What is the weakness of OFB in 8bit mode?

Question

I'm currently trying to understand the difference between "regular" OFB with full-block feedback and OFB with 8-bit feedback and, in this context, the difference between this two modes regarding security.

Please correct me if I am wrong: Given an example using AES256 and a blocksize of 128 bytes, the general procedure would be the following:

          IV     _____________
          |      |           |
          v      |           v
Key -> AES-256   | Key -> AES-256
          |______|           |____....
          |                  |
          v                  v
    P -> xor           P -> xor
          |                  |
          v                  v
          C                  C

With full-block feedback, I would get a 128 byte long output from the first AES block, which would then be XORed with 128 bytes of plaintext, which would result in 128 bytes of cipher text.

When using OFB in 8-bit mode, only the first 8-bit of the plaintext would be XORed with the first 8-bit from the output of the first AES block.

The main difference I can see is that it would take longer to encrypt / decrypt the plaintext since it would need more iterations, but what exactly is the problem regarding security?

The main reason for this question is this Post.

Answer 1

As explained in note 7.24 of the Handbook of Applied Cryptography, the weakness is that using less than a full block of feedback means that the algorithm will use, on average, a shorter cycle; and since OFB generates a key-dependent stream which is to be XORed with the data to encrypt, you really do not want to cycle, because that would put you in the position of the infamous two-times pad.

Now the average cycle length would still be around 2⁶⁴ bytes for a 128-bit block cipher like AES, so this should not be a really serious practical issue (2⁶⁴ bytes is still quite huge, counted in millions of terabytes). Yet this is sufficient to declare that OFB is always inferior to CTR mode. Since OFB with 8-bit feedback is also quite slower than CTR, there is no good reason to use it.