OFB mode (see Figure 2.5) is similar to CFB mode except that the quantity XORed with each plaintext block is generated independently of both the plaintext and ciphertext. An initialization vector $s_0$ is used as a "seed" for a sequence of data blocks $s_i$, and each data block $s_i$ is derived from the encryption of the previous data block $s_{i-1}$. The encryption of a plaintext block is derived by taking the XOR of the plaintext block with the relevant data block.
$c_i = m_i \oplus s_i$, $m_i = c_i \oplus s_i$, $s_i = E_k(s_{i-1})$
Figure 2.5: Output Feedback mode
Feedback widths less than a full block are not recommended for security [DP83] [Jue83]. OFB mode has an advantage over CFB mode in that any bit errors that might occur during transmission are not propagated to affect the decryption of subsequent blocks. The security considerations for the initialization vector are the same as in CFB mode.
A problem with OFB mode is that the plaintext is easily manipulated. Namely, an attacker who knows a plaintext block $m_i$ may replace it with a false plaintext block $x$ by XORing $m_i \oplus x$ to the corresponding ciphertext block $c_i$. There are similar attacks on CBC and CFB modes, but in those attacks some plaintext block will be modified in a manner unpredictable by the attacker. Yet, the very first ciphertext block (that is, the initialization vector) in CBC mode and the very last ciphertext block in CFB mode are just as vulnerable to the attack as the blocks in OFB mode. Attacks of this kind can be prevented using for example a digital signature scheme (see Question 2.2.2) or a MAC scheme (see Question 2.1.7).
The speed of encryption is identical to that of the block cipher. Even though the process cannot easily be parallelized, time can be saved by generating the keystream before the data is available for encryption.
Due to shortcomings in OFB mode, Diffie has proposed [Bra88] an additional mode of operation, termed the counter mode. It differs from OFB mode in the way the successive data blocks are generated for subsequent encryptions. Instead of deriving one data block as the encryption of the previous data block, Diffie proposed encrypting the quantity $(i + IV) \bmod 2^{64}$ for the $i$th data block, where $IV$ is some initialization vector.
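The following Python is an added worked example, not code from the original FAQ: it generates the OFB keystream $s_i = E_k(s_{i-1})$ and Diffie's counter-mode keystream $E_k((i + IV) \bmod 2^{64})$, shows that a ciphertext bit error in OFB mode corrupts only its own block, and applies the MAC check recommended above so that a manipulated ciphertext is rejected rather than decrypted. The block cipher $E_k$ is a keyed-hash stand-in, and the 64-bit block size, keys and IV are assumptions chosen for the demonstration.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, matching the 2^64 counter in the text (assumption)

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k (assumption): keyed hash truncated to one block; any real block cipher fits."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ofb_keystream(key: bytes, iv: bytes, nblocks: int):
    """s_i = E_k(s_{i-1}) with s_0 = IV: depends on neither plaintext nor ciphertext."""
    s = iv
    for _ in range(nblocks):
        s = block_encrypt(key, s)
        yield s

def ctr_keystream(key: bytes, iv: bytes, nblocks: int):
    """Diffie's counter mode: the i-th data block is E_k((i + IV) mod 2^64)."""
    iv_int = int.from_bytes(iv, "big")
    for i in range(1, nblocks + 1):
        yield block_encrypt(key, ((i + iv_int) % (1 << 64)).to_bytes(BLOCK, "big"))

def xor_with_keystream(data: bytes, keystream) -> bytes:
    """c_i = m_i XOR s_i and m_i = c_i XOR s_i: encryption and decryption coincide."""
    out = bytearray()
    for i, s in zip(range(0, len(data), BLOCK), keystream):
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], s))
    return bytes(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    return xor_with_keystream(data, ofb_keystream(key, iv, -(-len(data) // BLOCK)))

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    return xor_with_keystream(data, ctr_keystream(key, iv, -(-len(data) // BLOCK)))

def tag(mac_key: bytes, iv: bytes, ct: bytes) -> bytes:
    """MAC over IV and ciphertext, the protection the text recommends against manipulation."""
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_ofb(key: bytes, mac_key: bytes, iv: bytes, ct: bytes, t: bytes):
    """Return the plaintext only if the MAC verifies; None signals a modified ciphertext."""
    if not hmac.compare_digest(tag(mac_key, iv, ct), t):
        return None
    return ofb_crypt(key, iv, ct)

def corrupted_blocks(key: bytes, iv: bytes, msg: bytes, byte_index: int) -> list:
    """Flip one ciphertext bit and report which plaintext block numbers change on decryption."""
    ct = bytearray(ofb_crypt(key, iv, msg))
    ct[byte_index] ^= 0x01
    pt = ofb_crypt(key, iv, bytes(ct))
    return [i // BLOCK for i in range(0, len(msg), BLOCK) if pt[i:i + BLOCK] != msg[i:i + BLOCK]]
```

Because the keystream never depends on the ciphertext, `corrupted_blocks` reports exactly one block per flipped bit, whereas the same experiment in CBC or CFB mode would also disturb the following block.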