Which mode of operation is simple but vulnerable to padding-oracle attacks?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

The mode of operation known to be simple yet vulnerable to padding-oracle attacks is Cipher Block Chaining (CBC). This vulnerability arises from how CBC handles padding at the end of the ciphertext. In CBC mode, if the padding is not properly validated, an attacker can conduct a padding-oracle attack, where they exploit the error messages returned by the decryption process to learn about the validity of padding. By making careful modifications to the ciphertext and observing the responses from the decryption application, the attacker can gradually decipher the plaintext or manipulate it without needing to know the encryption key.

Additionally, CBC requires the use of an Initialization Vector (IV) for each encryption operation to ensure that identical plaintexts yield different ciphertexts. While this adds a layer of security, it means that any weaknesses in padding can lead to practical attack vectors. The simplicity of CBC in terms of implementation is also a factor; while it is straightforward, its susceptibility to specific attacks underscores the importance of not only using strong algorithms but also understanding the correct use of modes of operation and ensuring proper validation of encryption results.

Other modes like AES, Galois/Counter Mode (GCM), and ChaCha do not share this vulnerability to padding-oracle attacks, especially GCM, which
