John Kelsey wrote:

From: "Steven M. Bellovin" <[EMAIL PROTECTED]>

`No, I meant CBC -- there's a birthday paradox attack to watch out for.`

Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.

`For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.`

It seems that the block size of an algorithm then
is a severe limiting factor. Is there anyway to
expand the effective block size of an (old 8byte)
algorithm, in a manner akin to the TDES trick,
and get an updated 16byte composite that neuters
the birthday trick?

Hypothetically, by say having 2 keys and running
2 machines in parallel to generate a 2x blocksize.

(I'm just thinking of this as a sort of mental challenge,
although over on the OpenPGP group we were toying
with the idea of adding GOST, but faced the difficulty
of its apparent age/weakness.)

iang

--
News and views on what matters in finance+crypto:
http://financialcryptography.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]