analysis and implementation of LRW

Victor Duchovni Victor.Duchovni at
Thu Jan 25 15:17:22 EST 2007

On Wed, Jan 24, 2007 at 03:28:50PM -0800, Allen wrote:

> David Wagner wrote:
> [snip]
> >Another possible interpretation of (2) is that if you use LRW to encrypt
> >close to 2^64 blocks of plaintext, and if you are using a 128-bit block
> >cipher, then you have a significant chance of a birthday collision,
> Am I doing the math correctly that 2^64 blocks of 128 bits is 
> 2^32 bytes or about 4 gigs of data? Or am I looking at this the 
> wrong way?

This is quite wrong. 2^64 * 2^4 = 2^68 not 2^32, I don't know where you
lost the factor 2^36, but it sure makes a big difference.


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list