Re: cgd(4) ciphers

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: cgd(4) ciphers
From: "Roland C. Dowdeswell" <elric%imrryr.org@localhost>
Date: Wed, 2 Oct 2013 18:28:46 +0100

On Mon, Sep 30, 2013 at 07:22:21AM +0000, Taylor R Campbell wrote:
>

> (c) has 256-bit blocks, so we don't need to worry about birthday
> bounds for 128-bit block ciphers on multi-terabyte disks; and

IIRC, the probability of collisions with k values of N is approximated
by k^2/2N.  So, for, say a one terabyte disk and a 128 bit block size
we would get:

        k = 2^40 (bytes) / 16 == 2^36 (ciphertext blocks)
        N = 2^128

        k^2 = 2^72
        2N  = 2^129

        k^2/2N = 2^-57

Those are not bad odds.  For a petabyte disk, however, it could start
to be a concern:

        (2^46)^2/2^129 == 2^-37

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

References:
- cgd(4) ciphers
  - From: Taylor R Campbell

Prev by Date: Re: cgd(4) ciphers
Next by Date: Re: cgd(4) ciphers
Previous by Thread: root-on-cgd (was: cgd(4) ciphers)
Indexes:

Home | Main Index | Thread Index | Old Index