50 min read

The Ciphertext Was Unbreakable. The Attacker Rewrote It Anyway: A Field Guide to Block Cipher Modes

Every block cipher mode -- ECB, CBC, CFB, OFB, CTR -- answers only confidentiality, never integrity. A field guide to why, the famous breaks, and the AEAD fix.

Permalink

1. Two Lines of Code

A bank encrypts the message "transfer $9" with AES and a 256-bit key and sends the ciphertext across a network an attacker completely controls. He cannot read a single byte of it. AES is unbroken and will stay unbroken. Yet by flipping a few bits he cannot even decrypt, he turns the message into "transfer $9,000,000," and the receiver accepts the change as authentic. The encryption was never broken. It simply answered the wrong question.

How can a ciphertext be unreadable and freely editable at once? The trick is not a flaw in AES but a property of the mode -- the wrapper that stretches a one-block cipher across a longer message. Many modes turn the cipher into a keystream generator and combine it with the plaintext by XOR, so C=PkeystreamC = P \oplus \text{keystream}. Rearrange the algebra: P=CkeystreamP = C \oplus \text{keystream}. An attacker who XORs a chosen delta into the ciphertext XORs exactly that delta into the recovered plaintext. He needs no key, reads nothing, and the receiver decrypts a perfectly well-formed forgery. That is one half of the story: the integrity question was never answered.

The other half is uglier, because it fails the first question too. In 2013, attackers exposed roughly 153 million Adobe account records. The passwords were not hashed. They were encrypted, with 3DES in ECB mode and no salt [1]. ECB enciphers each block independently, so identical passwords produced identical ciphertext. Combined with the unencrypted password hints Adobe stored beside them, enormous numbers of passwords were reconstructed without anyone ever breaking 3DES [1]. The cipher was fine. The mode leaked the plaintext.

Two stories, one shape. In each, the cipher did exactly what it promised and the attacker still won. That is because a mode of operation answers up to two independent questions, and the five most famous modes answer only one:

  1. Can the attacker read it? That is confidentiality.
  2. Can the attacker change it? That is integrity.

The five modes standardized for decades -- ECB, CBC, CFB, OFB, CTR -- answer only the first question. ECB answers even that one wrongly. Every named break in this field, past or future, reduces to one diagnostic sentence: which of the two questions did this mode answer, and was its IV/nonce contract honored? Hold that sentence in your head and the whole subject becomes legible.

Ctrl + scroll to zoom
The two-question lens. Every SP 800-38A mode answers only confidentiality, and every break is a missing integrity answer or a violated IV/nonce contract.

This is Part 5 of a field guide for protocol designers. It leans on two earlier parts without re-deriving them: Part 1 gave us the security definitions this article keeps invoking -- IND-CPA, IND-CCA2, INT-CTXT -- and Part 2 gave us the discipline of generating initialization vectors and nonces. Here we spend those definitions on a single primitive: the block cipher mode.

If AES was never broken in either story, what actually failed? To answer, you first have to know what a block cipher can and cannot do on its own, and why a mode was mandatory from the very first day it shipped.

2. A Cipher That Only Speaks in Blocks

A block cipher is smaller than you think. DES (1977) enciphers exactly 64 bits at a time. AES (2001) enciphers exactly 128. Feed it more and it simply refuses. It is a keyed permutation on one fixed-size block and physically cannot accept a message longer than that.

Block cipher

A keyed, invertible permutation on one fixed-size block of bits, written Ek:{0,1}n{0,1}nE_k : \{0,1\}^n \to \{0,1\}^n for a key kk and block size nn (64 bits for DES, 128 for AES). It maps one nn-bit input to one nn-bit output and back. It has no notion of a message, a length, or a stream.

Because real messages are almost never exactly one block long, every use of a block cipher needs a wrapper: a rule for chopping the message into blocks, deciding what each block's input should be, and stitching the outputs back together. That wrapper is the mode of operation.

Mode of operation

The algorithm that lifts a one-block cipher to messages of arbitrary length. It specifies how plaintext is partitioned, what feeds into each block cipher call, and how the results combine into a ciphertext. The mode -- not the cipher -- decides whether identical plaintext leaks, whether the scheme is parallel, and what the initialization-vector or nonce rule is.

The primitive came first. Horst Feistel's work at IBM in the early 1970s produced the Feistel network that became DES, a 64-bit keyed permutation blessed as a federal standard in 1977 [2][3]. The 64-bit block chosen here is the exact quantity that dies, 39 years later, to the Sweet32 attack.

The first wrapper followed almost immediately. In 1976, William Ehrsam, Carl Meyer, John Smith, and Walter Tuchman at IBM filed the patent on Cipher Block Chaining -- the idea of feeding each plaintext block the previous ciphertext block before encryption, so that identical plaintext blocks stop producing identical ciphertext (US Patent 4,074,066, granted 1978) [4]. The patent's actual title is "Message verification and transmission error detection by block chaining" [4]. That is historically ironic: CBC as a confidentiality mode provides no message verification -- no integrity -- at all, which is the very gap this article is about.

Counter mode arrived on paper three years later. Whitfield Diffie and Martin Hellman described encrypting a counter to make a keystream in their 1979 survey "Privacy and Authentication," turning a block cipher into a parallelizable stream cipher [5][6]. Counter mode was described "just as early as the basic-four modes," in Rogaway's words, "yet for some reason it was not included in the initial batch" [6]. It waited 22 years for a federal standard. The exact page in Proc. IEEE 67(3) is gated behind IEEE Xplore, so the DOI is the stable handle and Rogaway's 2011 survey carries the attribution [5][6].

Then the standard fixed the toolkit. In December 1980 the National Bureau of Standards published FIPS 81, DES Modes of Operation, sanctioning four ways to stretch DES across real traffic: ECB, CBC, CFB, and OFB [7]. Counter mode was left out. It did not enter a NIST standard until Morris Dworkin's SP 800-38A re-specified all five modes for the AES era in December 2001, finally adding CTR as the fifth -- 22 years after Diffie and Hellman [8].

Ctrl + scroll to zoom
A timeline of block cipher modes, from CBC's 1976 patent to the 2024-2025 retirement of confidentiality-only modes.

Here is the load-bearing historical fact. Every one of these five modes is a confidentiality construction. Integrity -- the second question, "can the attacker change it?" -- was filed under a separate heading called a message authentication code, and in practice it was usually forgotten. FIPS 81 and SP 800-38A specify no integrity mechanism for any of the five [7][8]. That separation of concerns, confidentiality here and integrity somewhere else, is the original sin the rest of this story pays for.

So the toolkit was frozen by 1980 (four modes) and completed by 2001 (a fifth), every one a way to hide data and none a way to protect it from change. The most obvious of the four is also the most broken, and seeing exactly why is the fastest route into the whole subject.

3. ECB, and Why "Just Encrypt Each Block" Fails

The most obvious wrapper is to apply the one-block permutation to each block on its own: Ci=Ek(Pi)C_i = E_k(P_i). This is Electronic Codebook mode, and it is the design every beginner reinvents in an afternoon. It is also broken in a way you can see with your eyes.

The flaw is that ECB is deterministic. It has no initialization vector, no chaining, and no state, so the same plaintext block always encrypts to the same ciphertext block: Pi=PjCi=CjP_i = P_j \Rightarrow C_i = C_j. The plaintext's block-level structure survives encryption intact. Rogaway's survey states it flatly: ECB "leak[s] equality of blocks across both block positions and time" and "does not achieve any generally desirable security goal in its own right" [6].

Ctrl + scroll to zoom
ECB determinism leaks structure. Each arrow is one independent E_k call, and because block A and block C are equal plaintext, they produce identical ciphertext.

