BS ISO IEC 10116-2015 pdf free download – Information technology — Security techniques — Modes of operation for an n-bit block cipher.
7.4 Avoiding ciphertext expansion7.4.1 Introduction
In order to avoid ciphertext expansion caused by padding it is possible to implement ‘ciphertext stealing ‘.With this method if the final plaintext block is partial then the fewest ‘0’ bits are appended so as to
complete it (i.e., padding method 1 in lSO/IEC 9797-1) and the resulting plaintext is encrypted as above.Any expansion that would be caused by padding bits is avoided because bits of the penultimate
ciphertext block are discarded as they can be recovered from the decryption of the final ciphertext block.
Specifically if m=1 (no interleaving) and the plaintext has been padded so that the rightmost p bits of thefinal plaintext block P, are the ‘o’ padding bits then the rightmost p bits of the penultimate ciphertext blockCq.; are not transmitted but can be recovered as the rightmost p bits of dK(Cq).
NOTE Ciphertext stealing cannot be applied if the number of bits in the plaintext is less than n.7.4.2Three ciphertext stealing variants of CBC
This Standard defines three ciphertext stealing variants (CBC_CS) of CBC mode.All three are variantson the basic CBC encryptionidecryption defined above using padding method 1 in ISO/IEC 9797-1.These CBC-CS variants differ from the basic CBC mode only in how the two ciphertext blocks C-m andC are processed after encryption and before decryption.
Although the CBc_CS variants can be used when the interleave parameter m >1, as noted in clause 7.1,typically m=1 in which case the two ciphertext blocks C-m and C, blocks are the final two ciphertextblocks C., and C. The description below applies only to the case m=1 but can be extrapolated to thecase m>i.
Processing after cBC encryption (ciphertext contraction)
After CBC encryption the ciphertext C |lC2|.…. C1ll Cais contracted (reduced in length) by thenumber p (0 s p<n) of padding bits. lf no padding occurred (p=0) then no contraction occurs but, asspecified below,the third cBc_cs variant still modifies theciphertext by swapping the final twociphertext blocks Co;and Cq:
For all CBc_CS variants define Cq;” :=(n-p)~Cq;. The three CBc_CS variants are defined as follows:
For the first CBc_CS variant the final two ciphertext blocks Cq-; ll Ce are replaced by Cqi ‘ Ce
For the second CBC_cs variant the final two ciphertext blocks C ,ll C。are replaced by C 1lC;*only if the plaintext was padded(otherwise no change is made).
For the third CBc_CS variant the final two ciphertext blocks Cq ll Cq are always replaced byc llCq*.
cBC decryption pre-processing (ciphertext extension)
Before CBC decryption the received contracted ciphertext is extended to a whole number of n-bit blocks.Let the number of bits in the received ciphertext be q=kn+d where 0 s d < n and if d0 then let p=n-d(note in this case that p ≠ O).
lf q> 1 then for all c define Cgi* :=(n-p)~Cq1.
For the first CBc_cs variant
。if d=0 then the received ciphertext is a whole number of n-bit blocks and no pre-processing is required.
oif d>0 then the received ciphertext is not a whole number of n-bit blocks and pre-
processing is required. In this case the rightmost n+d bits of the received ciphertext areparsed into Cg1*llC where Cq*is a d-bit block and C, is an n-bit block, and the n-bitblock Cq1is formed as Cq1*ll(dK(Ca)~ p).
For the second CBC_cs variant
。if d=0 then the received ciphertext is a whole number of n-bit blocks and no preprocessing is required.BS ISO IEC 10116 pdf download.
BS ISO IEC 10116-2015 pdf free download – Information technology — Security techniques — Modes of operation for an n-bit block cipher
Note:
If you can share this website on your Facebook,Twitter or others,I will share more.