# Residual Block Termination (RBT)

A method of dealing with the last block of data in cryptography, which should be encrypted. If the length increase caused by padding methods is undesirable, the data remainder (having a length fractional to the cipher's block size) can be encrypted by XOR'ing it with the prior encrypted data block, encrypted again.

If there is no prior data block (the entire message consists only of a single fractional block) an IV/Initialization Vector* is encrypted and XOR'ed to the fractional block.

This is equivalent to switching to Cipher Block Chaining* mode for a single (the last) block.

Encrypt

```
c[n-1] := E( p[n-1], k )
c[n] := p[n] (+) E( c[n-1], k )
```

Decrypt:

```
p[n-1] := D( c[n-1], k )
p[n] := c[n] (+) E( c[n-1], k )
```

where *p* is a block of plaintext, *D* is the decryption function, *c* is a block of ciphertext, *k* is the key, *E* is the encryption function and *(+)* is the bitwise-addition (XOR) operator

RBT is an alternative to Cipher Text Stealing*.

# Inverse Residual Block Termination (IRBT)

Traditional residual block termination has the sometimes uncomfortable property to require the encryption function to be present in the decryptor.

To mend this, Inverse RBT uses the decrypted second-last block of data, decrypted again, to XOR with the fractional block.

Encrypt:

```
c[n-1] := E( p[n-1], k )
c[n] := p[n] (+) D( p[n-1], k )
```

Decrypt:

```
p[n-1] := D( c[n-1], k )
p[n] := c[n] (+) D( p[n-1], k )
```

where *p* is a block of plaintext, *D* is the decryption function, *c* is a block of ciphertext, *k* is the key, *E* is the encryption function and *(+)* is the bitwise-addition (XOR) operator

# Fast Inverse Residual Block Termination (FIRBT)

If the fact that IRBT needs two decryptions of the second-last data block for decrypting the last, fractional block, is impractical (for example in hardware implementations), and a tweakable cipher or block-dependent keys are used, one could use the value of the second-last ciphertext block (decrypted once by the key/tweak for the last block) to XOR into the last block to de/encrypt that last block.

This puts any complexities into the encryptor and makes the decryptor as straight-forward as possible. Note that this goes at some cost: The cipher algorithm must be able to produce pseudo-random output on keys that differ only slightly, or the key schedule must provide sufficiently different key values for k[n-1] and k[n].

Encrypt:

```
c[n-1] := E( p[n-1], k[n-1] )
c[n] := p[n] (+) D( c[n-1], k[n] )
```

Decrypt:

```
p[n-1] := D( c[n-1], k[n-1] )
p[n] := c[n] (+) D( c[n-1], k[n] )
```

where *p* is a block of plaintext, *D* is the decryption function, *c* is a block of ciphertext, *k* is a block-dependent key (or the key and a block-dependent tweak), *E* is the encryption function and ~~(+)~~ is the bitwise-addition (XOR) operator

Back to: Cryptography*