Block Ciphers and Data Encryption Standard DES

1
Block Ciphers and Data Encryption Standard (DES)

• Chapter 3

2
Motivation

• Problem Alice and Bob happen to speak a language
  in which all sentences are only n-bits long
  (n-bit blocks). They want to encrypt their
  message so Trudy who also happens to know a lot
  about statistical analysis of plaintext/ciphertext
  , wont break their message
• Assume that Alice and Bob use substitution and
  encryption is reversible (so decryption would be
  possible), determine the size of the key for each
  of the following n values.
• (a) n 4
• (b) n 64
• what advice would you offer to Alice and Bob?

3
Motivation (cont.)

• Answer
• For an n-bit input, there are total of 2n
  possible outputs (each of these outputs is n-bit
  wide also). To be reversible, we need to have
  one-to-one mapping, that is, each output block
  maps to only one input block.
• Hence the size of the key is n x 2n.
• (a) For n 4 ? key size 64 too small. It
  can be vulnerable to brute attack or statistical
  analysis
• (b) N 64 (which is more reasonable sentence
  size) ? key size 64 x 264 270 ( 1021 ) bits
  with such large key statistical characteristics
  of the source text will be masked to a point that
  cryptanalysis is infeasible no matter how
  determined Trudy is!

4
Motivation (cont.)

• However key size of 270 bits is not manageable
  (i.e., Alice and Bob wont be able to remember
  it, and there is no such large CPU memory to
  store it!)
• Alice and Bob need to consider using a solution
  provided by Shannon (1949) and later by Feistel
  (1971) which is the basis for most symmetric
  ciphers

5
Block vs. Stream Ciphers

• Before we discuss Shannon/Feistel solution, lets
  define Block and Stream ciphers
• Block ciphers work and process one block/work at
  a time (block consists of fix number of bits)
• All of its bits have to be available before the
  block can be processed
• Stream ciphers work on a bit or byte of the
  message at a time, hence process it as a stream
• Most current ciphers are block cipher

6
Block Cipher

• A block of message is encrypted using the same
  key
• The cryptosystem encrypts one block of data at a
  time
• Plaintext is broken into fixed length of blocks
  (often 64 bits) and processed one block at a time
• Last block may be padded to form a complete block
• Each block is applied to the same algorithm and
  key
• Same key is used to encrypt each block at the
  transmitting side and decrypt each block at the
  receiving side.
• At the receiving side, the same key and the same
  algorithm is used to decrypt the block to get the
  original plaintext
• DES and IDEA is the typical Block Cipher

7
Claude Shannon Substitution-and-Permutation
Ciphers

• Claude Shannons 1949 paper has the key ideas
  that led to the development of modern block
  ciphers. Critically, it was the technique of
  layering modern substitution-transposition
  product cipher S-P networks
• S-P networks are based on the two primitive
  cryptographic operations we have seen before
• Substitution (s-box)
• Permutation (P-box)
• The ideas of confusion and diffusion are added

8
Confusion and Diffusion

• Cipher needs to completely obscure statistical
  properties of original message
• More practically Shannon suggested combining
  elements to obtain
• Diffusion dissipates statistical structure of
  plaintext over bulk of ciphertext. This is
  achieved by having each digit plaintext affect
  the value of many ciphertext
• The idea is to make the statistical relationship
  between the plaintext and ciphertext as complex
  as possible in order to thwart attempts to deduce
  the key
• Example encryp a message M m1,m2,m3, of
  characters with an averaging operation

9
Confusion and Diffusion (cont.)

• Confusion makes relationship between ciphertext
  and key as complex as possible, again to thwart
  attempts to discover the key.
• It is achieved through the use of complex and
  nonlinear substitution

10
Feistel Cipher

• Horst Feistel, working at IBM Thomas J Watson
  Research Labs devised a suitable invertible
  cipher structure in early 70s
• One of Feistels main contributions was the
  invention of a suitable structure which adapted
  Shannons S-P network in an easily inverted
  structure
• Essentially the same hardware or software is used
  for both encryption and decryption, with just a
  slight change in how the keys are used.
• One layer of S-box followed by P-box are used to
  form the round function

11
Feistel Cipher (cont.)

• In the Feistel Cipher
• Partitions input block into two halves
• Process through multiple rounds which
• Perform a substitution on data left-half
• Based on round function of right half subkey
• Then have permutation swapping halves

