ECB mode encrypts each block independently with the same key. A developer argues this is fine because AES itself is secure. What specific attack demonstrates ECB's failure?
Model answer: Identical plaintext blocks produce identical ciphertext blocks, leaking structural patterns. The classic demonstration is the ECB penguin: encrypting a bitmap image in ECB mode preserves the visual structure because regions of identical pixel blocks produce identical ciphertext blocks. The image is recognizable despite encryption. This violates semantic security — an adversary can distinguish encryptions of different messages by checking for repeated blocks.
ECB fails because semantic security requires that an adversary cannot tell which of two messages was encrypted, even when choosing the messages. With ECB, the adversary submits two messages — one with repeated blocks, one without — and checks for repeated ciphertext blocks. This works regardless of how strong the underlying block cipher is. The mode, not the cipher, is the vulnerability.
Question 2 Multiple Choice
In CBC mode, a single-bit error in ciphertext block i affects which plaintext blocks after decryption?
A. Only block i is affected
B. Block i is completely garbled, and block i+1 has a single-bit flip in the same position as the ciphertext error; all other blocks decrypt correctly
C. All blocks from i onward are garbled
D. No blocks are affected because the error-correcting properties of AES fix it
In CBC decryption, plaintext block i = D_k(c_i) XOR c_{i-1}. A bit error in c_i causes D_k(c_i) to produce a completely different (garbled) output for block i. But c_i also feeds into block i+1's decryption as the XOR mask: p_{i+1} = D_k(c_{i+1}) XOR c_i. The single-bit error in c_i causes a single-bit flip in p_{i+1}. Blocks i+2 onward are unaffected because their decryption depends on c_{i+1} (which is uncorrupted) and later blocks. This error propagation pattern is limited but shows CBC has no integrity protection — bit-flip attacks on block i+1 are possible.
Question 3 True / False
CTR mode turns a block cipher into a stream cipher by encrypting counter values and XORing the result with plaintext. Reusing the same nonce with the same key for two different messages is equivalent to reusing a one-time pad.
T. True
F. False
Answer: True
With the same key and nonce, CTR mode generates the same keystream for both messages. XORing the two ciphertexts cancels the keystream, yielding the XOR of the two plaintexts — exactly the same vulnerability as one-time pad reuse. The attacker can then use known-plaintext techniques to recover both messages. This is why nonce uniqueness is critical in CTR mode: a single nonce repetition completely breaks confidentiality for the affected messages.
Question 4 Multiple Choice
GCM mode provides both encryption and authentication. Why is combining these in a single mode preferable to encrypting with CTR and then computing a separate MAC?
A. GCM is faster because it skips the authentication step for most blocks
B. Composing CTR encryption with a separate MAC can be insecure depending on the order of operations (encrypt-then-MAC is secure, MAC-then-encrypt has known vulnerabilities). GCM is a single, analyzed construction that provides authenticated encryption correctly by design
C. Separate MACs cannot authenticate encrypted data — they can only authenticate plaintext
D. GCM uses stronger encryption than CTR mode
The composition order matters critically. Encrypt-then-MAC (compute MAC over ciphertext) is the secure generic composition. MAC-then-encrypt (MAC the plaintext, then encrypt both) has led to real attacks like padding oracles in TLS (the BEAST and Lucky 13 attacks). Encrypt-and-MAC (encrypt plaintext, MAC plaintext separately) can leak plaintext information through the MAC. GCM avoids these pitfalls as an integrated authenticated encryption with associated data (AEAD) scheme, providing confidentiality, integrity, and authenticity with a single key and nonce.
Question 5 True / False
CTR mode is fully parallelizable for both encryption and decryption, while CBC mode is parallelizable only for decryption.
T. True
F. False
Answer: True
In CTR, each ciphertext block is computed as E_k(nonce || counter_i) XOR p_i — each block's encryption is independent, enabling full parallelism. In CBC encryption, c_i = E_k(p_i XOR c_{i-1}), so each block depends on the previous ciphertext — encryption is inherently sequential. However, CBC decryption is parallelizable: p_i = D_k(c_i) XOR c_{i-1}, where all D_k(c_i) computations are independent. This parallelism advantage is one reason CTR mode (and GCM, which uses CTR) is preferred in high-throughput applications.