Quiz Entry - updated: 2026.07.14
What are the downsides of CBC mode compared to ECB or modern modes?
Encryption is inherently serial (no parallelism), partial encryption isn't possible, and a single-block bit error propagates into the next block on decryption.
| Downside | Why |
|---|---|
| No parallel encryption | Block N+1 needs ciphertext N first → sequential pipeline |
| No partial encryption | Can't encrypt or decrypt block 1000 without processing blocks 1–999 → bad for disk encryption (whole disk re-encrypts on change) |
| Error propagation | Flip one bit in c_i → block m_i becomes garbage AND one bit in m_{i+1} flips at the same position. Two-block corruption from a single error. |
| Padding oracle vulnerability | CBC needs padding; a server that reveals "padding invalid" leaks 1 byte per ~256 requests (POODLE, Lucky 13) |
| No built-in integrity | Attacker can flip ciphertext bits and the change reaches the plaintext — needs separate MAC |
Why modern systems prefer CTR/GCM:
- CTR (Counter) — uses the block cipher as a keystream generator; parallel both ways, partial-encryption friendly. The basis for AES-GCM.
- AES-GCM — CTR + a Galois MAC for built-in integrity (AEAD).
- XTS — the standard for disk encryption (BitLocker, FileVault, LUKS).
Tip: Hardware-accelerated AES-CTR/GCM on modern CPUs runs at multiple GB/s per core. CBC is left in the dust by an order of magnitude purely because of the serial dependency.