Chapter 3

Traditional
Symmetric-Key Ciphers

3.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
 Chapter 3
Objectives
❏ To define the terms and the concepts of symmetric
key ciphers
❏ To emphasize the two categories of traditional
ciphers: substitution and transposition ciphers
❏ To describe the categories of cryptanalysis used to
break the symmetric ciphers
❏ To introduce the concepts of the stream ciphers
and
block ciphers
❏ To discuss some very dominant ciphers used in the
3.2 past, such as the Enigma machine
 3-1 INTRODUCTION

Figure 3.1 shows the general idea behind a symmetric-key

cipher. The original message from Alice to Bob is called
plaintext; the message that is sent through the channel is
called the ciphertext. To create the ciphertext from the
plaintext, Alice uses an encryption algorithm and a shared
secret key. To create the plaintext from ciphertext, Bob
uses a decryption algorithm and the same secret key.

Topics discussed in this section:

3.1.1 Kerckhoff’s Principle
3.1.2 Cryptanalysis
3.1.3 Categories of Traditional Ciphers
3.3
3.1 Continued

Figure 3.1 General idea of symmetric-key cipher

3.4
 3.1 Continued

If P is the plaintext, C is the ciphertext, and K is the key,

We assume that Bob creates P1; we prove that P1 = P:

3.5
 3.1 Continued

Figure 3.2 Locking and unlocking with the same key

3.6
 3.1.1 Kerckhoff’s Principle

Based on Kerckhoff’s principle, one should always

assume that the adversary, Eve, knows the
encryption/decryption algorithm. The resistance of the
cipher to attack must be based only on the secrecy of the
key.

3.7
 3.1.2 Cryptanalysis

As cryptography is the science and art of creating secret

codes, cryptanalysis is the science and art of breaking
those codes.

Figure 3.3 Cryptanalysis attacks

3.8
 3.1.2 Continued
Ciphertext-Only Attack

Figure 3.4 Ciphertext-only attack

3.9
 3.1.2 Continued
Known-Plaintext Attack

Figure 3.5 Known-plaintext attack

3.10
 3.1.2 Continued
Chosen-Plaintext Attack

Figure 3.6 Chosen-plaintext attack

3.11
 3.1.2 Continued
Chosen-Ciphertext Attack

Figure 3.7 Chosen-ciphertext attack

3.12
 3-2 SUBSTITUTION CIPHERS

A substitution cipher replaces one symbol with another.

Substitution ciphers can be categorized as either
monoalphabetic ciphers or polyalphabetic ciphers.

Note

A substitution cipher replaces one

symbol with another.

3.13
 3.2.1 Monoalphabetic Ciphers

Note

In monoalphabetic substitution, the

relationship between a symbol in the
plaintext to a symbol in the ciphertext is
always one-to-one.

3.14
 3.2.1 Continued

Example 3.1
The following shows a plaintext and its corresponding ciphertext.
The cipher is probably monoalphabetic because both l’s (els) are
encrypted as O’s.

3.15
 3.2.1 Continued
Additive Cipher

The simplest monoalphabetic cipher is the additive cipher. This

cipher is sometimes called a shift cipher and sometimes a Caesar
cipher, but the term additive cipher better reveals its
mathematical nature.

Figure 3.8 Plaintext and ciphertext in Z26

3.16
 3.2.1 Continued
Figure 3.9 Additive cipher

Note

When the cipher is additive, the

plaintext, ciphertext, and key are
integers in Z26.
3.17
 3.2.1 Continued
Example 3.3
Use the additive cipher with key = 15 to encrypt the message
“hello”.

Solution
We apply the encryption algorithm to the plaintext, character by
character:

3.18
 3.2.1 Continued
Example 3.4

Use the additive cipher with key = 15 to decrypt the message

“WTAAD”.
Solution
We apply the decryption algorithm to the plaintext character by
character:

3.19
 3.2.1 Continued
Shift Cipher and Caesar Cipher
Historically, additive ciphers are called shift ciphers. Julius
Caesar used an additive cipher to communicate with his officers.
For this reason, additive ciphers are sometimes referred to as the
Caesar cipher. Caesar used a key of 3 for his communications.

