| > >>I think you meant ECB mode?
| >
| > >No, I meant CBC -- there's a birthday paradox attack to watch out for.
| >
| > Yep. In fact, there's a birthday paradox problem for all the standard
| > chaining modes at around 2^{n/2}.
| >
| > For CBC and CFB, this ends up leaking information about the XOR of a couple
| > plaintext blocks at a time; for OFB and counter mode, it ends up making the
| > keystream distinguishable from random. Also, most of the security proofs
| > for block cipher constructions (like the secure CBC-MAC schemes) limit the
| > number of blocks to some constant factor times 2^{n/2}.
|
| I'm surprised that no-one has said that ECB mode is "unsafe at any speed".

Picking nits, but: ECB mode is "unsafe at any speed" to encrypt an arbitrary data stream. If the data stream is known to have certain properties - e.g., because it has undergone some kind of transform before being fed into ECB - then ECB is as good as any other mode.

After all, CBC is just ECB applied to a datastream transformed through a particular unkeyed XOR operation. There's a paper - by Ron Rivest and others? - that examines this whole issue, and carefully separates the roles of the unkeyed and keyed transformations. (I think this may be the paper where all-or-nothing transforms were introduced.)

-- Jerry
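Added example, not part of the original thread: the quoted point about CBC leaking the XOR of plaintext blocks near 2^{n/2} blocks, with CBC written the way the reply describes it, as an ECB lookup applied to an XOR-transformed stream. The 16-bit toy cipher (a shuffled table), the key, the seeds and all function names are assumptions chosen so the bound of about 2^8 blocks is reachable in a quick run.

```python
import random

BLOCK_BITS = 16  # toy block size (assumption): birthday bound is ~2^8 blocks


def make_toy_cipher(key):
    """Toy keyed permutation on 16-bit blocks; stands in for a real block cipher."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table, iv, blocks):
    """CBC as ECB (table lookup) over the stream P_i xor C_{i-1}."""
    out, prev = [], iv
    for p in blocks:
        prev = table[p ^ prev]
        out.append(prev)
    return out


def find_collision_leaks(iv, ct):
    """From IV and ciphertext only, return (i, j, P_i xor P_j) for C_i == C_j.

    E is a permutation, so C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1},
    hence P_i ^ P_j == C_{i-1} ^ C_{j-1}.
    """
    first_seen, leaks = {}, []
    for j, c in enumerate(ct):
        if c in first_seen:
            i = first_seen[c]
            prev_i = ct[i - 1] if i else iv
            leaks.append((i, j, prev_i ^ ct[j - 1]))
        else:
            first_seen[c] = j
    return leaks


def demo(n_blocks=4096, seed=1):
    """Encrypt constructed random plaintext well past 2^(n/2) blocks under one key."""
    rng = random.Random(seed)
    table = make_toy_cipher(key=0xC0FFEE)
    iv = rng.randrange(1 << BLOCK_BITS)
    pt = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(table, iv, pt)
    return pt, find_collision_leaks(iv, ct)


if __name__ == "__main__":
    pt, leaks = demo()
    print(len(leaks), "collisions;", all(pt[i] ^ pt[j] == x for i, j, x in leaks))
```

Each collision yields the XOR of two plaintext blocks without the key, which is why per-key data limits are set well below 2^{n/2} blocks and why a larger block size pushes the bound out.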