Cryptanalysis of the full MMB block cipher

Abstract

The block cipher MMB was designed by Daemen, Govaerts and Vandewalle, in 1993, as an alternative to the IDEA block cipher. We exploit and describe unusual properties of the modular multiplication in , which lead to a differential attack on the full 6-round MMB cipher (both versions 1.0 and 2.0). Further contributions of this paper include detailed square and linear cryptanalysis of MMB. Concerning differential cryptanalysis (DC), we can break the full MMB with 2118 chosen plaintexts, 295.91 6-round MMB encryptions and 264 counters, effectively bypassing the cipher's countermeasures against DC. For the square attack, we can recover the 128-bit user key for 4-round MMB with 234 chosen plaintexts, 2 126.32 4-round encryptions and 264 memory blocks. Concerning linear cryptanalysis, we present a key-recovery attack on 3-round MMB requiring 2114.56 known-plaintexts and 2126 encryptions. Moreover, we detail a ciphertext-only attack on 2-round MMB using 2 93.6 ciphertexts and 293.6 parity computations. These attacks do not depend on weak-key or weak-subkey assumptions, and are thus independent of the key schedule algorithm. © 2009 Springer-Verlag Berlin Heidelberg.