Re: [P1619-2] another P1619.2 question: the EME2 mix function
> 1. There should be some information in the text of the standard about
> the security vs. the amount of data encrypted.
If memory serves, we included some text like that in the 1619.0
standard. I'm not sure about the need to include it in every standard.
For example do all the NIST mode-of-operation documents include such
> 2. In the Bibliography section there is no reference to EME2, so the
> user cannot find security proofs, further information. The similarities
> and differences from the referenced EME* need to be noted.
There is no difference. I think that at some point Matt said that IEEE
rules do not allow a "*" in the name of a mode, which is why we changed
the name to EME2.
> 3. If all wide encryption modes, which are constructed from 128-bit
> block ciphers, have similar inherent limits, it has to be told;
Not all modes are subject to such birthday-type attacks, only the fast
ones. For example, you can use a 7-round Fiestel to convert a 128-bit
cipher to a 256-bit cipher (without really losing anything in terms of
security). Then you can use the resulting 256-bit cipher in something
like EME. The result will be maybe four times more expensive than doing
EME with a 128-bit cipher, but will not be subject to 2^64 attacks.
Personally speaking, I was never convinced by the arguments claiming
that these birthday-type attacks have real-world significance. Maybe
when the storage density increases by another factor of a million or