NSA's new mode of operation broken in less than 24 hours

R. A. Hettinga rah at shipwright.com
Sat Aug 11 14:14:25 EDT 2001

--- begin forwarded text

To: coderpunks at toad.com
Path: not-for-mail
From: daw at mozart.cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.coderpunks
Subject: Re: NSA's new mode of operation broken in less than 24 hours
Date: 11 Aug 2001 00:43:19 GMT
Organization: University of California, Berkeley
Lines: 16
Distribution: isaac
NNTP-Posting-Host: mozart.cs.berkeley.edu
NNTP-Posting-Date: 11 Aug 2001 00:43:19 GMT
Originator: daw at mozart.cs.berkeley.edu (David Wagner)
Sender: owner-coderpunks at toad.com

Since I saw some discussion of NSA's Dual Counter Mode here:
The analysis Pompiliu Donescu, Virgil Gligor, and I did on their
mode is now available online.  See below for more information.

Pompiliu Donescu, Virgil D. Gligor, and David Wagner,
``A Note on NSA's Dual Counter Mode of Encryption,''
preliminary version, August 5, 2001.

We show that both variants of the Dual Counter Mode of encryption
(DCM) submitted for consideration as an AES mode of operation to NIST
by M. Boyle and C. Salter of the NSA are insecure with respect to both
secrecy and integrity in the face of chosen-plaintext attacks.  We argue
that DCM cannot be easily changed to satisfy its stated performance goal
and be secure. Hence repairing DCM does not appear worthwhile.

--- end forwarded text

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List