SSH Birthday attacks on 64-bit block ciphers (SWEET32)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 08/24/2016 | 03/31/2020 | 04/01/2020 |
Description
Legacy block ciphers with a 64-bit block size are vulnerable to a practical collision attack when used in CBC mode. The security of a block cipher is often reduced to its key size k: the best attack should be exhaustive key search, with complexity 2^k. However, the block size n is also an important security parameter, because it bounds the amount of data that can be encrypted under the same key. This matters in particular for the common modes of operation: we require block ciphers to be secure for up to 2^n queries, but most modes of operation (e.g. CBC, CTR, GCM, OCB) are unsafe once more than 2^(n/2) blocks of message have been processed under one key (the birthday bound). With a modern block cipher with 128-bit blocks such as AES, the birthday bound corresponds to 256 exabytes. For a block cipher with 64-bit blocks, however, the birthday bound corresponds to only 32 GB, which is easily reached in practice. Once a collision between two ciphertext blocks occurs, it can be used to recover plaintext data.
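The following Python script is an added example, not part of this advisory, showing where the 256 exabyte and 32 GB figures come from and how a defender can apply them: it computes the birthday bound 2^(n/2) blocks for a given block size, estimates the collision probability for a given amount of data under one key using the standard birthday approximation 1 - exp(-q(q-1)/2^(n+1)), derives the data volume at which a chosen collision probability is reached (a usable rekey threshold), and flags the 64-bit-block entries in an SSH `Ciphers` list. The cipher-name-to-block-size table is constructed for this example and is not from the advisory.

```python
import math

# Block sizes in bits for cipher names as they appear in SSH configuration.
# Constructed lookup table for this example; 3des-cbc, blowfish-cbc and
# cast128-cbc are the 64-bit-block legacy ciphers this class of issue concerns.
# None marks constructions without a block-cipher birthday bound.
SSH_CIPHER_BLOCK_BITS = {
    "3des-cbc": 64,
    "blowfish-cbc": 64,
    "cast128-cbc": 64,
    "aes128-cbc": 128,
    "aes256-cbc": 128,
    "aes128-ctr": 128,
    "aes256-ctr": 128,
    "aes128-gcm@openssh.com": 128,
    "aes256-gcm@openssh.com": 128,
    "chacha20-poly1305@openssh.com": None,
}


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes encrypted under one key when 2^(n/2) blocks have been processed.

    128-bit blocks -> 2^64 blocks * 16 bytes = 2^68 bytes = 256 EiB
     64-bit blocks -> 2^32 blocks *  8 bytes = 2^35 bytes =  32 GiB
    """
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def collision_probability(block_bits: int, num_blocks: int) -> float:
    """Approximate probability that at least two of num_blocks n-bit
    ciphertext blocks collide: 1 - exp(-q(q-1) / 2^(n+1))."""
    q = num_blocks
    return 1.0 - math.exp(-q * (q - 1) / 2 ** (block_bits + 1))


def bytes_for_collision_probability(block_bits: int, p: float) -> int:
    """Data volume (bytes) under one key at which the collision probability
    reaches p. Solves 1 - exp(-q^2 / 2^(n+1)) = p for q and converts to bytes.
    Useful as a rekey threshold: rekey well before this many bytes."""
    q = math.sqrt(-math.log(1.0 - p) * 2 ** (block_bits + 1))
    return int(q) * (block_bits // 8)


def flag_weak_ssh_ciphers(ciphers) -> list:
    """Return the 64-bit-block ciphers from an SSH cipher list.

    Accepts either a list of names or a comma-separated string as found on
    a 'Ciphers' line in sshd_config / ssh_config."""
    if isinstance(ciphers, str):
        ciphers = [c.strip() for c in ciphers.split(",") if c.strip()]
    return [c for c in ciphers if SSH_CIPHER_BLOCK_BITS.get(c) == 64]


def human_size(num_bytes: int) -> str:
    """Format a byte count using binary units (GiB, EiB, ...)."""
    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"]
    value = float(num_bytes)
    for unit in units:
        if value < 1024 or unit == units[-1]:
            return f"{value:.1f} {unit}"
        value /= 1024
    return f"{value:.1f} {units[-1]}"


if __name__ == "__main__":
    for n in (64, 128):
        print(f"{n}-bit blocks: birthday bound at {human_size(birthday_bound_bytes(n))}")
    # Probability of a collision after exactly 2^32 blocks (32 GiB) with 64-bit blocks
    print(f"P(collision) at 32 GiB, 64-bit blocks: {collision_probability(64, 2 ** 32):.3f}")
    print(f"64-bit blocks reach p=0.5 at {human_size(bytes_for_collision_probability(64, 0.5))}")
    # Constructed sshd_config Ciphers line for the example
    config_line = "aes128-ctr,aes256-gcm@openssh.com,3des-cbc,blowfish-cbc"
    print("64-bit-block ciphers to remove:", flag_weak_ssh_ciphers(config_line))
```

Note that the probability at the birthday bound itself is already about 0.39 for 64-bit blocks, which is why the bound is a warning line rather than a safe limit; practical guidance is to drop the 64-bit-block ciphers from the `Ciphers` list and, where such a cipher cannot be removed yet, to rekey at a data volume far below the value returned by `bytes_for_collision_probability`.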
Solution