12
Feistel Cipher Structure

• Can be described functionally as (for igt0),
• L(i) R(i 1)
• R(i) L(i1) XOR F(K(i), R(i-1))

13
Feistel Cipher Design Principles

• Block size
• Increasing size improves security, but slows
  cipher
• Key size
• Increasing size improves security, makes
  exhaustive key searching harder, but many slow
  cipher
• Number of rounds
• Increasing the number of rounds improves
  security, but slow cipher
• Subkey generation
• Greater complexity can make analysis harder, but
  slows cipher
• Round function
• Greater complexity can make analysis harder, but
  slows cipher
• Fast software encryption and decryption ease of
  analysis
• Are more recent concerns for practical use and
  testing

14
Feistel Cipher Decryption

• The process of decryption with a Feistel cipher
  is essentially the same as the encryption
  process. The rule is as follows
• Use the ciphertext as input to the algorithm, but
  use the subkeys Ki in reverse order. That is,
  use Kn in the first round, Kn-1 in the second
  round, and so on until K1 is used in the last
  round.
• This is a nice feature because it means we need
  not implement two different algorithms, one for
  encryption and one for decryption

15
Data Encryption Standard (DES)

• Published in 1977 by the National Bureau of
  Standards for use in commercial and unclassified
  US government applications
• Specified in Federal Information Processing
  Standard (FIPS) 42.
• Most widely used block cipher in the world
• Use 56-bit key (8 bits for parity), and maps a
  64-bit input block to produce 64-bits output
  block
• Pretty fast encryption algorithm in hardware
• A de facto standard and widely used
• A symmetric key cryptosystem, 64-bit block cipher
• Small key space with 56-bit key size (256)
• It is not considered to be secure

16
DES History

• Designed by IBM (based on Lucifer cipher) with
  input from NSA
• By team led by Feistel
• Used 64-bit data blocks with 128-bit key
• Then re-developed as a commercial cipher with
  input from NSA and others
• In 1973, NBS (todays NIST) issued request for
  proposals for a national cipher standard
• IBM submitted their revised Lucifer which was
  eventually accepted as the DES
• The American National Standards Institute (ANSI)
  adopted DES as a standard (ANSI X3.92) in 1981.
  It is called Data Encryption Algorithm (DEA)

17
DES Design Controversy Why 56-bit key?

• Was considerable controversy over design
• Over the choice of 56-bit key (vs the original
  version of Lucifer, 128-bit)
• And because design criteria was classified
• Subsequent events and public analysis show in
  fact design was appropriate
• DES has become widely used, especially in
  financial applications.

18
Basic Structure of DES
64-bit input
56-bit key
Initial Permutation
Permuted Choice 1
48-bit K1
Round 1
Left circular shift
Permuted choice 2
48-bit K2
Round 2
Left circular shift
Permuted choice 2
. . .
. . .
. .
48-bit K16
Round 16
Left circular shift
Permuted choice 2
32-bit Swap left and right halves
Final Permutation
64-bit output
19
DES Overview

• Encryption
• 64 bits input block is subjected to an initial
  permutation to obtain a 64 bits result
• 56-bit key is used to generate 16 48-bit per
  round keys
• Each round takes the 64-bit output from previous
  round with 48-bit per round key to produce a
  64-bit output
• Each round is a complex key dependent round
  function involving substitution and permutation
  functions
• After 16 round, the 64-bit output swaps its half
• Then a final permutation (which is the inverse of
  the initial permutation) to produce a 64-bit
  output
• The right side shows the handling of the 56-bit
  key and consist of
• An initial permutation of the key (PC1) which
  selects 56 bits in two 28-bit halves
• 16 stages to generate the subkeys using a left
  circular shift and a permutation

20
Initial Permutation IP

• The initial permutation and its inverse are
  defined by tables, as shown in Tables 3.2a
  3.2b, respectively
• The table are to be interpreted as follows the
  input to a table consists of 64 bits numbered
  from 1 to 64
• The 64 entries in the permutation table contain a
  permutation of the numbers from 1 to 64.
• Each entry in the permutation table indicates the
  position of the numbered input bit in the output,
  which also consists of 64 bits

