Algorithm 4.8. OFB decryption.
Input: An IV, a ciphertext $c = c_1 \ldots c_l$, and a block cipher key $k$.
Output: The plaintext $\mathrm{Dec}(k, c) = m_1 \ldots m_l$.
Key Stream Computation:
    $r_0 := IV$;
    for $i$ from 1 to $l$ do
        $r_i := F_k(r_{i-1})$
    end do;
Decryption:
    for $i$ from 1 to $l$ do
        $m_i := c_i \oplus r_i$
    end do;
    return $m_1 \ldots m_l$.
$t \le n$ which, in this case, is Xor-ed with the partial block formed by the first $t$ bits of $r_l$. We also remark that there is a variant of OFB mode in which, if $n$ is the block size of the underlying block cipher, a shorter block length $t < n$ is specified (often $t = 1$ or $t = 8$) and encryption and decryption proceed as indicated above except that, for $i > 0$, the $i$th block in the keystream consists of the first $t$ bits of $r_i$.
As already mentioned, in OFB mode the IV must be a nonce, i.e., different for each encryption. If the same IV is used for another encryption with the same key then the same key stream would be obtained. This would allow an adversary to obtain a lot of information about plaintexts by simply Xor-ing the $i$th ciphertext blocks of both encryptions, because in this case $c_i \oplus c_i' = (r_i \oplus m_i) \oplus (r_i \oplus m_i') = m_i \oplus m_i'$. Thus the adversary would know the result of Xor-ing two plaintext blocks and the attack described in [64] would be applicable. Moreover, an adversary who knows a plaintext block, say $m_i$, can easily find $r_i$ by computing $c_i \oplus m_i = (m_i \oplus r_i) \oplus m_i = r_i$ and, if the same IV is used again, the adversary would know $r_i$ and would be able to decrypt the $i$th ciphertext block of the new message.
One disadvantage of CBC and CFB modes is, as we have seen, error propagation.
Another is that these modes are not really adequate for applications in which real-time
encryption/decryption is required, because applying $F_k$ is usually too costly
for real time. OFB mode addresses these disadvantages because the key stream is
generated independently from the ciphertext blocks. On the one hand, this implies
that there is no error propagation, since an error in the transmission of a ciphertext
block affects only that particular block, a characteristic that makes this mode suitable
for transmissions through very noisy channels (such as, for example, transmissions
from satellites). On the other hand, the key stream may be precomputed prior to
ciphertext transmission and only the Xor operation—which is very fast—must be
carried out during the encryption/decryption process, making the mode suitable for
real-time applications.
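Algorithm 4.8, the IV-reuse remark and the precomputation/no-propagation properties above, as an added Python example (not the book's code). It assumes a keyed BLAKE2b as a stand-in for the block cipher $F_k$ (OFB never inverts $F_k$, so any pseudorandom function serves the demonstration), works in bytes rather than bits, and treats a short final block as the $t < n$ case.

```python
import hashlib
from typing import List

BLOCK = 16  # block size n, in bytes (128 bits)


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption: a keyed BLAKE2b used as
    a PRF; OFB never inverts F_k, so a pseudorandom function suffices here)."""
    return hashlib.blake2b(x, key=k, digest_size=BLOCK).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(k: bytes, iv: bytes, l: int) -> List[bytes]:
    """r_0 := IV; r_i := F_k(r_{i-1}).  Depends only on (k, IV), never on the
    ciphertext, so it can be precomputed before any data arrives."""
    r, blocks = iv, []
    for _ in range(l):
        r = F(k, r)
        blocks.append(r)
    return blocks


def ofb(k: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same map: m_i := c_i XOR r_i.
    A short final block of t < n bits is XORed with the first t bits of r_l."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    ks = keystream(k, iv, len(chunks))
    return b"".join(xor(c, r[:len(c)]) for c, r in zip(chunks, ks))


def iv_reuse_leak(k: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    """What a passive observer learns when (k, IV) is reused for two messages:
    c_i XOR c'_i = m_i XOR m'_i, the XOR of the two plaintexts."""
    return xor(ofb(k, iv, m1), ofb(k, iv, m2))


def recover_keystream(c: bytes, m: bytes) -> bytes:
    """Known plaintext: c_i XOR m_i = r_i.  With a repeated IV the same r_i
    decrypts the i-th block of every later message under that key."""
    return xor(c, m)


if __name__ == "__main__":
    k, iv = b"\x01" * 16, bytes(range(16))  # constructed sample key and IV
    m = b"The quick brown fox jumps over the lazy dog."  # 3 blocks, last partial
    assert ofb(k, iv, ofb(k, iv, m)) == m
    print("round trip OK; reused IV leaks", iv_reuse_leak(k, iv, m[:16], m[16:32]).hex())
```

Flipping one ciphertext byte and decrypting shows the no-propagation property: only the block containing the flipped byte comes out wrong.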
OFB mode has good security properties as it can also be shown to be CPA secure
if the IV is randomly chosen and the underlying block cipher is a pseudo-random