LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the downsides of CBC mode compared to ECB or modern modes?

Encryption is inherently serial (no parallelism), partial encryption isn't possible, and a single-block bit error propagates into the next block on decryption.

Downside Why
No parallel encryption Block N+1 needs ciphertext N first → sequential pipeline
No partial encryption Can't encrypt or decrypt block 1000 without processing blocks 1–999 → bad for disk encryption (whole disk re-encrypts on change)
Error propagation Flip one bit in c_i → block m_i becomes garbage AND one bit in m_{i+1} flips at the same position. Two-block corruption from a single error.
Padding oracle vulnerability CBC needs padding; a server that reveals "padding invalid" leaks 1 byte per ~256 requests (POODLE, Lucky 13)
No built-in integrity Attacker can flip ciphertext bits and the change reaches the plaintext — needs separate MAC

Why modern systems prefer CTR/GCM:

  • CTR (Counter) — uses the block cipher as a keystream generator; parallel both ways, partial-encryption friendly. The basis for AES-GCM.
  • AES-GCM — CTR + a Galois MAC for built-in integrity (AEAD).
  • XTS — the standard for disk encryption (BitLocker, FileVault, LUKS).

Tip: Hardware-accelerated AES-CTR/GCM on modern CPUs runs at multiple GB/s per core. CBC is left in the dust by an order of magnitude purely because of the serial dependency.

From Quiz: ISF / Symmetric Cryptography | Updated: Jul 14, 2026