From: Paulo Barreto Subject: Re: MMB? Maybe not... Date: 9 Jun 1996 00:36:06 +0300 I've written about this to Bruce Schneier, but he's seemingly in Peru by now. I had already read that, but here are some comments: 1. "MMB is dead [402]". Reference [402] is J. Daemen's doctoral thesis, and he does NOT deem MMB dead at all (take a look at ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/daemen/thesis). There's more: Daemen believes the modular multiplication coefficients DO provide resistance against linear cryptanalysis, although they were tailored to DC. In my opinion, MMB is dead only in the sense that no implementation has been widely available. 2. "Eli Biham has an effective chosen-key attack [160]". Daemen quotes this personal communication too (hmm, why has it never been published?) and suggests a very simple way to get rid of it (it's similar to the trick to eliminate the weak keys of IDEA). 3. The errata to the 1st edition of AC says explicitly that MMB has been broken. This may be a reference to Biham's attack, as that claim is not repeated in the 2nd edition. At last, what does "broken" mean anyway? Suppose Biham's attack reduces the complexity of cryptanalyzing MMB from 2^128 to, say, 2^112. Would you say MMB has been broken or simply weakened? Well, I know it's a bit too early to do this, but here's my MMB implementation. It's rather informal, but good for demonstration purposes. It's completely public domain (and provided AS IS, without any warranty, you know :-) Have fun!