Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Ciphertext stealing
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Ciphertext stealing mode description== In order to encrypt or decrypt data, use the standard [[block cipher mode of operation]] on all but the last two blocks of data. The following steps describe how to handle the last two blocks of the plaintext, called ''P''<sub>''n''β1</sub> and ''P''<sub>''n''</sub>, where the length of ''P''<sub>''n''β1</sub> equals the block size of the cipher in bits, ''B''; the length of the last block, ''P''<sub>''n''</sub>, is ''M'' bits; and ''K'' is the key that is in use. ''M'' can range from 1 to ''B'', inclusive, so ''P''<sub>''n''</sub> could possibly be a complete block. The CBC mode description also makes use of the ciphertext block just previous to the blocks concerned, ''C''<sub>''n''β2</sub>, which may in fact be the IV if the plaintext fits within two blocks. For this description, the following functions and operators are used: * Head (data, ''a''): returns the first ''a'' bits of the 'data' string. * Tail (data, ''a''): returns the last ''a'' bits of the 'data' string. * Encrypt (''K'', data): use the underlying block cipher in encrypt mode on the 'data' string using the key ''K''. * Decrypt (''K'', data): use the underlying block cipher in decrypt mode on the 'data' string using the key ''K''. * [[XOR]]: Bitwise Exclusive-OR. Equivalent to bitwise addition without use of a carry bit. * ||: Concatenation operator. Combine the strings on either side of the operator. * 0<sup>''a''</sup>: a string of ''a'' 0 bits. ===ECB ciphertext stealing=== Ciphertext stealing in ECB mode introduces an inter-block dependency within the last two blocks, resulting in altered error propagation behavior for the last two blocks. ====ECB encryption steps (see figure) ==== [[Image:CTS ECB Encryption.png|frame|right|ECB Encryption Steps for CTS]] # ''E''<sub>''n''β1</sub> = Encrypt (''K'', ''P''<sub>''n''β1</sub>). Encrypt ''P''<sub>''n''β1</sub> to create ''E''<sub>''n''β1</sub>. This is equivalent to the behavior of standard ECB mode. # ''C''<sub>''n''</sub> = Head (''E''<sub>''n''β1</sub>, ''M''). Select the first ''M'' bits of ''E''<sub>''n''β1</sub> to create ''C''<sub>''n''</sub>. The final ciphertext block, ''C''<sub>''n''</sub>, is composed of the leading ''M'' bits of the second-to-last ciphertext block. In all cases, the last two blocks are sent in a different order than the corresponding plaintext blocks. # ''D''<sub>''n''</sub> = ''P''<sub>''n''</sub> || Tail (''E''<sub>''n''β1</sub>, ''B''β''M''). Pad ''P''<sub>''n''</sub> with the low order bits from ''E''<sub>''n''β1</sub>. # ''C''<sub>''n''β1</sub> = Encrypt (''K'', ''D''<sub>''n''</sub>). Encrypt ''D''<sub>''n''</sub> to create ''C''<sub>''n''β1</sub>. For the first ''M'' bits, this is equivalent to what would happen in ECB mode (other than the ciphertext ordering). For the last ''B''β''M'' bits, this is the second time that these data have been encrypted under this key (It was already encrypted in the production of ''E''<sub>''n''β1</sub> in step 2). ====ECB decryption steps==== # ''D''<sub>''n''</sub> = Decrypt (''K'', ''C''<sub>''n''β1</sub>). Decrypt ''C''<sub>''n''β1</sub> to create ''D''<sub>''n''</sub>. This undoes step 4 of the encryption process. # ''E''<sub>''n''β1</sub> = ''C''<sub>''n''</sub> || Tail (''D''<sub>''n''</sub>, ''B''β''M''). Pad ''C''<sub>''n''</sub> with the extracted ciphertext in the tail end of ''D''<sub>''n''</sub> (placed there in step 3 of the ECB encryption process). # ''P''<sub>''n''</sub> = Head (''D''<sub>''n''</sub>, ''M''). Select the first ''M'' bits of ''D''<sub>''n''</sub> to create ''P''<sub>''n''</sub>. As described in step 3 of the ECB encryption process, the