----- "Jonathan Katz" <[EMAIL PROTECTED]> wrote:
> But he probably wants an encryption scheme, not a cipher. Jon, I'm not sure I understand what you mean. If I am reading his message correctly, the original poster seems to be asking for a format-preserving encryption over a domain with 10^40 elements. Format-preserving, it seems to me, implies [a family of keyed] functions that are one-to-one and deterministic. In other words, the best security we can hope for is a PRP on that domain, and this is what B-R gives, starting from a PRP over a "somewhat larger" domain. In this setting, what is the difference between an encryption scheme and a cipher? > Also, correct me if I am wrong, but Black and Rogaway's > approach is not efficient for large domains. But if you use > their approach for small domains then you open yourself up to > dictionary attacks. I think the dependency depends on the amount by which the domain of the constructed PRP is smaller than the domain of the starting PRP. A 133-bit B-R would indeed be inefficient to construct from a 256-bit block cipher like Rijndael, and one would need a different starting point; but these could be constructed using a Feistel of appropriate size. Is the dictionary attack problem any more severe than for any other PRP over a small domain? The best one can hope for is a security guarantee for a number of queries approaching the size of the domain -- or to ensure that in practical deployment access to the encryption and decryption functionality is constrained. Yours -- Hovav. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]