| > > No, I meant CBC -- there's a birthday paradox attack to watch out for.
| > >
|
| > Yep. In fact, there's a birthday paradox problem for all the standard
| > chaining modes at around 2^{n/2}.
| > For CBC and CFB, this ends up leaking information about the XOR of a couple
| > plaintext blocks at a time; for OFB and counter mode, it ends up making the
| > keystream distinguishable from random. Also, most of the security proofs
| > for block cipher constructions (like the secure CBC-MAC schemes) limit the
| > number of blocks to some constant factor times 2^{n/2}.
| >
|
| It seems that the block size of an algorithm then
| is a severe limiting factor. Is there any way to
| expand the effective block size of an (old 8-byte)
| algorithm, in a manner akin to the TDES trick,
| and get an updated 16-byte composite that neuters
| the birthday trick?

Many people have tried to do this. I know of no successes that are really practical. (I've played around with many "obviously good" ideas myself, and have always managed to break them with a little more thought. Everything that gives you the desired security ends up costing much more than twice the cost of the underlying block algorithm for a double-size block.)

The block size appears to be a fairly basic and robust property of block ciphers. There's probably a theorem in there somewhere - probably one of those that isn't hard to prove once you figure out exactly what it ought to say!

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
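The two birthday effects described in the quoted reply (CBC leaking the XOR of two plaintext blocks when two ciphertext blocks collide, and a counter-mode keystream being distinguishable from random because it never repeats), as an added example that is not part of this thread. It assumes a toy 24-bit Feistel cipher built on keyed BLAKE2b, a constructed demo key and seeded random plaintext; the small block is only so that 2^{n/2} = 4096 and the collisions show up after tens of thousands of blocks rather than the 2^32 a 64-bit block (DES, 3DES) would need.

```python
"""Birthday-bound effects in CBC and CTR, on a toy 24-bit block cipher.

Added example, not code from the mailing list thread. A 24-bit block makes
2^{n/2} = 4096, so a few tens of thousands of blocks are enough to see the
effect that a 64-bit block (DES, 3DES) would show at around 2^32 blocks.

Toy cipher: an 8-round balanced Feistel network whose round function is
keyed BLAKE2b. It is not a real cipher; it is used only because a Feistel
network is a keyed permutation, which is the one property the argument needs.
"""
import hashlib
import random

BLOCK_BITS = 24                    # toy block size; DES/3DES would be 64
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 8


def _f(key, rnd, half):
    """Feistel round function: keyed BLAKE2b of (round, half), truncated to a half block."""
    d = hashlib.blake2b(bytes([rnd]) + half.to_bytes(2, "big"), key=key, digest_size=4).digest()
    return int.from_bytes(d, "big") & HALF_MASK


def encrypt_block(key, block):
    """Toy keyed permutation on BLOCK_BITS-bit integers."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << HALF_BITS) | right


def cbc_encrypt(key, iv, blocks):
    """Plain CBC: C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(key, p ^ prev)
        out.append(prev)
    return out


def cbc_birthday_leak(key, iv, blocks):
    """Attacker's view of a CBC ciphertext: find colliding ciphertext blocks.

    If C_i == C_j then, because E is a bijection, P_i xor C_{i-1} == P_j xor C_{j-1},
    so P_i xor P_j == C_{i-1} xor C_{j-1}, which is computable from the ciphertext
    alone. Returns (j, i, xor_recovered_from_ciphertext, true_xor_of_plaintexts);
    the last field is included only so the leak can be checked.
    """
    ct = cbc_encrypt(key, iv, blocks)
    chain = [iv] + ct                # chain[i] is the block XORed into P_i
    first_seen, leaks = {}, []
    for i, c in enumerate(ct):
        if c in first_seen:
            j = first_seen[c]
            leaks.append((j, i, chain[i] ^ chain[j], blocks[i] ^ blocks[j]))
        else:
            first_seen[c] = i
    return leaks


def ctr_keystream_collisions(key, nonce, nblocks):
    """CTR keystream blocks E(nonce || counter) under one key never repeat,
    because the inputs are distinct and E is a permutation. A truly random
    keystream of the same length would repeat about nblocks^2 / 2^(n+1) times,
    which is what makes the keystream distinguishable from random.
    Returns (observed_repeats, expected_repeats_if_random)."""
    assert nblocks <= 1 << 16, "16-bit counter in this toy layout"
    ks = [encrypt_block(key, ((nonce & 0xFF) << 16) | ctr) for ctr in range(nblocks)]
    observed = nblocks - len(set(ks))
    expected_random = nblocks * (nblocks - 1) / 2 / (1 << BLOCK_BITS)
    return observed, expected_random


KEY = b"toy key for the birthday demo"   # constructed demo key, not secret material


def demo(nblocks=32768, seed=1):
    """Constructed input: seeded random plaintext, so the run is reproducible."""
    rng = random.Random(seed)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)]
    iv = rng.getrandbits(BLOCK_BITS)
    leaks = cbc_birthday_leak(KEY, iv, plaintext)
    ctr = ctr_keystream_collisions(KEY, nonce=0x5A, nblocks=nblocks // 2)
    return leaks, ctr


if __name__ == "__main__":
    leaks, (observed, expected) = demo()
    print(f"CBC: {len(leaks)} colliding block pairs in 32768 blocks; "
          f"all leaked XORs correct: {all(r == t for _, _, r, t in leaks)}")
    print(f"CTR: {observed} repeated keystream blocks, random would give about {expected:.1f}")
```

With 32768 CBC blocks the expected number of colliding pairs is about 32768^2 / 2^25 = 32, and every one of them hands the attacker P_i xor P_j; with 16384 counter-mode blocks a random keystream would repeat about 8 times, while the cipher-generated one repeats 0 times. Scaling n to 64 changes only the numbers, which is the point of the "constant times 2^{n/2}" limit in the proofs: the modes do not fail abruptly at the bound, they start leaking there.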