Ian Goldberg (iang@CS.Berkeley.EDU)
21 Mar 1998 19:54:04 GMT
In article <19980320130216.29596@eskimo.com>,
Wei Dai <weidai@eskimo.com> wrote:
>Can someone explain to me how ciphertext stealing works in CBC mode (i.e.
>as an alternative to padding)? My copy of the Dr. Dobb's Crypto CD seems
>to be missing the crucial illustration on this topic from _Applied
>Cryptography_ second edition.
I don't have my AC in front of me, but I have some notes I had sketched
on this for something a while ago, so someone correct me if I'm off by
one or something.

Let P_0, P_1, ..., P_n be plaintext blocks. P_0 through P_{n-1} are
each 8 bytes long (or whatever the block size is), and P_n is between 1 and 8
bytes long. (Actually, I think you can use either 1-8 or 0-7 here; the
difference is in how messages that are multiples of 8 bytes get encrypted.)

Let k be the length of P_n. Append 8-k bytes of 0 to the message and
encrypt with CBC. Swap the last two blocks, and truncate the (new) last block
to k bytes.
- Ian
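
The procedure described in the message above, as an added example that is not part of the original post. It assumes a toy 4-round Feistel permutation (E/D, constructed here as a stand-in for a real 64-bit block cipher, not for production use) and hypothetical function names; the decryption direction is not spelled out in the post and is derived here from the encryption steps.

```python
import hashlib

BS = 8  # block size in bytes, as in the post

def _f(key, rnd, half):
    # Round function of the toy cipher (constructed for this example).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, blk):
    # Toy 4-round Feistel permutation on 8 bytes; stand-in for a real cipher.
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cts_encrypt(key, iv, msg):
    if len(msg) <= BS:
        raise ValueError("need more than one block to steal from")
    k = len(msg) % BS or BS              # length of the final block P_n (1..8)
    padded = msg + bytes(BS - k)         # append 8-k zero bytes
    prev, blocks = iv, []
    for i in range(0, len(padded), BS):  # ordinary CBC encryption
        prev = E(key, _xor(padded[i:i + BS], prev))
        blocks.append(prev)
    blocks[-2], blocks[-1] = blocks[-1], blocks[-2][:k]  # swap, then truncate
    return b"".join(blocks)              # same length as msg

def cts_decrypt(key, iv, ct):
    if len(ct) <= BS:
        raise ValueError("need more than one block")
    k = len(ct) % BS or BS
    head, c_n, c_part = ct[:-(BS + k)], ct[-(BS + k):-k], ct[-k:]
    x = D(key, c_n)                      # = (P_n || zeros) xor C_{n-1}
    c_prev = c_part + x[k:]              # zero pad: tail of x is tail of C_{n-1}
    blocks = [head[i:i + BS] for i in range(0, len(head), BS)] + [c_prev]
    prev, out = iv, b""
    for c in blocks:                     # ordinary CBC decryption up to P_{n-1}
        out += _xor(D(key, c), prev)
        prev = c
    return out + _xor(x[:k], c_prev[:k])  # recover the k bytes of P_n
```

The ciphertext is exactly as long as the message, which is the point of using this instead of padding.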
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:09 ADT