Q (cipher)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
DesignersLeslie McBride
First publishedNovember 2000
Derived fromAES, Serpent
Cipher detail
Key sizes128, 192, or 256 bits
Block sizes128 bits
StructureSubstitution–permutation network
Rounds8 or 9
Best public cryptanalysis
A linear attack succeeds with 98.4% probability using 297 known plaintexts.[1]

In cryptography, Q is a block cipher invented by Leslie McBride. It was submitted to the NESSIE project, but was not selected.

The algorithm uses a key size of 128, 192, or 256 bits. It operates on blocks of 128 bits using a substitution–permutation network structure. There are 8 rounds for a 128-bit key and 9 rounds for a longer key. Q uses S-boxes adapted from Rijndael (also known as AES) and Serpent. It combines the nonlinear operations from these ciphers, but leaves out all the linear transformations except the permutation.[2] Q also uses a constant derived from the golden ratio as a source of "nothing up my sleeve numbers".

Q is vulnerable to linear cryptanalysis; Keliher, Meijer, and Tavares have an attack that succeeds with 98.4% probability using 297 known plaintexts.[1]


  1. ^ a b L. Keliher, H. Meijer, and S. Tavares (12 September 2001). High probability linear hulls in Q. Proceedings of Second Open NESSIE Workshop. Surrey, England. Retrieved 2018-09-13.CS1 maint: multiple names: authors list (link)
  2. ^ Eli Biham, Vladimir Furman, Michal Misztal, Vincent Rijmen (11 February 2001). Differential Cryptanalysis of Q. 8th International Workshop on Fast Software Encryption (FSE 2001). Yokohama: Springer-Verlag. pp. 174–186. doi:10.1007/3-540-45473-X_15.CS1 maint: multiple names: authors list (link)