Talk:Residual block termination

I don't understand this, and I've been a professional cryptologist in my time. I think what's being described is something like this:

P = P_0 | P_1 | P_{n-1} | P_n

where P_0, P_1, P_{n-1} are the block size in length, and P_n is short


 * C_0 = E_k(IV XOR P_0)
 * C_i+1 = E_k(C_i XOR P_i+1) where i = 0 .. n-2
 * C_n = P_n XOR truncate(|P_n|, E_k(C_{n-1}))

ie a weird mixture of CBC and CFB, but the wording is too vague for me to be sure, can anyone confirm?

Does this mode have a proof of security? It seems like it should be possible to provide one at least for chosen-plaintext attacks, so long as IVs are randomly generated after the entire plaintext is known, but really it's time CBC and variants were put out to pasture since they have basically no advantages over CTR mode.


 * I'd say you understood the algorithm description correctly. I'd also say it's secure against CPA: Final block of CBC mode with a random IV behaves like a PRF, and it gets transformed into another pseudo-random block through the last encryption, which is used as a pseudo-random key stream for the remaining bytes.


 * Advantages of CBC over CTR? Think of group communication with shared keys. You don't want to reuse nonces. (You may use a randomized variant of CTR mode taking a random IV, though.) Also think of disk encryption applications with static IVs. (Well, there's better modes for that now, admitted.)


 * Nageh (talk) 23:02, 21 May 2010 (UTC)

Seems weak method
As far as I understood this scheme, I afraid that the known ciphertext attack is possible to recover last partial plaintext block. Can anyone clarify it???


 * Known ciphertext attacks? :)) Maybe you wanted to say chosen ciphertext attacks? But these are possible for CBC mode just as well. Nageh (talk) 17:16, 21 May 2010 (UTC)