--- [EMAIL PROTECTED] wrote:

> The birthday paradox says, that choosing k entries
> (with repetitions) from n different ones gives a
> collision with the approximate probability
> 3 k^2 / (2n).

Actually, the birthday paradox says that it is likely that you will find a collision after 2**(n/2) queries to an n-bit oracle. Hence, the attacker's advantage is q**2/2**n, which must be < 1. This is the upper bound.

For LRW, this bound is three times lower. Therefore, we take (q**2)/3, which gives us (2**64**2)/3 = ~2**62.2**2

The _upper_ bound for LRW is therefore ~2**62.2 queries (blocks). The _lower_ bound cannot be determined. Therefore, ~2**39 appears to be based on hand waving.

If you disagree, then where did 10^-9 come from? How do you explain this value? What is it based on? Why not 10^-10? How is it substantiated?

If AES-LRW was specified to be usable only for not more "than a few dozen terabytes of data", then it would soon be useless.

Regards,
Ian Malik
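The reply above argues from the shape of the bound (q**2 over 2**n, scaled by some constant) to a usable query budget. As an added example, not code from the thread or from any LRW specification, the script below evaluates that bound numerically for n = 128 and 16-byte AES blocks. It assumes the advantage is modelled as c * q**2 / 2**n and tries three values of the constant c: 1 (plain birthday bound), 3 (the constant as the quoted message states it) and 1/3 (as the reply reads it). It then inverts the bound to find how many blocks can be processed before the bound reaches a chosen advantage such as 10^-9 or 10^-10, and converts that to a data volume; the 2^39-block figure from the thread is checked the same way.

```python
# Added example (not part of the original thread or any LRW specification):
# evaluate a birthday-style advantage bound for a tweakable block-cipher mode.
#
# Assumption: advantage <= c * q**2 / 2**n for q queried n-bit blocks.
#   c = 1    generic birthday bound (q**2 / 2**n, as in the reply)
#   c = 3    constant as stated in the quoted message
#   c = 1/3  constant as the reply interprets it ("three times lower")
import math


def advantage(q: int, n: int = 128, c: float = 1.0) -> float:
    """Upper bound on distinguishing advantage after q queries of n-bit blocks."""
    return c * (q ** 2) / (2 ** n)


def max_queries(eps: float, n: int = 128, c: float = 1.0) -> int:
    """Largest q such that c * q**2 / 2**n <= eps (inverts advantage())."""
    return int(math.sqrt(eps * (2 ** n) / c))


def bytes_for_blocks(q: int, block_bytes: int = 16) -> int:
    """Data volume for q blocks; 16-byte blocks for AES."""
    return q * block_bytes


def summarise(eps: float, n: int = 128, block_bytes: int = 16) -> dict:
    """Query budget before the bound exceeds eps, for each candidate constant c."""
    out = {}
    for c in (1.0, 3.0, 1.0 / 3.0):
        q = max_queries(eps, n, c)
        out[c] = {
            "queries": q,
            "log2_queries": math.log2(q),
            "tebibytes": bytes_for_blocks(q, block_bytes) / 2 ** 40,
        }
    return out


if __name__ == "__main__":
    # Thresholds from the discussion: advantage 1 (the "must be < 1" bound),
    # 10^-9 and 10^-10.
    for eps in (1.0, 1e-9, 1e-10):
        print(f"eps = {eps:g}")
        for c, row in summarise(eps).items():
            print(f"  c={c:.3g}: q ~ 2^{row['log2_queries']:.1f} blocks, "
                  f"~{row['tebibytes']:.3g} TiB")
    # The 2^39-block figure questioned in the reply, under each constant.
    for c in (1.0, 3.0, 1.0 / 3.0):
        print(f"c={c:.3g}: advantage at 2^39 blocks = {advantage(2 ** 39, 128, c):.3g}")
    print(f"2^39 blocks of 16 bytes = {bytes_for_blocks(2 ** 39) / 2 ** 40:.0f} TiB")
```

Running it shows how sensitive the budget is to the constant: with c = 1 the bound reaches 1 at exactly 2^64 blocks, and a threshold of 10^-9 sits near 2^49 blocks (hundreds of TiB), so any smaller operational limit such as 2^39 blocks (8 TiB) is a policy choice about acceptable advantage, not something the q**2 / 2**n formula alone produces.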