That leak is not a metaphor. The famous "ECB penguin" -- an image of Tux encrypted block-by-block whose outline stays perfectly visible -- is community folklore (the Tux image is by Larry Ewing, 1996) with no research primary. The load-bearing evidence for ECB's failure is the Adobe 2013 breach and the BDJR theorem, not the meme. In 2013, roughly 153 million Adobe records showed it at scale: passwords encrypted with 3DES in ECB, no salt, so identical passwords produced identical ciphertext and the plaintext structure reconstructed itself without 3DES ever being broken [1].

Underneath the meme is a theorem. ECB is not IND-CPA.

IND-CPA (indistinguishability under chosen-plaintext attack)

The baseline security goal for encryption. An adversary who may request encryptions of any plaintexts it chooses still cannot tell which of two equal-length messages a challenge ciphertext hides. Bellare, Desai, Jokipii, and Rogaway (1997) proved the consequence: any IND-CPA scheme must be randomized or stateful, so a deterministic mode like ECB cannot qualify [9][10].

The proof is a one-line adversary. Ask the challenger to encrypt a pair of equal blocks (X,X)(X, X) versus an unequal pair (X,Y)(X, Y) and simply look for a repeated ciphertext block; ECB gives itself away every time [9]. This is the same reasoning Part 1 develops in general. ECB is also malleable at block granularity: because blocks are independent, an attacker can cut, paste, and reorder them undetected. It fails both questions at once.

That "never" needs one careful qualifier -- it is easy to overstate.

You can watch the determinism happen. The toy below is not a real cipher, but like ECB it transforms each block with the same deterministic function, so a repeated plaintext block produces a repeated ciphertext block:

JavaScript ECB determinism you can see (toy permutation, not real crypto)
// A toy deterministic block transform. Not a real cipher -- the point is
// only that the same input block always yields the same output block.
function toyBlockCipher(block) {
return block.split('').reverse().map(function (c) {
  return String.fromCharCode((c.charCodeAt(0) + 7) % 128);
}).join('');
}

// ECB: split into 4-char blocks and transform each one independently.
function ecb(message) {
var out = [];
for (var i = 0; i < message.length; i += 4) {
  out.push(toyBlockCipher(message.slice(i, i + 4)));
}
return out;
}

var blocks = ecb('LOVEHATELOVE'); // block 1 and block 3 are identical
console.log(blocks);
console.log('Block 1 equals block 3? ' + (blocks[0] === blocks[2]));
// True. The repeated plaintext block leaks as a repeated ciphertext block,
// with no key required to notice the pattern.

Press Run to execute.

One clarification before moving on. These five are the SP 800-38A confidentiality-only modes, not "all block cipher modes." Disk encryption (XTS-AES, SP 800-38E), authentication (CMAC, SP 800-38B), and authenticated encryption (GCM in SP 800-38D, CCM in SP 800-38C) live in separate NIST publications because they pursue different goals. ECB is the degenerate member of the family, and its failure points straight at the fix.

BDJR's theorem is also the cure. To be IND-CPA, encryption must be randomized or stateful. So add an initialization vector, and make each block's encryption depend on the previous one, so that identical plaintext diverges. That is Cipher Block Chaining -- and the start of a forty-year evolution that improves everything except the one thing that matters.

4. From CBC to CTR, Generation by Generation

Four modes remain, and they line up as a sequence of fixes -- each one repairing the previous mode's limitation, and none of them repairing the missing integrity answer. The field got faster, more flexible, and better specified. It stayed exactly as forgeable as the day it started.

CBC: chain the blocks

CBC seeds the chain with an initialization vector and feeds each plaintext block the previous ciphertext block before encryption: Ci=Ek(PiCi1)C_i = E_k(P_i \oplus C_{i-1}), with C0=IVC_0 = \text{IV}. Decryption runs Pi=Dk(Ci)Ci1P_i = D_k(C_i) \oplus C_{i-1}. Because every ciphertext block now depends on all plaintext before it, identical plaintext blocks diverge, and ECB's pattern leak is gone. With an unpredictable IV, CBC is provably IND-CPA [9].

Initialization Vector (IV)

The per-message starting value a mode mixes in so that encrypting the same plaintext twice yields different ciphertext. For CBC and CFB the IV must be unpredictable -- indistinguishable from random to an attacker -- not merely fresh, because it is the first value fed into the chain [8]. Part 2 of this series covers how to generate one.

CBC answered the first question correctly and left the second blank, and even its confidentiality carries three sharp contract edges. This one mode seeded most of the Failure Catalog. It is malleable: a controlled flip in ciphertext block CiC_i deterministically flips the corresponding bits of plaintext block Pi+1P_{i+1} while randomizing PiP_i -- the "flip-and-garble" gadget, an attacker editing a later block without the key [6].

The three contract edges follow. It needs padding, and a receiver that reveals whether decrypted padding is valid turns that check into a plaintext-recovering oracle. Its IV must be unpredictable, or a chosen-plaintext attacker can distinguish messages. And with a 64-bit block, its ciphertext blocks start colliding after about 2322^{32} blocks, leaking PiPjP_i \oplus P_j. Rogaway's performance verdict is blunt: CBC encryption is "inherently serial," and he can "identify no important advantages over CTR mode" [6]. Ciphertext stealing (CBC-CS, standardized in an addendum to SP 800-38A) is the no-expansion variant that avoids padding by borrowing bits from the penultimate block. It is a useful trick, not a new security property -- CBC-CS is still malleable and still needs an unpredictable IV.

CFB: a self-synchronizing stream

CFB turns the block cipher into a stream by encrypting the previous ciphertext to produce a keystream, then XORing it with the plaintext: Ci=PiEk(Ci1)C_i = P_i \oplus E_k(C_{i-1}). The cipher never touches the plaintext directly, so there is no padding, the mode can operate on sub-block segments (one byte or even one bit at a time), and it self-synchronizes after lost or inserted segments -- a genuinely useful property for noisy character-oriented links [6].

The costs are real. Encryption is still serial, and for a segment size s<ns \lt n the mode makes many more block cipher calls per byte -- Rogaway notes s=8s = 8 means "16 times the number of blockcipher calls as CBC," and s=1s = 1 means 128 times [6]. Folklore (and even the loose version of this article's own scope) sometimes says CFB needs only a unique IV. The primary source is stricter: SP 800-38A Section 5.3 requires the IV for both CBC and CFB to be unpredictable [8]. Treat CFB's IV exactly like CBC's.

CFB's malleability is the middle case, not a pure bit-flip. Because Pi=CiEk(Ci1)P_i = C_i \oplus E_k(C_{i-1}), flipping a ciphertext bit flips exactly the aligned plaintext bit in the current block -- but that same altered block is the cipher's input for the next one, so the following block decrypts to garbage. Efail (2018) weaponized precisely this: Damian Poddebniak and co-authors built malleability "gadgets" in CFB (OpenPGP's mode), engineered to absorb the garbled block while keeping the surgical edit, that turned an encrypted email into a plaintext-exfiltration channel with no key recovery and no padding oracle [12][13].

OFB: a pre-computable stream

OFB makes the keystream independent of the message by feeding back the cipher's own output instead of the ciphertext: Oi=Ek(Oi1)O_i = E_k(O_{i-1}), then Ci=PiOiC_i = P_i \oplus O_i. Because the pad depends only on the key and IV, you can compute it before the plaintext arrives, and a single flipped ciphertext bit corrupts only the corresponding plaintext bit, with no error propagation -- attractive for satellite links and digitized voice [6].

Nonce

A number used once: a value that must never repeat under a given key. OFB and CTR need their nonce only to be unique, not unpredictable, so a simple counter is a perfectly good nonce [8]. Reusing one under the same key is catastrophic for every keystream mode, because it reproduces the exact same pad. Part 2 covers how to source these values safely.