21
Initial Permutation IP (cont.)

• Note that the bit numbering for DES reflects IBM
  mainframe practice, and is the opposite of what
  we now mostly use so be careful! Numbers from
  Bit 1 (leftmost, most significant) to bit
  32/48/64 etc (rightmost, least significant)

22
DES Single Round Structure

• DES is a Feistel cipher which can be described as
  follows
• Use two 32-bit L R halves
• Li Ri-1
• Ri Li-1 XOR F(Ri-1 , Ki ), where F is called
  the Mangler Function
• F takes 32-bit R half and 48-bit subkey and
• Expands R to 48 bits using permutation/expansion
• XORed with a 48-bit subkey
• Then passes this through S-boxes to get 32-bit
  new result
• Finally permutes this using 32-bit permutation P

23
Single Round of DES Algorithm
24
Expansion Function

• Expands RH side data input from 32 to 48 bits
• By duplicating 16 bits
• Specifically split input into 8 groups (row in
  the table below) of 4 bits (columns in the table
  below)
• Then duplicate bits from either side to form
  groups of 6 bits

25
Key Addition

• The expanded 48 bits data are then XORed
  (addition modulo 2) to the 48 subkey bits
• Subkeys are obtained from Permuted Choice 2 (PC2)
• Example
• E(R) 20 00 09 1b 3e 2d 1f 36 XOR
• SK 38 09 1b 26 2f 3a 27 0f
• 18 09 12 3d 11 17 38 29

26
Substitution Box S

• The substitution consists of a set of eight
  S-boxes, each of which accepts 6 bits as input
  and produces 4 bits as output (see figure in the
  next slide)
• These transformation are defined in Table 3.3,
  (after the next slide) which is interpreted as
  follows
• The first and last bits of the input to box Si
  form a 2-bit binary number to select one of four
  subsititutions defined by the four rows in the
  table for Si.
• The middle four bits select one of the sixteen
  columns.
• The decimal value in the cell selected by the row
  and column is then converted to its 4-bit
  representation to produce the output

27
DES Round Structure
28
Definition of DES S-Boxes
29
Permutation P

• It is the last transformation of the F function
• It accepts 32 bits data from the S-box as input
  data (see DES Round Structure Slide) to perform
  permutation according to the table below

For example, the 1st output bit is 16th input
bit, the 2nd output bit is the 7th input bit etc.
30
DES Key Schedule

• Generates subkeys which are used in each round
  (Schedule or have a key (Ki) ready at the start
  of its round (roundI)) (Refer to Figure 3.7)
• Start by selecting 56-bit key from 64-bit input
  key data.
• Selection is as indicated in Table 3.4a where bit
  in the last column are ignored (in practice we
  can use these bits as parity check bits)
• At each round do
• Initial permutation of the key (PC1, Permuted
  Choice 1) which governed by the permutation Table
  3.4b (there is no 64 elements in this table, why?
• The result is 56 bits which is treated as two
  28-bit halves (Ci-1 and Di-1 in the figure)

31
DES Key Schedule (Cont.)

• Then perform left shift rotation of 1 or 2 bits
  depending on the round, key rotation schedule K,
  as indicated in Table 3.4d, for each half, Ci-1
  and Di-1 , and separately
• The pass these shifted halves to the next round
  where they will serve as Ci and Di .
• These shifted halves also serve as the inputs for
  Permuted Choice 2, which performs contraction
  (drops 4 bits from each half, so its output is 24
  bits out of 28 bits) and permutation according to
  Table 3.4c

32
DES Key Schedule Calculation
33
DES Overview - Decryption

• Decryption works by running DES backwards
• Take 64 bits output and perform an initial
  permutation to obtain a 64 bits result (the
  initial and final permutations are inverse of
  each other)
• 56-bit key is used to generate 16 48-bit per
  round keys
• Each round takes the 64-bit output from previous
  round with 48-bit per round key to produce a
  64-bit output. This time, use the key in the
  opposite order (i.e., use K16 first)
• After 16 round, the 64-bit output swaps its half
• Then a final permutation (which is the inverse of
  the initial permutation) to produce a 64-bit
  output

