block cipher modes and collisions

Travis H. travis+ml-cryptography at subspacefield.org
Wed Jan 24 19:54:13 EST 2007


The Wikipedia page on the IEEE SISWG debate about LRW says:

"[A] general security requirement for any block cipher, regardless of
mode of operation, is that no block cipher should be used to encrypt
any more data, without changing the key, when the probability of a
collision becomes not negligible (see also birthday paradox)."

They must mean output collisions, rather than multiple preimages,
but I think some modes will have collisions at a rate which depends
on the plaintext (LRW being the obvious example)... but I've never
heard of this security requirement before.  Excepting the Handbook
of Applied Cryptography, which I need to read, does anyone have
another reference for this requirement, or others like it?

I suppose that NIST might have published something like that
in the various publications about block cipher modes, but don't
know where to look exactly...
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
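As an added worked example (not part of Travis's post, and not from Wikipedia or NIST): the output collisions the quoted requirement refers to are harmful in CBC because two equal ciphertext blocks C_i == C_j imply P_i xor P_j == C_{i-1} xor C_{j-1}, so the plaintext XOR leaks. The block cipher below is a constructed 16-bit toy Feistel permutation (so a collision shows up after a few thousand blocks rather than after 2^32 or 2^64 of them); `birthday_blocks` gives the usual birthday-bound estimate for real block sizes.

```python
import hashlib
import math
import random

BLOCK_BITS = 16  # constructed toy block size; real ciphers use 64 or 128 bits


def toy_block_encrypt(key: bytes, block: int) -> int:
    """Keyed 16-bit permutation: 4-round Feistel with a SHA-256 round function.
    A stand-in for a block cipher, not a real one; it is only used so that
    output collisions can be observed quickly."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, r])).digest()[0]
        l, r = r, l ^ f
    return (l << 8) | r


def cbc_encrypt(key: bytes, iv: int, blocks: list[int]) -> list[int]:
    """Textbook CBC over the toy cipher: C_i = E(P_i xor C_{i-1}), C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        c = toy_block_encrypt(key, p ^ prev)
        out.append(c)
        prev = c
    return out


def find_collision_leak(iv: int, ct: list[int]):
    """First pair (i, j) with C_i == C_j, plus the value C_{i-1} xor C_{j-1}.
    Because E is a permutation, equal outputs mean equal inputs, so that value
    equals P_i xor P_j: the plaintext XOR is recovered from ciphertext alone."""
    chain = [iv] + ct          # chain[k] is the block XORed into plaintext k
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None


def birthday_blocks(block_bits: int, prob: float) -> float:
    """Blocks after which P(some ciphertext collision) reaches prob, from
    p ~ 1 - exp(-k^2 / (2 * 2^b)), i.e. k ~ sqrt(2 * 2^b * ln(1/(1-p)))."""
    return math.sqrt(2 * (2 ** block_bits) * math.log(1 / (1 - prob)))


def demo(n_blocks: int = 2000, seed: int = 1):
    """Encrypt constructed random plaintext and report the first leaking collision."""
    rng = random.Random(seed)                      # constructed, deterministic input
    key = b"constructed-demo-key"
    iv = rng.getrandbits(BLOCK_BITS)
    pt = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    return pt, find_collision_leak(iv, cbc_encrypt(key, iv, pt))
```

With 16-bit blocks a collision is essentially certain after 2000 blocks; the same formula says a 64-bit block cipher reaches a 50% collision chance after roughly 5e9 blocks (about 40 GB) under one key, whereas a 128-bit block cipher needs roughly 2e19 blocks.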