John Kelsey wrote:

From: "Steven M. Bellovin" <[EMAIL PROTECTED]>

No, I meant CBC -- there's a birthday paradox attack to watch out for.

Yep. In fact, there's a birthday paradox problem for all the standard chaining modes at around 2^{n/2}.

For CBC and CFB, this ends up leaking information about the XOR of a couple plaintext blocks at a time; for OFB and counter mode, it ends up making the keystream distinguishable from random. Also, most of the security proofs for block cipher constructions (like the secure CBC-MAC schemes) limit the number of blocks to some constant factor times 2^{n/2}.

It seems that the block size of an algorithm then is a severe limiting factor. Is there anyway to expand the effective block size of an (old 8byte) algorithm, in a manner akin to the TDES trick, and get an updated 16byte composite that neuters the birthday trick?

Hypothetically, by say having 2 keys and running
2 machines in parallel to generate a 2x blocksize.

(I'm just thinking of this as a sort of mental challenge,
although over on the OpenPGP group we were toying
with the idea of adding GOST, but faced the difficulty
of its apparent age/weakness.)


News and views on what matters in finance+crypto:

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to