Note

Additive ciphers are sometimes referred

to as shift ciphers or Caesar cipher.

3.20
 3.2.1 Continued
Example 3.5
Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show
how she can use a brute-force attack to break the cipher.
Solution
Eve tries keys from 1 to 7. With a key of 7, the plaintext is “not
very secure”, which makes sense.

3.21
 3.2.1 Continued
Table 3.1 Frequency of characters in English

Table 3.2 Frequency of diagrams and trigrams

3.22
 3.2.1 Continued
Multiplicative Ciphers

Figure 3.10 Multiplicative cipher

Note

In a multiplicative cipher, the plaintext

and ciphertext are integers in Z26; the
key is an integer in Z26*.
3.23
 3.2.1 Continued

Example 3.7
What is the key domain for any multiplicative cipher?
Solution
The key needs to be in Z26*. This set has only 12 members: 1, 3, 5,
7, 9, 11, 15, 17, 19, 21, 23, 25.
Example 3.8
We use a multiplicative cipher to encrypt the message “hello” with
a key of 7. The ciphertext is “XCZZU”.

3.24
 3.2.1 Continued
Affine Ciphers

Figure 3.11 Affine cipher

3.25
 3.2.1 Continued

Example 3.09
The affine cipher uses a pair of keys in which the first key is from
Z26* and the second is from Z26. The size of the key domain is
26 × 12 = 312.
Example 3.10
Use an affine cipher to encrypt the message “hello” with the key
pair (7, 2).

3.26
 3.2.1 Continued

Example 3.11
Use the affine cipher to decrypt the message “ZEBBW” with the
key pair (7, 2) in modulus 26.
Solution

Example 3.12
The additive cipher is a special case of an affine cipher in which
k1 = 1. The multiplicative cipher is a special case of affine cipher in
which k2 = 0.
3.27
 3.2.1 Continued
Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key

domains, they are very vulnerable to brute-force attack.

A better solution is to create a mapping between each plaintext

character and the corresponding ciphertext character. Alice and
Bob can agree on a table showing the mapping for each character.

Figure 3.12 An example key for monoalphabetic substitution cipher

Brute force attack difficult 26! [Link] attack based on frequency of

characters
3.28
 3.2.1 Continued

Example 3.13
We can use the key in Figure 3.12 to encrypt the message

The ciphertext is

3.29
 3.2.2 Polyalphabetic Ciphers
In polyalphabetic substitution, each occurrence of a
character may have a different substitute. The
relationship between a character in the plaintext to a
character in the ciphertext is one-to-many.

We need a key stream k(k1,k2,..ki) where ki is used to

encipher ith character in the plaintext to create cipher
text. Autokey Cipher

3.30
 3.2.2 Continued
Example 3.14
Assume that Alice and Bob agreed to use an autokey cipher with
initial key value k1 = 12. Now Alice wants to send Bob the message
“Attack is today”. Enciphering is done character by character.

Hides single letter frequency of plaintext. Vulnerable to brute force attack,since limited

key space of first subkey.(only 25)

3.31
 Playfair Ciphers
1. Repeating plaintext letters that are in the same pair are
The 'key' for a playfair
separated with a filler letter, such as x, so that full would be
cipher is generally a word,
treated as fu lx lz
for the sake of example we
2. Two plaintext letters that fall in the same row of the
will choose 'monarchy'. This matrix are each replaced by the letter to the right, with the

is then used to generate a first element of the row circularly following the last. For

'key square', e.g. example, ar is encrypted as RM.

3. Two plaintext letters that fall in the same column are

each replaced by the letter beneath, with the top element of

the column circularly following the last. For example, mu is

Note that there is no 'j', it is encrypted as CM.

4. Otherwise, each plaintext letter in a pair is replaced by

combined with 'i'. We now apply
the letter that lies in its own row and the column occupied
the encryption rules to encrypt
 3.2.2 Continued
Playfair Cipher
Figure 3.13 An example of a secret key in the Playfair cipher

Example 3.15
Let us encrypt the plaintext “hello” using the key in Figure 3.13.

3.33
 3.2.2 Continued
Vigenere Cipher

Example 3.16
We can encrypt the message “She is listening” using the 6-
character keyword “PASCAL”.

