> > However, I believe it is not statistically
> > possible for an attacker to identify such a collision,
>
> Of course there is. A collision is just as fatal, no matter what you
> use to process the I component.
Sorry, I forgot to say how you identify collisions: If you encrypt (X,I) to get Z and encrypt (X',I') to get Z', then the condition X xor X' = Z xor Z' identifies a collision (with good probability).

For those who like math equations, assuming that all the ciphers there are replaced with truly random functions, you have for every specific pair (X,I) != (X',I')

  Pr[collision] = 1/2^128
  Pr[X xor X' = Z xor Z' | collision] = 1
  Pr[X xor X' = Z xor Z' | no collision] = 1/2^128

This means that Pr[X xor X' = Z xor Z'] ~ 2/2^128, and therefore

  Pr[collision | X xor X' = Z xor Z']
    = Pr[collision and X xor X' = Z xor Z'] / Pr[X xor X' = Z xor Z']
    ~ (1/2^128) / (2/2^128) = 1/2

(compared to the a priori probability of collision which is 1/2^128).
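As an added illustration that is not part of the thread, the calculation above checked numerically in a toy stand-in model: the I component is reduced by a random function h, the cipher is modelled as a second random function F (as the post assumes), and Z = X xor F(h(I)), with 16-bit values instead of 128 so that collisions actually occur. The model, its parameters and all names are assumptions for the illustration, not the scheme under discussion.

```python
import random
from collections import Counter

# Stand-in model (assumed, not the mode discussed in the thread):
#   mask(I) = F(h(I)),   Z = X xor mask(I)
# with h and F truly random functions on n-bit strings. Because
# Z xor Z' = X xor X' xor mask(I) xor mask(I'), the post's test
# X xor X' = Z xor Z' holds exactly when mask(I) == mask(I');
# the X terms cancel, so only the I values matter below.

N_BITS = 16                  # toy width in place of 128 so collisions show up
SPACE = 1 << N_BITS


def random_function(rng):
    """A truly random function on n-bit strings, stored as a lookup table."""
    return [rng.randrange(SPACE) for _ in range(SPACE)]


def encrypt(x, i, h, F):
    """Z = X xor F(h(I)) in the stand-in model."""
    return x ^ F[h[i]]


def pairs_with_equal_value(values):
    """Number of unordered pairs (i, j), i != j, with values[i] == values[j]."""
    return sum(c * (c - 1) // 2 for c in Counter(values).values())


def collision_statistics(seed=1):
    """Exact frequencies over all pairs I != I' for one draw of h and F."""
    rng = random.Random(seed)
    h = random_function(rng)                   # processing of the I component
    F = random_function(rng)                   # cipher modelled as random function
    mask = [encrypt(0, i, h, F) for i in range(SPACE)]   # Z xor X for each I

    total_pairs = SPACE * (SPACE - 1) // 2
    collisions = pairs_with_equal_value(h)     # h(I) == h(I'): the real collision
    test_hits = pairs_with_equal_value(mask)   # X^X' == Z^Z' observed
    # every collision forces equal masks, so collisions is a subset of test_hits
    return {
        "p_collision": collisions / total_pairs,                      # ~ 1/2^n
        "p_test": test_hits / total_pairs,                            # ~ 2/2^n
        "p_test_given_no_collision":
            (test_hits - collisions) / (total_pairs - collisions),    # ~ 1/2^n
        "p_collision_given_test": collisions / test_hits,             # ~ 1/2
    }
```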