Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 17964-2008 English PDF (GBT17964-2008)

GB/T 17964-2008 English PDF (GBT17964-2008)

Regular price $150.00 USD
Regular price Sale price $150.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: 24-hr self-service. Click GB/T 17964-2008
See Chinese contents: GB/T 17964-2008

GB/T 17964-2008: Information technology -- Security techniques -- Modes of operation for a block cipher

This Standard specifies seven operation modes of block cipher algorithm, so as to standardize the use of block cipher.
GB/T 17964-2008
NATIONAL STANDARD OF THE
PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 17964-2000
Information technology - Security techniques -
Modes of operation for a block cipher
ISSUED ON: JUNE 26, 2008
IMPLEMENTED ON: NOVEMBER 01, 2008
Issued by: General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
3.1 Terms ... 6
3.2 Definitions ... 8
4 Abbreviations and symbols ... 10
5 Electronic codebook (ECB) operation mode ... 10
5.1 Definition of variable ... 10
5.2 Description of ECB encryption ... 10
5.3 Description of ECB decryption ... 10
6 Cipher block chaining (CBC) operation mode ... 11
6.1 Definition of variable ... 11
6.2 Description of CBC encryption ... 11
6.3 Description of CBC decryption ... 12
7 Cipher feedback (CFB) operation mode ... 13
7.1 Definition of parameter ... 13
7.2 Definition of variable ... 13
7.3 Description of CFB encryption ... 13
7.4 Description of CFB decryption ... 15
7.5 Suggestion... 16
8 Output feedback (OFB) operation mode ... 16
8.1 Definition of parameter ... 16
8.2 Definition of variable ... 17
8.3 Description of OFB encryption ... 17
8.4 Description of OFB decryption ... 18
9 Counter (CTR) operation mode ... 19
9.1 Definition of variable ... 19
9.2 Description of CTR encryption ... 20
9.3 Description of CTR decryption ... 21
10 Block chaining (BC) operation mode ... 21
10.1 Definition of variable ... 21
10.2 Description of BC encryption ... 22
10.3 Description of BC decryption ... 23
11 Output feedback with a nonlinear function (OFBNLF) operation mode ... 23 11.1 Definition of variable ... 23
11.2 Description of OFBNLF encryption ... 24
11.3 Description of OFBNLF decryption ... 24
Annex A (normative) Nature of operation mode ... 26
A.1 Nature of electronic codebook (ECB) operation mode ... 26
A.2 Nature of cipher block chaining (CBC) operation mode ... 27
A.3 Nature of cipher feedback (CFB) operation mode ... 29
A.4 Nature of output feedback (OFB) operation mode ... 30
A.5 Nature of counter (CTR) operation mode ... 31
A.6 Block chaining (BC) operation mode ... 32
A.7 Nature of output feedback with a nonlinear function (OFBNLF) operation mode ... 33 Annex B (informative) Example of operation mode ... 35
B.1 Overview ... 35
B.2 ECB mode ... 35
B.3 CBC mode ... 35
B.4 CFB mode ... 36
B.5 OFB mode ... 36
B.6 CTR mode ... 37
Bibliography ... 39
Information technology - Security techniques -
Modes of operation for a block cipher
1 Scope
This Standard specifies seven operation modes of block cipher algorithm, so as to standardize the use of block cipher.
2 Normative references
The provisions in following documents become the provisions of this Standard through reference in this Standard. For dated references, the subsequent amendments (excluding corrigendum) or revisions do not apply to this Standard, however, parties who reach an agreement based on this Standard are
encouraged to study if the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies. GB/T 1988-1998, Information technology - 7-bit Coded character set for
information interchange (eqv ISO/IEC 646:1991)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. 3.1 Terms
3.1.1 block chaining (BC) operation mode
an operation mode of block cipher algorithm; the current plaintext block is different from the exclusive OR values of all previous ciphertext blocks or operated then encrypted to obtain the current ciphertext block
3.1.2 block cipher
also known as block cipher algorithm; it is a symmetric cryptographic algorithm; it divides plaintext into fixed-length blocks for encryption
3.1.3 block cipher operation mode
a use mode of block cipher algorithm, mainly including electronic codebook (ECB) operation mode, cipher block chaining (CBC) operation mode, cipher starting data that is brought for data transformation so as to increase security or synchronize cipher devices during cryptographic transformation
3.1.14 key
key information or parameter that controls cryptographic transformation 3.1.15 output feedback with a nonlinear function (OFBNLF) operation
mode
an operation mode of block cipher algorithm; it is a variant of OFB and ECB; its key varies with each block
3.1.16 output feedback (OFB) operation mode
an operation mode that block cipher algorithm is used to construct sequence cipher; use the output of the current time of this algorithm as the input of the next moment
3.1.17 plain text/clear text
data to be encrypted
3.2 Definitions
