I just stumbled across a Stack Overflow post which points out that the libmcrypt library (notably used in PHP) implements a somewhat unusual set of block cipher modes: it calls the usual CFB and OFB modes, with full-block feedback, "nCFB" and "nOFB" respectively, and implements the CFB-8 mode as just "CFB".

Besides the somewhat unconventional (and potentially confusing) naming convention, there's nothing novel there. However, it turns out that libmcrypt also features an 8-bit shift register variant of OFB mode, called simply "OFB", which is described rather curiously in the documentation:

"OFB: The Output-Feedback Mode (in 8bit). This is a synchronous stream cipher implemented from a block cipher. It is intended for use in noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. Insecure (because used in 8bit mode) so it is recommended not to use it. Added just for completeness."

Ignoring the weirdness of a library supporting an encryption mode that its own developers describe as "insecure" and recommend "not to use it", I started wondering — is it really insecure?

It's well known that OFB mode keystream generation is equivalent to encrypting an all-zero message in CFB mode. Thus, if CFB-8 mode is IND-CPA secure (and it is, at least when used with a random IV), so that, in particular, the encryption of an all-zero message cannot be distinguished from a random bitstring, then neither can the XOR of this ciphertext with an arbitrary message. Doesn't that imply that this "OFB-8" mode is IND-CPA secure, too?

Ilmari Karonen

1 Answer

Actually, I think I found the answer to my question while writing it, but I'll post it anyway, since it might be interesting to others:

Yes, OFB mode is secure even with 8-bit feedback, at least as long as IVs are chosen randomly.

Specifically, in the paper "New proof for old modes" (IACR Cryptology ePrint Archive, 2008), which I've cited earlier here, Mark Wooding proves the IND-CPA security (and, in fact, a somewhat stronger security property termed ROG-CPA, for "real or garbage" indistinguishability) of both CFB-$n$ and OFB-$n$ modes for any number of feedback bits $n$, provided that either:

  1. the IVs are chosen randomly,
  2. the IVs are generated by encrypting a deterministic sequence (a "generalized counter") using the block cipher, or
  3. the IVs are directly chosen according to a deterministic sequence, and $n$ is no less than the block size of the block cipher used.

(The extra limitation on the feedback size $n$ in the case of a deterministic IV sequence is due to the fact that CFB and OFB modes using less than one cipher block of feedback have some rare "weak IVs" that can produce a low-period keystream. Presumably, a deterministic IV sequence chosen to deliberately avoid such IVs would also be safe.)

Ilmari Karonen
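An added example, not code from the question, the answer or libmcrypt, showing the two points above in runnable form: the OFB-$n$ keystream is the CFB-$n$ encryption of an all-zero message (the question's argument), and the OFB-$n$ register with $n$ below the block size can in principle cycle with a short period (the answer's "weak IV" caveat). A 64-bit toy Feistel permutation built from SHA-256 stands in for the block cipher so the code runs offline; it is a constructed stand-in, not a vetted cipher, and the key and IV below are likewise constructed.

```python
import hashlib
BLOCK = 8  # toy block cipher: 64-bit block (stand-in for a real cipher such as AES)

def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function from SHA-256; constructed for illustration, not a vetted cipher.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on one 8-byte block."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r

def cfb_encrypt(key: bytes, iv: bytes, msg: bytes, n: int = 8) -> bytes:
    """CFB with n-bit feedback (n a multiple of 8): the *ciphertext* is shifted in."""
    s, reg, out = n // 8, iv, bytearray()
    for i in range(0, len(msg), s):
        ks = toy_encrypt(key, reg)[:s]
        c = bytes(a ^ b for a, b in zip(msg[i:i + s], ks))
        out += c
        reg = (reg + c)[len(c):]  # drop the oldest bytes, append the new ciphertext
    return bytes(out)

def ofb_keystream(key: bytes, iv: bytes, length: int, n: int = 8) -> bytes:
    """OFB with n-bit feedback: the cipher *output* is shifted in, independent of the data."""
    s, reg, out = n // 8, iv, bytearray()
    while len(out) < length:
        ks = toy_encrypt(key, reg)[:s]
        out += ks
        reg = (reg + ks)[s:]
    return bytes(out[:length])

def ofb_encrypt(key: bytes, iv: bytes, msg: bytes, n: int = 8) -> bytes:
    """OFB-n encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(msg, ofb_keystream(key, iv, len(msg), n)))

def keystream_equals_cfb_of_zeros(key: bytes, iv: bytes, length: int, n: int = 8) -> bool:
    """The equivalence used in the question: OFB-n keystream == CFB-n encryption of zeros."""
    return ofb_keystream(key, iv, length, n) == cfb_encrypt(key, iv, bytes(length), n)

def ofb_register_period(key: bytes, iv: bytes, n: int = 8, limit: int = 100_000):
    """Steps until the OFB-n register returns to iv, or None if not within limit.
    A small value is the low-period 'weak IV' case the answer mentions for n < block size."""
    s, reg = n // 8, iv
    for i in range(1, limit + 1):
        reg = (reg + toy_encrypt(key, reg)[:s])[s:]
        if reg == iv:
            return i
    return None
```

With n=64 the register is simply replaced by the cipher output each step, so `ofb_keystream(..., n=64)` reduces to ordinary full-block OFB (libmcrypt's "nOFB").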