Ciphertext stealing

In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the cost of slightly increased complexity.

The common modes of operation that are coupled with ciphertext stealing are Electronic Codebook (ECB) and Cipher Block Chaining (CBC).

Ciphertext stealing for ECB mode requires the plaintext to be longer than one block.

Ciphertext stealing for CBC mode doesn't necessarily require the plaintext to be longer than one block.

This may not be possible in situations where the IV cannot be freely chosen by the sender when the ciphertext is sent (e.g., when the IV is a derived or pre-established value), and in this case ciphertext stealing for CBC mode can only occur in plaintexts longer than one block.

The ciphertext bits are the same in all cases, just transmitted in a different order, so the choice has no security implications; it is purely one of implementation convenience.

In order to maintain compatibility with the non-stealing modes, option CS2 performs this swap only if the amount of stolen ciphertext is non-zero, i.e. the original message was not a multiple of the block size.

In CBC, there is already interaction between processing of different adjacent blocks, so CTS has less conceptual impact in this mode.
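The ordering point above can be checked directly. The following is an added example, not code from the original page: it implements CBC ciphertext stealing with the three output orderings, using the names CS1 and CS3 from NIST's SP 800-38A addendum alongside the CS2 variant mentioned above. The block cipher is a constructed toy Feistel network (not secure, present only so the example runs with the standard library), the function names are hypothetical, and only messages longer than one block are handled.

```python
import hashlib

BLOCK = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_cipher(key, block, decrypt=False):
    """Constructed 4-round Feistel stand-in for a real block cipher. NOT secure."""
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + (l if decrypt else r)).digest()[:8]
        if decrypt:
            l, r = _xor(r, f), l
        else:
            l, r = r, _xor(l, f)
    return l + r

def _swapped(variant, d):
    # CS1 never swaps, CS3 always swaps, CS2 swaps only if ciphertext was stolen
    return variant == "CS3" or (variant == "CS2" and d < BLOCK)

def cts_encrypt(key, iv, pt, variant):
    if len(pt) <= BLOCK:
        raise ValueError("this sketch covers only messages longer than one block")
    d = len(pt) % BLOCK or BLOCK           # length of the final plaintext block
    padded = pt + bytes(BLOCK - d)         # zero-pad, then run ordinary CBC
    prev, blocks = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = _toy_cipher(key, _xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    head, c_pen, c_last = blocks[:-2], blocks[-2][:d], blocks[-1]
    tail = [c_last, c_pen] if _swapped(variant, d) else [c_pen, c_last]
    return b"".join(head + tail)           # same length as pt: no expansion

def cts_decrypt(key, iv, ct, variant):
    if len(ct) <= BLOCK:
        raise ValueError("this sketch covers only messages longer than one block")
    d = len(ct) % BLOCK or BLOCK
    body, end = ct[:-(BLOCK + d)], ct[-(BLOCK + d):]
    c_last, c_pen = (end[:BLOCK], end[BLOCK:]) if _swapped(variant, d) else (end[d:], end[:d])
    z = _toy_cipher(key, c_last, decrypt=True)
    p_last = _xor(z[:d], c_pen)            # final (possibly partial) plaintext block
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)] + [c_pen + z[d:]]
    pt, prev = b"", iv
    for c in blocks:                       # z[d:] restored the stolen bytes above
        pt += _xor(_toy_cipher(key, c, decrypt=True), prev)
        prev = c
    return pt + p_last
```

For a 37-byte message, all three variants return 37 bytes made of the same three pieces, and CS2 matches CS3; for a 32-byte message, CS2 matches CS1 instead.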

ECB Encryption Steps for CTS
CipherText Stealing (CTS) on CBC, encryption mode
CipherText Stealing (CTS) on CBC, decryption mode