3.34
 3.2.2 Continued
One-Time Pad

One of the goals of cryptography is perfect secrecy. A

study by Shannon has shown that perfect secrecy can be
achieved if each plaintext symbol is encrypted with a key
randomly chosen from a key domain. This idea is used in
a cipher called one-time pad, invented by Vernam.

3.35
 3-3 TRANSPOSITION CIPHERS
A transposition cipher does not substitute one symbol for
another, instead it changes the location of the symbols.

Note

A transposition cipher reorders symbols.

Topics discussed in this section:

3.3.1 Keyless Transposition Ciphers
3.3.2 Keyed Transposition Ciphers
3.3.3 Combining Two Approaches

3.36
 3.3.1 Keyless Transposition Ciphers

Simple transposition ciphers, which were used in the

past, are keyless.
Text written Column By column and Row by Row
Transmission or Vice versa
A good example of a keyless cipher using the first method is the
rail fence cipher. The ciphertext is created reading the pattern
row by row. For example, to send the message “Meet me at the
park” to Bob, Alice writes

She then creates the ciphertext “MEMATEAKETETHPR”.

3.37
 3.3.1 Continued
Example 3.23

Alice and Bob can agree on the number of columns and use the
second method. Alice writes the same plaintext, row by row, in a
table of four columns.

She then creates the ciphertext “MMTAEEHREAEKTTP”.

3.38
 3.3.1 Continued
Example 3.24

The cipher in Example 3.23 is actually a transposition cipher. The

following shows the permutation of each character in the plaintext
into the ciphertext based on the positions.

The second character in the plaintext has moved to the fifth

position in the ciphertext; the third character has moved to the
ninth position; and so on. Although the characters are permuted,
there is a pattern in the permutation: (01, 05, 09, 13), (02, 06, 10,
13), (03, 07, 11, 15), and (08, 12). In each section, the difference
between the two adjacent numbers is 4.
3.39
 3.3.2 Keyed Transposition Ciphers

3.40
 3.3.2 Continued
Example 3.25

Alice needs to send the message “Enemy attacks tonight” to Bob..

The key used for encryption and decryption is a permutation key,

which shows how the character are permuted.

The permutation yields

3.41
 Keyed columnar transposition ciphers
Example 3.26
Figure 3.21

3.42
 3-4 STREAM AND BLOCK CIPHERS

In stream cipher, encryption/decryption done one symbol

at a time.

3.43
 3.4.1 Stream Ciphers

Call the plaintext stream P, the ciphertext stream C, and

the key stream K.

Figure 3.26 Stream cipher

3.44
 3.4.1 Continued

Example 3.30
Additive ciphers can be categorized as stream ciphers in which the
key stream is the repeated value of the key. In other words, the
key stream is considered as a predetermined stream of keys or
K = (k, k, …, k). In this cipher, however, each character in the
ciphertext depends only on the corresponding character in the
plaintext, because the key stream is generated independently.

Example 3.31
The monoalphabetic substitution ciphers discussed in this chapter
are also stream ciphers. However, each value of the key stream in
this case is the mapping of the current plaintext character to the
corresponding ciphertext character in the mapping table.

3.45
 3.4.1 Continued

Example 3.32
Vigenere ciphers are also stream ciphers according to the
definition. In this case, the key stream is a repetition of m values,
where m is the size of the keyword. In other words,

Example 3.33
We can establish a criterion to divide stream ciphers based on
their key streams. We can say that a stream cipher is a
monoalphabetic cipher if the value of ki does not depend on the
position of the plaintext character in the plaintext stream;
otherwise, the cipher is polyalphabetic.
3.46
 3.4.2 block Ciphers

In a block cipher, a group of plaintext symbols of size m

(m > 1) are encrypted together creating a group of
ciphertext of the same size.
A single key is used to encrypt the whole block even if
the key is made of multiple values.
Figure 3.27 Block cipher

3.47
 3.4.2 Continued

Example 3.34
Playfair ciphers are block ciphers. The size of the block is m = 2.
Two characters are encrypted together.

3.48
 3.4.3 Combination

In practice, blocks of plaintext are encrypted

individually, but they use a stream of keys to encrypt the
whole message block by block. In other words, the cipher
is a block cipher when looking at the individual blocks,
but it is a stream cipher when looking at the whole
message considering each block as a single unit.

