Symmetric Ciphers & Block Cipher Modes

1. ECB encrypts each block independently: identical plaintext blocks → identical ciphertext blocks. This leaks patterns (famous example: ECB penguin — encrypting a bitmap preserves visual structure). Any repeated data (headers, padding, structured messages) is immediately visible. ECB provides no semantic security. Never use for more than one block.

2. CTR mode: generate keystream $K_i = E_k(\text{nonce}\|i)$ for $i=0,1,2,\ldots$. Ciphertext: $C_i = P_i \oplus K_i$. This converts a block cipher into a stream cipher: parallelizable encryption/decryption, random access to any block, no padding needed. Security relies on the block cipher being a PRF — distinct (nonce, counter) values give pseudorandom keystream blocks.

3. A nonce (number used once) ensures each encryption produces a unique keystream. In AES-GCM, nonce reuse with the same key is catastrophic: (1) XOR of two ciphertexts reveals XOR of plaintexts (stream cipher reuse). (2) The authentication key $H$ can be recovered from two messages with the same nonce (polynomial root finding over GF($2^{128}$)), allowing universal forgery. Always use unique nonces — preferably a counter or random 96-bit value.

4. Birthday paradox: after $2^{n/2}$ random $n$-bit values, a collision is likely. AES-GCM with random 96-bit nonces: collision expected after $2^{48}$ messages. At that point, nonce reuse becomes probable → catastrophic. Key rotation recommendation: re-key before $2^{32}$ encryptions (conservative) to maintain a negligible collision probability ($\sim 2^{-32}$). For high-volume applications, use deterministic nonce construction or shorter re-key intervals.