Cryptography Reference
[Figure 4.10 diagram: key K, encryption E, ciphertext blocks C_i, C_{i+1}, C_{i+2}, plaintext blocks P_i, P_{i+1}, P_{i+2}]
Figure 4.10. Effect of a 1-bit transmission error using CFB mode
ciphertext propagates to affect two blocks of plaintext. After this, CFB mode
recovers and proceeds without further errors.
It is worth being a bit more precise about just how wrong these two affected
plaintext blocks are:
• The value C_i contains just one incorrect bit and is XORed to a correct value.
Thus the resulting incorrect P_i is in fact only incorrect in the same bit position of
the error in C_i. (Whether a 1-bit plaintext error is serious will of course depend
on the nature of the plaintext.)
• When C_i is encrypted as part of the decryption process for the incorrect P_{i+1},
the resulting 128 bits placed in the bottom register are 'very wrong'. This is
because, as discussed in Section 4.3.2, even though the erroneous C_i is only
wrong in one bit, the result of encrypting this value should be that about half
of the 128 bits in the bottom register are wrong. These are then XORed to the
correct C_{i+1}, resulting in P_{i+1} also having about half of its bits incorrect.
Assuming that all the later ciphertext blocks have no transmission errors, this
really is a good outcome and shows that CFB mode cleverly contains transmission
errors and has very limited error propagation.
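The error pattern described above can be reproduced with a short Python sketch (an added example, not taken from the book). It assumes HMAC-SHA256 truncated to 128 bits as a stand-in for the block cipher E, which is enough here because CFB mode only ever uses the encryption direction; the key, IV and plaintext blocks are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block length, as in the text

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_K (assumption: truncated HMAC-SHA256,
    # not AES). It gives the avalanche behaviour the text relies on.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, plaintext_blocks):
    register, out = iv, []
    for p in plaintext_blocks:
        c = xor(E(key, register), p)
        out.append(c)
        register = c  # ciphertext block is fed back into the register
    return out

def cfb_decrypt(key: bytes, iv: bytes, ciphertext_blocks):
    register, out = iv, []
    for c in ciphertext_blocks:
        out.append(xor(E(key, register), c))
        register = c  # the received block is fed back, even if corrupted
    return out

def bit_errors(a: bytes, b: bytes) -> int:
    # Number of bit positions in which two blocks differ
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def demo():
    # Constructed sample values; the all-zero IV is for repeatability only
    key, iv = b"constructed-key!", bytes(BLOCK)
    plain = [bytes([65 + n]) * BLOCK for n in range(5)]
    cipher = cfb_encrypt(key, iv, plain)
    i = 1  # index of the block hit by the transmission error
    damaged = list(cipher)
    damaged[i] = bytes([cipher[i][0] ^ 0x01]) + cipher[i][1:]  # flip one bit of C_i
    received = cfb_decrypt(key, iv, damaged)
    # Bit errors per recovered plaintext block: P_{i-1}, P_i, P_{i+1}, P_{i+2}, ...
    return [bit_errors(p, r) for p, r in zip(plain, received)]

if __name__ == "__main__":
    print(demo())
```

The returned list has 0 for the block before the error, 1 for P_i, roughly 64 for P_{i+1}, and 0 for every later block.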
PADDING IN CFB MODE
Another advantage of CFB mode concerns padding. Recall our earlier example
from Section 4.3.2 of a 400-bit plaintext being encrypted using a block cipher with
a 128-bit block length. If we use ECB mode then we need to split the plaintext into
four separate blocks, the last of which only contains 16 bits of our plaintext. Thus
we have to add 112 redundant padding bits to the fourth block.
 