Outline

Introduction to Modes of AES Encryption

Confidentiality

Integrity

Authenticity

AES as a Block Cipher

Electronic Code Book (ECB)

Cipher Block Chain (CBC)

Output Feedback Mode (OFB)

Counter Mode (CTR)

Cipher Feedback Mode (CFB)

Format Preserving Modes of Encryption

FF1

FF3-1

XTS Mode

Introduction to Modes of AES Encryption

Different modes of AES encryption exist to provide the proper set of confidentiality, integrity, and/or authenticity required. Each of these three terms is explained below.

Confidentiality

When we talk about confidentiality, we mean that we want the information we are encrypting to be seen only by the people we choose. The way we do that with encryption is to ensure that only the people we want to be able to read our secret information know the secret key. All symmetric ciphers accepted in the industry that run on a computer, including AES, require a sequence of bits to serve as the key.

Integrity

When we are concerned with integrity on the Internet, we are concerned with receiving exactly the message the sender intended us to receive. Of course, all senders write messages expecting the recipient to receive them as written. The problem is that when information is sent over the Internet, data can sometimes get corrupted. Depending on the application the data is meant for, the consequences can range from negligible to drastic.

For example, if you are sending a simple plaintext ASCII-encoded document, a single bit inverted in transmission will probably cause only a single character to be wrong. However, if you are transmitting an encrypted document over the Internet, inverting a single bit can cause tests of authenticity to fail even if the true sender sent the message.

Authenticity

When we talk about authenticity on the Internet, we mean we want to ensure that we receive information from the party we expect to be receiving it from. An unfortunate downside of the Internet is that when we talk to people without meeting them in person or on a live video call, it is much easier for an impersonator to get away with pretending to be someone else. For example, say a criminal stole your friend's phone. Now they can pretend to be your friend when you send messages to your friend!

When we test for authenticity we test to ensure the message came from the true person and not an impersonator. There are two ways we do that in cryptography. The way it is done alongside an encryption technique is called a Message Authentication Code. To use it, you ask your friend to send a message authentication code along with the actual message.

A __message authentication code__ (MAC) is an algorithm that generates an identification number unique to a particular message and a secret key that only the sender and intended recipient know. Every time you receive a message from your friend you expect to receive a message authentication code tied to the message and to the secret key you and your friend agreed upon.

So if an attacker steals your friend's phone, the attacker has an additional hassle: figuring out the secret key. Without knowledge of the secret key the attacker will fail to attach valid MACs to the messages it sends to you, so you will know that whoever you are talking to is **not your real friend.**

Several modes of encryption for AES offer a combination of confidentiality, integrity, and/or authenticity. We discuss what each industry-standard mode of AES encryption offers and how each compares to similar modes of encryption.

AES as a Block Cipher

How AES works is out of scope for this blog article. Just know that AES has a mathematical function for encryption that accepts 128 bits of plaintext input and produces 128 bits of ciphertext output. There is a separate mathematical function for decryption that accepts 128 bits of ciphertext and recovers the original 128 bits of plaintext.

AES Modes for Confidentiality Only

The following modes of AES encryption ensure confidentiality only. The first two I will discuss are Electronic Codebook Mode (ECB) and Cipher Block Chaining Mode (CBC).

Both of these modes require the user to supply a message whose length is an integral multiple of the cipher's block length. For AES this means each message fed to AES-ECB or AES-CBC must have a bit length that is a multiple of 128, since each AES block is 128 bits long.

Of course, in the real world it is unlikely that your message is an exact integral multiple of 128 bits in length. Imagine making sure all your speech was formatted that way!

If a message is shorter than the required length, a sequence of bits must be appended until the message is long enough to meet the requirement. There are several techniques for doing that. For example, we may first insert a 1 bit and then add the remaining required zero bits. __How__ many zero bits must we append to the message so we can feed it to either ECB or CBC? Below is a simple math equation:

In the above equation, "message_len" is the length of the message in bits. We subtract 1 because of the leading 1 bit in the padding scheme.

With this introduction we begin with our first mode of encryption: Electronic CodeBook Mode.

Electronic Code Book Mode (ECB)

This is the simplest mode of encryption. All ECB does is accept 128 bits of plaintext at a time and let the AES encryption function encrypt that block of plaintext. The same logic applies to decryption using the AES decryption function.

AES-ECB has some advantages over other modes of operation. It can be run in parallel. If an error is made in any block of data during encryption/decryption, it will not affect the encryption/decryption of the remaining blocks. Experts discourage the use of ECB since attackers can figure out your symmetric key (no matter how much entropy it has) using old-school techniques to crack the key: __statistical analysis__ and __replay attacks__.

Cipher Block Chain Mode (CBC Mode)

The next mode of operation is a little harder to crack. To make AES-CBC more difficult to crack, the user must randomly generate a 128-bit sequence called an __Initialization Vector__ (IV). Now the attacker has to figure out the IV *and* the correct key for the target ciphertext. In the real world CBC is the most used mode of operation when the user only cares about confidentiality.

But CBC has its downsides compared to ECB mode. If the encryption/decryption of a block of input text is corrupted, the encryption/decryption of **all remaining** blocks will be affected. You also cannot execute AES-CBC encryption/decryption of blocks in parallel. So AES-CBC encryption/decryption will take longer than AES-ECB, whose execution can be divided among several CPU cores.

Notice that in the above block diagram the IV is __xored__ with the first plaintext block. Starting from the second block, each remaining plaintext block is xored with the *previous* ciphertext block.
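The padding rule and the two block modes above, written out as an added example (not code from the article). Because the page treats AES internals as out of scope, a toy 4-round Feistel permutation stands in for the AES encrypt/decrypt pair (an assumption: it is not AES and not secure, only an invertible keyed 128-bit permutation so the modes can run); `repeated_blocks` shows the property that frequency analysis of ECB output feeds on and that CBC's chaining removes.

```python
import hashlib
BLOCK = 16  # AES block size: 128 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def toy_block_encrypt(key, block):
    # Stand-in for the AES forward function (an assumption: NOT AES, NOT secure): a 4-round
    # Feistel permutation with a SHA-256 round function; the modes only need a keyed permutation.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest()[:8])
    return left + right

def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the Feistel rounds in reverse order
        left, right = xor(right, hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]), left
    return left + right

def pad(msg):
    # The article's scheme: a single 1 bit (0x80), then zero bits up to the next 128-bit
    # boundary. Padding even an already aligned message keeps unpad unambiguous.
    return msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)

def unpad(padded):
    return padded[:padded.rindex(b"\x80")]

def ecb_encrypt(key, msg):  # each block is encrypted independently of the others
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(msg)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_block_decrypt(key, c) for c in blocks(ct)))

def cbc_encrypt(key, iv, msg):
    out, prev = [], iv  # the IV plays "previous ciphertext" for the first block
    for b in blocks(pad(msg)):
        prev = toy_block_encrypt(key, xor(b, prev))  # chain: xor with the previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)  # each decrypted block is xored with the ciphertext block before it (or the IV)
    return unpad(b"".join(xor(toy_block_decrypt(key, c), p) for p, c in zip([iv] + cs, cs)))

def repeated_blocks(ct):  # duplicate ciphertext blocks: ECB's pattern leak, hidden by CBC
    return len(blocks(ct)) - len(set(blocks(ct)))
```

Encrypting four identical 16-byte plaintext blocks gives four identical ECB ciphertext blocks but no repeats under CBC, which is exactly the structure a statistical attack on ECB output reads.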

AES Modes of Encryption That Work as Stream Ciphers

Output Feedback Mode (OFB), Counter Mode (CTR), and Cipher Feedback Mode (CFB) are meant to allow AES to be used as a stream cipher. One reason to use such modes is that stream ciphers are by default __faster__ and require fewer system resources than block cipher modes.

However, modern NIST-approved modes of AES are optimized using hardware acceleration. So if your hardware and cryptographic API support hardware acceleration for a NIST-approved mode of AES, just use what is recommended. When this is not an option and you care more about speed than integrity or authenticity, *only then* should you use the above modes.

With that said, we can begin the discussion with the simplest stream cipher mode for AES: Output Feedback Mode (OFB).

Output Feedback Mode (OFB)

This mode does not require padding. First, the user must generate an Initialization Vector (IV). The IV is fed to the AES encryption function; let us label this output O_1. This output is xored with the first plaintext block. Starting from the second block of plaintext, the previous output of the encryption function is fed to the AES encryption function once again. In a sense, this output becomes the new IV, and it is xored with the current plaintext block to be encrypted.

Output Feedback Mode is free of error propagation, just as ECB mode is, since the decryption of each ciphertext block is independent of the contents of the other ciphertext blocks.

Counter Mode Operation (CTR)

In Counter Mode a number is applied instead of an Initialization Vector. So the first block is encrypted with the output of the AES encryption of a randomly generated number.

Unique counter values are used for each block of each message. This is how the output of encryption becomes indistinguishable from random gibberish. CTR mode is even recommended by the National Institute of Standards and Technology in a scheme known as the __CTR-Deterministic Random Bit Generator__ (CTR-DRBG).

When a user applies CTR for the very first message, the first counter value (whose encryption is xored with the first plaintext block) is a number generated by a __Cryptographically Secure Pseudo-Random Number Generator__ (CSPRNG). To prepare for the next block, the previous counter value is incremented by 1 and the result is reduced modulo 2 raised to the power of the block size in bits. For AES the block size is always 128, so the incremented value is reduced modulo 2^128.

When the user begins encrypting the next message, CTR continues incrementing from the last number used to encrypt the final block of the previous message.

The above summarizes how CTR encryption works.

Cipher Feedback Mode

Unlike all the other modes of operation, CFB operates on segments of a block instead of on whole blocks! The segment size can be anywhere from 1 bit up to the full block length. A common segment size is 64 bits. For the rest of this explanation we assume the user has chosen a segment size of 64 bits, which makes the explanation easier to follow.

The user first generates an Initialization Vector using a CSPRNG. This is fed to the AES encryption function. The 64 most significant bits of the output are xored with the first 64 bits of the plaintext, so the first ciphertext segment is also 64 bits long. Next, the first ciphertext segment is appended to the 64 least significant bits of the IV, the bits that were not used to produce the first ciphertext segment. This is the new input fed to the AES encryption function, whose output is then xored with the second 64-bit segment of plaintext. This pattern repeats until the entire message has been encrypted.
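The three stream-cipher modes of this section in code, as an added example that is not from the article. A SHA-256-based one-way function stands in for the AES forward function (an assumption: not AES); none of these modes ever calls the decryption function, which is why the stand-in needs only a forward direction. CFB uses the 64-bit segment size assumed in the text, and the CTR counter wraps modulo 2^128 as described.

```python
import hashlib

BLOCK = 16  # 128-bit block, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # Stand-in for the AES forward function (an assumption: not AES). These three modes
    # never call the inverse, so a one-way keyed function is enough to show their structure.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ofb(key, iv, data):
    # OFB: O_1 = E(IV), O_i = E(O_{i-1}); plaintext is xored with the O_i, no padding needed.
    out, o = [], iv
    for i in range(0, len(data), BLOCK):
        o = block_encrypt(key, o)
        out.append(xor(data[i:i + BLOCK], o))  # xor truncates to the final partial block
    return b"".join(out)

def ctr(key, counter, data):
    # CTR: block i is xored with E((counter + i) mod 2^128), as the article describes.
    out = []
    for i in range(0, len(data), BLOCK):
        ks = block_encrypt(key, ((counter + i // BLOCK) % 2**128).to_bytes(BLOCK, "big"))
        out.append(xor(data[i:i + BLOCK], ks))
    return b"".join(out)

def cfb64_encrypt(key, iv, msg):
    # CFB with 64-bit segments: the top 64 bits of E(register) encrypt a segment, then the
    # register drops its top 64 bits and takes the ciphertext segment as its low 64 bits.
    out, reg = [], iv
    for i in range(0, len(msg), 8):
        c = xor(msg[i:i + 8], block_encrypt(key, reg)[:8])
        out.append(c)
        reg = reg[8:] + c
    return b"".join(out)

def cfb64_decrypt(key, iv, ct):
    out, reg = [], iv
    for i in range(0, len(ct), 8):
        c = ct[i:i + 8]
        out.append(xor(c, block_encrypt(key, reg)[:8]))
        reg = reg[8:] + c  # the register is fed ciphertext, so decryption also uses E, never D
    return b"".join(out)
```

Because the OFB and CTR keystream depends only on the key and the IV/counter, decryption is the same call as encryption, and reusing an IV or counter for a second message makes the xor of the two ciphertexts equal the xor of the two plaintexts; a fresh IV per message is what the unique-counter rule above protects.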

Format-Preserving Modes of Encryption

The next two modes of AES encryption are designed to preserve the format and length of the plaintext in the ciphertext. With such encryption the computer __can quickly locate where__ specific information may be found in the ciphertext file. If we used the previous modes of encryption, the computer would have to decrypt several ciphertexts before finally arriving at the desired information, which violates privacy and is time-consuming! Below is a table demonstrating FPE's benefit:

These modes are useful when encrypting a person's financial information on machines owned by banks. So if a credit card number has to be encrypted, all important fields must still be easy to find quickly! More generally, Format Preserving Encryption is used whenever we must search for information in a database.

There are two modes of Format-Preserving Encryption used in the business world: FF1 and FF3-1.

These modes of encryption are rather complex and are best explained in a complete book rather than a blog. Below is a block diagram of the Feistel structure for Format Preserving Encryption, used by both FF1 and FF3-1:

Below is the pseudocode for FF3-1:

In the above pseudocode for FF1, the "symbol" means concatenation.

AES-XTS

The final mode of encryption for confidentiality is AES-XTS. This is the standard mode for encrypting information stored in non-volatile memory. XTS means Xor-Encrypt-Xor Tweakable Block Cipher with Ciphertext Stealing. It is documented in IEEE Standard 1619. Since it can encrypt entire data drives, it is used by operating systems for Full-Disk Encryption. It is another form of format-preserving encryption, although it is standardized by IEEE and not NIST.

AES-XTS only accepts 256- or 512-bit keys. AES-XTS splits the key into two halves, so with a 256-bit key AES-XTS uses AES-128 with each half of the key. The same logic applies to a 512-bit key (AES-256 with each 256-bit half).

Below is a block diagram of how AES-XTS works:

AES-XTS looks similar to AES-ECB since both can be executed in parallel. Unlike ECB, AES-XTS applies block sequence numbers and diffusion by rearranging ciphertexts, to avoid the frequency analysis attacks AES-ECB is vulnerable to.

Still, AES-XTS has three weaknesses:

Sector overwriting: attackers can overwrite sectors, preventing honest users from decrypting them.

Replay attack: an attacker can replace a block of ciphertext with a block of ciphertext encrypted in a past message under the same key. So when decryption takes place, the ciphertext from the previous message is decrypted along with the rest of the present ciphertext.

Traffic analysis: the attacker can figure out when sectors of information are changed and design an attack such as the two mentioned above from these patterns.

This article summarized all the reputable known modes of AES encryption that offer confidentiality only. Let me know what you found helpful in this article and, more importantly, what else you would like to know about AES modes of encryption.

Are you trying to learn how to program these modes of encryption? Before you can do that you should learn the mathematics it takes to program AES and the modes of encryption built on top of it. I am writing a book on how to do just that, and on how to program it so that others can count on it too.

If you have ~6 minutes to spare, please feel free to read the Preface and Table of Contents of the beta draft of my book "__Program Cryptography__".

You can leave comments and emotes directly on the book's webpage.

Hope to see you there! Thanks for reading!
