|First published||November 2000|
|Derived from||AES, Serpent|
|Key sizes||128, 192, or 256 bits|
|Block sizes||128 bits|
|Rounds||8 or 9|
|Best public cryptanalysis|
|A linear attack succeeds with 98.4% probability using 297 known plaintexts.|
The algorithm uses a key size of 128, 192, or 256 bits. It operates on blocks of 128 bits using a substitution-permutation network structure. There are 8 rounds for a 128-bit key and 9 rounds for a longer key. Q uses S-boxes adapted from Rijndael (also known as AES) and Serpent. It combines the nonlinear operations from these ciphers, but leaves out all the linear transformations except the permutation. Q also uses a constant derived from the golden ratio as a source of "nothing up my sleeve numbers".
- L. Keliher, H. Meijer, and S. Tavares (12 September 2001). High probability linear hulls in Q. Proceedings of Second Open NESSIE Workshop. Surrey, England. Retrieved 2018-09-13.
- Eli Biham, Vladimir Furman, Michal Misztal, Vincent Rijmen (11 February 2001). Differential Cryptanalysis of Q. 8th International Workshop on Fast Software Encryption (FSE 2001). Yokohama: Springer-Verlag. pp. 174&ndash, 186. Retrieved 2018-09-13.