The second advantage of CFB relates to block padding. It is easy and
natural in CFB to handle messages which are not a multiple of the cipher
block length (8 bytes for the early ciphers). You simply truncate the
ciphertext so it is the same length as the plaintext, and apply the same
rule in reverse for decryption.
I know that CFB can encode one byte (or even one bit) at a time, rather
than waiting for the whole block or requiring a multiple of the blocksize.
But in PGP the step is performed on a size that's equal to the block size.
Are you saying that for the last block, you can change that to a size equal
to how much you have left? I don't think that was clear in the OpenPGP
spec section 12. It says it loads BlockSize at a time until the plaintext
is used up, implying that the "given plaintext" is a multiple of the
I see that it will work, though: step 12 consumes the remainder of the
plaintext if there are ferwer than BS octets remaining, and it never has to
encode again so the truncation doesn't matter when decoding.
An issue with the document (I'm reading bis-07): step 12 includes "the
process is repeated...". It doesn't say "this process" means steps 10
through 12 (only 10 must contain n*BS+3 etc instead of BS+3, etc.). And is
that really part of step 12?