That last point is OFB's undoing. If a (key,IV)(\text{key}, \text{IV}) pair ever repeats, the pad repeats, and CC=PPC \oplus C' = P \oplus P' leaks the XOR of two plaintexts with no key -- a two-time pad [6]. OFB is also serial in both directions, so it cannot use hardware parallelism at all, a strictly worse profile than CTR for the same "stream" benefit. And the original FIPS 81 reduced-feedback variants shortened the keystream cycle dangerously, a hazard SP 800-38A removed by defining OFB with full-block feedback only [7][8].

CTR: the parallel stream that wins

CTR keeps OFB's "encrypt something to make a pad" idea but replaces the serial feedback chain with an independent per-block counter: Ci=PiEk(noncei)C_i = P_i \oplus E_k(\text{nonce} \,\|\, i). Because each pad block is a standalone function of its counter, the blocks have no data dependency on one another. CTR is fully parallel on both encryption and decryption, random-access (decrypt block ii alone), precomputable, inverse-free, and needs no padding. Rogaway estimates it "encrypting at more than 10 times the speed of CBC" in hardware [6]. Its contract is the simplest of all: the counter must be unique per key, and unpredictability is explicitly not required [9][6].

Counter mode is "the best and most modern way to achieve privacy-only encryption" and "an important building block for authenticated-encryption schemes." -- Phillip Rogaway, 2011

And here is the cliff. CTR is the best answer to the first question, which is exactly what makes its failure the point of the whole story. It is still malleable, and more transparently so than any other mode: P=CkeystreamP = C \oplus \text{keystream}, so flipping any ciphertext bit flips exactly the corresponding plaintext bit, with no key. The "transfer $9" to "transfer $9,000,000" edit from the opening is a single XOR, and the receiver decrypts a perfectly well-formed message. CTR removed every other excuse -- it is fast, parallel, and clean -- so the blank where integrity should be is the only thing left to see.

Ctrl + scroll to zoom
CBC versus CTR. CBC encryption is a serial chain -- each block waits for the previous ciphertext -- while CTR encrypts independent counters, so every block can be computed at once.

Lined up as a reference grid, the five modes and their exact contracts look like this:

ModeRelationIV / nonce contractParallelismMalleability
ECBC_i = E_k(P_i)none (the flaw)encrypt and decrypt parallelblock-level: cut, paste, reorder
CBCC_i = E_k(P_i XOR C_{i-1})unpredictable IVencrypt serial, decrypt parallelflip-and-garble (block-coupled)
CFBC_i = P_i XOR E_k(C_{i-1})unpredictable IVencrypt serial, decrypt parallelsurgical bit, next block garbled (middle)
OFBC_i = P_i XOR E_k(O_{i-1})unique nonceserial both wayssurgical bitwise
CTRC_i = P_i XOR E_k(counter_i)unique nonce (not unpredictable)encrypt and decrypt parallelsurgical bitwise

The IV and nonce contracts are SP 800-38A's; the parallelism and malleability columns follow Rogaway's summary tables [8][6].

That last column deserves its own magnification, because "malleable" is not one behavior. It runs from surgical (edit one plaintext bit and touch nothing else), through a middle case (edit one bit, but wreck the neighboring block), to block-coupled (your controlled edit lands a block later):

ModeMalleability classWhat one flipped ciphertext bit does
CTR, OFBsurgicalflips exactly the aligned plaintext bit, with zero collateral
CFBmiddle caseflips the aligned bit in the current block, and fully garbles the next block
CBCblock-coupledgarbles the current block, and flips the aligned bit in the next block
ECBblock-levelno sub-block control, but whole blocks can be cut, pasted, and reordered

The distinction is operational, not academic: CTR's surgical malleability is what makes the opening bit-flip a one-line edit, while CFB's "flip here, garble there" is the exact structure Efail's exfiltration gadgets were built around [6][12]. Read as an evolution, the same five tell a story of steady improvement on every axis but one:

ModeYearKey ideaLimitation that drove the next step
ECB1980encrypt each block independentlydeterministic; leaks block equality (not IND-CPA)
CBC1976 / 1980chain each block with the previous ciphertextserial; needs padding; unpredictable IV; 64-bit birthday
CFB1980encrypt the previous ciphertext into a keystreamserial; sub-block sizes multiply cipher calls
OFB1980encrypt the feedback into a message-independent padserial both ways; reuse is a two-time pad
CTR1979 / 2001encrypt an independent counterthe best confidentiality mode, yet still no integrity

One honest caveat: CFB, OFB, and CTR are not a strict quality ladder. They are three parallel answers to CBC's "turn the block cipher into a stream," standardized together, with CTR the clear winner [6]. The linear arrow is a teaching device.

Line the four up and the pattern is undeniable. The bug was never "which chaining?" It was the blank where the second answer should be. Naming that blank correctly is the pivot the whole field turned on.

5. Malleability Is the Real Bug

Here is the reframe that organizes the entire subject: confidentiality is not security. A mode that perfectly hides your message while letting an attacker predictably rewrite it has not handed you a weaker guarantee. It has handed you a different one, and mistaking the two is the single most repeated error in applied cryptography.

Malleability

The property that an attacker can transform a ciphertext into a predictable transformation of the underlying plaintext, without knowing the key or the plaintext. A malleable scheme may be perfectly confidential and still let an attacker edit the message. All five SP 800-38A modes are malleable.

Every one of the five modes answers only confidentiality. The missing integrity answer is malleability, and malleability is the real bug. The fix is authenticated encryption -- not a faster or cleverer confidentiality mode.

This is a provable statement, not a mood. A confidentiality-only mode is not IND-CCA2 and not non-malleable; IND-CPA says nothing about an active attacker who edits ciphertext in transit [9].

The mechanism differs per mode, and that difference is your diagnostic. In the pure keystream modes (CTR and OFB) the relation is P=CkeystreamP = C \oplus \text{keystream}, so flipping ciphertext bit ii flips plaintext bit ii exactly, with no collateral. CFB is the middle case: the flip lands surgically in the current block but garbles the next one, because CFB feeds each ciphertext block back through the cipher. In CBC the coupling runs the other way -- a flip in CiC_i predictably edits Pi+1P_{i+1} while randomizing PiP_i. Part 1 develops why this is a failure of the goal, not the construction.

IND-CCA2 and non-malleability

The stronger targets a confidentiality-only mode provably fails. IND-CCA2 (indistinguishability under adaptive chosen-ciphertext attack) hands the adversary a decryption oracle for any ciphertext but the challenge; non-malleability forbids turning one ciphertext into a predictably related one. Because all five SP 800-38A modes are malleable, none is IND-CCA2. Part 1 of this series formalizes both goals -- here they are exactly what a MAC restores.

You can run the attack from the opening. The demo below encrypts a payment instruction with a toy keystream, then, knowing only the message format, rewrites the amount by XORing a delta into the ciphertext. No key is ever touched:

JavaScript The CTR bit-flip attack (the hook, made runnable)
// Toy CTR: P = C XOR keystream. Editing C edits P, with no key. NOT real crypto.
function xorBytes(a, b) { return a.map(function (x, i) { return x ^ b[i]; }); }
function toBytes(s) { return Array.from(s).map(function (c) { return c.charCodeAt(0); }); }
function toStr(b) { return b.map(function (x) { return String.fromCharCode(x); }).join(''); }

var plaintext = 'amount:0000009';                 // the honest instruction
var keystream = toBytes('SECRETPADSECRET').slice(0, plaintext.length);

// Sender encrypts. The attacker sees only C -- never the key, never the keystream.
var C = xorBytes(toBytes(plaintext), keystream);

// The attacker knows the fixed message FORMAT and wants this instead:
var target = 'amount:9000000';                    // same length, this is the "9 -> 9,000,000" edit
var delta = xorBytes(toBytes(plaintext), toBytes(target));  // computable from the format alone

// He XORs the delta straight into the ciphertext.
var forged = xorBytes(C, delta);

// The receiver decrypts with the real keystream and sees the forgery.
console.log('Receiver reads: ' + toStr(xorBytes(forged, keystream)));  // amount:9000000
console.log('Keys or keystream used by the attacker: none.');

Press Run to execute.

