How does CBC (Cipher Block Chaining) mode work, and what is the role of the Initialisation Vector (IV)?
Each plaintext block is XOR'd with the previous ciphertext block before encryption. The first block is XOR'd with a random IV. This fixes ECB's pattern-leak problem.
* Each plaintext block is XOR'd with the previous ciphertext block before encryption; a random IV seeds the very first block. *
Encryption:
c_0 = E(m_0 XOR IV, k)
c_i = E(m_i XOR c_{i-1}, k) for i ≥ 1
Why the IV? Two reasons:
- Without an IV the first block would suffer the ECB problem — identical message starts would produce identical first ciphertexts.
- Even identical messages encrypt to different ciphertexts because the IV is fresh each time. (E.g. encrypting "hello" twice with the same key gives two completely different ciphertexts.)
IV properties — important:
- The IV is not secret — it's transmitted in the clear alongside the ciphertext.
- The IV must be unpredictable (random, from a CSPRNG) for CBC specifically. Predictable IVs broke SSL 3.0 (BEAST attack, 2011).
- The IV is one block long (16 bytes for AES).
- A given (key, IV) pair must never be reused.
Decryption inverts the chain: m_i = D(c_i, k) XOR c_{i-1}. Note the previous ciphertext is needed — not the previous plaintext.
Tip: CBC is being phased out (TLS 1.3 dropped it entirely) because of historical padding-oracle attacks (POODLE, Lucky 13) and the lack of built-in integrity. Modern code uses AES-GCM. But CBC is still in tons of legacy systems and is the canonical "first mode to understand beyond ECB."
Go deeper:
Block cipher mode of operation (Wikipedia) — the CBC section, its IV requirement, and the parallelism and padding-oracle trade-offs versus CTR and GCM.