[131808] in cryptography@c2.net mail archive
Re: Decimal encryption
daemon@ATHENA.MIT.EDU ("Hal Finney")
Wed Aug 27 18:48:34 2008
To: cryptography@metzdowd.com
Date: Wed, 27 Aug 2008 13:50:01 -0700 (PDT)
From: hal@finney.org ("Hal Finney")
Looking a little more closely, I found this paper by Patarin from
Crypto 2005 which describes security bounds for higher round Feistel
constructions:
http://www.springerlink.com/content/gtcabev3ucv8apdu/
As we know, the Luby-Rackoff 4 round construction gives you basically
2^(n/2) security in the number of messages, where n is half the
width of the output (i.e. n is the size of each half in the Feistel
construction). In our case, n = 66, allowing roughly 2^33 or a few
billion messages.
Patarin's analysis shows that we basically have 2^n security against just
chosen plaintext attacks with 4 rounds; just chosen ciphertext attacks
with 7 rounds; and both forms of attacks together with 10 rounds. That
means we could encrypt a full 2^64 messages with full security if we
use 10 rounds.
It also proves that we have 2^(5n/6) security against CPA in 5 rounds,
and against both CPA and CCA in 6 rounds. So if 2^53 encryptions is
enough, then 6 rounds will suffice.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