The same edit, drawn as it happens on the wire:

Ctrl + scroll to zoom
The bit-flip malleability attack. The attacker cannot read the ciphertext, yet XORs a chosen delta into it and the receiver decrypts an attacker-chosen plaintext.

Confidentiality without integrity is not weaker encryption. It is a different, largely illusory guarantee.

Now turn the lens on the historical record. Every famous break of these modes is one of two diagnoses -- a missing integrity answer, or a violated IV/nonce contract:

BreakYearModeRoot causeLesson
Adobe [1]2013ECBconfidentiality answered wrongly (determinism)never ECB for messages
Padding oracle, Vaudenay [14]2002CBCno integrity plus a distinguishable padding checkverify before decrypting
BEAST [15][16]2011CBCviolated IV contract (predictable IV)IVs must be unpredictable
Lucky Thirteen [17]2013CBCwrong composition order plus a timing leakEncrypt-then-MAC, constant time
POODLE [18][19]2014CBC (SSL 3.0)padding oracle after a downgraderetire the mode and the fallback
Sweet32 [20][21]2016CBC (64-bit)block-size birthday boundno 64-bit ciphers for bulk
Efail [12]2018CBC / CFBmissing integrity (malleability gadget)authenticate the ciphertext
Truncation, Smyth-Pironti [22]2013TLS record (any mode)missing integrity of length and framing (omission)authenticate the end, not just the bytes
GCM nonce reuse [23][24]2016CTR / GCMviolated nonce contractnever repeat a (key, nonce)

Most of these breaks edit or leak bytes, but the subtlest one deletes them. Ben Smyth and Alfredo Pironti showed at WOOT 2013 that silently truncating a TLS stream -- cutting it short at an attacker-chosen point -- changes the meaning a web application infers from a "complete" response, because the record layer authenticated the bytes it carried but never the fact that the message had ended [22]. That is an integrity failure of omission, and it is why the fix in Section 10 authenticates length and end-of-stream, not just content. Most of the rest are TLS history, which the SChannel post tells from the deployment side. Precision on GCM nonce reuse: one repeated (key,nonce)(\text{key}, \text{nonce}) immediately leaks P1P2P_1 \oplus P_2, but uniquely recovering the GHASH subkey HH generally needs two or more collisions. Never say "one reuse leaks HH" [23]. The routinely mis-cited CVE-2016-0270 actually names IBM Domino, not OpenSSL, and NVD warns it "has been incorrectly used for GCM nonce reuse issues in other products." The deployed GCM-nonce forgery is the Nonce-Disrespecting Adversaries paper, whose byline is exactly five authors: Boeck, Zauner, Devlin, Somorovsky, and Jovanovic [25][24].

The fix is to add the missing answer, and the order in which you add it turns out to matter. Bellare and Namprempre (2000) and Krawczyk (2001) proved that Encrypt-then-MAC -- encrypt, then MAC the ciphertext, and verify the tag before decrypting -- generically yields both IND-CPA and INT-CTXT, a scheme that is confidential and unforgeable, while MAC-then-encrypt and encrypt-and-MAC are fragile [26][27].

Message Authentication Code (MAC)

A keyed tag that proves a message was not altered and came from someone holding the key. Anyone with the key can compute the tag over a message; without it, forging a valid tag is infeasible. HMAC, CMAC, and CBC-MAC are common constructions. A MAC supplies the integrity answer a confidentiality mode leaves blank.

Better still, fuse the two answers into one primitive.

AEAD (Authenticated Encryption with Associated Data)

A single primitive that provides confidentiality and integrity at once, and can also authenticate unencrypted "associated data" such as headers. It answers both questions in one object, so a modified ciphertext is rejected before any plaintext is released.

The punchline binds this whole article together: the dominant AES AEADs are literally these modes plus a MAC. GCM equals CTR plus GHASH, a polynomial hash over GF(2128)GF(2^{128}) [29][30]. CCM equals CTR plus CBC-MAC [31][32]. The 1979 counter idea and the 1976 chaining idea, welded into a primitive that finally answers both questions -- the SMB 3.1.1 post shows GCM and CCM running in a real protocol.

Ctrl + scroll to zoom
Authenticated encryption bolts a MAC onto a confidentiality mode and verifies the tag before decrypting. GCM equals CTR plus GHASH, and CCM equals CTR plus CBC-MAC.

One boundary to keep honest: not every modern AEAD is built from these modes. ChaCha20-Poly1305 (a stream cipher plus Poly1305) and Ascon (a sponge permutation) are first-class AEADs that are deliberately not SP 800-38A constructions [33][34]. The lineage claim is bounded to the AES AEADs.

With integrity finally bolted on, every entry in the catalog retroactively dies -- a modified ciphertext fails the tag before a byte is decrypted. So the field declared victory and shipped AEAD everywhere. Then it discovered that AEAD did not repeal the IV/nonce contract. It sharpened it -- which is exactly where the state of the art picks up.

6. The Field Is Retiring Confidentiality-Only Modes

The modern answer to "which block cipher mode should I use?" is no bare confidentiality mode at all. It is a choice of AEAD, and between 2024 and 2026 that answer stopped being folklore and became written policy. The tell is what the standards bodies did not do. Faced with four decades of breaks, nobody proposed a sixth confidentiality mode. Every document below reaches instead for authentication.

Start with the audit. NIST IR 8459, published in September 2024 by Nicky Mouha and Morris Dworkin, is the first formal review of the entire SP 800-38 series, and it reads less like a specification than a post-mortem: it works through the family mode by mode, documenting why each keeps failing, and its recommendations point at authenticated encryption rather than a patched mode -- down to disallowing ECB for the very job it keeps losing at, encrypting secrets [35]. An audit whose answer to "which new mode?" is "stop adding modes" is this whole section in miniature.

The policy machinery had already started turning. In April 2023 NIST's Crypto Publication Review Board published its decision to revise SP 800-38A itself, with goals that read like a confession: to "limit the approval of the Electronic Codebook (ECB) mode," to "provide guidance on the importance of incorporating authentication, where feasible," to fold in "three variations of ciphertext stealing for Cipher Block Chaining mode," and -- once a stronger technique exists -- to "consider deprecating the modes in SP 800-38A" [36]. The document that defines the five modes is contemplating its own retirement, and names authenticated encryption as the successor it is waiting on.

SP 800-131A Revision 3 supplies the compliance lever. Its initial public draft of October 21, 2024 disallows ECB for encrypting secret data and relegates it to legacy (decrypt-only) use; the draft's own phrase is "the retirement of ECB as a confidentiality mode of operation" [11]. For a FIPS-bound product that is an effective-on-finalization change, not a suggestion.

Where the field is heading is just as clear from what it standardized. Ascon, finalized as NIST SP 800-232 in August 2025, is the new AEAD for the constrained, low-power class for which earlier standards specified AES-CCM -- and it is a sponge permutation, pointedly not an SP 800-38A block cipher mode [34]. "Migrate to AEAD" does not mean "migrate to a mode." And for the one contract even AEADs still impose, AES-GCM-SIV (RFC 8452, 2019) is the standardized hedge: a nonce-misuse-resistant scheme that degrades gracefully instead of catastrophically when a nonce repeats [37].

