However, the birthday paradox indicates that after accumulating several blocks equal to the square root of the total number possible, there will be an approximately 50% chance of two or more being the same, which would start to leak information about the message contents.
Thus even when used with a proper encryption mode (e.g. CBC or OFB), only 232 × 8 B = 32 GB of data can be safely sent under one key.
[citation needed] In practice a greater margin of security is desired, restricting a single key to the encryption of much less data — say a few hundred megabytes.
At one point that seemed like a fair amount of data, but today it is easily exceeded.
Consequently, AES candidates were required to support a block length of 128 bits (16 bytes).