Block size (cryptography)

Block size (cryptography)Main

Community hub

7 pages, 0 posts

0 subscribers

Recent from talks

Be the first to start a discussion here.

Recent from talks

Be the first to start a discussion here.

Contribute something

About hubMembersContent overviewUpdatesRules

Main reference articles

Block size (cryptography)

View on Wikipedia

from Wikipedia

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "Block size" cryptography – news · newspapers · books · scholar · JSTOR (November 2024) (Learn how and when to remove this message)

In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size.^[1] Both the input (plaintext) and output (ciphertext) are the same length; the output cannot be shorter than the input – this follows logically from the pigeonhole principle and the fact that the cipher must be reversible – and it is undesirable for the output to be longer than the input.

Until the announcement of NIST's AES contest, the majority of block ciphers followed the example of the DES in using a block size of 64 bits (8 bytes). However, the birthday paradox indicates that after accumulating several blocks equal to the square root of the total number possible, there will be an approximately 50% chance of two or more being the same, which would start to leak information about the message contents. Thus even when used with a proper encryption mode (e.g. CBC or OFB), only 2³² × 8 B = 32 GB of data can be safely sent under one key.^{[citation needed]} In practice a greater margin of security is desired, restricting a single key to the encryption of much less data — say a few hundred megabytes. At one point that seemed like a fair amount of data, but today it is easily exceeded. If the cipher mode does not properly randomise the input, the limit is even lower.

Consequently, AES candidates were required to support a block length of 128 bits (16 bytes). This should be acceptable for up to 2⁶⁴ × 16 B = 256 exabytes of data, and would suffice for many years after introduction. The winner of the AES contest, Rijndael, supports block and key sizes of 128, 192, and 256 bits, but in AES the block size is always 128 bits. The extra block sizes were not adopted by the AES standard.

Many block ciphers, such as RC5, support a variable block size. The Luby-Rackoff construction and the Outerbridge construction can both increase the effective block size of a cipher.

Joan Daemen's 3-Way and BaseKing have unusual block sizes of 96 and 192 bits, respectively.

References

[edit]

^ "Block size".

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q QARMA RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category

Revisions and contributors Edit on Wikipedia Read on Wikipedia

View on Grokipedia

from Grokipedia

In cryptography, the block size is the fixed number of bits in the input or output block processed by a block cipher during a single encryption or decryption operation.^[1] Block ciphers, which form the basis of many symmetric encryption schemes, divide plaintext messages into these discrete blocks for processing, requiring padding for messages that do not align perfectly with the block length.^[2] Historically, early block ciphers like the Data Encryption Standard (DES), standardized in FIPS 46 in 1977, employed a 64-bit block size, which processes 8 bytes of data at a time.^[3] In contrast, modern standards such as the Advanced Encryption Standard (AES), specified in FIPS 197 in 2001, use a 128-bit block size across its variants (AES-128, AES-192, and AES-256), enabling the encryption of 16 bytes per block while supporting key lengths of 128, 192, or 256 bits.^[4] These sizes reflect an evolution driven by the need for enhanced security, as smaller blocks like DES's 64 bits became vulnerable to attacks exploiting the birthday paradox, limiting secure data volumes to approximately 2^{32} blocks.^[5] The block size profoundly influences the security and performance of block cipher modes of operation, such as ECB, CBC, and GCM, where it determines the granularity of data handling and the potential for collisions in ciphertext.^[2] Larger block sizes, like 128 bits in AES, provide greater resistance to cryptanalytic attacks and support higher data throughput in secure communications, though they may increase computational overhead in resource-constrained environments.^[2] As of 2025, NIST is developing standards for wider block sizes, such as 256 bits using Rijndael-256, to support large-scale data protection in block cipher modes.^[6]^[7]

Fundamentals

Definition

In symmetric cryptography, the block size is the fixed number of bits in each input and output block that a block cipher processes during a single encryption or decryption operation.^[1] The plaintext is divided into these uniform blocks for processing, with common sizes including 64 bits or 128 bits.^[2] Block ciphers provide the primary context for block size, as they are symmetric-key algorithms that transform fixed-length blocks of data.^[8] Unlike the key size, which determines the length of the secret key and thereby the cipher's resistance to exhaustive key searches, the block size governs the chunking of data into discrete units for algorithmic application.^[9] For instance, in the Advanced Encryption Standard (AES), the block size remains fixed at 128 bits regardless of the key length, which can be 128, 192, or 256 bits.^[9] The basic processing of blocks in a block cipher is denoted by the equation

