Encryption: Modes of Operation

Encryption: Modes of Operation

Now that you're aware of the most common algorithms, we can dig a bit deeper into the modes of operation.

We’ve seen a general idea of how modern symmetric encryption algorithms transform blocks of plaintext data into ciphertext. Of course, the plaintext that we want to encrypt is rarely smaller than the 64- or 128-bit blocks that these algorithms process. The different possible approaches for how these algorithms could process inputs that are larger than the block size into ciphertext are referred to as modes of operation. The designer’s selected mode of operation has critical security implications. We will start by looking at the most “obvious” approach: simply concatenating the individual ciphertext blocks together.

Electronic Code Book (ECB) Mode

By far the most natural approach for encrypting plaintext that is longer than the block size of the encryption algorithm is to encrypt the plaintext block-by-block, and concatenate the resulting ciphertext blocks:

 Unfortunately, this is essentially always an insecure design choice.

To understand why, examine the image at right. On the left is the plaintext image, and on the right is the image encrypted using ECB mode. Clearly, quite a bit of information about the plaintext is revealed, even though the image has been encrypted. This is because ECB mode encrypts identical plaintext blocks into identical ciphertext blocks.

Counter (CTR) Mode

The counter mode of operation is quite similar to ECB mode, retaining all of its nice properties (for example, you can parallelize both encryption and decryption) but offering much better security properties.

 Interestingly, the plaintext is not input into the block cipher at all! Instead, a counter value is input to the block cipher and incremented with each successive invocation. The plaintext itself is combined with the output of the block cipher through exclusive-or to produce the final ciphertext blocks.

Returning to the image example, we can see that encrypting the plaintext using counter mode no longer produces ciphertext that clearly leaks information.

There are many other modes of operation, each with strengths and weaknesses that are appropriate for different use cases. Always remember that the selection of the mode of operation is a critical decision with important security implications.

Asymmetric Encryption Algorithms

 In our previous examples, Alice and Bob have both shared the same key – their information in the system was symmetric. In contrast, asymmetric encryption algorithms use two mathematically related keys: a private key known only to the owner, and a corresponding public key which the owner reveals to everyone. To encrypt a plaintext message, their public key is used. Only the owner is able to decrypt the ciphertext, as only they possess the private key that corresponds to their public key.

Unlike the symmetric encryption algorithms that relied on non-linear substitution boxes, the security of asymmetric encryption algorithms such as RSA and Elliptic Curve Cryptography (ECC) rely on number theoretic assumptions. Asymmetric encryption algorithms tend to be much more computationally expensive than symmetric encryption algorithms, making them poorly suited for encrypting large amounts of data. However, asymmetric algorithms simplify the key distribution problem, as sharing a public key is far easier than sharing a sensitive private key when communicating with a new individual for the first time

To combine the strengths of each, a hybrid approach is taken. For Bob to communicate with Alice, he uses her public key for an asymmetric encryption algorithm to encrypt a shared key for a symmetric encryption algorithm, which he sends to her. Although the asymmetric encryption algorithm is more computationally expensive, it only needs to be invoked once to encrypt a short value: the shared key. Sharing symmetric keys securely in advance of communication is not practical (imagine having to securely transfer keys to each website you visit!), so invoking an asymmetric encryption algorithm addresses the key distribution problem. Once Alice receives the encrypted message, she uses her corresponding private key for the asymmetric encryption algorithm to decrypt the shared key. Now that both Alice and Bob have the same shared key, they can switch to a much faster symmetric encryption algorithm. This allows them to quickly encrypt and exchange large amounts of data, as symmetric encryption algorithms are approximately two orders of magnitude faster than their asymmetric counterparts.

Resource Requirements

 Since symmetric and asymmetric encryption algorithms rely on different types of hard problems to provide security, they are vulnerable to different attacks that target their underlying mathematical framework. Consequently, they require different key lengths to provide the same equivalent security level. This table summarizes the number of key bits required for various constructions to provide an equivalent brute-force security strength. Note that DES is unable to provide the minimum 128-bit brute-force security, and as such it should not be used.


Unlike historical encryption algorithms, modern cryptographic algorithms are built around well-studied hard problems that are only easy to invert with knowledge of the private key. Importantly, the design of the algorithm is always publicly known, with only the private key remaining secret. Although DES was considered secure when it was introduced, its 56-bit key is insecure today and should be avoided in favor of AES and its minimum 128-bit key length. The mode of operation for symmetric encryption algorithms that chains ciphertext blocks together plays a critical role in the security of a construction, and the simplistic electronic codebook (ECB) mode should never be used. Asymmetric encryption algorithms help simplify the key distribution problem by eliminating the need to privately share keys in advance: anyone can encrypt messages using an individual’s public key, as only the individual can decrypt the message with their corresponding private key which is known only to them. Although asymmetric encryption algorithms are more computationally expensive, they can be used briefly to securely exchange a shared key for the much faster symmetric encryption algorithms. Finally, due to the different mathematical problems that underly the security of symmetric and asymmetric encryption algorithms, to provide equivalent security they must use differing key lengths.