Padding may not always be appropriate. For example, one might wish to store the encrypted data in the same memory buffer that originally contained the plaintext. In that case, the ciphertext must be the same length as the original plaintext. A mode for that purpose is the ciphertext stealing (CTS) mode. Figure 6.12a shows an implementation of this mode.

a. Explain how it works.

b. Describe how to decrypt C_n-1 and C_n.

K K IV P Encrypt C P IV (bb bits) Encrypt (bb bits) ... CN-3 K CN-31 K PN-2 (bb bits) Encrypt PN-2 CN-2 (a) Ciphertext stealing mode CN-2 (bb bits) Encrypt K K PN-1 (bb bits) Encrypt CN-1 (bb bits) PN-1 Encrypt CN K X Encrypt (b) Alternative method Figure 6.12 Block Cipher Modes for Plaintext not a Multiple of Block Size K PN 00...0 Encrypt CN-1 select leftmost j bits PN (j bits) (j bits)