Nonce-misuse-resistant AEAD

An AEAD that stays secure even when a nonce is accidentally reused, leaking at most whether two identical messages were sent under the same nonce, instead of collapsing into a two-time pad and forgery. AES-GCM-SIV reaches this by deriving its internal counter from a MAC of the whole message, so a repeat is a mild, bounded leak rather than a catastrophe [37][38].

AES-GCM-SIV is engineered to be "nonce misuse resistant -- that is, [it does] not fail catastrophically if a nonce is repeated." -- RFC 8452

DocumentWhat it doesStatus
NIST IR 8459 [35]audits the whole SP 800-38 series; steers ECB and secrets toward AEADpublished, Sept 2024
Decision to revise SP 800-38A [36]limit ECB, add CBC ciphertext stealing, urge authentication, weigh deprecationpublished, Apr 2023
SP 800-131A Rev. 3 [11]moves ECB to legacy (decrypt-only) use; disallowed for encrypting secrets on publicationdraft (Oct 21, 2024 IPD)
Ascon (SP 800-232) [34]a permutation AEAD for constrained devices, deliberately not a 38A modefinal, Aug 2025
AES-GCM-SIV (RFC 8452) [37]a nonce-misuse-resistant AEAD hedgepublished, 2019

The migration is credible now, rather than merely aspirational, because the substrate already moved. TLS 1.3 (RFC 8446, 2018) removed every CBC-mode cipher suite and makes AES-GCM its mandatory-to-implement AEAD [28]; QUIC protects every packet with an AEAD, binding the packet number directly into the AEAD nonce, with no unauthenticated-confidentiality option at all [39].

The performance objection that once favored CBC also evaporated: with AES-NI and the carry-less multiply instruction PCLMULQDQ, AES-GCM fell from roughly 3.7 cycles per byte in optimized software toward about 1, so the fast path and the safe path are now the same path [40][38]. The 2024-2026 standards are simply retiring the confidentiality-only modes to match a deployment reality that migrated years earlier.

The modern "which mode?" question is really "which AEAD?" The five SP 800-38A confidentiality-only modes now survive as internals of authenticated encryption and as legacy interoperability options -- not as something you deploy on purpose.

The cross-references write themselves: the CBC-to-GCM migration is the story the SChannel post tells for Windows TLS, and GCM and CCM running in a shipping protocol is what the SMB 3.1.1 post shows. So the strategic direction is settled: move to AEAD. But "AEAD" is not one thing. The moment you have to ship, the question sharpens from "which mode?" to "which AEAD, with which parameters, for which platform?" -- and that has a real, defensible answer.

7. When You Must Pick a Mode, and Which AEAD

Two comparisons matter in practice. The first is the intra-family one folklore gets wrong. The second is the one you actually face when you ship.

CBC versus CTR: a choice that changes nothing that matters

Both are confidentiality-only, both are malleable, and both are still everywhere. On the merits CTR is superior: fully parallel on encryption and decryption, random-access, and governed by the simplest contract (a unique nonce). CBC survives on forty years of deployment inertia, not on technical advantage -- Rogaway, having surveyed all five modes, reports "no important advantages over CTR mode" for CBC [6].

But here is the point most tuning guides miss: swapping CBC for CTR fixes nothing that matters, because neither answers the second question. You trade a serial mode with padding for a parallel mode without it, and you keep every bit of the malleability. If your reason for the swap is security, you are solving the wrong problem.

Which AEAD

This is the comparison with real stakes, and every option is a defensible answer to a different constraint. AES-GCM is the throughput default on modern CPUs, hardware-accelerated by AES-NI and CLMUL, and brittle exactly where humans err -- a single reused nonce is catastrophic [30]. ChaCha20-Poly1305 is the software default: constant-time by construction, with no AES hardware and no cache-timing hazard [33]. AES-CCM is CTR plus CBC-MAC, two-pass and small-footprint [31][32]; those documents define CCM, and its compact profile is why the IEEE wireless standards adopt it -- WPA2 (802.11i) [40] and IEEE 802.15.4 low-power wireless [44][45] both build their link-layer security on it. AES-GCM-SIV is the nonce-misuse-resistant hedge [37]. Ascon is the lightweight standard for microcontrollers [34].

AEADBuilt fromPassesConstant-timeNonce-reuse penaltyBest fit
AES-GCM [30]CTR + GHASH1, onlineneeds AES-NI, CLMULcatastrophic (forgery)server bulk, TLS
ChaCha20-Poly1305 [33]stream + Poly13051, onlineby construction (software)catastrophicmobile, no AES hardware
AES-CCM [31]CTR + CBC-MAC2, not onlineneeds AES-NIcatastrophicWPA2, IoT, small code
AES-GCM-SIV [37]POLYVAL-SIV + CTR2, not onlineneeds AES-NI, CLMULgraceful (leak equality)nonce-uncertain systems
Ascon [34]sponge permutation1 (duplex)easy to protectcatastrophicmicrocontrollers, IoT

The performance folklore is worth correcting too. The cleanest apples-to-apples software measurement, Krovetz and Rogaway at FSE 2011 on an Intel i5 "Clarkdale," found CCM near 4.2 cycles per byte, GCM near 3.7, OCB near 1.5, and raw CTR near 1.3 [40]. Read that as an ordering under fixed effort, not a modern absolute: with mature AES-NI and CLMUL, AES-GCM reaches roughly 1 cycle per byte on current x86 [38]. The durable lesson is that hardware, not algorithm choice, moved GCM from 3.7 to 1 -- which is the whole reason CTR-based AEADs won.

Every column wins on some axis and loses on another; none is unconditionally best. And the reasons why no single scheme dominates are not engineering accidents. They are theorems. To use any of these correctly, you have to know the walls they are all pressed against.

8. You Cannot Get Integrity From a Confidentiality Mode

The two-question frame is not merely good advice. It is a theorem, and it draws a hard line no amount of clever engineering crosses.

Start with the central impossibility. IND-CPA does not imply IND-CCA2 or non-malleability; BDJR proved ECB is not even IND-CPA and that CBC and CTR are IND-CPA with proper IVs and nonces, but IND-CPA says nothing about an active attacker editing ciphertext [9]. Bellare and Namprempre sharpened the target, separating INT-PTXT from INT-CTXT and proving that only Encrypt-then-MAC generically delivers IND-CPA plus INT-CTXT [26][27].

The consequence is a lower bound, not a tip: you cannot patch integrity into a bare CTR, CBC, CFB, or OFB mode, because malleability is a property of the confidentiality goal, not a bug in any construction. This is the reasoning Part 1 sets up in full.

"Confidentiality does not imply integrity" is a theorem, not advice. IND-CPA does not imply IND-CCA2 or non-malleability, so you cannot patch integrity into a bare CTR, CBC, CFB, or OFB mode. It is a property of the goal, not a bug in the construction.

The second wall is the block size.

Birthday bound

The threshold at which collisions among random nn-bit values become likely: around 2n/22^{n/2} of them. For a block cipher it means ciphertext blocks start repeating -- and leaking PiPjP_i \oplus P_j -- after roughly 2n/22^{n/2} blocks, regardless of key length. This is the ceiling behind Sweet32 and the GCM nonce cap.

Ciphertext-collision leakage grows like q2/2nq^2 / 2^n in the number of blocks qq, so security degrades at about q2n/2q \approx 2^{n/2} blocks: roughly 2322^{32} blocks (about 32 GiB) for a 64-bit cipher, which is the Sweet32 ceiling, and 2642^{64} blocks for AES [9][20]. A provable ceiling, independent of key size -- doubling the key does not move it.

GCM inherits its own two ceilings, and conflating them is a common error. Per SP 800-38D, a single message is capped at 2392562^{39} - 256 bits (about 64 GiB), and, under random 96-bit nonces, the number of invocations per key must stay below about 2322^{32} to keep the nonce-collision probability negligible [30]. One is a length limit; the other is a count limit. They are different numbers that both bite.

