Re: NSA's new mode of operation broken in less than 24 hours (fwd)
---------- Forwarded message ----------
Date: 11 Aug 2001 00:43:19 GMT
From: David Wagner <daw@mozart.cs.berkeley.edu>
To: coderpunks@toad.com
Newsgroups: isaac.lists.coderpunks
Subject: Re: NSA's new mode of operation broken in less than 24 hours

Since I saw some discussion of NSA's Dual Counter Mode here: the analysis Pompiliu Donescu, Virgil Gligor, and I did on their mode is now available online. See below for more information.

Pompiliu Donescu, Virgil D. Gligor, and David Wagner, "A Note on NSA's Dual Counter Mode of Encryption," preliminary version, August 5, 2001.
http://www.cs.berkeley.edu/~daw/papers/dcm-prelim.ps

Abstract. We show that both variants of the Dual Counter Mode of encryption (DCM) submitted for consideration as an AES mode of operation to NIST by M. Boyle and C. Salter of the NSA are insecure with respect to both secrecy and integrity in the face of chosen-plaintext attacks. We argue that DCM cannot be easily changed to satisfy its stated performance goal and be secure. Hence repairing DCM does not appear worthwhile.
participants (1)
-
Jim Choate