Ciphertext stealing
==Ciphertext format==
There are several different ways to arrange the ciphertext for transmission. The ciphertext bits are the same in all cases, just transmitted in a different order, so the choice has no security implications; it is purely one of implementation convenience.

The numbering here is taken from Dworkin, who describes them all. The third is the most popular, and is the one described by [[Joan Daemen|Daemen]] and [[Bruce Schneier|Schneier]]; Meyer describes a related, but incompatible scheme (with respect to bit ordering and key use).<!-- More details requested; is it CS1 or CS2?-->

===CS1===
Arguably the most obvious way to arrange the ciphertext is to transmit the truncated penultimate block, followed by the full final block. This is not convenient for the receiver for two reasons:
# The receiver must decrypt the final block first in any case, and
# This results in the final block not being [[Data structure alignment|aligned]] on a natural boundary, complicating hardware implementations.
This does have the advantage that, if the plaintext length happens to be a multiple of the block size, the ciphertext is identical to that of the original mode of operation without ciphertext stealing.

===CS2===
It is often more convenient to swap the final two ciphertext blocks, so the ciphertext ends with the full final block, followed by the truncated penultimate block. This results in naturally aligned ciphertext blocks.

In order to maintain compatibility with the non-stealing modes, option CS2 performs this swap only if the amount of stolen ciphertext is non-zero, i.e. the original message was not a multiple of the block size.

This maintains natural alignment, and compatibility with the non-stealing modes, but requires treating the cases of aligned and unaligned message size differently.

===CS3===
The most popular alternative swaps the final two ciphertext blocks unconditionally. This is the ordering used in the descriptions below.
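The three orderings differ only in where the last two blocks sit, which the following added example (not part of the original article) shows by converting between them with no cipher involved. The 16-byte block size, the function names and the placeholder byte strings are assumptions made for illustration.

```python
BLOCK = 16  # assumed block size in bytes (e.g. a 128-bit block cipher)

def _tail_len(ct: bytes, block: int) -> int:
    """Length d of the (possibly truncated) penultimate block, 1..block."""
    if len(ct) <= block:
        raise ValueError("this example needs more than one block of ciphertext")
    return len(ct) % block or block

def cs1_to_cs3(ct: bytes, block: int = BLOCK) -> bytes:
    """CS1 (truncated penultimate, full final) -> CS3 (always swapped)."""
    d = _tail_len(ct, block)
    head = len(ct) - block - d
    return ct[:head] + ct[head + d:] + ct[head:head + d]

def cs3_to_cs1(ct: bytes, block: int = BLOCK) -> bytes:
    """CS3 (full final, truncated penultimate) -> CS1."""
    d = _tail_len(ct, block)
    head = len(ct) - block - d
    return ct[:head] + ct[head + block:] + ct[head:head + block]

def cs1_to_cs2(ct: bytes, block: int = BLOCK) -> bytes:
    """CS2 swaps only when ciphertext was actually stolen (d < block)."""
    return ct if _tail_len(ct, block) == block else cs1_to_cs3(ct, block)

def cs2_to_cs1(ct: bytes, block: int = BLOCK) -> bytes:
    """Inverse of cs1_to_cs2: aligned input is already in CS1 order."""
    return ct if _tail_len(ct, block) == block else cs3_to_cs1(ct, block)

# Constructed placeholder bytes standing in for cipher output (not real ciphertext).
A, B, C = b"A" * BLOCK, b"B" * BLOCK, b"C" * BLOCK
UNALIGNED_CS1 = A + B[:5] + C   # penultimate block truncated to 5 bytes
ALIGNED_CS1 = A + B + C         # nothing stolen: same as the non-stealing mode

if __name__ == "__main__":
    for name, ct in (("unaligned", UNALIGNED_CS1), ("aligned", ALIGNED_CS1)):
        print(name, "CS1", ct)
        print(name, "CS2", cs1_to_cs2(ct))
        print(name, "CS3", cs1_to_cs3(ct))
```

A receiver has to know which ordering the sender used: for an aligned message CS3 output differs from CS1 and CS2 output even though the lengths match.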