C_i = E_K(P_i)

, where

P_i

is the

i

-th plaintext block of

n

bits,

E_K

is the encryption function parameterized by the key

K

, and

C_i

is the resulting ciphertext block of the same size.^[2] Such ciphers are conventionally referred to as

n

-bit block ciphers, with

n

indicating the block size.^[1]

Role in Block Ciphers

Block ciphers are symmetric-key algorithms that encrypt and decrypt fixed-size blocks of plaintext data using a secret key, processing each block independently or in chained modes of operation.^[10] The block size, typically denoted as

n

bits, defines the unit of data processed in each operation and directly influences the cipher's internal state and computational structure.^[10] For instance, common block sizes include 64 bits in older designs like DES and 128 bits in modern standards like AES, where the size determines the scale of transformations applied to achieve confusion and diffusion. In the encryption process, the input plaintext is divided into blocks of the fixed block size

n

, and each block is then transformed through multiple rounds of a core cipher function to produce the corresponding ciphertext block.^[10] Decryption reverses this process using the same key, ensuring invertibility without requiring additional information. The block size

n

governs the dimensions of this transformation, as the cipher's rounds operate on the entire block or its subdivisions to mix bits thoroughly.^[10] Many block ciphers, such as DES, employ a Feistel structure, where the block size

n

must be even (typically

n = 2t

) to split the input into two equal halves, left

L

and right

R

, each of

t

bits.^[10] In each round

i

, the halves are updated as follows:

L_i = R_{i-1}

R_i = L_{i-1} \oplus f(R_{i-1}, K_i)

where

f

is a round function applying key-dependent substitutions and permutations to the right half, and

K_i

is the subkey for round

i

.^[10] This splitting ensures balanced diffusion across the block, with the even block size enabling the XOR combination that preserves invertibility for decryption by reversing the subkey order. In DES, for example,

n = 64

bits yields

t = 32

-bit halves processed over 16 rounds. Other block ciphers, like AES, use a substitution-permutation network (SPN) structure, where the block size

n

defines the full internal state subjected to layered operations without halving.^[10] In AES, the 128-bit block is arranged as a 4×4 byte array (state), and each round applies byte substitutions via S-boxes, row shifts, column mixing, and key addition, scaled directly to the state size for comprehensive bit mixing. The block size thus dictates the network's width, ensuring that permutations and substitutions propagate changes across the entire block in subsequent rounds.^[10]

Security Aspects

Collision Risks

In block ciphers, the block size directly affects the likelihood of ciphertext collisions, where two distinct plaintext blocks encrypt to the same output under the same key, potentially compromising confidentiality by revealing relationships between plaintexts. This vulnerability arises from the birthday paradox, which states that for an n-bit block size, the probability of a collision reaches approximately 50% after about

2^{n/2}

encryptions, as the output space of

2^n

possible values becomes insufficient to avoid repeats with high probability.^[11] The precise approximation for the probability of at least one collision among k blocks is given by

P(\text{collision}) \approx 1 - e^{-\frac{k(k-1)}{2 \cdot 2^n}},

where

2^n

denotes the size of the block space; this formula derives from the expected number of pairwise comparisons leading to a match, and for

k \approx \sqrt{2 \ln 2 \cdot 2^n} \approx 1.177 \cdot 2^{n/2}

k≈2ln2⋅2n

≈1.177⋅2n/2, the probability approaches 50%. To arrive at this, consider the probability of no collision as the product $\prod_{i=1}^{k-1} (1 - i/2^n)$ , which approximates to $e^{-\sum i / 2^n} = e^{-k(k-1)/(2 \cdot 2^n)}$ using the Taylor expansion for small $i/2^n$ , yielding the complementary probability for a collision.^[11] Small block sizes exacerbate these risks, as seen with 32-bit blocks where collisions become probable after roughly $2^{16} \approx 65{,}000$ encryptions (about 256 KB of data), enabling attackers to distinguish the cipher from a truly random permutation through statistical biases in the output distribution.^[11] Such frequent collisions undermine the diffusion property essential for security, allowing practical attacks that recover plaintext information without key compromise.^[11] A prominent example is the Sweet32 attack, which exploits 64-bit blocks in Triple DES (3DES) when used in CBC mode within TLS, achieving a birthday collision after collecting approximately $2^{32}$ blocks (around 32 GB for 50% probability, or 785 GB in practice for reliable recovery).^[11] In this attack, adversaries force repeated plaintext encryptions via JavaScript in a victim's browser, capturing network traffic to identify colliding ciphertexts and deduce secret data like session cookies through XOR relations between blocks.^[11] This demonstrates how even moderately small block sizes render long-lived sessions vulnerable in real-world protocols.^[11]

