6

In my cryptography class, the instructor suggested that in order to give the attacker a minimal advantage of $1/2^{32}$, we have to change the key after $2^{48}$ blocks are encrypted.

It seems that the advantage of $1/2 ^{32}$ is somewhat arbitrarily chosen, and I'm not sure where that comes from. Can anyone explain the reasoning of why this is chosen and when it should be higher or lower than $1/2^{32}$?

My class notes:

CBC: CPA Analysis

$q = $ # of messages encrypted with key $k$
AES uses 128 bit blocks
$L$ = length of the max message

For every adversary $A$ that attacks cbc encryption, there is a PRP adversary $B$ with

$$ Adv[A,E_{cbc}] \leq 2 · Adv[B, E_{prp}] + \overbrace{2 · q^2· L^2 / |X|}^{\text{error term}}$$

So CBC is only secure as long as $q^2·L^2 \ll |X|$.

Example

The error term = $q ^ 2 · L^2 / |X| < 1/2 ^{32}$

AES: $|X| = 2^{128}$ (bits per block). So after $2^{48}$ AES blocks the key needs to be changed.

DES: $|X| = 2^{64} \Rightarrow q·L < 2^{16}$

Also, the instructor said that DES needed a new key after $2^{16}$ blocks, and he said that means every .5 MB of data requires a change. This is the formula he wrote down. Is this correct? $2^{16} · 8 = 1/2$ MB.

makerofthings7

1 Answer

6

The $1/2^{32}$ is an arbitrary figure, based upon one particular value for what counts as an acceptable risk.

You need to decide what is an acceptable risk. If you think that a $1/2^{32}$ probability of failure is an acceptable risk, then this calculation is relevant to you. If you think it isn't, then decide what you think is an acceptable risk and re-do the calculation based upon the number you think fits your particular situation.

Keep in mind a $1/2^{32}$ probability of failure is pretty darn small -- in many settings, it may be acceptable. It's far more likely that the next time you get into a car, you'll end up in a car accident: the probability of that is probably much higher than $1/2^{32}$. Also keep in mind that life is about risk: you can never completely eliminate all risk from your life. So, decide what is an acceptable risk, then based upon that you can decide how much data you can encrypt under a single key, using a calculation similar to the one shown here.

D.W.
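Re-doing the calculation for other acceptable-risk levels, as an added example that is not part of the question or the answer: it solves the error term $q^2 L^2 / |X|$ from the notes for the largest block count $q \cdot L$ per key. The function names are hypothetical; `constant=1` is the simplified error term used in the notes' example, and `constant=2` keeps the factor 2 from the full bound.

```python
from math import isqrt, log2

def max_blocks(block_bits, risk_bits, constant=1):
    """Largest n = q*L with constant * n^2 / 2^block_bits < 2^-risk_bits.

    constant=1 is the simplified error term from the notes; constant=2 keeps
    the factor 2 of the full bound. Exact integer arithmetic, no float rounding.
    """
    if not 0 < risk_bits < block_bits:
        raise ValueError("need 0 < risk_bits < block_bits")
    limit = 1 << (block_bits - risk_bits)   # constant * n^2 must stay below this
    return isqrt((limit - 1) // constant)

def error_log2(blocks, block_bits, constant=1):
    """log2 of the error term after `blocks` blocks under one key."""
    return log2(constant) + 2 * log2(blocks) - block_bits

def human(nbytes):
    """Render a byte count with binary units."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB", "PiB"):
        if nbytes < 1024:
            return f"{nbytes:.1f} {unit}"
        nbytes /= 1024
    return f"{nbytes:.1f} EiB"

if __name__ == "__main__":
    # Risk levels below are sample choices, not recommendations.
    for name, bits in (("DES", 64), ("AES", 128)):
        for risk in (20, 32, 48):
            n = max_blocks(bits, risk)
            print(f"{name} risk 2^-{risk}: < 2^{log2(n + 1):.1f} blocks, "
                  f"about {human(n * bits // 8)} per key")
```

With `constant=1`, the DES row at risk $2^{-32}$ comes out just under $2^{16}$ blocks of 8 bytes, i.e. 512 KiB per key.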