Cryptography Reference
In-Depth Information
Figure 5.4: Ciphertext stealing in ECB mode.
(Figure not reproduced; its labels are: ciphertext, C_n, C', DES, P_n, plaintext.)
To this end, Daeman [Daeman] developed so-called ciphertext stealing in
1995. I will explain this method only for the simple ECB mode
(Figure 5.4): the last plaintext block, P_n, is shortened; let it be 11 bits long.
We cut the left 11 bits off the last ciphertext block but one (denoted
C_n in the figure) and use them as the last ciphertext block. We append the
remaining bits (C' in Figure 5.4) to P_n on the right-hand side and obtain a
full plaintext block, and use its encryption as the last ciphertext block but one.
This means that the last, short plaintext block 'steals' some ciphertext from the
previous step, hence the name of this clever method.
With the CBC mode, ciphertext stealing is almost identical, except
that C' is not appended to P_n. It suffices to pad P_n with zero bits to the full
block length. Thanks to XORing with the previous ciphertext block ('C_n | C''
in Figure 5.4), C' nevertheless appears as if it had been appended to P_n before the
encryption.
From the programming point of view, ciphertext stealing is less cumbersome
than the simple padding mentioned at the beginning of this section: we always
have to have the last ciphertext block but one readily stored since we don't
know in advance which plaintext block will be the last one. Moreover, the
natural sequence of the ciphertext blocks is broken up in the last step.
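
The ECB variant described above, as an added example that is not from the original text. It assumes whole bytes rather than bits, and a toy 64-bit Feistel cipher built from HMAC-SHA256 standing in for DES; all function names are this example's own.

```python
import hashlib
import hmac

BLOCK = 8  # bytes; same block size as DES, but the cipher below is a stand-in

def _f(key, i, half):  # Feistel round function (assumption: HMAC-SHA256, not DES)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_cts_encrypt(key, pt):
    if len(pt) < BLOCK:
        raise ValueError("need at least one full block to steal from")
    *full, last = _split(pt)
    out = [encrypt_block(key, b) for b in full]
    d = len(last)
    if d == BLOCK:                       # nothing to steal, plain ECB
        return b"".join(out) + encrypt_block(key, last)
    head, c_prime = out[-1][:d], out[-1][d:]      # C_n = head | C'
    out[-1] = encrypt_block(key, last + c_prime)  # P_n | C' -> last block but one
    return b"".join(out) + head                   # left d bytes of C_n go last

def ecb_cts_decrypt(key, ct):
    if len(ct) < BLOCK:
        raise ValueError("ciphertext shorter than one block")
    *full, last = _split(ct)
    d = len(last)
    if d == BLOCK:
        return b"".join(decrypt_block(key, b) for b in full + [last])
    tail = decrypt_block(key, full[-1])  # recovers P_n | C'
    full[-1] = last + tail[d:]           # rebuild C_n from stolen head and C'
    return b"".join(decrypt_block(key, b) for b in full) + tail[:d]
```

The ciphertext has exactly the length of the plaintext, and the decryptor has to process the last two blocks out of their natural order.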
 