Cryptography Reference
In-Depth Information
only 8 bits of ciphertext. These 8 bits of ciphertext are then fed back into the top
register. Because they are not sufficient to replace the current contents of the top
register, they are instead inserted into one end of the top register and the existing
entries are shifted along, with the 8 furthest bits dropping out altogether.
This reduced feedback CFB mode has a significant advantage for certain types
of application. For example, if we are processing 8-bit ASCII characters that are
being input into a secure terminal then we can encrypt the characters immediately
and do not have to wait until a full block (128 bits in our example) of data has
been entered at the terminal. This reduces the time the input data spends sitting
in unencrypted form in an input register.
IMPACT OF TRANSMISSION ERRORS IN CFB MODE
Recall that CFB mode deliberately incorporates message dependency in order to
overcome the weakness of ECB mode. One possible disadvantage of making the
encryption of one plaintext block dependent on the entire preceding encryption
process is that transmission errors could propagate. For example, if one ciphertext
bit gets changed from1 to 0 during transmission then clearly the decryption of that
ciphertext block will be incorrect. However, it might seem inevitable that (because
of the feedback process) all subsequent ciphertext blocks will also be decrypted
wrongly. We are about to see just how clever the design of CFB mode is.
Suppose that we are using CFB mode as depicted in Figure 4.9 using a block
cipher with a block size of 128. Suppose also that a 1-bit transmission error occurs
in ciphertext block
C
i
, but that all previous ciphertext blocks are received correctly.
Clearly all the previous plaintext blocks
P
1
up to
P
i
−
1
are unaffected, since they
were recovered prior to
C
i
arriving. The situation when the erroneous block
C
i
is
processed is depicted in Figure 4.10.
1. When
C
i
is received, the current content of the bottom register consists of the
encryption of
C
i
−
1
and is therefore correct, since
C
i
−
1
was received correctly.
However, when the correct contents of the bottom register are added to the
incorrect ciphertext block
C
i
, the resulting plaintext block
P
i
is incorrect.
2. The incorrect
C
i
is now fed back into the top register. This incorrect value is
encrypted and then placed in the bottom register. The bottom register thus
now contains an incorrect value. When the next correct ciphertext block
C
i
+
1
is received, it is XORed to the incorrect contents of the bottom register. The
result is another incorrect plaintext block
P
i
+
1
.
3. The correct
C
i
+
1
is now fed back into the top register. This correct value is
encrypted and then placed in the bottom register. The bottom register thus
now contains a correct value. When the next correct ciphertext block
C
i
+
2
is
received, it is XORed to the correct contents of the bottom register. The result
is a correct plaintext block
P
i
+
2
.
4. The error has now worked its way out of the system and, assuming that
subsequent ciphertext blocks do not contain transmission errors, the remaining
plaintext blocks will be recovered correctly. We thus see that a 1-bit error in the
