From: Paulo Barreto <pbarreto@uninet.com.br>
Subject: Re: MMB? Maybe not...
Date: 9 Jun 1996 00:36:06 +0300

I've written about this to Bruce Schneier, but he's seemingly in Peru by now.
I had already read that, but here are some comments:

1. "MMB is dead [402]".
Reference [402] is J. Daemen's doctoral thesis, and he does NOT deem MMB
dead at all (take a look at
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/daemen/thesis).  There's more:
Daemen believes the modular multiplication coefficients DO provide
resistance against linear cryptanalysis, although they were tailored to DC.
In my opinion, MMB is dead only in the sense that no implementation has been
widely available.

2. "Eli Biham has an effective chosen-key attack [160]".
Daemen quotes this personal communication too (hmm, why has it never been
published?) and suggests a very simple way to get rid of it (it's similar to
the trick to eliminate the weak keys of IDEA).

3. The errata to the 1st edition of AC says explicitly that MMB has been
broken.  This may be a reference to Biham's attack, as that claim is not
repeated in the 2nd edition.  

At last, what does "broken" mean anyway?  Suppose Biham's attack reduces the
complexity of cryptanalyzing MMB from 2^128 to, say, 2^112.  Would you say
MMB has been broken or simply weakened?

Well, I know it's a bit too early to do this, but here's my MMB
implementation.  It's rather informal, but good for demonstration purposes.
It's completely public domain (and provided AS IS, without any warranty, you
know :-)

Have fun!