3.2.1 Encryption expression
In this Standard, the functional relationship specified by block cipher is recorded as:
Where,
P is plaintext block;
C is ciphertext block;
K is key;
EK is encryption operation that uses key K.
3.2.2 Decryption expression
The corresponding decryption function is recorded as:
A special case of this function starts with the m-bit variable I(m) of all "1"s and moves the k-bit variable F into it. The result is:
Where, the left-most m-k bit is "1".
4 Abbreviations and symbols
AES advanced encryption standard
BC block chaining
CBC cipher block chaining
CFB cipher feedback
CTR counter
DEA data encryption algorithm
ECB electronic codebook
IV initialization value
OFB output feedback
OFBNLF output feedback with a nonlinear function
5 Electronic codebook (ECB) operation mode
5.1 Definition of variable
a) Sequence consisting of q plaintext blocks P1, P2, ..., Pq. Each block is n bits.
b) Key K.
c) Result sequence consisting of q ciphertext blocks C1, C2, ..., Cq. Each block is n bits.
5.2 Description of ECB encryption
5.3 Description of ECB decryption
7 Cipher feedback (CFB) operation mode
7.1 Definition of parameter
Size of feedback buffer r (n???r???2n);
Size of feedback variable k (1???k???n);
Size of plaintext variable j (1???j???k).
NOTE: r-k can be less than n. Figure 2 shows special case of r-k >n.
7.2 Definition of variable
a) Input variable
1) Sequence consisting of q plaintext blocks P1, P2, ..., Pq. Each block is j bits.
2) Key K.
3) Initialization value of r-bit IV.
b) Intermediate results
1) Sequence consisting of q key input blocks X1, X2, ..., Xq. Each block is n bits.
2) Sequence consisting of q key output blocks Y1, Y2, ..., Yq. Each block is n bits.
3) Sequence consisting of q variables Z1, Z2, ..., Zq. Each block is j bits. 4) Sequence consisting of q-1 feedback variables F1, F2, ..., Fq-1. Each variable is k bits.
5) Sequence consisting of q-1 feedback buffer contents FB1, FB2, ..., FBq- 1. Each block is n bits.
c) Output variable
Sequence consisting of q ciphertext variables C1, C2, ..., Cq. Each block is j bits.
7.3 Description of CFB encryption
Initialization value of feedback buffer FB is:
e) Generate feedback variable:
f) FB bit-shift operation:
For i=1, 2, ?€?, q, repeat the above steps. The last cycle ends at step d). This process is shown in the right half of Figure 2. The leftmost j bit of output block Y of block cipher is used to decrypt j-bit ciphertext variable through modulo 2 plus. Other bits of Y are discarded. The plaintext and ciphertext variables are numbered from 1 to j.
Place k-j "1" bits in the leftmost position of ciphertext variable. Extend ciphertext variable to a k-bit feedback variable F. Then move the bits of the feedback buffer FB to the left by k positions. Place F into the rightmost k positions. Generate a new feedback buffer FB value. In this bit-shift operation, the leftmost k bit of FB is discarded. The new n-bit at the far left of FB is used as the next input X in encryption process.
NOTE: See Annex A for operation nature of CFB mode.
Example: See Annex B for example of CFB mode.
7.5 Suggestion
It is recommended to use CFB method that j and k values are equal. According to this suggested form (j=k), the steps e) of encryption operation and decryption operation can be written as:
(when j=k)
8 Output feedback (OFB) operation mode
8.1 Definition of parameter
OFB operation is defined by one parameter. This parameter is the size of plaintext variable j (1???j???n).
c) Generate plaintext variable:
d) Feedback operation:
For i=1, 2, ?€?, q, repeat the above steps. The last cycle ends at step c). This process is shown in the right half of Figure 3. Values of Xi and Yi, during encryption, shall be same with corresponding values. Only step c) is different. NOTE: See Annex A for operation nature of OFB mode.
Example: See Annex B for example of OFB mode.
9 Counter (CTR) operation mode
9.1 Definition of variable
a) Input variable
1) Sequence consisting of q plaintext variables P1, P2, ..., Pq (where, P1, P2, ?€?, Pq-1 are all n bits, Pq is k bits).
2) Key K.
3) q count sequences T1, ?€?, Tq-1, Tq. Each block is n bits.
b) Intermediate results
1) Sequence consisting of q cipher output blocks X1, X2, ..., Xq. Each block is n bits.
2) k-bit cipher output block Z.
c) Output variable
Sequence consisting of q ciphertext variables C1, C2, ..., Cq (where, C1, C2, ?€?, Cq-1 are all n bits, Cq is k bits).
Annex A
(normative)
Nature of operation mode
A.1 Nature of electronic codebook (ECB) operation mode
A.1.1 Environment
Binary data exchanged between various computers or between people may
have duplicate or shared sequences. In ECB mode, same plaintext block (for same key) generates same ciphertext block.
A.1.2 Nature
The natures of ECB mode are:
a) Encryption or decryption of a block can be performed independently of the other;
b) Rearrangement of ciphertext shall result in a corresponding
rearrangement of plaintext block;
