Ciphertext stealing
==General characteristics==
Ciphertext stealing is a technique for encrypting [[plaintext]] using a block cipher, without [[Padding (cryptography)|padding]] the message to a multiple of the block size, so the ciphertext is the same size as the plaintext.

It does this by altering processing of the last two blocks of the message. The processing of all but the last two blocks is unchanged, but a portion of the ''second''-to-last block's ciphertext is "stolen" to pad the last plaintext block. The padded final block is then encrypted as usual.

The final ciphertext, for the last two blocks, consists of the partial penultimate block (with the "stolen" portion omitted) plus the full final block, which are the same size as the original plaintext.

Decryption requires decrypting the final block first, then restoring the stolen ciphertext to the penultimate block, which can then be decrypted as usual.

In principle any block-oriented [[block cipher mode of operation]] can be used, but stream-cipher-like modes can already be applied to messages of arbitrary length without padding, so they do not benefit from this technique. The common [[block cipher mode of operation|modes of operation]] that are coupled with ciphertext stealing are [[Block cipher mode of operation#ECB|Electronic Codebook]] (ECB) and [[Block cipher mode of operation#CBC|Cipher Block Chaining]] (CBC).

Ciphertext stealing for ECB mode requires the plaintext to be longer than one [[block size (cryptography)|block]]. A possible [[workaround]] is to use a stream-cipher-like [[block cipher mode of operation]] when the plaintext length is one [[Block size (cryptography)|block]] or less, such as the CTR, CFB or OFB modes.

Ciphertext stealing for [[Cipher block chaining|CBC]] mode doesn't necessarily require the plaintext to be longer than one [[block size (cryptography)|block]]. In the case where the plaintext is one block long or less, the [[Initialization vector]] (IV) can act as the prior block of ciphertext. In this case a modified IV must be sent to the receiver. This may not be possible in situations where the IV cannot be freely chosen by the sender when the ciphertext is sent (e.g., when the IV is a derived or pre-established value), and in this case ciphertext stealing for CBC mode can only occur in plaintexts longer than one block.

To implement CTS encryption or decryption for data of unknown length, the implementation must delay processing (and buffer) the two most recent blocks of data, so that they can be properly processed at the end of the data stream.
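
The steps described above for the ECB case, as an added example that is not part of the original article. The block cipher is a stand-in (a toy Feistel network built on HMAC-SHA256, an assumption made so the example runs with the standard library only; it is not AES and not for real use), and the names <code>cts_encrypt</code>, <code>cts_decrypt</code>, <code>enc_block</code> and <code>dec_block</code> are hypothetical.

```python
import hashlib
import hmac

BS = 16  # block size in bytes

# Stand-in block cipher (assumption): a 4-round Feistel network keyed with
# HMAC-SHA256. It is only a 16-byte permutation for the demo, not AES.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BS // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def _ecb(fn, key, data):
    return b"".join(fn(key, data[i:i + BS]) for i in range(0, len(data), BS))

def cts_encrypt(key, pt):
    if len(pt) <= BS:
        raise ValueError("ECB ciphertext stealing needs more than one block")
    d = len(pt) % BS or BS                 # size of the final plaintext block
    head, pn1, pn = pt[:-BS - d], pt[-BS - d:-d], pt[-d:]
    en1 = enc_block(key, pn1)              # penultimate block, fully encrypted
    cn = enc_block(key, pn + en1[d:])      # tail of en1 is "stolen" as padding
    # Output: untouched head, partial penultimate block, full final block.
    return _ecb(enc_block, key, head) + en1[:d] + cn

def cts_decrypt(key, ct):
    if len(ct) <= BS:
        raise ValueError("ECB ciphertext stealing needs more than one block")
    d = len(ct) % BS or BS
    head, part, cn = ct[:-BS - d], ct[-BS - d:-BS], ct[-BS:]
    x = dec_block(key, cn)                 # final block first: pn + stolen tail
    pn1 = dec_block(key, part + x[d:])     # restore stolen bytes, then decrypt
    return _ecb(dec_block, key, head) + pn1 + x[:d]
```

When the plaintext length is already a multiple of the block size, nothing is stolen and the output is identical to plain ECB.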