20, 2008}}</ref> and international standards such as [[ISO/IEC 10116]].<ref>{{cite web| url = http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38761| title = ISO/IEC 10116:2006 ''Information technology — Security techniques — Modes of operation for an n-bit block cipher''}}</ref> The general concept is to use [[randomization]] of the plaintext data based on an additional input value, frequently called an [[initialization vector]], to create what is termed [[probabilistic encryption]].{{sfn|Bellare|Rogaway|2005|loc=section 5.3|p=101}} In the popular [[cipher block chaining]] (CBC) mode, for encryption to be [[semantic security|secure]] the initialization vector passed along with the plaintext message must be a random or [[pseudo-random]] value, which is added in an [[Exclusive or|exclusive-or]] manner to the first plaintext block before it is encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the [[cipher feedback]] (CFB) mode, which emulates a [[stream cipher#Self-synchronizing stream ciphers|self-synchronizing stream cipher]], the initialization vector is first encrypted and then added to the plaintext block. The [[output feedback]] (OFB) mode repeatedly encrypts the initialization vector to create a [[key stream]] for the emulation of a [[Stream cipher#Synchronous stream ciphers|synchronous stream cipher]]. The newer [[counter mode|counter]] (CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block.<ref name="nist800-38a"/>

From a [[provable security|security-theoretic]] point of view, modes of operation must provide what is known as [[semantic security]].{{sfn|Bellare|Rogaway|2005|loc=section 5.6}} Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called [[chosen plaintext attack]]s.