Cryptography Reference
In-Depth Information
There are also a couple disadvantages that should be kept in mind when using
a symmetric encryption system in CFB mode:
•
The major disadvantage is performance. Note that a full encryption of
n
bits
is required to encrypt only
r
bits. The impact of this disadvantage depends
on the symmetric encryption system in use and the size of
r
as compared to
the block length
n
. For example, if DES is used in CFB mode and
r
is 8 bits
(meaning that the encryption is character oriented), then the performance is
n/r
=64
/
8=8times slower than “normal” DES (whether it is operated in
the ECB or CBC mode). Consequently, there is a tradeoff to make to choose
an optimal value for
r
(and this tradeoff may depend on the application one
has in mind). Note that it is at least possible to use the
n
−
r
bits of the output
register to encrypt subsequent plaintext blocks or bits.
•
The size of
r
also influences the error propagation properties of the encryption.
Note that an incorrectly transmitted ciphertext block disturbs the decryption
process until it “falls out” of the input register. Consequently, the larger
r
is,
the fewer errors are propagated.
•
As mentioned earlier, the encryption is a simple addition modulo 2, and
the block cipher is only used to generate the key stream. This generation,
however, also depends on the ciphertext bits that are fed back into the input
register (that's why the mode is called cipher feedback in the first place).
Consequently, it is not possible to precompute the key stream.
The last point (i.e., the impossibility to precompute the key stream) is the
major difference between the CFB and the mode addressed next.
10.2.3.4
Output Feedback Mode
The
output feedback
(OFB) mode is conceptually similar to the CFB mode. As
illustrated in Figure 10.12 (and contrary to the CFB mode), the key stream is
generated independently from the ciphertext blocks in the OFB mode. This suggests
that the OFB mode has no error propagation. In some application settings, this is
advantageous, and only the OFB mode is used for this purpose. In other application
settings, the lack of error propagation is disadvantageous, and the CFB mode is used
instead. From a performance viewpoint, the OFB mode is advantageous because the
key stream can be computed independently from the plaintext or ciphertext. This
means that the key stream can be precomputed and that the encryption throughput
can be made very large.
In OFB mode, it is important to change the IV regularly (e.g., [18]). This
is particularly true if two plaintext messages are encrypted with the same key
k
.
