librelist archives

OFB, CFB modes

From: Yuri Nahum
Date: 2013-01-15 @ 09:29
Hey Guys,
I think you all know the OFB or CFB modes for block ciphers. My problem 
is that sometimes in the definition there is a shift register and not 
all bits are XORed with the plaintext, but just j of them. At other 
times there is no such thing.
For example, in Wikipedia and Cryptography Engineering by Schneier 
there is no shift register. In Applied Cryptography by Schneier and 
the Handbook of Applied Cryptography by Vanstone, Menezes and van Oorschot, 
there is a shift register.

Does the shift add any security-relevant attributes, or is it just there 
so that developers can more easily drop some bugs? Which is the 
"correct" version, if there is such a thing?

All the Best
Yuri

Re: [remailer] OFB, CFB modes

From: Tom Ritter
Date: 2013-01-15 @ 12:33
On 1/15/2013 4:29 AM, Yuri Nahum wrote:
> Hey Guys,
> I think you all know the OFB or CFB modes for block ciphers. My problem 
> is that sometimes in the definition there is a shift register and not 
> all bits are XORed with the plaintext, but just j of them. At other 
> times there is no such thing.
> For example, in Wikipedia and Cryptography Engineering by Schneier 
> there is no shift register. In Applied Cryptography by Schneier and 
> the Handbook of Applied Cryptography by Vanstone, Menezes and van Oorschot, 
> there is a shift register.

Yes.  In the NIST pub this is referred to as the "Segment Size", denoted by s.  

> Does the shift add any security-relevant attributes, or is it just there 
> so that developers can more easily drop some bugs? Which is the 
> "correct" version, if there is such a thing?

As I understand it, it is basically a customizable parameter that can be 
tweaked for specific implementations.  Choosing your segment size can 
eliminate the need for padding to the end of a block, since the block 
size is now in your control.  As an example of this, both PyCrypto and 
mcrypt (PHP) operate with an 8-bit segment size, so they can encrypt any 
number of bytes without requiring padding, since the input will always be 
a multiple of 1 byte.  I don't know if there's a 'most common' or 
'correct' version.  I remember seeing a segment size of 128 (to match the 
block ciphers it was implemented with) and obviously 8.

My understanding may be wrong.  You may also want to ask on the randombit 
crypto mailing list.  Remember to authenticate your ciphertext!

-tom
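The segment-size parameter discussed in the thread, as an added example that is not code from either message nor from PyCrypto or mcrypt: a Go implementation of CFB with an s-bit segment over the standard library's AES, following the shift-register description in NIST SP 800-38A section 6.3 (s is restricted to whole bytes here, so the register shifts by bytes). Run with s = 128 it reproduces crypto/cipher's full-block CFB byte for byte, which is why the "no shift register" textbook description and the shift-register one are the same mode at s = b. Run with s = 8 it encrypts a message of any byte length without padding, and at s = 128 the same message is rejected because it is not a whole number of segments. The key, IV and two-block plaintext are the AES-128 values from SP 800-38A appendix F; the five-byte message is constructed for the demonstration. (SP 800-38A defines the segment size for CFB only; its OFB is full-block.)

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// cfbSegment runs s-bit CFB (NIST SP 800-38A section 6.3) with s = 8*segBytes
// over any cipher.Block with block size b bytes. Per segment j:
//   O_j     = E_K(I_j)               encrypt the shift register
//   C_j     = P_j XOR MSB_s(O_j)     use only the first s bits of the output
//   I_{j+1} = LSB_{b-s}(I_j) || C_j  shift left by s bits, feed back C_j
// Decryption generates the same O_j; the feedback is always the ciphertext
// segment, which on decryption is the input rather than the output.
func cfbSegment(block cipher.Block, iv, data []byte, segBytes int, encrypt bool) ([]byte, error) {
	b := block.BlockSize()
	if len(iv) != b {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", b, len(iv))
	}
	if segBytes < 1 || segBytes > b {
		return nil, fmt.Errorf("segment size %d bytes is outside 1..%d", segBytes, b)
	}
	// The padding trade-off: the input must be a whole number of segments.
	if len(data)%segBytes != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the %d-byte segment", len(data), segBytes)
	}
	reg := make([]byte, b) // shift register I_j, initialised with the IV
	copy(reg, iv)
	ks := make([]byte, b) // output block O_j
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += segBytes {
		block.Encrypt(ks, reg)
		in := data[off : off+segBytes]
		o := out[off : off+segBytes]
		for i := range in {
			o[i] = in[i] ^ ks[i] // only MSB_s(O_j) is used; the remaining bytes are discarded
		}
		fb := o // ciphertext segment: our output when encrypting...
		if !encrypt {
			fb = in // ...the input when decrypting
		}
		copy(reg, reg[segBytes:])  // drop the oldest s bits (copy handles the overlap)
		copy(reg[b-segBytes:], fb) // append the ciphertext segment
	}
	return out, nil
}

func mustHex(s string) []byte {
	v, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return v
}

func newAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// AES-128 key, IV and the first two plaintext blocks from NIST SP 800-38A appendix F.
var (
	nistKey = mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	nistIV  = mustHex("000102030405060708090a0b0c0d0e0f")
	nistPT  = mustHex("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51")
)

// cfb128MatchesStdlib reports whether the shift-register CFB with s = 128 bits
// produces the same bytes as Go's cipher.NewCFBEncrypter, which implements the
// full-block description without an explicit shift register.
func cfb128MatchesStdlib(key, iv, pt []byte) bool {
	ours, err := cfbSegment(newAES(key), iv, pt, 16, true)
	if err != nil {
		return false
	}
	ref := make([]byte, len(pt))
	cipher.NewCFBEncrypter(newAES(key), iv).XORKeyStream(ref, pt)
	return bytes.Equal(ours, ref)
}

func main() {
	fmt.Println("CFB-128 matches crypto/cipher:", cfb128MatchesStdlib(nistKey, nistIV, nistPT))
	msg := []byte("hello") // constructed 5-byte message, not a multiple of the AES block
	ct, err := cfbSegment(newAES(nistKey), nistIV, msg, 1, true) // CFB-8: no padding needed
	if err != nil {
		panic(err)
	}
	pt, _ := cfbSegment(newAES(nistKey), nistIV, ct, 1, false)
	fmt.Printf("CFB-8 ciphertext %x decrypts to %q\n", ct, pt)
	if _, err := cfbSegment(newAES(nistKey), nistIV, msg, 16, true); err != nil {
		fmt.Println("CFB-128 on the same 5 bytes:", err) // this is where padding would be required
	}
}
```

Note that every segment still costs one full block-cipher call, so CFB-8 performs sixteen AES encryptions per sixteen bytes where CFB-128 performs one; the smaller segment buys byte granularity, not speed. Neither variant authenticates anything, which is the point of the closing reminder in the reply above.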