# Understanding Cryptography by Christof Paar and Jan Pelzl - Chapter 5 Solutions - Ex5.4

- 1 min- Return to index
- Exercise 5.1
- Exercise 5.2
- Exercise 5.3
- Exercise 5.4
- Exercise 5.5
- Exercise 5.6
- Exercise 5.7
- Exercise 5.8
- Exercise 5.9
- Exercise 5.10
- Exercise 5.11
- Exercise 5.12

## Exercise 5.4

Keeping the IV secret in OFB mode does not make an exhaustive key search more complex. Describe how we can perform a brute-force attack with unknown IV. What are the requirements regarding plaintext and ciphertext?

### Solution

*I haven’t yet verified this solution independently. If you spot any mistakes, please leave a comment in the Disqus box at the bottom of the page.*

For our chosen plaintext/ciphertext pairs, we can derive the keystream they were encrypted with via XOR. This means that we know what input was given to the cryptographic primitive for all blocks except the first block (since the keystream becomes the IV of the next block). This means that we can try to brute force a key that produces the keystream from the known inputs. This is completely equivalent to brute forcing a cipher in CBC mode. The IV can be derived by decrypting the first block’s keystream when you’ve reached a high degree of confidence that your brute forced key isn’t a false positive.

The reasoning behind this is the same as for Ex 5.2 - parts 3 and 4.

As with the CBC example, the complexity is exactly the same as if the IV is known, but the level of confidence is as if you have one less ciphertext/plaintext pair than you do.