The last wall is the sharpest, because no computational assumption stands behind it. Reusing a (key,nonce)(\text{key}, \text{nonce}) in any keystream mode leaks C1C2=P1P2C_1 \oplus C_2 = P_1 \oplus P_2 -- a two-time pad. You can watch it recover a plaintext with nothing but XOR:

JavaScript A two-time pad from nonce reuse (recover plaintext with only XOR)
// Reusing a (key, nonce) reproduces the SAME keystream. That is a two-time pad.
function xorBytes(a, b) { return a.map(function (x, i) { return x ^ b[i]; }); }
function toBytes(s) { return Array.from(s).map(function (c) { return c.charCodeAt(0); }); }
function toStr(b) { return b.map(function (x) { return String.fromCharCode(x); }).join(''); }

var p1 = 'attack at dawn';
var p2 = 'defend the fort';
var n = Math.min(p1.length, p2.length);
var ks = toBytes('REUSEDPADREUSEDPAD').slice(0, n);   // the SAME pad used twice -- the bug

var c1 = xorBytes(toBytes(p1).slice(0, n), ks);
var c2 = xorBytes(toBytes(p2).slice(0, n), ks);

// The attacker never has the key. He XORs the two ciphertexts; the pad cancels:
var leaked = xorBytes(c1, c2);                         // equals p1 XOR p2

// With a crib -- a good guess at p1 -- he recovers p2 outright:
var crib = toBytes('attack at dawn').slice(0, n);
console.log('Recovered from a crib: ' + toStr(xorBytes(leaked, crib)));  // defend the for

Press Run to execute.

The core science, then, is closed. "Confidentiality does not imply integrity" is settled, reuse is an information-theoretic floor, and the block-size wall is provable. If the theory is finished, what is left to work on? More than you would guess -- and it is where the modes still bite.

9. Where Modes Still Bite

The confidentiality-versus-integrity fight is won. The live frontier is one level up: not "is it confidential?" but "how resilient is the authenticated scheme when humans and hardware misbehave?" Four problems are genuinely open, and one popular worry is not a problem at all.

Make nonce-misuse-resistance the default, not the hedge. AES-GCM fails catastrophically on nonce reuse, yet reuse -- from stateless senders, VM clones, restarted counters -- is among the most common real misuses [30]. AES-GCM-SIV delivers graceful degradation at roughly 1 cycle per byte and up to 2502^{50} messages per key, "well suited for real world applications that need a nonce-misuse resistant Authenticated Encryption scheme" [38].

But it is two-pass and offline, and it remains opt-in. The open problem is an AEAD that is online, single-pass, parallel, roughly 1 cycle per byte, and misuse-resistant at once -- and, harder, getting TLS and KMS libraries to make it the default. NIST IR 8459 flags nonce management across the whole SP 800-38 series as a first-order concern [35].

Key commitment

The property that binds a ciphertext to the single key and context that produced it, so it cannot be made to decrypt validly under a second key. Standard AEAD security says nothing about it, which is why AES-GCM and ChaCha20-Poly1305 lack it -- and why a ciphertext can be crafted to open to two different valid plaintexts under two different keys.

Key commitment and robustness. AES-GCM and ChaCha20-Poly1305 are not key-committing: a single ciphertext can be built to decrypt to valid plaintexts under two different keys [47]. Real systems assume otherwise, so this breaks password-based encryption, message franking, and envelope schemes.

Partitioning-oracle attacks turned that gap into practical password recovery against Shadowsocks proxies; the same study only surveyed protocols such as OPAQUE as potentially vulnerable rather than breaking them [48]. The "invisible salamanders" attack built AES-GCM ciphertexts that decrypt to valid files under two keys, defeating message franking [49], a technique later generalized across file formats [47]. A genuine lower bound -- compactly committing AE is provably impossible at AES-GCM's exact performance profile [49] -- meets a cheap upper bound -- committing GCM and GCM-SIV variants at no ciphertext expansion [50]. The bounds nearly meet, yet the deployed default still sits on the wrong side.

Constant-time implementation. CBC-decrypt-then-MAC timing gave us Lucky Thirteen, and table-based AES and GHASH leak through cache [17]. This is effectively solved on hardware with AES-NI and CLMUL, and ChaCha20-Poly1305 is constant-time by design [33]. It stays a live hazard on microcontrollers and throughout the legacy CBC base.

The forty-year migration. A vast deployed base still runs CBC and 64-bit block ciphers, keeping Sweet32 and padding oracles alive. TLS 1.3 removed CBC-mode cipher suites and mandates AEAD [28], and IR 8459 audits the whole series [35], but embedded firmware, file-format crypto, database encryption, and private protocols lag by years. This is an engineering and logistics problem, not a mathematical one -- and it is the one that keeps the Failure Catalog growing.

None of these is a hole in the confidentiality-versus-integrity theory. All are the gap between the ideal AEAD and the one you can install today -- which is exactly the gap a practitioner has to bridge. So here are the rules that bridge it.

10. Use X With These Params In Case Y

Everything so far collapses into one rule and a short decision tree you can apply without re-deriving a theorem. The rule: use a vetted AEAD, not a raw confidentiality mode [52].

The decision guide, in priority order:

  1. Default: AES-GCM with a 96-bit nonce, unique per key -- prefer a deterministic counter -- and a hard cap of fewer than 2322^{32} messages per key [30].
  2. Cannot guarantee unique nonces: AES-GCM-SIV [37], or XChaCha20-Poly1305, which widens the RFC 8439 ChaCha20-Poly1305 construction to a 192-bit random nonce [33]. The 192-bit-nonce XChaCha20 variant is specified in the IRTF draft draft-irtf-cfrg-xchacha, not in RFC 8439, which standardizes only the 96-bit ChaCha20-Poly1305 [33]. The wider nonce is exactly what lets you pick nonces at random without tracking a counter.
  3. No fast AES hardware, or you need constant-time software: ChaCha20-Poly1305 [33].
  4. Constrained or IoT, small code budget: Ascon-AEAD128 [34] or AES-CCM [31].
  5. Need key or context commitment (password-based encryption, franking, envelope, rotation): a committing AEAD [50].
  6. Must drop to a raw mode (interoperability or a FIPS boundary): CTR plus Encrypt-then-MAC (CMAC or HMAC) with a unique nonce, or CBC only with a fresh unpredictable IV plus Encrypt-then-MAC plus constant-time padding [8][26].
  7. Streaming or large objects: do not ship one monolithic AEAD blob you cannot buffer. Split the stream into records, give each a unique per-chunk nonce, and authenticate a sequence number plus an explicit end-of-stream marker, so a dropped, reordered, or truncated record is caught rather than silently accepted. This is the record-protocol pattern DTLS 1.3 uses -- rejecting duplicates through "a sliding receive window" -- and that QUIC uses by binding each packet number into its AEAD nonce; together they close truncation and replay, the two integrity gaps a bare mode cannot see [22][53][39].
  8. Never: ECB for messages, a 64-bit block cipher for bulk data, a reused nonce, or "encryption" with no integrity tag.
Ctrl + scroll to zoom
A 2026 decision tree. Choose an AEAD first, and only drop to a raw mode plus Encrypt-then-MAC when forced.