3.49
Claude Shannon and Substitution-
Permutation Ciphers
 in 1949 Claude Shannon introduced idea of substitution-permutation (S-P)
networks
 modern ciphers re -substitution-transposition- product cipher

 S-P networks are based on the two primitive cryptographic operations we

have seen before:
 substitution (S-box)- Each plaintext element/group of element uniquely

replaced by corresponding ciphertext/group of elements.

 permutation (P-box) – Order of elements changed

 provide confusion and diffusion of message

Confusion and Diffusion

 cipher needs to completely obscure statistical properties of original

message (all statists tics of cipher text is independent of key used.)

 a one-time pad does this

 more practically Shannon suggested combining elements to obtain:

 diffusion – dissipates statistical structure of plaintext over bulk of cipher

text
 confusion – makes relationship between ciphertext and key as complex as
possible
Feistel Cipher Structure

 Horst Feistel devised the feistel cipher

 based on concept of invertible product cipher

 partitions input block into two halves

 process through multiple rounds which

 perform a substitution on left data half based on round function of

right half & subkey
 then have permutation swapping halves

 implements Shannon’s substitution-permutation network concept

Feistel Cipher Structure
Feistel Cipher Design Principles
 block size
 increasing size improves security, but slows cipher

 key size
 increasing size improves security, makes exhaustive key searching harder, but may
slow cipher

 number of rounds
 increasing number improves security, but slows cipher

 subkey generation
 greater complexity can make analysis harder, but slows cipher

 round function
 greater complexity can make analysis harder, but slows cipher

 fast software en/decryption & ease of analysis

 are more recent concerns for practical use and testing
Feistel Cipher Systems
Conventional Encryption
Algorithms
 Data Encryption Standard (DES)
 The most widely used encryption scheme
 The algorithm is reffered to the Data
Encryption Algorithm (DEA)
 DES is a block cipher
 The plaintext is processed in 64-bit blocks
 The key is 56-bits in length

57
Data Encryption Standard
(DES)
 The algorithm has 16 rounds. Each
round has the following architecture:

Li and Ri are each

58 32-bit long strings
DES
 The overall processing at each
iteration:
 Li = Ri-1

 Ri = Li-1 F(Ri-1, Ki)


 Concerns about:
 The algorithm and the key length (56-
bits)

59
60
DES
 Before any rounds, the plaintext bits are permuted
using an initial permutation.
 Hence, at the end of the 16 rounds the inverse
permutation is applied.

The initial permutation is public knowledge

61
DES Round Structure

 uses two 32-bit L & R halves

 as for any Feistel cipher can describe as:

Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)

 takes 32-bit R half and 48-bit subkey and:

 expands R to 48-bits using perm E

 adds to subkey

 passes through 8 S-boxes to get 32-bit result

 finally permutes this using 32-bit perm P

63
 DES: Expansion Function
Added

 The 32-bits of Right

half data are
permuted and 16 of
them are repeated
twice to obtain a 48
bit string.

64
DES Round Structure

column

65
 DES: S Blocks.
 S blocks takes in as input 6-bit arguments
and outputs four bits.
 This is the substitution part of the cipher.
 Each S block has a different functionality as
defined by the corresponding tables.

66
67
68
 DES

 After substitution, the

function output is now 32
bits and it goes through a
fixed permutation.
 Thus we perform
“confusion” and
“diffusion” steps in each
round.
69
DES Decryption
 decrypt must unwind steps of data computation
 with Feistel design, do encryption steps again
 using subkeys in reverse order (SK16 … SK1)

71
Avalanche Effect
 key desirable property of encryption algorithm.

 where a change of one input or key bit results in changing approximately

half output bits


Strength of DES (cont.)

 DES exhibits a strong avalanche effect.

Advanced Encryption Standard

(AES)
 1-1 INTRODUCTION

The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the

National Institute of Standards and Technology (NIST) in December 2001.

Topics discussed in this section:

1.1.1 History

1.1.2 Criteria

1.1.3 Rounds

1.1.4 Data Units

1.1.5 Structure of Each Round

 1.1.1 History.

In February 2001, NIST announced that a draft of the Federal Information Processing Standard

(FIPS) was available for public review and comment. Finally, AES was published as FIPS 197 in

the Federal Register in December 2001.

