Notes on Symmetric Encryption: ECB Vulnerability and CBC Mode

ECB and CBC Overview

  • In the default mode of encryption (ECB), two identical data blocks encrypted with the same key will produce two identical cipher blocks.
  • This is a vulnerability in symmetric ciphers because repeating patterns in the plaintext can be observed in the ciphertext.
  • For ECB, the relation for a block is: $C_i = E_K(P_i)$
  • If $P_j = P_k$ for blocks j and k, then $C_j = C_k$, revealing identical ciphertext blocks for identical plaintext blocks.

Cipher Block Chaining (CBC) Mode

  • CBC is a mode where the cipher block produced by the encryption of a data block is combined with the next data block before its encryption occurs.
  • The chaining occurs between every two blocks during the encryption process.
  • More precisely, for block i (i ≥ 1):
    • Compute the input to the block cipher as $X_i = P_i \oplus C_{i-1}$
    • Then compute the ciphertext block: $C_i = E_K(X_i) = E_K(P_i \oplus C_{i-1})$
  • The first block uses the IV (Initialization Vector) in place of $C_{i-1}$: $C_1 = E_K(P_1 \oplus \mathrm{IV})$
  • Block size is typically 64 bits in the transcript context, so we refer to 64-bit blocks.
  • The chaining ensures that identical plaintext blocks do not map to identical ciphertext blocks across the message.

Initialization Vector (IV)

  • IV contains random bits and is combined with the first data block before it is encrypted in CBC mode.
  • The IV provides randomness to the first block and ensures that the same plaintext message encrypted twice with the same key produces different ciphertexts if different IVs are used.
  • The IV must be available to the decryptor along with the ciphertext blocks and the key.
  • The IV is the same length as the block size (in this transcript context, 64 bits): $\mathrm{IV} \in \{0,1\}^{64}$

Decryption (CBC)

  • The decryptor uses the IV and the ciphertext blocks to recover the plaintext blocks:
    $P_i = D_K(C_i) \oplus C_{i-1} \quad \text{with} \quad C_0 = \mathrm{IV}$
  • Thus, the decryptor requires the IV in addition to the ciphertext blocks and the symmetric key.
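
Added example (not part of the original notes): the ECB and CBC relations above, run on 64-bit blocks so the repeated ECB block and the CBC round trip can be observed directly. The block cipher E/D is a toy Feistel construction built on HMAC-SHA256, assumed here only as a stand-in for E_K and D_K; the key, the sample plaintext and all function names are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 8  # 64-bit blocks, as in the notes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to 32 bits (assumption, toy only)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def E(key, block, rounds=8):
    # Toy 64-bit block cipher standing in for E_K; not DES and not for real use
    l, r = block[:4], block[4:]
    for i in range(rounds):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key, block, rounds=8):
    # Inverse permutation D_K: undo the rounds in reverse order
    l, r = block[:4], block[4:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be block-aligned; pad first (e.g. PKCS#7)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))      # C_i = E_K(P_i)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                                   # C_0 = IV
    for p in blocks(pt):
        prev = E(key, _xor(p, prev))                     # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)                                      # P_i = D_K(C_i) xor C_{i-1}
    return b"".join(_xor(D(key, c), p) for c, p in zip(cs, [iv] + cs[:-1]))

KEY = b"constructed demo key"
PT = b"SAMEDATA" * 2 + b"OTHERBLK"   # constructed: blocks 1 and 2 are identical
if __name__ == "__main__":
    iv = os.urandom(BLOCK)           # fresh random IV per message
    print("ECB:", [b.hex() for b in blocks(ecb_encrypt(KEY, PT))])
    print("CBC:", [b.hex() for b in blocks(cbc_encrypt(KEY, iv, PT))])
```

In the ECB output the first two blocks print as the same hex string; in the CBC output all three differ, and they change on every run because the IV does.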

Trade-offs and Practical Implications

  • Security benefits:
    • CBC eliminates the pattern leakage of ECB by chaining each block to the previous ciphertext block.
  • Performance and parallelism:
    • Encryption in CBC is inherently sequential (each block depends on the previous ciphertext), which can impact throughput.
    • Decryption of block i needs only $C_i$ and $C_{i-1}$, both already present in the ciphertext, so blocks can be decrypted independently of one another; practical implementations often process blocks in pipelines or use hardware acceleration.
  • IV management:
    • A fresh, random IV should be used for each message; IV reuse with the same key is insecure.
    • The IV is not secret but must be correctly transmitted or stored with the ciphertext.
  • Padding and block size considerations:
    • CBC requires that the final block is complete; padding schemes (e.g., PKCS#7) are commonly used to handle short or non-aligned messages.
    • For 64-bit blocks, long messages can increase the risk of certain statistical analyses if IVs are not properly managed.
  • Error propagation:
    • An error in a ciphertext block affects the decryption of the current block and the next block due to the XOR with $C_{i-1}$.

Connections to Practice and Real-World Relevance

  • CBC is widely used for bulk data encryption in various protocols and standards when the block cipher has 64- or 128-bit blocks (e.g., DES, 3DES historically; AES uses 128-bit blocks but CBC is still a standard mode).
  • The concepts of ECB vulnerability, CBC chaining, and IV requirements are foundational for understanding secure symmetric encryption practices in modern systems.

Summary

  • ECB is insecure because identical plaintext blocks yield identical ciphertext blocks: $C_i = E_K(P_i)$; pattern leakage occurs.
  • CBC introduces chaining: $C_i = E_K(P_i \oplus C_{i-1})$ with $C_0 = \mathrm{IV}$ and $P_i = D_K(C_i) \oplus C_{i-1}$ with the same $C_0 = \mathrm{IV}$ for decryption.
  • The IV adds randomness to the first block; it must be random, unique per message, and accessible to the decryptor.
  • Trade-offs include sequential encryption, need for padding, IV management, and potential error propagation; these factors influence when CBC is preferred over ECB or other modes.