Talk:Residual block termination

From Wikipedia, the free encyclopedia

I don't understand this, and I've been a professional cryptologist in my time. I think what's being described is something like this:

P = P_0 | P_1 | P_{n-1} | P_n

where P_0, P_1, P_{n-1} are the block size in length, and P_n is short

  • C_0 = E_k(IV XOR P_0)
  • C_{i+1} = E_k(C_i XOR P_{i+1}) where i = 0 .. n-2
  • C_n = P_n XOR truncate(|P_n|, E_k(C_{n-1}))

i.e. a weird mixture of CBC and CFB, but the wording is too vague for me to be sure; can anyone confirm?

Does this mode have a proof of security? It seems like it should be possible to provide one at least for chosen-plaintext attacks, so long as IVs are randomly generated after the entire plaintext is known, but really it's time CBC and variants were put out to pasture since they have basically no advantages over CTR mode.
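To pin down the reading of the scheme sketched above, here is an added example (not from the article or from anyone in this thread) that implements it as written: CBC for the full blocks, then the residual block XORed with a truncated encryption of the last full ciphertext block. The block cipher is a toy SHA-256 Feistel stand-in for AES, and a message shorter than one block chains from the IV; both are my assumptions, not the article's.

```python
import hashlib

BLOCK = 16  # block size in bytes of the stand-in cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, r: int) -> bytes:
    # Round function of the toy cipher: keyed SHA-256, truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher E_k: 4-round Feistel network (assumed stand-in for AES)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round(right, key, r))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: undo the Feistel rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(left, key, r)), left
    return left + right

def rbt_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC over the full blocks, then CFB-style residual for the short tail (no expansion)."""
    full, rem = divmod(len(plaintext), BLOCK)
    prev, out = iv, bytearray()
    for i in range(full):
        prev = encrypt_block(key, _xor(plaintext[i * BLOCK:(i + 1) * BLOCK], prev))  # C_i
        out += prev
    if rem:  # C_n = P_n XOR truncate(|P_n|, E_k(C_{n-1})); prev is the IV if full == 0
        out += _xor(plaintext[full * BLOCK:], encrypt_block(key, prev)[:rem])
    return bytes(out)

def rbt_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Undo rbt_encrypt; the residual block needs only the forward cipher, as in CFB."""
    full, rem = divmod(len(ciphertext), BLOCK)
    prev, out = iv, bytearray()
    for i in range(full):
        block = ciphertext[i * BLOCK:(i + 1) * BLOCK]
        out += _xor(decrypt_block(key, block), prev)
        prev = block
    if rem:
        out += _xor(ciphertext[full * BLOCK:], encrypt_block(key, prev)[:rem])
    return bytes(out)
```

The ciphertext is exactly as long as the plaintext, and when the length is a multiple of the block size the output is plain CBC.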

Seems weak method

As far as I understood this scheme, I am afraid that a known-ciphertext attack makes it possible to recover the last partial plaintext block. Can anyone clarify this?