Joan Daemen & Vincent Rijment - Rinjndael

 1.1.2 Criteria

The criteria defined by NIST for selecting AES fall into three areas:

1. Security

2. Cost

3. Implementation.
 1.1.3 Rounds.

AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12,

or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of

rounds.

Note

AES has defined three versions, with 10, 12, and 14 rounds.

Each version uses a different cipher key size (128, 192, or 256), but the round

keys are always 128 bits.

1.1.3 Continue

Figure 1.1 General design of AES encryption cipher

1.1.4 Data Units.

Figure 1.2 Data units used in AES

1.1.4 Continue

Figure 1.3 Block-to-state and state-to-block transformation

 1.1.4 Continue
Example 1.1 Continue

Figure 1.4 Changing plaintext to state

1.1.5 Structure of Each Round

Figure 1.5 Structure of each round at the encryption site

 1-2 TRANSFORMATIONS

To provide security, AES uses four types of transformations: substitution, permutation,

mixing, and key-adding.

Topics discussed in this section:

1.2.1 Substitution

1.2.2 Permutation

1.2.3 Mixing

1.2.4 Key Adding

 1.2.1 Substitution

AES, like DES, uses substitution. AES uses two invertible transformations.

SubBytes

The first transformation, SubBytes, is used at the encryption site. To substitute a byte, we interpret

the byte as two hexadecimal digits.

Note

The SubBytes operation involves 16 independent byte-to-byte transformations.

1.2.1 Continue

Figure 1.6 SubBytes transformation

1.2.1 Continue
1.2.1 Continue
 1.2.1 Continue

InvSubBytes
 1.2.1 Continue

InvSubBytes (Continued)
 1.2.1 Continue
Example 1.2

Figure 1.7 shows how a state is transformed using the SubBytes transformation. The figure also shows that

the InvSubBytes transformation creates the original one. Note that if the two bytes have the same values, their

transformation is also the same.

Figure 1.7 SubBytes transformation for Example 1.2

 1.2.2 Permutation

Another transformation found in a round is shifting, which permutes the bytes.

ShiftRows

In the encryption, the transformation is called ShiftRows.

Figure 1.9 ShiftRows transformation

 1.2.2 Continue
Example 1.4

Figure 1.10 shows how a state is transformed using ShiftRows transformation. The figure also shows that

InvShiftRows transformation creates the original state.

Figure 1.10 ShiftRows transformation in Example 1.4

 1.2.3 Mixing

We need an interbyte transformation that changes the bits inside a byte, based on the bits

inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.

Figure 1.11 Mixing bytes using matrix multiplication

1.2.3 Continue

Figure 1.12 Constant matrices used by MixColumns and InvMixColumns

 1.2.3 Continue

MixColumns

The MixColumns transformation operates at the column level; it transforms each column of the

state to a new column.

[Link]
Figure 1.13 MixColumns transformation
 1.2.3 Continue

InvMixColumns

The InvMixColumns transformation is basically the same as the MixColumns transformation.

Note

The MixColumns and InvMixColumns transformations are inverses of each

other.
 1.2.3 Continue
Example 1.5

Figure 1.14 shows how a state is transformed using the MixColumns transformation. The figure also shows

that the InvMixColumns transformation creates the original one.

Figure 1.14 The MixColumns transformation in Example 1.5

 1.2.4 Key Adding

AddRoundKey

AddRoundKey proceeds one column at a time. AddRoundKey adds a round key word with each

state column matrix; the operation in AddRoundKey is matrix addition.

Note

The AddRoundKey transformation is the inverse of itself.

1.2.4 Continue

Figure 1.15 AddRoundKey transformation

 1-3 KEY EXPANSION

To create round keys for each round, AES uses a key-expansion process. If the number of

rounds is Nr , the key-expansion routine creates Nr + 1 128-bit round keys from one single

128-bit cipher key.

