Block Ciphers & Modes

Why this module exists

Most production bugs in symmetric crypto are mode and misuse bugs, not cipher bugs. Engineers call AES correctly but reuse nonces, choose ECB, or fail to authenticate ciphertexts. This module teaches how block ciphers really work, why modes exist, and how small mistakes create catastrophic failures.

We implement AES-128 from scratch and then build CBC and CTR modes on top. The goal is to move you from "AES user" to someone who can reason about designs, review code, and spot misuse.

1) Block ciphers as permutations

A block cipher is a keyed permutation:

• Input: fixed-size block (AES = 128 bits) and a secret key.
• Output: a block of the same size.
• For each key, encryption is a bijective mapping of 128-bit blocks.

Security goal (informal): an attacker who does not know the key cannot Distinguish AES from a random permutation with feasible computation.

Implications:

• Encrypting the same block with the same key yields the same ciphertext.
• Determinism is dangerous for structured data. Hence, modes.

2) AES structure (SPN)

AES is a Substitution-Permutation Network (SPN) with 10 rounds for AES-128. Each round mixes bytes (confusion) and spreads influence (diffusion).

Round components:

• SubBytes: S-box applied to every byte (non-linear).
• ShiftRows: row rotations to spread bytes across columns.
• MixColumns: linear mixing in GF(2^8) for diffusion.
• AddRoundKey: XOR with round key.

Final round omits MixColumns.

3) Finite-field arithmetic (GF(2^8))

MixColumns uses multiplication over GF(2^8) with the AES irreducible polynomial:

x^8 + x^4 + x^3 + x + 1  (0x11b)

Practical consequence:

• Multiplication by 2 is a left shift plus conditional XOR with 0x1b.
• MixColumns is invertible; decryption uses multipliers 9, 11, 13, 14.

Understanding this prevents common implementation bugs.

4) Key schedule and related risks

AES derives 11 round keys (AES-128) from the original key.

Key expansion uses:

• RotWord (byte rotation)
• SubWord (S-box)
• Rcon constants

Common pitfalls:

• Wrong byte order (AES uses column-major state).
• Incorrect Rcon or word rotation.
• Mixing big-endian and little-endian in word assembly.

5) Modes: why they exist

Because block ciphers are deterministic, we need modes to hide patterns.

ECB (do not use)

• Each block encrypted independently.
• Equal plaintext blocks -> equal ciphertext blocks.
• Leaks structure (the "ECB penguin").

CBC

• C0 = IV
• Ci = Enc(Pi XOR C(i-1))
• Requires unpredictable IV.
• Decryption: Pi = Dec(Ci) XOR C(i-1)
• Malleable: flipping bits in C(i-1) flips bits in Pi.

CTR

• Keystream block = Enc(nonce || counter)
• Ciphertext = plaintext XOR keystream
• Decryption is identical to encryption.
• Nonce reuse is fatal (keystream reuse).

6) Padding and padding oracles

Block modes like CBC require full blocks. PKCS#7 padding is standard:

• Add k bytes of value k (1..blockSize).
• Always add padding even if already aligned.

If you report padding errors differently, you may create a padding oracle that leaks plaintext one byte at a time. This is a classic real-world failure.

7) Integrity and AEAD

CBC and CTR provide confidentiality only. They do not prevent tampering.

• Modify ciphertext -> predictably modifies plaintext.
• You must combine encryption with authentication (e.g., HMAC or AEAD).

A secure pattern is Encrypt-then-MAC or a modern AEAD like GCM or ChaCha20-Poly1305.

8) Implementation pitfalls

• Reusing IVs or nonces.
• Incorrect padding validation (timing leaks or oracles).
• Implementing AES with wrong state ordering.
• Forgetting to authenticate ciphertexts.
• Using ECB for structured data.

These are common even in professional codebases.

What you will build

1. AES-128 block cipher: full encryption and decryption from scratch.
2. CBC with PKCS#7: correct padding, encryption, and decryption.
3. CTR mode: stream encryption with nonce + counter.
4. CBC bitflipping: exploit malleability to change decrypted plaintext.

Key takeaways

• AES is a deterministic permutation; modes are essential.
• CBC and CTR are malleable without authentication.
• Nonce/IV reuse breaks confidentiality.
• Correct padding and error handling matter as much as the cipher.