Here are the answers.
CBC does require the encryption function to be invertible because to do decryption
we need to use the inverse of the encryption function.
CFB does not, as we saw both encryption and decryption use the encryption function
in the forward direction.
This has advantages--that means there are more possible functions
that we could use for this.
We haven't seen any yet, but soon we'll talk about hash functions,
which could be used as the encryption function for cipher feedback mode.
Neither of them requires the IV to be kept secret.
One way to see this is if you look at the structure of the ciphers,
they're using the IV as though it was ciphertext block -1.
All the other ciphertext blocks are visible to the attacker.
So if you think about how it's used, it's used just like another ciphertext block.
There's no security required in keeping the IV secret.
What's important about the IV for both of these
is that it's not reused, that a unique IV is used to avoid the possibility of the same
block encrypted the same way.
The big advantage of cipher feedback mode over cipher-block chaining mode
is this ability to use small message blocks.
We can select the value of s and only encrypt the message in chunks of size s.
This means we can use this mode to turn a block cipher into a stream cipher,
where we're encrypting messages 1 byte at a time, if we wanted to do that.
It's not necessarily the best way to design a stream cipher because we're doing a lot more
work than might be necessary.
This one is maybe a little unfair to ask since we didn't talk about this,
but an important point to make is that neither of these, as we've described them,
provide any strong protection against tampering.
An attacker can modify the blocks, can move blocks around.
The decryption may or may not look like a valid decryption depending on
what the contents are,
but there's no way to easily detect that there's been tampering with either of these modes.
We'll talk about in a future class ways to provide message authentication
that would make it so you can detect when tampering happens.
The final property is that the final ciphertext blocks depend on all of the message blocks.
This is actually true for both.
This turns out to be a property that's very useful for what I'm going to talk about next,
which is cryptographic hash functions.
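
The CFB answers above, as an added Python example that is not part of the lecture: byte-at-a-time cipher feedback (s = 8) built on a keyed hash that is only ever run forward, showing that decryption needs no inverse and that a flipped ciphertext bit decrypts without any error. HMAC-SHA-256 as the forward function, the 16-byte register, and the key, IV and message are all assumptions constructed for the illustration.

```python
import hashlib
import hmac

REG_BYTES = 16  # assumed shift-register width; s = 8 bits (one byte) per step

def forward(key: bytes, register: bytes) -> bytes:
    """Keyed hash standing in for the encryption function; it has no inverse."""
    return hmac.new(key, register, hashlib.sha256).digest()

def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB with s = 8: XOR each byte with the first byte of forward(register)."""
    if len(iv) != REG_BYTES:
        raise ValueError("IV must fill the shift register")
    register, out = iv, bytearray()
    for byte in data:
        out_byte = byte ^ forward(key, register)[0]
        out.append(out_byte)
        # Feedback is always the ciphertext byte, in both directions.
        cipher_byte = byte if decrypt else out_byte
        register = register[1:] + bytes([cipher_byte])
    return bytes(out)

def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Return a copy of data with one byte XORed by mask (simulated tampering)."""
    changed = bytearray(data)
    changed[index] ^= mask
    return bytes(changed)

# Constructed sample values, not from the lecture.
KEY = b"constructed-demo-key"
IV = bytes(range(REG_BYTES))  # public, but must be unique per message
MESSAGE = b"PAY 0100 TO ALICE; remaining text of the message follows here."

def demo():
    ct = cfb8(KEY, IV, MESSAGE)
    recovered = cfb8(KEY, IV, ct, decrypt=True)
    # Decrypting modified ciphertext raises nothing: tampering goes undetected.
    tampered = cfb8(KEY, IV, flip_bit(ct, 4), decrypt=True)
    return ct, recovered, tampered

if __name__ == "__main__":
    ct, recovered, tampered = demo()
    print("round trip ok:", recovered == MESSAGE)
    print("tampered start:", tampered[:8])
    resync = 4 + REG_BYTES + 1
    print("resynchronised:", tampered[resync:] == MESSAGE[resync:])
```

The flipped bit lands in the same position of the plaintext, the next 16 bytes are garbled while the altered byte passes through the register, and everything after that decrypts normally.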
