tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cgd(4) ciphers



On Mon, Sep 30, 2013 at 07:22:21AM +0000, Taylor R Campbell wrote:
>

> (c) has 256-bit blocks, so we don't need to worry about birthday
> bounds for 128-bit block ciphers on multi-terabyte disks; and

IIRC, the probability of collisions with k values of N is approximated
by k^2/2N.  So, for, say a one terabyte disk and a 128 bit block size
we would get:

        k = 2^40 (bytes) / 16 == 2^36 (ciphertext blocks)
        N = 2^128

        k^2 = 2^72
        2N  = 2^129

        k^2/2N = 2^-57

Those are not bad odds.  For a petabyte disk, however, it could start
to be a concern:

        (2^46)^2/2^129 == 2^-37

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


Home | Main Index | Thread Index | Old Index