Differential Cryptanalysis of Q
Q is a block cipher based on Rijndael and Serpent, which was submitted as a candidate to the NESSIE project by Leslie McBride. The submission document of Q describes 12 one-round iterative characteristics with probability 2-18 each. On 7 rounds these characteristics have probability 2-126, and the author of Q claims that these are the best 7-round characteristics. We find additional one-round characteristics that can be extended to more rounds. We also combine the characteristics into differentials. We present several differential attacks on the full cipher. Our best attack on the full Q with 128-bit keys (8 rounds) uses 2105 chosen plaintexts and has a complexity of 277 encryptions. Our best attack on the full Q with larger key sizes (9 rounds) uses 2125 chosen ciphertexts, and has a complexity of 296 for 192-bit keys, and 2128 for 256-bit keys.
- Ross Anderson, Eli Biham, Lars Knudsen, Serpent: A proposal for Advanced Encryption Standard, submitted to AES, 1998.Google Scholar
- Eli Biham, Adi Shamir, Differential cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993.Google Scholar
- Joan Daemen, Vincent Rijmen, The block cipher Rijndael, Smart Card Research and Applications, LNCS 1820, J.-J. Quisquater and B. Schneier, Eds., Springer-Verlag, 2000, pp. 288–296.Google Scholar
- Xuejia Lai, James L. Massey, Markov Ciphers and Differential Cryptanalysis, proceedings of EUROCRYPT’91, LNCS 547, pp. 17–38, 1991.Google Scholar
- Leslie ‘Mack’ McBride, Q: A Proposal for NESSIE v2.00, submitted to NESSIE, 2000.Google Scholar