A limitation of Cipher Block Chaining (CBC) mode, as specified in NIST Special Publication 800-38A, is that the plaintext input must consist of a sequence of complete blocks. Ciphertext stealing is a padding method in which the required padding bits are "stolen" from the penultimate ciphertext block. This addendum to SP 800-38A specifies three variants of CBC mode with ciphertext stealing. These variants, which differ only in the ordering of the ciphertext bits, can encrypt any input whose bit length is greater than or equal to the block size. Unlike conventional padding methods, these variants do not expand the length of the data.
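The construction described above, as an added Go example that is not taken from SP 800-38A or its addendum: CBC-CS1 encryption and decryption over the standard library's AES, plus the reordering that yields CBC-CS3. The names `bs`, `demoBlk`, `tailLen`, `EncryptCS1`, `DecryptCS1` and `ToCS3` are chosen here, the all-zero key and IV are constructed demo values, the code works on whole bytes, and CBC-CS2 (swap only when the last block is partial) is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize

var demoBlk, _ = aes.NewCipher(make([]byte, 16)) // constructed all-zero key, demo only
func tailLen(n int) int { return (n-1)%bs + 1 } // d: bytes in the final block, 1..bs

// EncryptCS1 (CBC-CS1): zero-pad, CBC-encrypt, drop the last bs-d bytes of C[n-1]; needs len(pt) >= bs.
func EncryptCS1(blk cipher.Block, iv, pt []byte) []byte {
	d := tailLen(len(pt))
	buf := make([]byte, len(pt)+bs-d) // zero padding up to a block boundary
	copy(buf, pt)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	cut := len(buf) - 2*bs + d // end of C[n-1]*, the kept part of C[n-1]
	return append(buf[:cut:cut], buf[len(buf)-bs:]...)
}

// DecryptCS1 recovers the stolen tail of C[n-1] from D_K(C[n]), then CBC-decrypts.
func DecryptCS1(blk cipher.Block, iv, ct []byte) []byte {
	d, cut := tailLen(len(ct)), len(ct)-bs
	buf := make([]byte, len(ct)+bs-d)
	copy(buf, ct[:cut])               // C[1..n-2] || C[n-1]*
	copy(buf[len(buf)-bs:], ct[cut:]) // C[n]
	z := make([]byte, bs)
	blk.Decrypt(z, ct[cut:]) // Z = (P[n]* || 0...) XOR C[n-1]
	copy(buf[cut:], z[d:])   // Z's tail is therefore the stolen part of C[n-1]
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	return buf[:len(ct)]
}

// ToCS3 reorders CS1 output into CS3: the last two pieces are swapped unconditionally.
func ToCS3(cs1 []byte) []byte {
	if len(cs1) <= bs {
		return append([]byte{}, cs1...)
	}
	head := len(cs1) - bs - tailLen(len(cs1)) // length of C[1..n-2]
	return append(append(cs1[:head:head], cs1[len(cs1)-bs:]...), cs1[head:len(cs1)-bs]...)
}

func main() {
	iv, pt := make([]byte, bs), []byte("ciphertext stealing demo") // fixed IV for the demo; CBC needs an unpredictable one
	fmt.Println("round trip ok:", string(DecryptCS1(demoBlk, iv, EncryptCS1(demoBlk, iv, pt))) == string(pt))
}
```

Ciphertext stealing only removes the length expansion; it adds no integrity protection, so the output still needs authentication wherever tampering matters.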