Factbites
 Where results make sense

Topic: Ciphertext stealing



In the News (Wed 16 Dec 09)

  
 Decorrelated Accumulating Counter Mode
Ciphertext stealing can be used for a short block at the end of a message, since the operations applied to each block depend only on the key and the counter state.
Here, ciphertext stealing may not be possible in a simple fashion; there may be a safe way to do it, but I have not attempted to determine the precise procedure for it at this time.
As ciphertext stealing is defined for this mode, the length indication will consist of a 121-bit number of whole blocks in the message, followed by a seven-bit number from 0 to 127 of the number of bits in the final partial block; this number will be 0 if no partial block is present.
www.quadibloc.com /crypto/co040605.htm   (2376 words)

  
 rfc3962
AES is used with ciphertext stealing to avoid message expansion, and SHA-1 [SHA1] is the associated checksum function.
Ciphertext stealing is described on pages 195-196 of [AC], and section 8 of [RC5]; it has the advantage that no message expansion is done during encryption of messages of arbitrary sizes as is typically done in CBC mode with padding.
Ciphertext stealing, as defined in [RC5], assumes that more than one block of plain text is available.
ietfreport.isoc.org /idref/rfc3962   (2623 words)

  
 APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C:Algorithm Types and Modes   (Site not responding. Last check: 2007-10-14)
After encrypting the last full block, encrypt the ciphertext again, select the left-most j bits of the encrypted ciphertext, and XOR that with the short block to generate the ciphertext.
In CBC mode, a single-bit error in the ciphertext affects one block and one bit of the recovered plaintext.
If a bit is added or lost from the ciphertext stream, then all subsequent blocks are shifted one bit out of position and decryption will generate garbage indefinitely.
friedo.szm.sk /krypto/AC/ch09/09-03.html   (906 words)

  
 Stream cipher - epnn.org
In a synchronous stream cipher a stream of pseudo-random digits is generated independently of the plaintext and ciphertext messages, and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt).
Another approach is to tag the ciphertext with markers at regular points in the output.
Block ciphers must be used in ciphertext stealing or residual block termination mode to avoid padding, while stream ciphers eliminate this issue by naturally operating on the smallest unit that can be transmitted (usually bytes).
www.epnn.org /index.php?title=Stream_cipher   (1491 words)

  
 Block cipher modes of operation - Wikipedia, the free encyclopedia
This is useful for applications that require low latency between the arrival of plaintext and the output of the corresponding ciphertext, such as certain applications of streaming media.
However, because the plaintext or ciphertext is only used for the final XOR, the block cipher operations may be performed in advance, allowing the final step to be performed in parallel once the plaintext or ciphertext is available.
For such secure operation, the IV and ciphertext generated by these modes should be authenticated with a secure MAC, which must be checked by the receiver prior to decryption.
en.wikipedia.org /wiki/Cipher_block_chaining   (1970 words)

  
 Block Cipher Modes for One-Block Messages?   (Site not responding. Last check: 2007-10-14)
Thus, while one could still use the block cipher, either by padding the message to a full block, or by using a stream cipher mode such as counter mode, no technique that sufficiently resembles "ciphertext stealing" to be called a case of it is applicable to such short messages.
Essentially, the only difference between the complicated-looking "ciphertext stealing" technique depicted in AC and simply enciphering each complete block of the message, and then, if an incomplete block is left unenciphered, enciphering the last 64 bits (or whatever the blocksize is) of the message is that the ciphertext stealing technique avoids alignment problems.
www.ciphersbyritter.com /NEWS4/CTXSTEAL.HTM   (2081 words)

  
 RFC 3962
For consistency, ciphertext stealing is always used for the last two blocks of the data to be encrypted, as in [RC5].
The initial vector carried out from one encryption for use in a subsequent encryption is the next-to-last block of the encryption output; this is the encrypted form of the last plaintext block.
Ciphertext stealing mode, as it requires no additional padding in most cases, will reveal the exact length of each message being encrypted rather than merely bounding it to a small range of possible lengths as in CBC mode.
www.apps.ietf.org /rfc/rfc3962.html   (3304 words)