When you do touch a raw mode, the contract is the whole game. Part 2 covers how to generate these values; this table says what each mode requires:

ModeRequirementConsequence of violation
ECBnone (and that is the flaw)determinism leaks block equality
CBCunpredictable and unique IVa predictable IV enables BEAST
CFBunpredictable and unique IVa predictable IV enables chosen-plaintext distinguishing
OFBunique noncereuse is a two-time pad
CTRunique nonce (unpredictability not required)reuse is a two-time pad

Those requirements come straight from SP 800-38A [8]; the raw bytes that satisfy them come from a CSPRNG, which the Windows CSPRNG post covers, and the real API calls that wire AES-CBC and AES-GCM together live in the CNG post. Finally, every common misuse maps one-to-one to a named break and its fix:

MisuseNamed breakFix
ECB for structured dataAdobe 2013 [1]AEAD over AES
static or predictable IVBEAST [16]fresh unpredictable IV, or an AEAD
reused GCM nonceNonce-Disrespecting Adversaries [24]counter nonces, or GCM-SIV / XChaCha
MAC-then-encrypt or encrypt-and-MACLucky Thirteen [17]Encrypt-then-MAC, verify before decrypt
no integrity at allEfail [12]an AEAD, or Encrypt-then-MAC
64-bit block cipher for bulkSweet32 [20]a 128-bit-block AEAD
truncation with no length integrityTruncation, Smyth-Pironti [22]authenticate length and end-of-stream
A quick way to see which AEAD a server negotiates

Run openssl s_client -connect example.com:443 -tls1_3 and read the Cipher line: a modern server reports an AEAD such as TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256. If you instead see a suite with CBC in the name, you are looking at a legacy, malleable-mode configuration that belongs on the migration list.

Notice that every rule is the same rule wearing different clothes: pick the primitive that answers both questions, and honor its IV/nonce contract. The folklore that gets this wrong is dense enough to deserve its own section.

11. Misconceptions, Named and Corrected

Seven half-truths cause real incidents. Each dissolves under the same two-question lens.

Frequently asked questions

Isn't encrypted data automatically safe from tampering?

No. All five SP 800-38A modes are malleable, so an attacker who cannot read your ciphertext can still predictably edit the plaintext -- bit-for-bit in the additive keystream modes CTR and OFB, block-coupled in CBC, and a mix of the two in CFB. Confidentiality and integrity are different guarantees; you need a MAC or an AEAD to get the second one, and encryption alone does not provide it.

Is ECB fine for random or single-block data?

Only as a building block, never as a message-encryption mode. The raw single-block permutation is legitimate inside key wrap and CMAC or CBC-MAC. But ECB is deterministic, so the moment your data has any structure or repetition it leaks block equality -- which is why NIST is moving ECB to legacy use [11]. The rule is "never ECB for messages," not "ECB has no use anywhere."

Doesn't a random IV make any mode safe?

No. A random IV fixes ECB's determinism, but it adds no integrity -- the mode is still malleable. And the requirement is not uniform: CBC and CFB need an unpredictable IV, while CTR and OFB need only a unique nonce [8]. Getting that distinction wrong is exactly what BEAST exploited.

Are random GCM nonces safe forever?

No. Under random 96-bit nonces you must stay below roughly 2322^{32} invocations per key to keep the nonce-collision probability negligible [30]. Past that, a repeat becomes likely, and a repeated GCM nonce fails catastrophically. If you cannot count, use AES-GCM-SIV or XChaCha20-Poly1305 instead.

CBC is broken -- should I just switch to CTR?

That fixes nothing that matters. Both are confidentiality-only and both are malleable; swapping one for the other trades performance characteristics, not security [6]. The fix is an AEAD, not a different malleable mode.

Is AES-GCM unbreakable?

Not under nonce reuse. A single repeated (key,nonce)(\text{key}, \text{nonce}) leaks P1P2P_1 \oplus P_2, and with two or more collisions it recovers the GHASH subkey HH, enabling universal forgery -- Joux's "forbidden attack," which was later found live on real TLS servers [23][24]. GCM is only as strong as its nonce discipline.

Isn't a MAC over the plaintext enough?

Order matters. MAC-then-encrypt and encrypt-and-MAC are fragile and produced Lucky Thirteen and the padding-oracle family [17]. The proven-safe generic composition is Encrypt-then-MAC: authenticate the ciphertext and verify the tag before you decrypt [26].

Every one dissolves into the same sentence -- which is where this started, and where it ends.

Two Questions, Forty Years

Return to the opening. A ciphertext AES kept perfectly secret, rewritten in transit by an attacker who never read a byte of it, and accepted as authentic -- because the mode answered only the first of two questions. That was not an exotic failure. It was the ordinary shape of every break in this article.

Run the catalog back through the lens and the pattern is total. Adobe [1], Vaudenay's padding oracle [14], BEAST [16], Lucky Thirteen [17], POODLE [19], Sweet32 [21], Efail [12], and GCM nonce reuse [24]: in every case, AES or DES did exactly what it promised, and the variable was always which question the design forgot or which IV/nonce contract it violated. Not one of these was a cipher break.

Read that way, the 2024-2026 state of the art is a single move. The field stopped iterating confidentiality modes and standardized the second answer. Authenticated encryption is the destination -- and its dominant AES instances, GCM and CCM, are literally these very modes plus a MAC, while ChaCha20-Poly1305 and Ascon supply a parallel lineage that is not [35][34]. The frontier moved with it: nonce-misuse resistance and key commitment are the properties the deployed defaults still lack.

The payoff of the field guide is the same as its premise. Master the five not as interchangeable dropdown options but as building blocks with exact contracts, and every break -- past or future -- becomes readable on sight. You do not need to memorize the next CVE. You need one test, and you already have it: which question did this mode answer, and was its IV/nonce contract honored?

That lens outlives every mode, every cipher, and every standard revision. Which is why this is Part 5 of a field guide to protocol design, not a chapter on five diagrams.

Study guide

Key terms

Block cipher
A keyed, invertible permutation on one fixed-size block of bits (64 for DES, 128 for AES).
Mode of operation
The wrapper that lifts a one-block cipher to messages of arbitrary length.
IND-CPA
Indistinguishability under chosen-plaintext attack; it forces secure encryption to be randomized or stateful.
Initialization Vector (IV)
A per-message starting value; it must be unpredictable for CBC and CFB.
Nonce
A number used once per key; CTR and OFB need it unique, not unpredictable.
Malleability
An attacker can turn a ciphertext into a predictable change of the plaintext, with no key.
Message Authentication Code (MAC)
A keyed integrity tag that supplies the answer a confidentiality mode omits.
AEAD
Authenticated Encryption with Associated Data; confidentiality and integrity in one primitive.
Birthday bound
Collisions among n-bit values become likely near 2 to the n over 2; the block-size ceiling.