34
How Secure is DES?

• DES is a quite simple cipher only the S box is
  a nonlinear transformation in the algorithm
• So it would have been easier to break it, if
  S-boxes were linear
• The S-boxes provide the confusion of data and
  key values
• Permutation P then spreads this as widely as
  possible, so each S-box output affects as many
  S-box inputs in the next round as possible,
  giving diffusion
• However, one may get the impression that anyone
  could design a cipher Just take some bits,
  shuffle them, and then shuffle them some more,
  and you got your algorithm (you need to have M
  DK(EK (M)))

35
How Secure is DES? (cont.)

• Since Its adoption there have been some concerns
  (mysterious and controversy) of some of the
  design aspects in DES
• For instance we do not know the details in
  choosing the construction of the S-box
  kaufman2002, pg. 75
• Or why the key size is 56 although the original
  recommendation from IBM is 128 bit, certainly
  would make a stronger cipher
• However, Biham and Shamir 1991, have shown that
  a simple change of DES, an in swapping S-box 3
  with S-box 7, leads to DES with order of
  magnitude less secure

36
DES, Avalanche Effect

• DES exhibits strong avalanche as shown in the
  Table below
• Recall avalanche where a change of one input or
  key bit results in changing approx. half output
  bits
• In table (a), with two plaintexts that differ by
  one bit,
• 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (hex)
• 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (hex)
• Results show that about half of the bits in
  ciphertext differ after just a few rounds
• Similarly in table (b) for a single change in the
  key
• See figure in next slide

37
Avalanche Effects in DES
38
Strength and Weakness of DES

• Small key length of 56 bits resulting in 256 key
  space (7.2 x 1016 values)
• Brute force is hard but possible with this small
  key space
• The 56-bit key is susceptible to exhaustive key
  search
• DES was first cracked publicly in the RSA
  Challenge
• Cracking DES, book published by OReilly tell you
  all you need to know including a sample code.
• Very widely used commercially
• Has demonstrated breaks
• 1997 on a large network of computers in a few
  months
• 1998 on dedicated hardware hardward EFF
  (Electronic Frontier in a few days
• 1999 above combined in 22 hours
• Still must be able to recognize plaintext

39
Strength of DES Timing Attacks

• By performing a careful measurement of the amount
  of time it takes to encrypt and decrypt various
  ciphertexts, one can derive some knowledge of
  some/all subkey bits and eventually break the
  cipher this type of attacks is called timing
  attacks
• Timing attacks are particularly problematic for
  smartcards and public keys as it will be
  discussed
• So far and based on previous research results,
  DES appears to be fairly resistant to timing
  attacks

40
Differential Cryptanalysis

• It starts with a pair of messages, say m and m
  with known XOR difference (?m m XOR m) then
  compare and trace the difference between their
  ciphertexts, at each round
• Perform attack by repeatedly encrypting plaintext
  pairs with known input XOR until we obtain
  desired output XOR
• When found
• If intermediate rounds match required XOR have a
  right pair
• If not then, have a wrong pair
• Differential Cryptanalysis is one of the most
  significant recent (public) advances in
  cryptanalysis
• Known by NSA in 70s cf DES design and that lead
  to some researchers to conclude the reason for
  DES resistant to such attack
• We needed to wait until 1990 when Murphy, Biham,
  Shamir made such attack public BIHA93
• Used to analyze most current block ciphers with
  varying degrees of success

41
Linear Cryptanalysis

• This attack is based on finding linear
  approximations to model cipher using statistical
  method
• Not so powerful attack against DES, why?
• Must be iterated over rounds, with decreasing
  probabilities
• Developed by Matsui et al in early 90s
• Based on finding linear approximations
• Can attack DES with 247 known plaintexts, still
  in practice infeasible

42
Modes of Operations

• DES (or any block cipher) forms a basic building
  block, which encrypts/decrypts a fixed sized
  block of data.
• However, in order to use them in practice, we
  usually need to handle arbitrary amounts of data,
  which may be available in advance (in which case
  a block mode is appropriate), and may only be
  available a bit/byte at a time (in which case a
  stream mode is used)
• To cover as much as possible application needs, 4
  modes were defined for for DES in ANSI standard,
  ANSI X3.106-1983

43
Cryptography Mode of Operations

• Larger size of messages
• Described in DES as different mode of operations
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• k-Bit Cipher Feedback Mode (CFB)
• k-Bit Output Feedback Mode (OFB)

