OFB

Output Feedback Mode

Security
Introduced in Rel-8
A mode of operation for a block cipher, standardized by 3GPP for cryptographic algorithms. In OFB mode, the cipher is used to generate a keystream, which is then XORed with the plaintext to produce ciphertext. It turns a block cipher into a synchronous stream cipher, useful for encrypting data where bit errors should not propagate.

Description

Output Feedback (OFB) mode is a cryptographic mode of operation specified within 3GPP technical specifications for use with defined block cipher algorithms. It is detailed in security specification series such as 35.205 (for 3GPP algorithms) and 35.909 (for LTE security algorithms). OFB mode transforms a block cipher (like the 3GPP-defined Kasumi or SNOW 3G-based algorithms) into a synchronous stream cipher. Its core operation involves using the block cipher's encryption function not directly on the data, but on an internal state register to generate a pseudorandom keystream block.

The mechanism works as follows: An initialization vector (IV) is loaded into a shift register. The block cipher encrypts the contents of this register. The resulting output block forms the keystream for that iteration. This keystream block is then XORed with a block of plaintext to produce the corresponding block of ciphertext. Crucially, the output keystream block is also fed back to become the input for the next encryption operation (hence 'Output Feedback'), after the register is shifted. This process repeats for each subsequent block of data. A critical characteristic is that the encryption of the feedback register is independent of the plaintext or ciphertext; it depends only on the key and the previous output.

Within 3GPP systems, OFB mode's primary role has been in the specification of cryptographic algorithm design and testing, rather than as a directly used cipher mode in the radio protocol stack. For instance, it is used in the design and evaluation of the underlying cryptographic primitives. Its properties are analyzed to ensure algorithm strength. The synchronous stream cipher nature of OFB means a bit error in transmission causes a bit error in the decrypted plaintext at the same position, without error propagation. This can be desirable in certain real-time communication contexts, though 3GPP's primary air interface ciphering modes (like UEA1, UEA2 for UMTS or EEA for LTE) typically use other modes like Counter Mode (CTR) or specific stream cipher constructions.

Purpose & Motivation

OFB mode was incorporated into 3GPP specifications to provide a standardized, well-understood cryptographic construct for use within the design and analysis of the suite of 3GPP security algorithms. Its purpose is not necessarily as the primary encryption mode for user data over the air, but as a component within the broader cryptographic toolkit. It serves as a reference mode for algorithm testing, validation, and for constructing more complex cryptographic operations if needed.

The historical motivation for including various modes like OFB stems from the need for rigorous security evaluation. When 3GPP develops a new cipher (e.g., for 4G or 5G), its core block cipher or transformation is tested in recognized modes like OFB, CBC, and CTR to assess its cryptographic properties (e.g., randomness, diffusion) under different scenarios. This comprehensive analysis ensures the algorithm's robustness before it is deployed in the more complex, tailored modes used for actual air interface encryption (like AES in CTR mode for 5G).

OFB mode specifically addresses a scenario requiring a synchronous stream cipher. Compared to Cipher Block Chaining (CBC) mode, OFB does not cause error propagation, which can be important for real-time services where retransmission is not feasible. However, its requirement for strict synchronization and the risk of keystream reuse if IVs are repeated led 3GPP to favor other modes like CTR for mainstream use. Thus, OFB's role is primarily one of cryptographic design assurance and completeness within the 3GPP security specification portfolio.

Key Features

  • Turns a block cipher into a synchronous stream cipher
  • Generates a keystream independent of plaintext/ciphertext data
  • Uses the output of the cipher encryption as feedback for next keystream block
  • Decryption uses an identical keystream generator, XORing with ciphertext
  • Bit errors in ciphertext cause isolated bit errors in plaintext (no propagation)
  • Requires a unique Initialization Vector (IV) for each session to avoid keystream reuse

Evolution Across Releases

Rel-8 Initial

Initial inclusion of OFB mode definitions in 3GPP security algorithm specifications such as 35.205 and 35.909. Established OFB as a standardized mode of operation for the testing and specification of 3GPP cryptographic algorithms, providing a reference for algorithm design evaluation.

TS 35.205TS 35.909

Defining Specifications

SpecificationTitle
TS 35.205 3GPP TR 35.205
TS 35.909 3GPP TR 35.909