On Sun, 14 Apr 1996, Perry E. Metzger wrote:
At least partially broken, yes. I've forgotten the details. I believe they were discussed at Eurocrypt. It may be that with the full number of rounds that no one yet has a cryptanalysis but I don't recall and it doesn't particularly matter from my perspective.
It doesn't make much sense to condemn an iterated cipher based on attacks on reduced-round versions. Any such cipher becomes weak if you use sufficiently few rounds. Conversely, many broken ciphers become secure if you use sufficiently many rounds (in which case they also become too slow to be useful). I don't think there are currently any public attacks that seriously affect the security of Blowfish. On the other hand, if you ask cryptographers what they would use if they were not concerned with efficiency, I think most of them would say triple DES. Wei Dai