c) Same plaintext block (for same key) always generates same ciphertext block, which makes it vulnerable to a "dictionary attack". Such a dictionary is composed of corresponding plaintext and ciphertext blocks.
For information with more than one block, it is generally recommended not to use ECB mode. For those special use cases where repeatability is acceptable or individual blocks must be accessed separately, the usage of ECB can be specified in future standards.
A.1.3 Filling requirements
Only multiples of the block length can be encrypted or decrypted. Other lengths need to be filled to the block length boundary.
A.1.4 Error diffusion
In ECB mode, one or more bit-errors in a ciphertext block shall only affect decryption of the block in which the error occurs. Decryption of a ciphertext block with one or more error bits shall result in a 50% probability of error for each plaintext bit in the corresponding plaintext block.
A.1.5 Block boundary
If the block boundary of decryption or between decryptions is lost (for example due to a bit slip), then before re-establishing the correct block boundary, the synchronization between encryption and decryption shall be lost. If the block boundary is lost, the result of all decryption operations shall be incorrect. A.3 Nature of cipher feedback (CFB) operation mode
A.3.1 Environment
As long as same key and initialization value are used to encrypt the same plaintext, CFB mode shall generate same ciphertext. Users who care about this nature need to use some way to change the start, key, or initialization value of the plaintext. One possible approach is to add a unique identifier (for example, an incremental counter) to the beginning of each CFB information. When it encrypts a record of which its size cannot be increased, it may use another approach. It uses some value such as initialization value. This value can be calculated from the record and it is unnecessary to know its content (for example, its address in random access storage mode).
A.3.2 Nature
The natures of CFB are:
a) Chaining operation makes ciphertext variable depend on the current and all previous plaintext variables except one variable of which number is certain. This number depends on selection of r, k and j (see Figure 2). Therefore, the rearrangement of the j-bit ciphertext variable does not
result in a rearrangement of the corresponding j-bit plaintext variable; b) Use different IV values to prevent the same plaintext from being encrypted to become the same ciphertext;
c) All encryption and decryption in CFB mode use block cipher encryption operation;
d) The strength of CFB mode depends on the size of k (maximum when j=k) and the relative sizes of j, k, n, and r;
NOTE: j< k shall increase the probability that the value of input block occurs repeatedly. This recurrence shall reveal the linear relationship between the plaintexts. e) A smaller j value, for each plaintext unit, shall require more block cipher operations. Therefore, it shall cause greater processing overhead;
f) Select r???n+k to enable pipelined continuous operation of block ciphers. A.3.3 Filling requirements
d) CTR mode does not depend on plaintext to generate key stream that is used to perform modulo 2 plus to plaintext.
A.5.3 Filling requirements
Counter mode solves the n-bit output problem of which OFB mode is less than block length. It can handle information of any length. Filling is unnecessary. A.5.4 Error diffusion
CTR mode does not output the diffusion ciphertext error in the generated plaintext. Each error bit in the ciphertext shall only cause an error bit in the decrypted plaintext.
A.5.5 Synchronization
CTR mode is not automatically synchronized. If encryption and decoding are not synchronized, the system needs to be reinitialized. This loss of
synchronization may be caused by the insertion or loss of any number of ciphertexts.
A new counter value shall be used for each reinitialization. It is different from the previous counter value that is used with the same key. The reason is that for the same parameters, the same bit stream is generated each time, which shall be vulnerable to "known plaintext attacks".
A.6 Block chaining (BC) operation mode
A.6.1 Environment
In order to use block algorithm in block chaining (BC) mode, it can simply perform exclusive OR to input of block cipher algorithm with exclusive OR values of all previous ciphertext blocks. Just as CBC algorithm, the process shall start with an initialization vector IV.
As long as the same key and initialization plaintext are used to encrypt the same plaintext, BC mode shall generate same ciphertext. Users who care about this nature need some way to change the start, key, or initialization value of the plaintext.
A.6.2 Nature
BC mode has the following natures:
a) Chaining operation makes ciphertext block depend on previous and
current plaintext blocks. Therefore, the rearrangement of ciphertext blocks does not result in a rearrangement of the corresponding plaintext blocks;

View full details