---------- Forwarded message ----------
Date: 11 Aug 2001 00:43:19 GMT
From: David Wagner <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Newsgroups: isaac.lists.coderpunks
Subject: Re: NSA's new mode of operation broken in less than 24 hours
Since I saw some discussion of NSA's Dual Counter Mode here:

The analysis Pompiliu Donescu, Virgil Gligor, and I did on their
mode is now available online. See below for more information.

Pompiliu Donescu, Virgil D. Gligor, and David Wagner,
``A Note on NSA's Dual Counter Mode of Encryption,''
preliminary version, August 5, 2001.
http://www.cs.berkeley.edu/~daw/papers/dcm-prelim.ps

Abstract.

We show that both variants of the Dual Counter Mode of encryption
(DCM) submitted for consideration as an AES mode of operation to NIST
by M. Boyle and C. Salter of the NSA are insecure with respect to both
secrecy and integrity in the face of chosen-plaintext attacks. We argue
that DCM cannot be easily changed to satisfy its stated performance goal
and be secure. Hence repairing DCM does not appear worthwhile.