first ''M'' bits of ''D''<sub>''n''</sub> contain ''P''<sub>''n''</sub>. We queue this last (possibly partial) block for eventual output. # ''P''<sub>''n''β1</sub> = Decrypt (''K'', ''E''<sub>''n''β1</sub>). Decrypt ''E''<sub>''n''β1</sub> to create ''P''<sub>''n''β1</sub>. This reverses encryption step 1. ====ECB ciphertext stealing error propagation==== A bit error in the transmission of ''C''<sub>''n''β1</sub> would result in the block-wide corruption of both ''P''<sub>''n''β1</sub> and ''P''<sub>''n''</sub>. A bit error in the transmission of ''C''<sub>''n''</sub> would result in the block-wide corruption of ''P''<sub>''n''β1</sub>. This is a significant change from ECB's error propagation behavior. ===CBC ciphertext stealing=== In CBC, there is already interaction between processing of different adjacent blocks, so CTS has less conceptual impact in this mode. Error propagation is affected. ====CBC encryption steps==== # ''X''<sub>''n''β1</sub> = ''P''<sub>''n''β1</sub> XOR ''C''<sub>''n''β2</sub>. Exclusive-OR ''P''<sub>''n''β1</sub> with the previous ciphertext block, ''C''<sub>''n''β2</sub>, to create ''X''<sub>''n''β1</sub>. This is equivalent to the behavior of standard CBC mode. # ''E''<sub>''n''β1</sub> = Encrypt (''K'', ''X''<sub>''n''β1</sub>). Encrypt ''X''<sub>''n''β1</sub> to create ''E''<sub>''n''β1</sub>. This is equivalent to the behavior of standard CBC mode. # ''C''<sub>''n''</sub> = Head (''E''<sub>''n''β1</sub>, ''M''). Select the first ''M'' bits of ''E''<sub>''n''β1</sub> to create ''C''<sub>''n''</sub>. The final ciphertext block, ''C''<sub>''n''</sub>, is composed of the leading ''M'' bits of the second-to-last ciphertext block. In all cases, the last two blocks are sent in a different order than the corresponding plaintext blocks. # ''P'' = ''P''<sub>''n''</sub> || 0<sup>''B''β''M''</sup>. Pad ''P''<sub>''n''</sub> with zeros at the end to create ''P'' of length ''B''. The zero padding in this step is important for step 5. # ''D''<sub>''n''</sub> = ''E''<sub>''n''β1</sub> XOR ''P''. Exclusive-OR ''E''<sub>''n''β1</sub> with ''P'' to create ''D''<sub>''n''</sub>. For the first ''M'' bits of the block, this is equivalent to CBC mode; the first ''M'' bits of the previous block's ciphertext, ''E''<sub>''n''β1</sub>, are XORed with the ''M'' bits of plaintext of the last plaintext block. The zero padding of ''P'' in step 4 was important, because it makes the XOR operation's effect on the last ''B''β''M'' bits equivalent to copying the last ''B''β''M'' bits of ''E''<sub>''n''β1</sub> to the end of ''D''<sub>''n''</sub>. These are the same bits that were stripped off of ''E''<sub>''n''β1</sub> in step 3 when ''C''<sub>''n''</sub> was created. # ''C''<sub>''n''β1</sub> = Encrypt (''K'', ''D''<sub>''n''</sub>). Encrypt ''D''<sub>''n''</sub> to create ''C''<sub>''n''β1</sub>. For the first ''M'' bits, this is equivalent to what would happen in CBC mode (other than the ciphertext ordering). For the last ''B''β''M'' bits, this is the second time that these data have been encrypted under this key (It was already encrypted in the production of ''E''<sub>''n''β1</sub> in step 2). ====CBC decryption steps==== # ''D''<sub>''n''</sub> = Decrypt (''K'', ''C''<sub>''n''β1</sub>). Decrypt ''C''<sub>''n''β1</sub> to create ''D''<sub>''n''</sub>. This undoes step 6 of the encryption process. # ''C'' = ''C''<sub>''n''</sub> || 0<sup>''B''β''M''</sup>. Pad ''C''<sub>''n''</sub> with zeros at the end to create a block ''C'' of length ''B''. We are padding ''C''<sub>''n''</sub> with zeros to help in step 3. # ''X''<sub>''n''</sub> = ''D''<sub>''n''</sub> XOR ''C''. Exclusive-OR ''D''<sub>''n''</sub> with ''C'' to create ''X''<sub>''n''</sub>. Looking at the first ''M'' bits, this step has the result of XORing ''C''<sub>''n''</sub> (the first ''M'' bits of the encryption process' ''E''<sub>''n''β1</sub>) with the (now decrypted) ''P''<sub>''n''</sub> XOR Head (''E''<sub>''n''β1</sub>, ''M'') (see steps 4-5 of the encryption process). In other words, we have CBC decrypted the first ''M'' bits of ''P''<sub>''n''</sub>. Looking at the last ''B''β''M'' bits, this recovers the last ''B''β''M'' bits of ''E''<sub>''n''β1</sub>. # ''P''<sub>''n''</sub> = Head (''X''<sub>''n''</sub>, ''M''). Select the first ''M'' bits of ''X''<sub>''n''</sub> to create ''P''<sub>''n''</sub>. As described in step 3, the first ''M'' bits of ''X''<sub>''n''</sub> contain ''P''<sub>''n''</sub>. We queue this last (possibly partial) block for eventual output. # ''E''<sub>''n''β1</sub> = ''C''<sub>''n''</sub> || Tail (''X''<sub>''n''</sub>, ''B''β''M''). Append the tail (''B''β''M'') bits of ''X''<sub>''n''</sub> to ''C''<sub>''n''</sub> to create ''E''<sub>''n''β1</sub>. As described in step 3, ''E''<sub>''n''β1</sub> is composed of all of ''C''<sub>''n''</sub> (which is ''M'' bits long) appended with the last ''B''β''M'' bits of ''X''<sub>''n''</sub>. We reassemble ''E''<sub>''n''β1</sub> (which is the same ''E''<sub>''n''β1</sub> seen in the encryption process) for processing in step 6. # ''X''<sub>''n''β1</sub> = Decrypt (''K'', ''E''<sub>''n''β1</sub>). Decrypt ''E''<sub>''n''β1</sub> to create ''X''<sub>''n''β1</sub>. This reverses encryption step 2. ''X''<sub>''n''β1</sub> is the same as in the encryption process. # ''P''<sub>''n''β1</sub> = ''X''<sub>''n''β1</sub> XOR ''C''<sub>''n''β2</sub>. Exclusive-OR ''X''<sub>''n''β1</sub> with the previous ciphertext block, ''C''<sub>''n''β2</sub>, to create ''P''<sub>''n''β1</sub>. Finally, we reverse the XOR step from step 1 of the encryption process. ====CBC implementation notes==== For CBC ciphertext stealing, there is a clever (but opaque) method of implementing the described ciphertext stealing process using a standard CBC interface. Using this method imposes a performance penalty in the decryption stage of one extra block decryption operation over what would be necessary using a dedicated implementation. =====CBC ciphertext stealing encryption using a standard CBC interface===== # Pad the last partial plaintext block with 0. # Encrypt the whole padded plaintext using the standard CBC mode. # Swap the last two ciphertext blocks. # Truncate the ciphertext to the length of the original plaintext. [[Image:CipherText Stealing (CTS) on CBC, encryption mode.svg|center|CipherText Stealing (CTS) on CBC, encryption mode]] =====CBC ciphertext stealing decryption using a standard CBC interface===== # ''D''<sub>''n''</sub> = Decrypt (''K'', ''C''<sub>''n''β1</sub>). Decrypt the second-to-last ciphertext block using ECB mode. # ''C''<sub>''n''</sub> = ''C''<sub>''n''</sub> || Tail (''D''<sub>''n''</sub>, ''B''β''M''). Pad the ciphertext to the nearest multiple of the block size using the last ''B''β''M'' bits of block cipher decryption of the second-to-last ciphertext block. # Swap the last two ciphertext blocks. # Decrypt the (modified) ciphertext using the standard CBC mode. # Truncate the plaintext to the length of the original ciphertext. [[Image:CipherText Stealing (CTS) on CBC, decryption mode.svg|center|CipherText Stealing (CTS) on CBC, decryption mode]] ====CBC ciphertext stealing error propagation==== A bit error in the transmission of ''C''<sub>''n''β1</sub> would result in the block-wide corruption of both ''P''<sub>''n''β1</sub> and ''P''<sub>''n''</sub>. A bit error in the transmission of ''C''<sub>''n''</sub> would result in a corresponding bit error in ''P''<sub>''n''</sub>, and in the block-wide corruption of ''P''<sub>''n''β1</sub>.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)