Impact on Key Strength

In block ciphers, the effective security against exhaustive key search is fundamentally bounded by the key space of

2^k

possibilities, where

k

is the key length in bits, but the block size

n

imposes additional constraints on the cipher's distinguishability from a random permutation, limiting the overall key strength to effectively

\min(2^k, 2^n)

in scenarios where the block space restricts unique mappings per key. This interplay arises because a block cipher with block size

n

can only produce

2^n!

distinct permutations, far fewer than

2^{2^n}

for an ideal function, making small

n

a potential bottleneck even if

k

is large, as it reduces the per-block uniqueness and exposes the system to structural weaknesses beyond brute-force key recovery. For instance, when

k > n

, the effective key length experiences a measurable loss, quantified as approximately

k + \log_2\left(1 - \left(1 - \frac{3b}{n} + \frac{2k}{n}R\right)\right)

, where

b

is the S-box size and

R

is the number of rounds, highlighting how disproportionate block sizes diminish security margins.^[12] Meet-in-the-middle attacks further illustrate how block size modulates key recovery costs, particularly in multiple encryption schemes where keys are split across encryptions. For double encryption using two subkeys of length

k/2

each, the basic meet-in-the-middle attack achieves key recovery in

2^{k/2}

time and

2^{\min(k/2, n)}

space by exploiting plaintext-ciphertext pairs, but in key-length extension constructions like double XOR-cascades, the security against generic meet-in-the-middle variants reaches up to

2^{k + n/2}

queries, demonstrating that larger

n

amplifies the computational barrier to key exhaustion by integrating block-space limitations into the attack complexity. This amplification occurs because attackers must account for the

2^n

possible intermediate values, effectively raising the time requirement to

2^{k/2 + n/2}

in balanced scenarios where subkey and block sizes align, thus preventing the block size from undermining the key's intended strength. Seminal analyses confirm that such attacks bound the security of two-encryption schemes at

2^{k + n/2}

, underscoring the role of

n

in fortifying key-based protections.^[13] To maintain robust key strength, designers recommend balancing block size such that

n \geq k/2

, ensuring the block space does not become the weak link in key exhaustion resistance; for example, AES employs a 128-bit block size (

n=128

) with key lengths of 128, 192, or 256 bits, where even the longest key satisfies

n \approx k/2

, preserving near-full effective key lengths of approximately 127 bits for AES-128 and 255 bits for AES-256 against exhaustive and related attacks. This guideline stems from observations that fixed-round ciphers achieve optimal effective key lengths when

k \approx n

, avoiding losses from oversized keys relative to blocks. In contrast, the Data Encryption Standard (DES), with its 64-bit block (

n=64

) and 56-bit key (

k=56

), exemplified early vulnerabilities by the 1990s, where the small block size compounded key weaknesses, rendering it susceptible to emerging attacks on both dimensions as computational power grew.^[12]^[14]

Design and Implementation

Selection Criteria

The selection of block size in block cipher design involves balancing security benefits with practical implementation constraints. Larger block sizes enhance security by reducing the likelihood of collisions in modes of operation, where the birthday paradox limits security to approximately

