NSA's new mode of operation broken in less than 24 hours

David G. Koontz koontz at ariolimax.com
Sun Aug 5 02:10:18 EDT 2001

Had me going for a minute.  I had to check 
http://condor.securephone.net/documents/fnbdt_brief.pdf as
well as the dual counter mode description.

I thought dual counter might refer to the two half blocks
found in the FNBDT Counter Mode  (which is instead the counter 
mode described by Lipmaa/Rogaway/Wagner).

Are there any references/urls/notes describing an analysis
of dual counter mode?  I searched web sites and NISTs Mode
of Operation Forum.  The only thing readily apparent is
that it appears to be inspired by the desire to generate
new protocols.  While FNBDT has been said to have been implemented
via wireless IP on notebooks,  I can sympathize with accumulating
overhead - especially in narrowband applications.

"R. A. Hettinga" wrote:
> --- begin forwarded text
> Reply-To: <paulo.barreto at terra.com.br>
> From: "Paulo S. L. M. Barreto" <paulo.barreto at terra.com.br>
> To: <coderpunks at toad.com>
> Subject: NSA's new mode of operation broken in less than 24 hours
> Date: Thu, 2 Aug 2001 22:40:32 -0300
> Sender: owner-coderpunks at toad.com
> NSA has recently convinced NIST to include a new algorithm - something they
> dubbed "Double Counter" mode after 18 months of development - for
> consideration as a possible standard mode of operation for the AES. It's
> described at <http://csrc.nist.gov/encryption/modes/proposedmodes/>, but I
> wouldn't bother reading it now had I not done it already. The new mode seems
> to have been reduced to bits by Phillip Rogaway, David Wagner and others.
> Could it be that the NSA is losing its proverbial cryptologic skills? For
> one can't help but conclude that, if they acted in good faith to provide a
> useful mode, then they did a very poor job, and if they acted otherwise,
> then they quite underestimate current public knowledge in the area.
> Paulo Barreto.

remove "no_spam_" from Reply-to address

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list