Is the CBC mode of operation a stream cipher mode?


Is the CBC mode of operation a stream cipher mode?

I am taking a class on security systems. My professor considers CBC to be a stream cipher mode, like CFB and OFB. Most sources I have read do not agree with this, so I asked my professor about this, and he claims it is usually called a stream cipher mode. Is this true?


Answer 1:

The exact answer may depend on your definition of “usually” or what would be a canonical source for such a statement.

There are few sources (personal opinion) more canonical than Handbook of Applied Cryptography. In it, Remark 7.25 says the following related to your question:

The CBC mode may also be considered a stream cipher with n-bit blocks playing the role of very large characters. Thus modes of operation allow one to define stream ciphers from block ciphers.

This was not really the answer I expected to write when I first read your question, but I would say that you professor’s statement, being inline with what HAC says, is true.

In referencing this remark, the book says (p.3):

Whereas block ciphers generally process plaintext in relatively large blocks (e.g., n ≥ 64), stream ciphers typically process smaller units (see Note 6.1); the distinction, however, is not definitive (see Remark 7.25).

Answer 2:

Terminology is ultimately arbitrary, but few people call CBC a stream cipher, and there are good reasons not to call it a stream cipher.

CBC is prone to padding oracle attacks such as Lucky thirteen (variants of which are still extant in TLS implementations today). CBC requires padding, because input usually comes in octets, not in 16-byte blocks, and this is very important to know when deciding whether to use it. (And because of how difficult it is to manage padding, the answer is usually “don’t use it”.)

If you call CBC a stream cipher, then it is not true that “stream ciphers don’t use padding”, and you have to allow for the fact that stream ciphers are vulnerable to padding oracles. Most symmetric ciphers in use today are bit-based stream ciphers, and do not use padding, which makes them easy to use. It’s useful to have a short word or phrase to designate such easy-to-use ciphers, and almost everyone calls them “stream ciphers”.

So, no, CBC is not a stream cipher. It’s a more complicated construction which has pitfalls that a stream cipher, by construction, doesn’t have.

Answer 3:

This question is old and deserves an adequate answer.

CBC mode needs to have the entire block of plain text before it can encrypt it. This is because it is this block that is the input into the cipher algorithm. Therefore it is a block cipher mode.

Something like CTR doesn’t use the plain text as input to the cipher algorithm but rather a nonce concatenated with a counter. The plain text is then XORed with the output of the cipher algorithm. So, as soon as you have 1 bit of your plain text available, you can encrypt it.

The difference is what goes into the cipher algorithm. If the plain text goes in, it is block cipher. If it is an IV or nonce that goes in, it is stream cipher.