2^{b/2}

operations for a block size of

b

bits, thereby providing stronger resistance to attacks exploiting repeated values.^[15] However, this comes at the cost of increased computational overhead, as processing larger states requires more memory for intermediate values and additional operations per block, potentially degrading performance in resource-constrained environments.^[16] These trade-offs are particularly relevant when considering security aspects like collision risks, motivating designers to avoid excessively small blocks while keeping sizes manageable for efficiency. Hardware and software constraints significantly influence block size choices, with optimal designs aligning the block size as a multiple of the processor's word size to minimize alignment penalties and maximize throughput. For legacy systems based on 32-bit or 64-bit architectures, block sizes like 64 bits facilitate efficient word-level operations, reducing the need for multi-word handling.^[16] In contrast, modern 64-bit architectures favor 128-bit blocks, which align well with double-word operations and SIMD instructions, enabling faster table lookups and bit-slicing implementations without excessive transposition overhead.^[16] Misalignment, such as using a block size not divisible by the word size, can lead to inefficient memory access patterns and increased cycle counts during diffusion layers. In resource-constrained environments, such as IoT devices, 64-bit blocks remain common in NIST-approved lightweight ciphers to prioritize efficiency.^[17] Standardization bodies like NIST have shaped block size preferences since the early 2000s, recommending a minimum of 128 bits for new general-purpose approved block ciphers, as reflected in the adoption of the Advanced Encryption Standard (AES) in 2001, to ensure adequate classical collision resistance. For constrained applications, smaller sizes like 64 bits are still approved. This approach aims to provide resilience against emerging threats, though block size primarily bolsters classical collision resistance; quantum-accelerated attacks like Grover's algorithm more directly impact key sizes rather than block sizes. Post-2000 designs for general use avoid smaller sizes like 64 bits, which were common in earlier ciphers but now fall short for long-term security requirements in non-lightweight contexts.^[4] Performance considerations further guide selection, with throughput often approximated as the block size divided by the time to process one block, including round computations. Larger blocks can improve bytes-per-cycle efficiency by amortizing fixed per-block costs over more data, but achieving adequate diffusion—spreading changes across the entire state—typically demands more rounds or complex layers, offsetting gains.^[16] For instance, 256-bit blocks remain rare in practice because ensuring full diffusion in such wide states requires substantially more rounds or intricate mixing operations, leading to higher latency and area costs in hardware implementations without proportional security benefits for most applications.^[18]

Padding Techniques

In block ciphers, which process data in fixed-size blocks, padding techniques are essential to handle plaintext messages whose lengths are not multiples of the block size, ensuring the input aligns with the cipher's requirements without altering the original data semantics. These methods append standardized bytes to the end of the message, which are removed during decryption after validation. The choice of padding scheme influences both security and compatibility, with improper handling potentially exposing vulnerabilities at block boundaries. The PKCS#7 padding scheme, standardized in RFC 5652 as part of the Cryptographic Message Syntax (CMS), is one of the most commonly used methods for block ciphers. It calculates the required padding length using the formula

\text{pad\_len} = (\text{block\_size} - (\text{input\_len} \mod \text{block\_size})) \mod \text{block\_size},

where if

\text{pad\_len} = 0

, a full block of padding bytes is added to facilitate unambiguous removal. Each of the

\text{pad\_len}

bytes appended to the input is set to the decimal value of

\text{pad\_len}

(ranging from 1 to the block size). For instance, with a 128-bit (16-byte) block size and a 123-byte input, five bytes each valued at 0x05 (decimal 5) are added, resulting in a total length of 128 bytes. This scheme ensures that padding can always be reliably stripped during decryption, as the value of the final byte indicates the number of padding bytes to remove, and all such bytes match that value for validation.^[19] Other padding schemes provide alternatives with different trade-offs in security and implementation. The ANSI X9.23 scheme, originally defined in the withdrawn ANSI X9.23 standard for financial cryptography applications, fills the required padding bytes with zeros except for the last byte, which is set to the number of padding bytes added (including itself). For example, needing five padding bytes would append four 0x00 bytes followed by 0x05. In contrast, ISO 10126 padding, specified in the now-withdrawn ISO/IEC 9797-1 standard, enhances security against certain attacks by filling the padding area with random bytes, followed by a final byte indicating the padding length; this randomization helps mitigate predictable patterns but requires secure random number generation.^[20]^[21] Certain block cipher modes of operation, such as Counter (CTR) mode, eliminate the need for padding altogether by generating a keystream that matches the exact length of the plaintext, allowing encryption of arbitrary-length data without extension to block multiples. This approach, detailed in NIST Special Publication 800-38A, avoids padding-related overhead and risks but requires careful management of the counter to prevent reuse.^[22] Despite their utility, padding techniques introduce security risks if validation is not performed securely, particularly in CBC mode where block boundaries are interdependent. Padding oracle attacks exploit side-channel information from decryption processes that reveal whether padding is valid, enabling attackers to decrypt ciphertexts byte-by-byte with minimal queries; this class of vulnerability was first systematically analyzed by Vaudenay in 2002, demonstrating its applicability to protocols like SSL using PKCS#7 padding. Such attacks underscore the importance of constant-time padding checks and avoiding leakage of validation results.^[23]