44
DES Mode of Operation
45
Electronic Codebook (ECB) Mode

• The simplest mode
• Plaintext is handled 64 bits at a time and each
  plaintext is encrypted using the same key
• Each block is a value which is substituted, like
  a codebook, hence named
• Each block is encoded independently of the other
  blocks
• Ci DESk1 (Pi)
• If the message is longer than 64 bits, the
  procedure is to break the message up into 64-bit
  blocks, padding the last block if necessary

46
Electronic Codebook (ECB) Mode
P1
Pn
P2
Encryption
. . .
K
K
K
C1
Cn
C2
C1
Cn
C2
Decryption
K
K
. . .
K
P1
P2
Pn
47
Advantages and Limitations of ECB

• ECB has some advantages
• Simple
• Allow parallelism implementation, hardware, speed
• However, ECB is not appropriate for large
  quantity of data
• If the plaintext contains two identical 64-bit
  blocks, the corresponding two blocks of
  ciphertext will be identical.
• Cipher can be changed without being detected
• Idea for short amount of data, such as an
  encryption key to be securely transmitted
• Vulnerability
• Someone seeing the ciphertext can gain
  information from repeated blocks
• Someone can rearrange blocks or modify block to
  her own advantage

48
Example

• Lesile, close friend of Trudy, had a fight with
  her Boss, Bob. As a result, Leslie is not
  expecting much bonus this year. Kim, in
  contrast, is the Bosss favorite and everyone
  knows about that. The figure below shows a
  portion of the annual bonuses the company decided
  to award to its employee which will be sent to
  the bank after being encrypted using ECB. Leslie
  asks Trudy if she can rectify this unfairness,
  given on the ciphertext?

49
Example

• Answer
• No problem said Trudy
• She makes a copy of 12th ciphertext block (which
  contains Kims bonus) and uses it to replace the
  4th ciphertext blok (which contains Leslies
  bonus). That is even without knowing what the
  12th block is about
• Leslie can expect to have a good vacation this
  year! (copying the 8th ciphertext block is also
  possible, but Leslie is not that greedy person
  after all!! (TB, book)

50
Randomized Electronic Codebook (ECB) Mode
P1
P2
Pn
Encryption
r1
r2
rn



. . .
K
K
K
C1
C2
Cn
C1
C2
Cn
Decryption
K
K
K
. . .
r1
r2
rn



P1
Pn
P2
51
Cipher Block Chaining (CBC) Mode

• To overcome these problems of repetitions and
  order independence in ECB, we want some ways of
  making the ciphertext dependent on all blocks
  before message is broken into blocks
• Make each previous cipher blocks chained with
  current plaintext block, hence name CBC
• Start with an initial random number, the
  Initialization Vector (IV) do not use a value 0
  as IV
• The IV must known to both the sender and receiver
• For maximum security, IV should be protected as
  well as the key
• Plaintext is then XOR with IV or the preceding
  ciphertext block
• The result is then encrypted with the same key
• Ci DESK1(Pi XOR Ci-1) where C-1 is IV
• The input to the encryption function for each
  plaintext block bears no fixed relationship to
  the plaintext block.

52
Cipher Block Chaining (CBC) Mode
P1
P2
Pn
Encryption
IV



. . .
K
K
K
C1
C2
Cn
C1
C2
Cn
Decryption
K
K
K
. . .
IV



P1
Pn
P2
53
Advantages and Limitations of CBC

• Each ciphertext block depends on all message
  blocks
• Thus a change in the message affects all
  ciphertext blocks after the change as well as the
  original block
• Need IV known to sender and receiver
• However, if IV is sent in the clear, an attacker
  can change bits of the first block, and change IV
  to compensate
• Hence either IV must be a fixed value (as in
  EFTPOS) or it must be sent encrypted in ECB mode
  before rest of message
• Not appropriate for byte-by-byte like interactive
  applications where people type a short message
  and wait for response
• At end of message, handle possible last short
  block
• By padding either with known non-data value
• CBC encryption has the same performance as ECB
  mode except for the cost of generating and
  transmitting the IV

