Editing Block cipher mode of operation (section)

===={{Anchor|CBC}}Cipher block chaining (CBC)====
{{Infobox
|headerstyle  = background:#ccf;
|labelstyle   = background:#ddf;
|header1 = CBC
|data2   = Cipher block chaining
|label3  = Encryption parallelizable
|data3   = No
|label4  = Decryption parallelizable
|data4   = Yes
|label5  = Random read access
|data5   = Yes
|belowstyle = background:#ddf;
}}
Ehrsam, Meyer, Smith and Tuchman invented the cipher block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

{{multiple image
| header            = Cipher block chaining (CBC)
| align             = center
| direction         = vertical
| image1            = CBC encryption.svg
| caption1          = CBC mode encryption
| image2            = CBC decryption.svg
| caption2          = CBC mode decryption
| width             = 512
}}

If the first block has index 1, the mathematical formula for CBC encryption is
: <math>C_i = E_K(P_i \oplus C_{i-1}),</math>
: <math>C_0 = IV,</math>

while the mathematical formula for CBC decryption is
: <math>P_i = D_K(C_i) \oplus C_{i-1},</math>
: <math>C_0 = IV.</math>

===== Example =====
{{multiple image
| header = Example
| align = center
| direction = vertical
| image1 = CBC example v3.svg
| caption1 = CBC encryption example with a toy 2-bit cipher
| image2 = Rev CBC example v3.svg
| caption2 = CBC decryption example with a toy 2-bit cipher
| width = 512
}}

CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing. Note that a one-bit change in a plaintext or initialization vector (IV) affects all following ciphertext blocks.

Decrypting with the incorrect IV causes the first block of plaintext to be corrupt but subsequent plaintext blocks will be correct. This is because each block is XORed with the ciphertext of the previous block, not the plaintext, so one does not need to decrypt the previous block before using it as the IV for the decryption of the current one. This means that a plaintext block can be recovered from two adjacent blocks of ciphertext. As a consequence, decryption ''can'' be parallelized. Note that a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext, but the rest of the blocks remain intact. This peculiarity is exploited in different padding oracle attacks, such as POODLE.

''Explicit initialization vectors'' take advantage of this property by prepending a single random block to the plaintext. Encryption is done as normal, except the IV does not need to be communicated to the decryption routine. Whatever IV decryption uses, only the random block is "corrupted". It can be safely discarded and the rest of the decryption is the original plaintext.