I wrote:
The disadvantage
is that the block size is then only 64 bits, so if you encrypt a
substantial fraction of 2^64 blocks (2^67 bytes) using a given key,
there is a chance that duplicate blocks will occur by accident, which
will reveal some plaintext.
This is incorrect; having duplicate blocks occur is a "birthday paradox"
problem and you need only about 2^32 blocks before you have a substantial
chance of getting a duplicate. This is 32 GBytes of data, which might be
approached in some applications, especially in the future.
Hal