Output feedback mode

from Wikipedia, the free encyclopedia

Output feedback mode (OFB) is a mode of operation for block ciphers. It uses a block algorithm such as the Data Encryption Standard (block length 64 bits) or the Advanced Encryption Standard (block length 128 bits) to build a (synchronous) stream cipher.

[Figure: OFB encryption]

In this mode, as shown in the figure, the output of the block cipher is combined bit by bit with the plaintext using XOR (exclusive OR) to form the ciphertext. This procedure results in a stream cipher. The output of the block cipher is fed back to its input, so that a continuous stream of cipher output blocks is created. Only as many bits as necessary are used for combining with the plaintext; this does not have to correspond to a full block length. The bit stream is pseudo-random because it depends on the block cipher, the key and the initialization vector. This is why the scheme is also known as a pseudo one-time pad. As in cipher block chaining mode, the initialization vector can be seen as a start value and is independent of the selected (secret) key.

One of the advantages is that the bit sequence with which the plaintext is XORed bit by bit can be calculated in advance. Furthermore, with OFB, as with all stream ciphers, transmission errors (bit errors) in the ciphertext affect only the corresponding bit position in the decrypted plaintext, and the error does not propagate. In other operating modes, a single bit error in the ciphertext results in at least one completely destroyed plaintext block, which makes forward error correction difficult or impossible in those modes. On the other hand, the fact that the resulting bit errors in the plaintext are predictable can be used to falsify messages without being noticed.

Another advantage of the method is that no separate decryption function is necessary, because encryption and decryption are identical. In addition, only the encryption direction of the block algorithm (or only the decryption direction) is required. The construction even allows functions that are not bijective to serve as the block algorithm. For example, a secure hash function such as SHA-256 could be used as the block algorithm. The block size would then be the output size of the hash function, i.e. 256 bits for SHA-256.

[Figure: OFB decryption]

A disadvantage of OFB is the complex synchronization of the block ciphers between sender and receiver, since OFB, in contrast to cipher feedback mode (CFB), is in principle not self-synchronizing. The block cipher at the receiver is operated exactly as for encryption, as shown in the figure above: with the same initialization vector and the same key it generates the same binary data sequence, with which the XOR operation of the sender can be reversed. The precise timing required for this must be ensured in the transmission protocols using suitable procedures.

If several messages are encrypted with the same key, a different initialization vector must be used for each message; otherwise the same keystream is generated. In that case the method is susceptible to a simple attack in which two ciphertexts are XORed. The (identical) keystreams used for encryption cancel out, and the result is the XOR of the two plaintexts, from which the plaintexts can easily be determined. If the plaintext of even one message is known, a known-plaintext attack can be carried out: XORing plaintext and ciphertext yields the keystream used, which decrypts the corresponding sections of the other messages.
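Added example (not part of the original article): a small OFB construction that shows the single-bit error behaviour and the effect of reusing an initialization vector described above. It assumes HMAC-SHA256 as the keyed, non-bijective block function; the function names, key, IVs and messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 32  # bytes; block size = SHA-256 output size

def keystream(key, iv, n):
    """O_0 = IV, O_i = F(key, O_{i-1}); return the first n bytes."""
    state, out = iv, b""
    while len(out) < n:
        # Assumption: F is HMAC-SHA256 (keyed, one-way, not bijective).
        state = hmac.new(key, state, hashlib.sha256).digest()
        out += state
    return out[:n]  # only as many bytes as the message needs

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_crypt(key, iv, data):
    """Encryption and decryption are the same operation."""
    return xor(data, keystream(key, iv, len(data)))

def demo():
    # All keys, IVs and messages below are constructed sample values.
    key = b"constructed demo key"
    iv1, iv2 = b"\x01" * BLOCK, b"\x02" * BLOCK
    p1 = b"PAY 0100 EUR TO ALICE, REF 7731"
    p2 = b"meeting moved to 14:30, room B2"
    c1 = ofb_crypt(key, iv1, p1)
    # 1. One flipped ciphertext bit flips exactly that plaintext bit.
    damaged = bytearray(c1)
    damaged[4] ^= 0x01
    garbled = ofb_crypt(key, iv1, bytes(damaged))
    changed = [i for i in range(len(p1)) if garbled[i] != p1[i]]
    # 2. Same key, same IV: keystream cancels in c1 XOR c2, so a known
    #    p1 yields p2.
    reused = xor(xor(c1, ofb_crypt(key, iv1, p2)), p1)
    # 3. Fresh IV per message: the same computation recovers nothing.
    fresh = xor(xor(c1, ofb_crypt(key, iv2, p2)), p1)
    return {
        "roundtrip_ok": ofb_crypt(key, iv1, c1) == p1,
        "changed_positions": changed,
        "garbled": garbled,
        "iv_reuse_leaks_p2": reused == p2,
        "fresh_iv_leaks_p2": fresh == p2,
    }

if __name__ == "__main__":
    print(demo())
```

The altered message still decrypts to well-formed text, which is why OFB ciphertexts need a separate integrity check such as a MAC over IV and ciphertext.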
