The Wikipedia page on the IEEE SISWG debate about LRW says:

"[A] general security requirement for any block cipher, regardless of
mode of operation, is that no block cipher should be used to encrypt
any more data, without changing the key, when the probability of a
collision becomes not negligible (see also birthday paradox)."

They must mean output collisions, rather than multiple preimages,
but I think some modes will have collisions at a rate which depends
on the plaintext (LRW being the obvious example)... but I've never
heard of this security requirement before.  Excepting the Handbook
of Applied Cryptography, which I need to read, does anyone have
another reference for this requirement, or others like it?

I suppose that NIST might have published something like that
in the various publications about block cipher modes, but don't
know where to look exactly...
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
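As an added worked example (not part of the original post), here is the birthday-bound arithmetic behind the quoted requirement, plus a small CBC simulation showing why a ciphertext-block collision matters: equal ciphertext blocks in CBC mean equal cipher inputs, which relates two plaintext blocks. The "cipher" is an assumed toy 16-bit random permutation so the collision appears quickly; the formulas take the real block size n.

```python
import math
import random

BLOCK_BITS = 16  # toy block size (constructed), so a collision shows up in milliseconds


def birthday_collision_probability(q: int, n: int) -> float:
    """Approximate probability that q random n-bit blocks contain a repeat."""
    return 1.0 - math.exp(-q * (q - 1) / 2.0 ** (n + 1))


def max_blocks_for(n: int, p_max: float) -> int:
    """Largest block count q under one key that keeps the collision probability <= p_max."""
    return int(math.sqrt(-2.0 ** (n + 1) * math.log(1.0 - p_max)))


def toy_block_cipher(seed: int):
    """Random 16-bit permutation standing in for a keyed block cipher (toy, not a real cipher)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def cbc_encrypt(enc, iv: int, blocks):
    """Plain CBC: C_k = E(P_k XOR C_{k-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out


def first_cbc_collision(seed: int, max_blocks: int):
    """Encrypt random blocks under one key until two ciphertext blocks repeat.
    Returns (i, j, leak_holds) for the first repeat, or None if none occurs."""
    rng = random.Random(seed)
    enc = toy_block_cipher(seed)
    iv = rng.getrandbits(BLOCK_BITS)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(max_blocks)]
    cipher = cbc_encrypt(enc, iv, plain)
    chain = [iv] + cipher  # chain[k] is the value XORed into plaintext block k
    seen = {}
    for j, c in enumerate(cipher):
        if c in seen:
            i = seen[c]
            # E is a permutation, so C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1},
            # i.e. the XOR of two plaintext blocks is determined by public ciphertext.
            leak_holds = (plain[i] ^ plain[j]) == (chain[i] ^ chain[j])
            return i, j, leak_holds
        seen[c] = j
    return None


if __name__ == "__main__":
    print("64-bit cipher, p<=2^-32:", max_blocks_for(64, 2 ** -32), "blocks per key")
    print("toy 16-bit CBC, first repeat:", first_cbc_collision(1, 4096))
```

The expected number of blocks before the first repeat is about sqrt(pi/2 * 2^n), roughly 320 for the 16-bit toy and 2^32 blocks (32 GiB) for a 64-bit block cipher, which is why the quoted requirement bites long before the key space is exhausted.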