  
 Disk encryption theory - Wikipedia, the free encyclopedia
Since the ECB mode always encrypts the same plaintext block into the same ciphertext, it reveals data patterns and is thus insecure.
The basic blocks of the LRW mode (AES cipher and Galois field multiplication) are the same as the ones used in the Galois/Counter Mode (GCM) thus permitting a compact implementation of the universal LRW/XEX/GCM hardware.
Ciphertext stealing provides support for sectors with size not divisible by block size, for example, 520-byte sectors and 16-byte blocks.
en.wikipedia.org /wiki/Disk_encryption_theory   (1863 words)

  
 OCB - An Authenticated-Encryption Scheme - Background - Rogaway
When message M is encrypted in the presence of H, the resulting ciphertext core C has same length as M. There is also generated an n-bit authentication tag Tag, when n is the blocklength of the blockcipher.
If there were no nonce there would be only one ciphertext for each plaintext and key, and this means that the scheme would necessarily leak information (e.g., is the plaintext for the message just received the same as the plaintext for the previous message received?).
Once a padding regime is added, say obligatory 10*-padding, the length of ciphertexts will be longer than OCB ciphertexts any time that the message being encrypted is a non-multiple of 16 bytes.
www.cs.ucdavis.edu /~rogaway/ocb/ocb-faq.htm   (4287 words)

  
 Foil threats--Secure storage on SoCs
This mode of operation modifies the padding algorithm as sector sizes are not always integer multiples of the block size used in the AES cipher.
The CTS algorithm is implemented by padding the last plaintext block with the low order bits from the second to last ciphertext block (stealing the ciphertext from the second to last block).
The last block is encrypted, and then exchanged with the second to last ciphertext block, which is then truncated to the length of the final plaintext block resulting in ciphertext of the same length as the original message size.
www.embedded.com /shared/printableArticle.jhtml?articleID=192500482   (2123 words)

  
 Double Counter Double Checksum Mode
However, an identical initialization vector can also be detected when both plaintext and ciphertext match in two messages, and this can also lead to detection of cases where the state of the two counters is repeated, possibly at a different position in a message.
Also note that, since the method is intended to protect against forgery, only chosen plaintext attacks, not chosen ciphertext attacks, are available; thus, the secondary counter is applied to the plaintext on input to the block cipher.
Since the tag field is treated as ciphertext, and is also subject to choice, the use of the two counters is reversed for the tag field, which is otherwise treated as if it were ciphertext.
www.quadibloc.com /crypto/co040606.htm   (4851 words)

  
 Glossary - OWASP
In a stream cipher, flipping a bit in the ciphertext flips the corresponding bit in the plaintext.
An attack on an encryption algorithm where the encryption key for a ciphertext is determined by trying to decrypt with every key until valid plaintext is obtained.
For example, in a password system, one might keep a dictionary mapping ciphertext pairs in plaintext form to keys for a single plaintext that frequently occurs.
www.owasp.org /index.php/Category:Glossary   (6672 words)

  
 [No title]
stealing to handle the possibly partial final block of the message.
stealing is described on pages 195-196 of [AC], and section 8 of [RC5]; it has the advantage that no message expansion is done during encryption of messages of arbitrary sizes as is typically done in CBC mode with padding.
stealing is always used for the last two blocks of the data to be encrypted, as in [RC5].
www.phreak.org /archives/cerias_doc/rfc/authors/rfc3962-diff.html   (2852 words)

  
 Welcome to Syncadia   (Site not responding. Last check: 2007-10-14)
This is not an easy undertaking however, as a separate codebook would have to be built for each key in the keyspace (even for a 64 bit key there are 2^64 different keys and for a block size of 64 bits then each code book would have 2^64 entries).
For example, in CBC mode, the ciphertext from the previous block of encrypted plaintext is XORed with the plaintext for the current block before encrypting.
This can be done with random data, but more often ciphertext stealing is performed (CTS, using some of the encrypted plaintext to pad the final block) or alternatively the size of the final block is appended with some random data so that the decryption process knows what is real plaintext and what is padding.
www.syncadia.com /Symmetric.aspx   (1348 words)