References

  1. Troy Hunt (2013). Adobe credentials and the serious insecurity of password hints. https://www.troyhunt.com/adobe-credentials-and-serious/
  2. Horst Feistel (1973). Cryptography and Computer Privacy (Scientific American 228(5)). https://doi.org/10.1038/scientificamerican0573-15 - Offline; cited by issue.
  3. National Institute of Standards and Technology (1999). FIPS 46-3: Data Encryption Standard (DES). https://csrc.nist.gov/pubs/fips/46-3/final
  4. William F. Ehrsam, Carl H. W. Meyer, John L. Smith, & Walter L. Tuchman (1978). Message verification and transmission error detection by block chaining (US Patent 4,074,066). https://patents.google.com/patent/US4074066A/en
  5. Whitfield Diffie & Martin E. Hellman (1979). Privacy and Authentication: An Introduction to Cryptography. https://doi.org/10.1109/PROC.1979.11256
  6. Phillip Rogaway (2011). Evaluation of Some Blockcipher Modes of Operation. https://web.cs.ucdavis.edu/~rogaway/papers/modes.pdf
  7. National Bureau of Standards (1980). FIPS 81: DES Modes of Operation. https://nvlpubs.nist.gov/nistpubs/Legacy/FIPS/fipspub81.pdf
  8. Morris Dworkin (2001). NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques. https://csrc.nist.gov/pubs/sp/800/38/a/final
  9. Mihir Bellare, Anand Desai, Eron Jokipii, & Phillip Rogaway (1997). A Concrete Security Treatment of Symmetric Encryption. https://cseweb.ucsd.edu/~mihir/papers/sym-enc.pdf
  10. Jonathan Katz & Yehuda Lindell (2020). Introduction to Modern Cryptography, 3rd edition. ISBN 978-0815354369. - Offline; cited by edition.
  11. Elaine Barker & Allen Roginsky (2024). NIST SP 800-131A Rev. 3 (Initial Public Draft): Transitioning the Use of Cryptographic Algorithms and Key Lengths. https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd
  12. Damian Poddebniak, Christian Dresen, Jens Mueller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, & Joerg Schwenk (2018). Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-poddebniak.pdf
  13. Damian Poddebniak, Christian Dresen, Jens Mueller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, & Joerg Schwenk (2018). Efail. https://efail.de/
  14. Serge Vaudenay (2002). Security Flaws Induced by CBC Padding -- Applications to SSL, IPSEC, WTLS.... https://link.springer.com/chapter/10.1007/3-540-46035-7_35
  15. Gregory V. Bard (2004). The Vulnerability of SSL to Chosen Plaintext Attack. https://eprint.iacr.org/2004/111
  16. National Vulnerability Database (2011). CVE-2011-3389 (BEAST). https://nvd.nist.gov/vuln/detail/CVE-2011-3389
  17. Nadhem J. AlFardan & Kenneth G. Paterson (2013). Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf
  18. Bodo Moeller, Thai Duong, & Krzysztof Kotowicz (2014). This POODLE Bites: Exploiting the SSL 3.0 Fallback. https://openssl-library.org/files/ssl-poodle.pdf
  19. National Vulnerability Database (2014). CVE-2014-3566 (POODLE). https://nvd.nist.gov/vuln/detail/CVE-2014-3566
  20. Karthikeyan Bhargavan & Gaetan Leurent (2016). On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN. https://sweet32.info/SWEET32_CCS16.pdf
  21. National Vulnerability Database (2016). CVE-2016-2183 (Sweet32). https://nvd.nist.gov/vuln/detail/CVE-2016-2183
  22. Ben Smyth & Alfredo Pironti (2013). Truncating TLS Connections to Violate Beliefs in Web Applications. https://www.usenix.org/conference/woot13/workshop-program/presentation/smyth
  23. Antoine Joux (2006). Authentication Failures in NIST Version of GCM. https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/joux_comments.pdf
  24. Hanno Boeck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, & Philipp Jovanovic (2016). Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. https://www.usenix.org/conference/woot16/workshop-program/presentation/bock
  25. National Vulnerability Database (2016). CVE-2016-0270 (IBM Domino GCM nonce generation). https://nvd.nist.gov/vuln/detail/CVE-2016-0270
  26. Mihir Bellare & Chanathip Namprempre (2000). Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition. https://eprint.iacr.org/2000/025
  27. Hugo Krawczyk (2001). The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). https://eprint.iacr.org/2001/045
  28. Eric Rescorla (2018). RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3. https://www.rfc-editor.org/rfc/rfc8446
  29. David A. McGrew & John Viega (2004). The Security and Performance of the Galois/Counter Mode (GCM) of Operation. https://eprint.iacr.org/2004/193
  30. Morris Dworkin (2007). NIST SP 800-38D: Galois/Counter Mode (GCM) and GMAC. https://csrc.nist.gov/pubs/sp/800/38/d/final
  31. Doug Whiting, Russ Housley, & Niels Ferguson (2003). RFC 3610: Counter with CBC-MAC (CCM). https://www.rfc-editor.org/rfc/rfc3610
  32. Morris Dworkin (2004). NIST SP 800-38C: The CCM Mode for Authentication and Confidentiality. https://csrc.nist.gov/pubs/sp/800/38/c/upd1/final
  33. Yoav Nir & Adam Langley (2018). RFC 8439: ChaCha20 and Poly1305 for IETF Protocols. https://www.rfc-editor.org/rfc/rfc8439
  34. National Institute of Standards and Technology (2025). NIST SP 800-232: Ascon-Based Lightweight Cryptography Standards for Constrained Devices. https://csrc.nist.gov/pubs/sp/800/232/final
  35. Nicky Mouha & Morris Dworkin (2024). NIST IR 8459: Report on the Block Cipher Modes of Operation in the NIST SP 800-38 Series. https://csrc.nist.gov/pubs/ir/8459/final
  36. National Institute of Standards and Technology (2023). Decision to Revise NIST SP 800-38A. https://csrc.nist.gov/News/2023/decision-to-revise-nist-sp-800-38a
  37. Shay Gueron, Adam Langley, & Yehuda Lindell (2019). RFC 8452: AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. https://www.rfc-editor.org/rfc/rfc8452
  38. Shay Gueron, Adam Langley, & Yehuda Lindell (2017). AES-GCM-SIV: Specification and Analysis. https://eprint.iacr.org/2017/168
  39. Martin Thomson & Sean Turner (2021). RFC 9001: Using TLS to Secure QUIC. https://www.rfc-editor.org/rfc/rfc9001
  40. Ted Krovetz & Phillip Rogaway (2011). The Software Performance of Authenticated-Encryption Modes. https://web.cs.ucdavis.edu/~rogaway/papers/ae.pdf
  41. Morris Dworkin (2016). NIST SP 800-38G: Methods for Format-Preserving Encryption. https://csrc.nist.gov/pubs/sp/800/38/g/final
  42. F. Betul Durak & Serge Vaudenay (2017). Breaking the FF3 Format-Preserving Encryption Standard Over Small Domains. https://eprint.iacr.org/2017/521
  43. Morris Dworkin (2019). NIST SP 800-38G Revision 1 (Initial Public Draft): FF3-1. https://csrc.nist.gov/pubs/sp/800/38/g/r1/ipd
  44. Gabriel Montenegro, Nandakishore Kushalnagar, Jonathan Hui, & David Culler (2007). RFC 4944: Transmission of IPv6 Packets over IEEE 802.15.4 Networks. https://www.rfc-editor.org/rfc/rfc4944
  45. Malisa Vucinic, Jonathan Simon, Kris Pister, & Michael Richardson (2021). RFC 9031: Constrained Join Protocol (CoJP) for 6TiSCH. https://www.rfc-editor.org/rfc/rfc9031
  46. Ted Krovetz & Phillip Rogaway (2014). RFC 7253: The OCB Authenticated-Encryption Algorithm. https://www.rfc-editor.org/rfc/rfc7253
  47. Ange Albertini, Thai Duong, Shay Gueron, Stefan Koelbl, Atul Luykx, & Sophie Schmieg (2022). How to Abuse and Fix Authenticated Encryption Without Key Commitment. https://eprint.iacr.org/2020/1456
  48. Julia Len, Paul Grubbs, & Thomas Ristenpart (2021). Partitioning Oracle Attacks. https://eprint.iacr.org/2020/1491
  49. Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, & Joanne Woodage (2018). Fast Message Franking: From Invisible Salamanders to Encryptment. https://eprint.iacr.org/2019/016
  50. Mihir Bellare & Viet Tung Hoang (2022). Efficient Schemes for Committing Authenticated Encryption. https://eprint.iacr.org/2022/268
  51. National Institute of Standards and Technology (2016). NIST IR 8105: Report on Post-Quantum Cryptography. https://csrc.nist.gov/pubs/ir/8105/final
  52. Niels Ferguson, Bruce Schneier, & Tadayoshi Kohno (2010). Cryptography Engineering. ISBN 978-0470474242. - Offline; cited by edition.
  53. Eric Rescorla, Hannes Tschofenig, & Nagendra Modadugu (2022). RFC 9147: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3. https://www.rfc-editor.org/rfc/rfc9147