Historical and Modern Examples

Early Ciphers

The Lucifer cipher, developed by IBM researchers in the 1970s under Horst Feistel, utilized a 128-bit block size as part of its Feistel network structure, making it one of the earliest block ciphers designed for data protection in computing systems.^[24] This larger block was intended to provide robust security for the era's emerging cryptographic needs, serving as a direct precursor to the Data Encryption Standard (DES) through evaluations by the National Security Agency (NSA).^[25] In 1977, the DES was standardized by the National Bureau of Standards (now NIST) with a 64-bit block size and 56-bit effective key length, selected primarily for compatibility with the hardware constraints of late-1970s computing, where 64 bits aligned efficiently with 8-byte memory and processor word sizes.^[26] This choice facilitated fast implementation in dedicated hardware chips, enabling widespread adoption in financial and government applications, though the reduced block size from Lucifer's design later drew criticism for increasing vulnerability to collision-based attacks in modes like CBC, where approximately 2^32 blocks could lead to exploitable repeats.^[27] Despite these limitations, DES's block size balanced security and performance for its time, influencing subsequent designs. The International Data Encryption Algorithm (IDEA), proposed in 1991 by Xuejia Lai and James Massey, maintained a 64-bit block size with a 128-bit key, positioning it as a stronger alternative to DES through its use of mixed operations (XOR, addition, and multiplication modulo 2^16+1) to resist known attacks.^[28] IDEA gained prominence in applications like Pretty Good Privacy (PGP) for email encryption, where security analyses in the early 1990s confirmed its resistance to differential and linear cryptanalysis up to its full 8.5 rounds, deeming it adequate for protecting data against brute-force and analytical threats prevalent then.^[29] During the 1970s and 1980s, the preference for 64-bit blocks in ciphers like DES and its contemporaries stemmed from hardware alignments, as 64 bits corresponded to eight bytes, optimizing processing on systems with byte-addressable memory and limited computational resources, which favored efficiency over larger blocks that would strain early integrated circuits.^[30] This historical trend shaped block cipher evolution until the 1990s, when growing data volumes and computational power began exposing the security trade-offs of smaller blocks.

Contemporary Standards

The Advanced Encryption Standard (AES), standardized by NIST in 2001 as FIPS 197, employs a fixed block size of 128 bits, selected from the broader Rijndael cipher family that originally supported block sizes of 128, 192, or 256 bits.^[31] This choice balances computational efficiency with sufficient security margins against brute-force and collision attacks, making AES suitable for widespread deployment in hardware and software implementations.^[31] While larger block sizes were considered during the AES selection process, the 128-bit option was prioritized for its performance advantages without compromising post-quantum viability when paired with 256-bit keys.^[4] Camellia, developed by NTT and Mitsubishi Electric and standardized by ISO/IEC in 2005 as part of ISO/IEC 18033-3, also uses a 128-bit block size, supporting key lengths of 128, 192, and 256 bits to align closely with AES specifications. Endorsed by ISO for its cryptographic strength equivalent to AES, Camellia's design emphasizes resistance to differential and linear cryptanalysis, facilitating its adoption in international standards for secure communications and data protection.^[32] To address potential limitations of 128-bit blocks in quantum-era scenarios, NIST proposed in 2024 to standardize a 256-bit block variant of AES (Rijndael-256) with a 256-bit key, aiming to enhance collision resistance for high-volume data encryption.^[6] NIST's guidelines, updated through publications like SP 800-38G in 2025, explicitly recommend approved block ciphers with a minimum 128-bit block size for new systems, citing observed vulnerabilities in smaller blocks (e.g., the deprecation of 64-bit TDEA in 2024) that enable practical attacks such as birthday collisions in modes like CBC.^[33]^[34] These standards reflect best practices for maintaining long-term confidentiality in contemporary cryptographic deployments.