Topics discussed in this section:

1.3.1 Key Expansion in AES-128

1.3.2 Key Expansion in AES-192 and AES-256

1.3.3 Key-Expansion Analysis

1-3 Continued
1.3.1 Key Expansion in AES-128

Figure 1.16 Key expansion in AES

7.104
7.105
1.3.1 Continue
 1.3.2 Key Expansion in AES-192 and AES-256

Key-expansion algorithms in the AES-192 and AES-256 versions are very similar to the key

expansion algorithm in AES-128, with the following differences:

3.108
Modes of Operation
 block ciphers encrypt fixed size blocks

 eg. DES encrypts 64-bit blocks, with 56-bit key

 need way to use in practise, given usually have arbitrary amount of

information to encrypt

 four were defined for DES in ANSI standard ANSI X3.106-1983 Modes
of Use

 subsequently now have 5 for DES and AES

 have block and stream modes

Electronic Codebook Book (ECB)

 message is broken into independent blocks which are encrypted

 each block is a value which is substituted, like a codebook, hence name

 each block is encoded independently of the other blocks

Ci = DESK1 (Pi)

 uses: secure transmission of single values

Electronic Codebook Book (ECB)
Advantages and Limitations of ECB

 repetitions in message may show in ciphertext

 if aligned with message block

 particularly with data such graphics

 or with messages that change very little, which become a code-book

analysis problem

 weakness due to encrypted message blocks being independent

 main use is sending a few blocks of data

Cipher Block Chaining (CBC)

 message is broken into blocks

 but these are linked together in the encryption operation

 each previous cipher blocks is chained with current plaintext block, hence
name

 use Initial Vector (IV) to start process

Ci = DESK1(Pi XOR Ci-1)
C-1 = IV

 uses: bulk data encryption, authentication

Cipher Block Chaining (CBC)
Advantages and Limitations of CBC
 each ciphertext block depends on all message blocks

 thus a change in the message affects all ciphertext blocks after the change as
well as the original block

 need Initial Value (IV) known to sender & receiver

 however if IV is sent in the clear, an attacker can change bits of the first
block, and change IV to compensate
 hence either IV must be a fixed value (as in EFTPOS) or it must be sent
encrypted in ECB mode before rest of message

 at end of message, handle possible last short block

 by padding either with known non-data value (eg nulls)
 or pad last block with count of pad size
 eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
Cipher FeedBack (CFB)
 message is treated as a stream of bits

 added to the output of the block cipher

 result is feed back for next stage (hence name)

 standard allows any number of bit (1,8 or 64 or whatever) to be feed back

 denoted CFB-1, CFB-8, CFB-64 etc

 is most efficient to use all 64 bits (CFB-64)

Ci = Pi XOR DESK1(Ci-1)
C-1 = IV

 uses: stream data encryption, authentication

Cipher FeedBack (CFB)
Advantages and Limitations of CFB

 appropriate when data arrives in bits/bytes

 most common stream mode

 limitation is need to stall while do block encryption after every n-bits

 note that the block cipher is used in encryption mode at both ends

 errors propogate for several blocks after the error

Output FeedBack (OFB)
 message is treated as a stream of bits

 output of cipher is added to message

 output is then feed back (hence name)

 feedback is independent of message

 can be computed in advance

Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV

 uses: stream encryption over noisy channels

Output FeedBack (OFB)
Advantages and Limitations of OFB
 used when error feedback a problem or where need to encryptions before
message is available

 superficially similar to CFB

 but feedback is from the output of cipher and is independent of message

 a variation of a Vernam cipher
 hence must never reuse the same sequence (key+IV)

 sender and receiver must remain in sync, and some recovery method is needed to
ensure this occurs

 originally specified with m-bit feedback in the standards

 subsequent research has shown that only OFB-64 should ever be used
Counter (CTR)
 a “new” mode, though proposed early on

 similar to OFB but encrypts counter value rather than any feedback value

 must have a different key & counter value for every plaintext block (never
reused)
Ci = Pi XOR Oi
Oi = DESK1(i)

 uses: high-speed network encryptions

Counter (CTR)
Advantages and Limitations of CTR

 efficiency
 can do parallel encryptions

 in advance of need

 good for bursty high speed links

 random access to encrypted data blocks

 provable security (good as other modes)

 but must ensure never reuse key/counter values, otherwise could break (cf
OFB)