  
 BitCrypt Technical Information   (Site not responding. Last check: 2007-10-14)
For byte-oriented modes, the plaintext or ciphertext can be processed one byte at a time (by use of internal buffering if necessary).
The amount of data that must be buffered by the cipher implementation is increased when ciphertext stealing is used (specifically, up to two blocks can be buffered, for both encryption and decryption).
If the total length of plaintext or ciphertext, excluding IV, is less than or equal to one block when doFinal is called, a BadPaddingException will be thrown.
bitcrypt.byethost9.com /technical_information.htm   (1646 words)

  
 Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption
His attack requires a single ciphertext, and a number of oracle queries proportional to the number of bytes in the padded message.
The lesson here is that none of these modes is trying to prevent an adversary from manipulating the ciphertext, and the fact there exist attacks against a wide variety of padding schemes and encryption schemes based on manipulation of the ciphertext should be no great surprise.
In fact, the only valid ciphertexts he will be able to produce are (with overwhelming probability) repetitions of those he's seen generated as legitimate traffic.
www.cs.colorado.edu /~jrblack/papers/padding.html   (6099 words)

  
 Ciphertext stealing - Wikipedia, the free encyclopedia (via CobWeb/3.1 planetlab2.netlab.uky.edu)   (Site not responding. Last check: 2007-10-14)
2.2.3.2 CBC ciphertext stealing decryption using a standard CBC interface
CBC ciphertext stealing encryption using a standard CBC interface
CBC ciphertext stealing decryption using a standard CBC interface
en.wikipedia.org.cob-web.org:8888 /wiki/Ciphertext_stealing   (1398 words)

  
 Crypto Archives: Re: OAEP before symmetric encryption ?
CBC recovers from ciphertext transmission errors the remaining data
Ciphertext stealing is a sort of clever way to swap
that plaintext is passed with some ciphertext, and the ciphertext need
archives.neohapsis.com /archives/crypto/1999-q4/0512.html   (568 words)

  
 Amazon.com: "ciphertext stealing": Key Phrase page   (Site not responding. Last check: 2007-10-14)
See all pages with references to ciphertext stealing.
Figure 9.1 is an alternative, called ciphertext stealing [402].
Pn-1 is the last full plaintext block and Pn is the final, short, plaintext block.
www.amazon.com /phrase/ciphertext-stealing   (502 words)

  
 CTC: Symmetric Ciphers
Having finished with the cipher, the context is disposed of, with heap storage being wiped and deallocated.
If the mode being used requires whole blocks to be encrypted, then this routine manages the ciphertext stealing required to satisfy it.
If the mode is known not to require ciphertext stealing, and only in these circumstances, buf can be NULL.
www.bifroest.demon.co.uk /ctc/manuals/cipher.htm   (801 words)

  
 [No title]
It takes the previous ciphertext block and performs an XOR operation with the current plaintext block before it is encrypted to produce the next ciphertext block.
The beginning of the ciphertext block will also always be the same.
If there are duplicate blocks in the plaintext, there will be duplicate ciphertext blocks.
rd1.net /owasp/Insecure_Storage.ppt   (1008 words)

  
 Re: Ciphertext Stealing (via CobWeb/3.1 planetlab2.netlab.uky.edu)   (Site not responding. Last check: 2007-10-14)
"Residual Block Processing with Ciphertext Stealing" is used by IEEE 802.16 for encrypting partial blocks after CBC mode.
-------- Original Message -------- Subject: RE: Ciphertext Stealing From: "Elliott, Robert (Server Storage)" Date: Mon, December 12, 2005 7:17 pm To: How does this compare to what I've drawn here (I took the CTS slides from an internal presentation of mine, and added some LRW CTS ones concurrently with your emails)?
I think this still has the weakness that you can flip bits in the previous cipherblock (what you call C[I]) to affect known bits in plaintext P[I+1].
grouper.ieee.org.cob-web.org:8888 /groups/1619/email/msg00472.html   (395 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.