On Wed, 27 Aug 2008, Hovav Shacham wrote:

----- "Jonathan Katz" <[EMAIL PROTECTED]> wrote:

But he probably wants an encryption scheme, not a cipher.

Jon, I'm not sure I understand what you mean.
If I am reading his message correctly, the original poster seems
to be asking for a format-preserving encryption over a domain
with 10^40 elements. Format-preserving, it seems to me, implies
[a family of keyed] functions that are one-to-one and
deterministic. In other words, the best security we can hope for
is a PRP on that domain, and this is what B-R gives, starting
from a PRP over a "somewhat larger" domain.
In this setting, what is the difference between an encryption
scheme and a cipher?

Yes, I can see this might cause confusion.
Just to clarify: I had emailed the original poster off-line and he
told me that he was willing to use other information already being
sent in the clear as a non-repeating IV. Given this, secure (and, in
particular, non-deterministic) encryption is possible.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]