Decimal encryption
Hal Finney
hal at finney.org
Wed Aug 27 16:50:01 EDT 2008
Looking a little more closely, I found this paper by Patarin from
Crypto 2005 which describes security bounds for higher round Feistel
constructions:
http://www.springerlink.com/content/gtcabev3ucv8apdu/
As we know, the Luby-Rackoff 4 round construction gives you basically
2^(n/2) security in the number of messages, where n is half the
width of the output (i.e. n is the size of each half in the Feistel
construction). In our case, n = 66, allowing roughly 2^33 or a few
billion messages.
Patarin's analysis shows that we basically have 2^n security against just
chosen plaintext attacks with 4 rounds; just chosen ciphertext attacks
with 7 rounds; and both forms of attacks together with 10 rounds. That
means we could encrypt a full 2^64 messages with full security if we
use 10 rounds.
It also proves that we have 2^(5n/6) security against CPA in 5 rounds,
and against both CPA and CCA in 6 rounds. So if 2^53 encryptions is
enough, then 6 rounds will suffice.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list