> Although I have no problems with having this discussion 
> on the mailing list, I will object to having it in the 
> standard itself. Standards are not an appropriate medium for 
> this type of discussion. Counting "how many bits are leaked 
> after 2^64 blocks" may be an amusing pastime, but in my 
> view it is utterly irrelevant for anyone wanting to actually 
> use the standard.

I disagree.  The draft standard spends time talking about how LWR is
better than some other methods.  It is only reasonable for it to also
spell out any limitations that it has as well.

The standard should have a limitations section.  For example, it may be
appropriate in the limitations section to suggest that a single key
should not be used to encrypt more than 2^64 blocks if in fact leaking
occurs after 2^64 blocks.

> (I will spare you the back-of-an-envelope 
> calculation of how long it takes to send 2^64 blocks over 
> a 100 Gbit/sec link.)

I think this argument is not very relevant.  There was a time when 2^32
blocks was considered huge and 2^48 blocks was an impossibly large size.

chongo () /\oo/\