54
Cipher Feedback (CFB) Mode

• Message is treated as a stream of bits. So CFB
  converts DES (a block cipher into stream cipher)
• The unit of transmission is k bits (see diagram
  in next slide)
• The Ci result of each plaintext Pi (of k-bit in
  size) is feedback for next stage (hence name)
• Standard allows any number of k bit (1,8 or 64
  ..) to be feedback
• Denoted CFB-1, CFB-8, CFB-64, etc.
• It uses 64 bit shift register that is initially
  set to some IV value
• The k- MSB of the register are pushed to left and
  replace by the next k-bit on the register
• Only the k-MSB of the encryption box are XOR with
  plaintext Pi (of size k bits)
• At the end of processing, Pi (of size k bits) the
  register is shifted to the left by k bits (so k
  MSB are dropped) and the new s bits from Ci are
  placed to right of the register

55
K-bit Cipher Feedback (CFB) Mode
Encryption
k
k
IV
K
K
K
discarded
discarded
discarded
k bits
k bits
k bits
P1
P2
P3



k bits
k bits
k bits
C1
C2
C3
56
K-bit Cipher Feedback (CFB) Mode
Decryption
k
k
IV
K
K
K
discarded
discarded
discarded
k bits
k bits
k bits
P1
P2
P3



k bits
k bits
k bits
C1
C2
C3
57
Advantages and Limitation of CFB

• Appropriate when data arrives in bits/bytes
• Most common stream mode
• Limitation is need to stall while do block
  encryption after every k bits
• Note that the block cipher is used in encryption
  mode and both ends
• Errors propagate for several blocks after the
  error
• This eliminate the padding of the last block and
  can operate in real time
• The ciphertext should be the same length as
  plaintext
• CFB-encrypted messages are somewhat less subject
  to tampering than either CBC or OFB

58
Output Feedback (OFB) Mode

• Like CFB, message is treated as a stream of bits
• The output of encryption box is feedback (hence
  named) as compared to CFB that we have to wait
  until we got the ciphertext itself then feed it
  back
• Act like a pseudorandom generator, assuming IV is
  b0
• The encryption of IV with a key K produce b1
• The results is a string of pseudorandom stream
  b0b1
• The ciphertext is obtained by XOR with Plaintext.
• This is also called one-time pad
• Feedback is independent of message, so can be
  computed in advance (see figure in the next
  slide)
• Ci Pi XOR Oi
• Oi DESK1(Oi-1) where O-1 is IV

59
K-bit Output Feedback (OFB) Mode
Encryption
k
k
IV
K
K
K
discarded
discarded
discarded
k bits
k bits
k bits
b1
b2
b3
P1
P2
P3



k bits
k bits
k bits
C1
C2
C3
60
K-bit Output Feedback (OFB) Mode
Decryption
k
k
IV
K
K
K
discarded
discarded
discarded
k bits
k bits
k bits
b1
b2
b3
C1
C2
C3



k bits
k bits
k bits
P1
P2
P3
61
Limitation and Advantages of OFB

• Used when error feedback a problem or where need
  to encryptions before message is available
• Superficially similar to CFB
• But feedback is from the output of cipher and is
  independent of message
• Another advantage over CFB, any bit error only
  affects a single bit. Thus this is good for
  noisy links (e.g., satellite TV transmissions
  etc.), i.e., Any errors in transmission will not
  propagate and only the recover value of P is
  affected
• No costly cryptographic operations are needed
  (just XOR)
• Sender and receiver must remain in sync, and some
  recovery method is needed to ensure this occurs
• Originally specified with m-bit feedback in the
  standards
• Subsequent research has shown that only OFB-64
  should ever be used
• Vulnerability subject to message stream
  modification attacks
• Bad guys can modify the plaintext into any he
  wants by simply XORing the ciphertext with the
  known plaintext

62
Counter (CTR)

• A new mode, though proposed early on
• Similar to OFB but encrypts counter value rather
  than any feedback value
• Must have a different key and counter value for
  every plaintext block (never reused)
• Ci Pi XOR Oi
• Oi DESK1(i)
• Uses high speed network encryptions

63
Counter (CTR)
64
Advantages and Limitations of CTR

• Efficiency
• Can do parallel encryptions
• In advance of need
• Good for bursty high speed link
• Random access to encrypted data blocks
• Provable security (good as other modes)
• But must ensure never reuse key/counter values,
  otherwise could break (cf OFB)

65
Summary of Block Cipher Modes