Score:0

Does OFB mode have diffusion on the plaintext?

In some block modes, if we change one bit (or more) in the plaintext, the whole block/ciphertext will be changed (i.e. ECB: the block will be different; CBC: the whole ciphertext will be different). Does encryption in OFB mode diffuse the text? If we change one bit in the plaintext, will more than one bit be changed in the ciphertext?

Score:2

if we will change one bit in the plaintext, more than one bit will be changed in the ciphertext?

In Output Feedback Mode, no, it does not. Specifically, if you change one bit of the plaintext and nothing else (e.g. you don't modify the IV), then only the corresponding bit of the ciphertext will change.

Output Feedback Mode works by internally generating a bit string based on the key and the IV, and then exclusive-or's that bit string with the plaintext to form the ciphertext. Any mode that can be described in this way (another example, counter mode) will have this 'non-propagation' property.

This has two immediate implications:

  • You don't want to reuse the same (key, IV) pair to encrypt multiple messages; by xoring the ciphertexts, the attacker would recover the xor of the two plaintexts (which can tell him a lot)

  • You really want an integrity transform (e.g. a MAC) along with OFB mode. Without it, the attacker who guesses what the plaintext is can modify the ciphertext so that it decrypts to any plaintext he wants with the same length. Now, you generally do want to use an encryption method that has protection against modifications (such as a MAC or alternatively use an AEAD mode that provides such protection); it is critical with OFB.

Yotam Sofer:
What do you mean by that? "You don't want to reuse the same (key, IV) pair to encrypt multiple messages; by xoring the ciphertexts, the attacker would recover the xor of the two plaintexts (which can tell him a lot)". How will the attacker know the xor? Can you give a simple example? BTW, many thanks! I still don't have enough reputation to upvote, so thanks (:
poncho:
@YotamSofer: trivial example, suppose the plaintext of one is "Hi" (0x48 0x69); suppose it encrypts to 0x6b 0xbe. Suppose you encrypt a second plaintext "Ho" (0x48 0x6f) with the same key/IV; that'll encrypt to 0x6b 0xb8. If you compute the exclusive-or of the two ciphertexts, you get 0x00 0x06; which is precisely the same as the xor of the two plaintexts "Hi" and "Ho"
Yotam Sofer:
gotcha, many thanks!
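
The properties discussed in the answer and in the "Hi"/"Ho" comment, as an added example that is not part of the original thread: a one-bit plaintext change flips only the matching ciphertext bit, reusing a (key, IV) pair leaks the xor of the plaintexts, and an encrypt-then-MAC wrapper rejects a modified ciphertext. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher (OFB only uses the forward direction), and the keys, IV and function names are constructed for illustration.

```python
import hashlib
import hmac

def block_fn(key: bytes, block: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the block
    # cipher (it is not AES). OFB only ever uses the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

def ofb_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, state = b"", iv
    while len(out) < n:
        state = block_fn(key, state)  # O_i = E_k(O_{i-1}), with O_0 = IV
        out += state
    return out[:n]  # depends on key and IV only, never on the plaintext

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor(data, ofb_keystream(key, iv, len(data)))

def seal(enc_key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: the tag covers IV || ciphertext.
    ct = ofb_crypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: ciphertext was modified")
    return ofb_crypt(enc_key, iv, ct)

def bits_changed(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample values, for illustration only.
ENC_KEY, MAC_KEY, IV = bytes(range(16)), bytes(range(16, 48)), bytes(16)

if __name__ == "__main__":
    c1, c2 = ofb_crypt(ENC_KEY, IV, b"Hi"), ofb_crypt(ENC_KEY, IV, b"Ho")
    print("bits changed:", bits_changed(c1, c2))      # 'i' vs 'o' differ in 2 bits
    print("c1 xor c2   :", xor(c1, c2).hex())         # equals "Hi" xor "Ho"
    ct, tag = seal(ENC_KEY, MAC_KEY, IV, b"Hi")
    altered = xor(ct, xor(b"Hi", b"Ho"))              # same edit applied to the ciphertext
    print("no MAC      :", ofb_crypt(ENC_KEY, IV, altered))
    try:
        unseal(ENC_KEY, MAC_KEY, IV, altered, tag)
    except ValueError as e:
        print("with MAC    :", e)
```

The ciphertext bytes differ from the 0x6b 0xbe in the comment because the key, IV and block function here are not the ones used there; the xor of the two ciphertexts is the same 0x00 0x06.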