Reputation: 177
The graph shows CBC with cipher-text stealing, and (b) is the block length. The output cipher-text is c1,...,c4.
How does the decryption work for this graph? I hope that someone can explain it to me with a graph, because I checked the explanation on Wikipedia and it was confusing to me.
Upvotes: 1
Views: 1580
Reputation: 603
The key to decrypting the CBC with cipher-text stealing is to remember where we are putting each part of the encrypted plaintext.
The algorithm takes B-A bits from the second-to-last block of ciphertext (that's your C3, and it takes C3') and XORs them with your M4, which has been padded with B-A zeroes. Since it's padded with zeroes, the XOR operation results in C3' effectively being appended to the end of the bits that go into the encryption cipher.
This produces a full size block of ciphertext, which we now put in the C3 position (assuming we are sending all these blocks in a message in order) and the former C3 block (minus the C3' part we chopped off) will go at the end of this message as C4. We want to put it at the end because it's not a full block size, and anyone decrypting this message will read in block size amounts at a time until they reach the end, so a partial block (C3') followed by a full block (C4) would result in an incorrect decryption of the end of the message (unless the decryptor knew exactly how many bits the partial block was).
Here's a diagram ripped from Wikipedia:
Now for decryption.
Remember that the result of the XOR operation on the last plaintext block (M4) effectively stored the C3' ciphertext for us. So in order to decrypt the original C3 (which we put part of in the C4 position), we need to get C3' back. We have to decrypt the result of M4 to get this, which we stored in the C3 position!
We take the message's C3, pass it through the decryption cipher, but before we can XOR it, we need to reconstruct the original C3 block, which is the message's C4 || C3' aka the last B-A bits from the result we just got from the decryption cipher.
Now we run the reconstructed, original C3 through the decryption cipher, XOR it with C2 and get M3. We XOR our result from before with this reconstructed C3 and get M4 (after chopping off B-A padding zeroes from the end).
And here's another diagram ripped from Wikipedia:
Upvotes: 5
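The decryption steps described in the answer above, as an added Python example that is not part of the original post. It works on bytes rather than bits and keeps the answer's names (C3, C3', C4, M3, M4). As an assumption for illustration, a toy 4-round Feistel cipher built from SHA-256 stands in for the real block cipher so the code runs with the standard library only; it is not secure.

```python
import hashlib

B = 16  # block length in bytes (the "b" of the question's figure)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):
    # Round function of a toy Feistel cipher standing in for AES (NOT secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:B // 2]

def E(key, block):
    l, r = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        l, r = r, xor(l, round_f(key, rnd, r))
    return l + r

def D(key, block):
    l, r = block[:B // 2], block[B // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_f(key, rnd, l)), l
    return l + r

def cts_encrypt(key, iv, msg):
    if len(msg) <= B:
        raise ValueError("need more than one block")
    a = len(msg) % B or B                      # A: length of the last block
    blocks = [msg[i:i + B] for i in range(0, len(msg), B)]
    prev, out = iv, []
    for m in blocks[:-1]:                      # ordinary CBC for M1..M3
        prev = E(key, xor(m, prev))
        out.append(prev)
    c3 = out.pop()                             # original, full C3
    swapped = E(key, xor(blocks[-1] + bytes(B - a), c3))
    return b"".join(out) + swapped + c3[:a]    # C3[:a] is sent last as C4

def cts_decrypt(key, iv, ct):
    if len(ct) <= B:
        raise ValueError("need more than one block")
    a = len(ct) % B or B
    body, swapped, c4 = ct[:-(B + a)], ct[-(B + a):-a], ct[-a:]
    x = D(key, swapped)                        # (M4 || zeros) XOR original C3
    c3 = c4 + x[a:]                            # x[a:] is C3', so C4 || C3' = C3
    prev, out = iv, []
    for i in range(0, len(body), B):           # ordinary CBC for M1, M2
        out.append(xor(D(key, body[i:i + B]), prev))
        prev = body[i:i + B]
    out.append(xor(D(key, c3), prev))          # M3: prev is C2 here
    return b"".join(out) + xor(x, c3)[:a]      # M4: drop the B-A zero bytes
```

The ciphertext has the same length as the plaintext, which is the point of stealing C3' instead of padding the last block.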