Modes of Operation

In block cipher cryptography, modes of operation define how a fixed-size block cipher processes messages longer than a single block, with the block size directly influencing the structure, security properties, and efficiency of the encryption process. The block size, typically denoted as

b

bits (e.g., 128 bits for AES), determines the granularity of data processing, the size of initialization vectors (IVs) or counters, and potential vulnerabilities like pattern leakage in certain modes. These modes chain or parallelize block encryptions to handle arbitrary-length inputs while preserving the underlying cipher's security.^[35] The Electronic Codebook (ECB) mode encrypts each plaintext block independently using the block cipher, without any dependency between blocks. Here, the block size

b

directly dictates the unit of encryption, requiring the plaintext to be a multiple of

b

bits, and identical plaintext blocks will always produce identical ciphertext blocks, amplifying collision risks if repetitive patterns exist in the data—such as in images or structured text—since the mode reveals statistical information about the plaintext. This independence makes ECB simple but insecure for most applications, as the block size limits the cipher's ability to diffuse patterns across the message. ECB does not use an IV, and its deterministic nature heightens the impact of small block sizes on privacy.^[35]^[36] Cipher Block Chaining (CBC) mode introduces dependency between blocks to mitigate ECB's weaknesses, where each plaintext block is XORed with the previous ciphertext block before encryption, and the first block uses an IV of exactly

b

bits. The block size thus determines both the IV length and the chain's step size, ensuring that changes in one block propagate to subsequent ones, which enhances diffusion but requires the message to be padded to a multiple of

b

if necessary. This chaining makes CBC sequential, with the block size influencing the overall security margin against certain attacks by tying the encryption of each

b

-bit segment to the prior output.^[35]^[36] Counter (CTR) mode transforms the block cipher into a stream-like cipher by encrypting a sequence of counter blocks, each of

b

bits, initialized from an IV or nonce, and XORing the resulting keystream with the plaintext. Unlike ECB or CBC, CTR does not require padding, as partial blocks can be handled directly, and the block size defines the counter's width and the keystream's chunk size, enabling parallel processing of multiple blocks for improved performance. This mode avoids chaining dependencies, making it suitable for high-speed applications where the block size's fixed nature supports efficient, nonce-based uniqueness without altering the message length.^[35]^[36] Modes like Galois/Counter Mode (GCM) extend CTR by adding authentication, using the block size for both encryption and tag generation; for instance, AES-GCM employs 128-bit blocks to process plaintext via counter encryption while deriving a 128-bit (or truncated) authentication tag through Galois field multiplication over the ciphertext and additional authenticated data. The block size in GCM ensures alignment for the hash subkey and counter operations, providing confidentiality and integrity in a single pass. Some modes, such as CTR and GCM, mitigate padding needs inherent to block sizes in ECB and CBC.^[37]

Stream Ciphers Comparison

Stream ciphers differ fundamentally from block ciphers by generating a pseudorandom keystream on a bit-by-bit or byte-by-byte basis, eliminating the need for fixed block sizes and allowing direct encryption of arbitrary-length data without segmentation.^[38] This approach contrasts with block ciphers, where data must be divided into uniform blocks, often requiring padding for incomplete segments, which can introduce overhead and potential vulnerabilities in handling.^[39] A key advantage of stream ciphers is their ability to process data continuously, resulting in lower latency, particularly for small or real-time transmissions, as there is no delay from block buffering or padding operations.^[40]^[41] However, this design carries risks, such as susceptibility to attacks if the keystream is reused— for instance, when initialization vectors are improperly managed—leading to XOR-based recovery of plaintext through bitwise operations on ciphertext.^[42] Exemplifying traditional stream ciphers, RC4 generates a variable-length keystream byte-by-byte without block constraints, but its deployment was deprecated in TLS protocols by the IETF in 2015 due to exploitable biases in the keystream that enabled plaintext recovery in high-volume traffic.^[43] In contrast, modern stream ciphers like ChaCha20 produce a continuous keystream directly from the key and nonce, avoiding block sizes altogether while offering high speed and resistance to such biases, making it suitable for applications like VPNs and mobile encryption.^[44] Block size becomes less relevant in hybrid scenarios where block ciphers emulate stream behavior through modes of operation, such as output feedback (OFB), which iteratively encrypts an initialization vector to generate a keystream independent of plaintext, effectively transforming the block cipher into a synchronous stream cipher.^[45] Similarly, counter (CTR) mode, as applied to AES, increments a counter to produce unique blocks that are encrypted and XORed with plaintext, yielding stream-like processing without padding for arbitrary lengths.^[46] This shift toward block-derived streams, like AES-CTR, has gained prominence post-RC4 deprecation, balancing the security of established block ciphers with stream efficiency.^[47]

Info Pages

Talk Pages

Special Pages

Block size (cryptography)

Recent from talks

Recent from talks

Contribute something

Contribute something

Media Pages

Timelines

Articles

Notes collections

Notes

Notes

Days in Chronicle

Block size (cryptography)

See also

References