Cryptography Reference
requires an integer parameter $s$ such that $1 \le s \le n$, where $n$ is the block length of the cipher. The plaintext length must be a multiple of $s$, so padding may be necessary except when $s = 1$. The value of $s$ is often used in the name of the mode, so that one speaks of, e.g., the 1-bit CFB mode, the 8-bit CFB mode, or the 128-bit CFB mode.
Moreover, as in CBC mode, a random IV is used (actually, for both modes, the IV is only required in [68] to be unpredictable, and choosing it at random suffices). We denote by $\mathrm{LSB}_t$ the $t$ least significant (or rightmost) bits of a bit string, by $\mathrm{MSB}_t$ the $t$ most significant (leftmost) bits, and we use $\|$ for the concatenation of bit strings. The encryption and decryption algorithms are given in Algorithms 4.5 and 4.6.
Algorithm 4.5. CFB encryption.
Input: A message with $l$ $s$-bit blocks, $m = m_1 \cdots m_l$, and a block cipher key $k$.
Output: The ciphertext $\mathrm{Enc}(k, m) = c_1 \cdots c_l$.
Initialization: $IV \leftarrow \{0,1\}^n$, chosen at random.
Encryption:
$x_1 := IV$;
for $i$ from 1 to $l$ do
    $c_i := m_i \oplus \mathrm{MSB}_s(F_k(x_i))$;
    $x_{i+1} := \mathrm{LSB}_{n-s}(x_i) \,\|\, c_i$
end do;
return $c_1 \cdots c_l$.
Algorithm 4.6. CFB decryption.
Input: An IV, a ciphertext $c = c_1 \cdots c_l$, and a block cipher key $k$.
Output: The plaintext $\mathrm{Dec}(k, c) = m_1 \cdots m_l$.
Decryption:
$x_1 := IV$;
for $i$ from 1 to $l$ do
    $m_i := c_i \oplus \mathrm{MSB}_s(F_k(x_i))$;
    $x_{i+1} := \mathrm{LSB}_{n-s}(x_i) \,\|\, c_i$
end do;
return $m_1 \cdots m_l$.
CFB mode is CPA secure when used with a block cipher that is a pseudo-random permutation. It is easy to implement, since it does not use the block cipher decryption function, and 1-bit CFB does not require padding. But it also has drawbacks, such as the fact that a full $n$-bit block cipher evaluation is needed to encrypt only $s$ bits, so for small $s$ the throughput is only an $s/n$ fraction of that of the cipher. Moreover, CFB mode propagates errors: an erroneously transmitted ciphertext block $c_i$ affects the decryption of that block (by the flipped bits themselves) and also of the next $\lceil n/s \rceil$ blocks, which is $n/s$ when $s$ divides $n$, since the corrupted block remains in the shift register $x_{i+1}, \dots, x_{i+\lceil n/s \rceil}$ for exactly that many steps; once it has been shifted out, decryption recovers by itself. In addition, each block in the key stream depends on some bits of the previous ciphertext block, so that it is not possible to precompute the stream before encryption (decryption, on the other hand, derives every $x_i$ from the IV and the ciphertext alone).
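The following is an added example, not code from the book: a direct transcription of Algorithms 4.5 and 4.6 over an abstract $n$-bit block function $F_k$, together with a check of the error-propagation claim above. It goes a little beyond the text in that it handles any $1 \le s \le n$, including values of $s$ that do not divide $n$. All names are the example's own. The block function is a stand-in assumption: a SHA-256-based PRF replaces the block cipher so the code runs offline (CFB only ever calls $F_k$ in the forward direction, which is why this substitution does not affect the structure of the mode; it is not a real cipher). The IV is drawn uniformly from $\{0,1\}^n$ as the algorithm requires.

```python
"""Generic s-bit CFB (Algorithms 4.5 and 4.6) over an abstract n-bit block
function F_k, plus a check of the error-propagation claim.  Added example,
not the book's code."""
import hashlib
import secrets

def make_block_function(key: bytes, n: int):
    """F_k on n-bit blocks (ints), n a multiple of 8.  Assumption for an offline
    demo: a SHA-256-based PRF stands in for the block cipher.  CFB only calls
    F_k forwards, so the mode is indifferent; this is NOT a real block cipher."""
    if n <= 0 or n % 8 or not key:
        raise ValueError("n must be a positive multiple of 8 and key non-empty")

    def F(x: int) -> int:
        digest = hashlib.sha256(key + x.to_bytes(n // 8, "big")).digest()
        return int.from_bytes(digest[: n // 8], "big")

    return F

def msb(t: int, x: int, n: int) -> int:
    """MSB_t(x): the t leftmost bits of the n-bit value x."""
    return x >> (n - t)

def lsb(t: int, x: int) -> int:
    """LSB_t(x): the t rightmost bits of x."""
    return x & ((1 << t) - 1)

def feedback(n: int, s: int, x: int, c: int) -> int:
    """x_{i+1} := LSB_{n-s}(x_i) || c_i : shift s bits out, shift c_i in."""
    return (lsb(n - s, x) << s) | c

def cfb_encrypt(F, n: int, s: int, iv: int, m_blocks):
    """Algorithm 4.5; m_blocks is the list of s-bit ints m_1 ... m_l."""
    if not 1 <= s <= n:
        raise ValueError("need 1 <= s <= n")
    x, c_blocks = iv, []
    for m in m_blocks:
        c = m ^ msb(s, F(x), n)      # c_i := m_i xor MSB_s(F_k(x_i))
        c_blocks.append(c)
        x = feedback(n, s, x, c)     # next keystream block depends on c_i
    return c_blocks

def cfb_decrypt(F, n: int, s: int, iv: int, c_blocks):
    """Algorithm 4.6: same keystream and feedback; only c_i is ever fed back."""
    x, m_blocks = iv, []
    for c in c_blocks:
        m_blocks.append(c ^ msb(s, F(x), n))
        x = feedback(n, s, x, c)
    return m_blocks

def bytes_to_blocks(data: bytes, s: int):
    """Split data into s-bit blocks; the bit length must be a multiple of s
    (the padding requirement in the text), which always holds for s = 1 or 8."""
    nbits = 8 * len(data)
    if nbits % s:
        raise ValueError("plaintext length is not a multiple of s bits; pad first")
    v, mask = int.from_bytes(data, "big"), (1 << s) - 1
    return [(v >> (nbits - (i + 1) * s)) & mask for i in range(nbits // s)]

def blocks_to_bytes(blocks, s: int) -> bytes:
    v = 0
    for b in blocks:
        v = (v << s) | b
    return v.to_bytes((s * len(blocks) + 7) // 8, "big")

def registers(n: int, s: int, iv: int, c_blocks):
    """x_1 ... x_l as the decryptor derives them: a function of the IV and the
    ciphertext only, never of F_k or the plaintext."""
    xs, x = [], iv
    for c in c_blocks:
        xs.append(x)
        x = feedback(n, s, x, c)
    return xs

def affected_blocks(n: int, s: int, iv: int, c_blocks, j: int):
    """Flip the rightmost bit of c_j and return the indices i whose register
    x_i (hence keystream block) changes: by the feedback rule exactly
    j+1, ..., j+ceil(n/s).  Block j itself is off by the flipped bit only,
    and everything after the window decrypts correctly again."""
    bad = list(c_blocks)
    bad[j] ^= 1
    pairs = zip(registers(n, s, iv, c_blocks), registers(n, s, iv, bad))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

def demo(n: int = 128, s: int = 8):
    key = secrets.token_bytes(16)                            # constructed key
    iv = int.from_bytes(secrets.token_bytes(n // 8), "big")  # IV <- {0,1}^n
    F = make_block_function(key, n)
    m = bytes_to_blocks(b"CFB feedback demo, constructed sample plaintext", s)
    c = cfb_encrypt(F, n, s, iv, m)
    assert cfb_decrypt(F, n, s, iv, c) == m
    hit = affected_blocks(n, s, iv, c, 3)
    print(f"s={s}: a flipped bit in c_3 garbles keystream blocks {hit[0]}..{hit[-1]}")
    return hit

if __name__ == "__main__":
    demo()
```

Running `demo()` with the defaults ($n = 128$, $s = 8$) reports that a single flipped bit in $c_3$ disturbs the keystream for blocks 4 through 19, i.e. the next $n/s = 16$ blocks; with $s = 24$ the window is $\lceil 128/24 \rceil = 6$ blocks, and with $s = n$ it is exactly one block, since then $x_{i+1} = c_i$. The `registers` helper makes the precomputation remark concrete: the decryptor can derive every $x_i$ from the IV and the ciphertext before touching $F_k$, while the encryptor cannot, because $x_{i+1}$ contains $c_i$ and therefore $m_i$.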