IV

2.16 Padding may not always be appropriate. For example, one might wish to store the

encrypted data in the same memory buffer that originally contained the plaintext. In

that case, the ciphertext must be the same length as the original plaintext. A mode for

that purpose is the ciphertext stealing (CTS) mode. Figure 2.12a shows an implemen-

tation of this mode.

P₁

K→Encrypt

K

C₁

P₁

IV (bb bits)

Encrypt

C₁

(bb bits)

...

CN-3

CN-3-

... K

K-

PN-2

Encrypt

PN-2

(bb bits)

(+)

CN-2

(a) Ciphertext stealing mode

Encrypt

CN-2

(bb bits)

KEncrypt

PN-1

(bb bits)

KEncrypt

PN-1.

CN-1

(bb bits)

CN X

K

KEncrypt

(b) Alternative method

Figure 2.12 Block Cipher Modes for Plaintext not a Multiple of Block Size

PN 00...0

Encrypt

CN-1

Select

leftmost

j bits

PN

(j bits)

CN

(j bits)