2

I was wondering if CFB can be better than OFB in any ways. I would like to know in what cases one would use CFB over OFB.

tgwtdt

3 Answers

6

The only reason I can imagine why one would prefer CFB over OFB or CTR is error propagation. Another reason may be technical issues with the reliability of the transmission line.

This comes from the fact that if you flip a single bit in an OFB ciphertext then you only get the same bit flipped in the underlying plaintext. But if you flip a single bit in CFB mode, you get the bit flipped in the plaintext and get the following block to decrypt to gibberish. So there's a larger chance of you detecting a manipulation of the ciphertext because the effect on the plaintext is bigger.

However the above reason stems from the dark ages of cryptography, where authenticated encryption was usually done ad-hoc or not at all, so people actually relied on these error propagation properties. These days, using anything but CTR is pointless, because CTR allows very nicely for SIMD parallelization and error propagation as a property is kinda irrelevant because the authentication tag will catch any modifications.

SEJPM
2

Advantages of CFB over OFB:

  1. Ability to parallelize decryption, and hence it has better performance.
  2. Ability to do random read access during decryption. There is no need to calculate all previous (expensive) steps to decrypt some part of the information.
  3. Presence of error propagation, though it lasts only for some parts of the message. In my opinion, it's not a big advantage.

Advantages of OFB over CFB:

  1. Ability to calculate almost all the work in advance and perform only xor with cipher text.
  2. Absence of error propagation.

backdround
0

CFB allows random access. I can start decrypting at any offset, because all the information I need to decrypt a block is the encryption key, the IV, the encrypted block itself and the next encrypted block. With OFB I have to calculate all values up to the block I want to decrypt, even though I don't care for anything in between and won't ever decrypt it.

And contrary to what people keep claiming, it's not always better to use CTR. Either form of chaining is only secure if you never use the same key and same IV for different data. In the case of CBC, CFB, or OFB, as long as this is guaranteed for the first block of data, it is pretty much guaranteed for the entire chain (at least until you encrypt so much data that you run into birthday attacks). In the case of CTR, though, every block is like a chain of its own; that means you must ensure this condition is true for every single block, and if you cannot guarantee that, you cannot guarantee that your CTR encryption will be secure. This is easy to do if you are encrypting data that naturally has a higher-level block structure with block numbering (like when encrypting file data blocks for an encrypted file system, one of the first major uses for CTR), but it's nowhere near as easy when encrypting a stream of data of unknown length and with no higher-level structure and with no history on previous key and IV data.

Mecki
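The error-propagation behaviour from the first answer and the CFB random-access decryption from the last one can be checked with a short script. This is an added example, not code from any of the answers. It assumes a stand-in block function `E` (truncated HMAC-SHA256, not AES), which is enough here because CFB and OFB only use the cipher's forward direction; the key, IV and plaintext are constructed sample values.

```python
import hashlib, hmac

BLOCK = 16  # block size in bytes

def E(key, block):
    # Assumption: truncated HMAC-SHA256 stands in for the block cipher (not AES).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ofb(key, iv, data):
    # Keystream depends only on key and IV, so encryption and decryption are identical.
    out, s = b"", iv
    for blk in blocks(data):
        s = E(key, s)
        out += xor(blk, s)
    return out

def cfb_encrypt(key, iv, pt):
    out, prev = b"", iv
    for blk in blocks(pt):
        prev = xor(blk, E(key, prev))  # ciphertext block feeds the next step
        out += prev
    return out

def cfb_decrypt_block(key, iv, ct, j):
    # Random access: block j needs only ciphertext block j-1 (or the IV) and block j.
    prev = iv if j == 0 else ct[(j - 1) * BLOCK:j * BLOCK]
    return xor(ct[j * BLOCK:(j + 1) * BLOCK], E(key, prev))

def cfb_decrypt(key, iv, ct):
    return b"".join(cfb_decrypt_block(key, iv, ct, j) for j in range(len(blocks(ct))))

def damaged_blocks(decrypt, key, iv, ct, pt, pos):
    # Flip one ciphertext bit at byte `pos`; return indices of changed plaintext blocks.
    tampered = bytearray(ct)
    tampered[pos] ^= 0x01
    got = decrypt(key, iv, bytes(tampered))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(got))) if a != b]

# Constructed sample input: four 16-byte blocks "AAAA...", "BBBB...", ...
KEY, IV = b"k" * 16, b"\x00" * 16
PT = b"".join(bytes([65 + i]) * BLOCK for i in range(4))
OFB_CT, CFB_CT = ofb(KEY, IV, PT), cfb_encrypt(KEY, IV, PT)

if __name__ == "__main__":
    print("OFB damaged blocks:", damaged_blocks(ofb, KEY, IV, OFB_CT, PT, 16))
    print("CFB damaged blocks:", damaged_blocks(cfb_decrypt, KEY, IV, CFB_CT, PT, 16))
```

Neither mode detects the change by itself; the script only shows how far the damage spreads in the recovered plaintext.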