QUAD (cipher)

QUAD (cipher)

Infobox block cipher
name = QUAD


caption =
designers = Côme Berbain, Henri Gilbert and Jacques Patarin
publish date = May 28, 2006 (at Eurocrypt)
derived from =
derived to =
related to =
certification =
key size = 80 bits
structure = multivariate system of quadratic equations
rounds =
cryptanalysis =

In cryptography, the QUAD, cipher is a relatively new Stream_cipher, which was designed with provable security arguments in mind.

Description

QUAD relies on the iteration of a randomly chosen multivariate quadratic system S=(Q1, ..., Qm) of m=kn equations in n unknowns over a finite field GF(q). The keystream generation process simply consists in iterating the three followingsteps in order to produce (k -1)n GF(q) keystream values at each iteration.
*Compute the kn-tuple of GF(q) values S(x) = (Q1(x),..., Qkn(x)) where x is the current value of the internal state;
*Output the sequence (Qn+1(x),..., Qkn(x)) of (k-1)n GF(q) keystream values
*Update the internal state x with the sequence of n GF(q) first generated values (Q1(x),..., Qn(x))

QUAD is a modern stream cipher, i.e. it uses a key and a initialisation value (IV) to produce a keystream sequence. A Key and IV setup is also defined which also rely on multivariate quadratic system.

ecurity

The security of the keystream generation of QUAD is provably reducible to the conjectured intractability of the MQ problem, namely solving a multivariate system of quadratic equations. The first proof was done over field GF(2) for an old-fashioned stream cipher (where the key is the initial state). It was later extended by Berbain and Gilbert in order to take into account the set-up procedure of a modern cipher (with a setup stage deriving the initial state from the key). The security of the whole cipher as a Pseudo Random Function can be related to the conjectured intractability of the MQ problem. The authors also studied the resistance of the cipher against classical attacks.

Parameters recommended

The authors recommend to use a version of QUAD with a 80-bit key, 80-bit IV and an internal state of n = 160 bits. It outputs 160 keystream bits (m = 320) at each iteration until 240 bits of keystream have been produced.

At Eurocrypt 2006, speed reports were presented for QUAD instances with 160-bit state and output block over the fields GF(2), GF(16), and GF(256). These speed reports were part of an analysis of "Efficient Implementations of Multivariate Quadratic Systems" which was published by Berbain, Billet, and Gilbert at SAC 2006. This analysis (which also covers several multivariate public-key schemes as well as the QUAD stream cipher) studied in part the impact of changing the size of the field on the performances without considering the security aspect.

Discussion on parameters

The initial security theorem for QUAD is valid for the field GF(2) only, and recommended parameters does not achieve to get a contradiction with the proof of security. The authors of QUAD who gave the security theorem acknowledged that a break of QUAD at their suggested parameters does not contradict the proof-of-security theorems when they proposed the scheme at Eurocrypt 2006. However it seemed that the authors had considered them as sufficient to provide the desired security level of about 280.

Yang, Chen, Bernstein and Chen studied the security of the different parameter sets in the document "Analysis of Quad" and found some of them very insecure. Their paper discusses both theoretical and practical aspects of attacking QUAD and of attacking the underlying hard problem. For example, this paper shows how to use XL-Wiedemann to break the GF(256) instance QUAD(256, 20, 20) in approximately 266 Opteron cycles, and to break the underlying hard problem in approximately 245 cycles, which was carried out successfully. However, according to this paper, it would take about 2110 to solve an instance of the QUAD(2,160,160) version recommended by the authors of QUAD using XL-Wiedemann.

The study by Yang et al highlighted the fact that security theorems often rely on reductions with a looseness factor, and when this is taken into account, none of the the parameter sets of the suggested versions are not sufficient to get a contradiction with the proof of security. An instance that will be provably secure would be QUAD(2,320,320), that is, twice as wide as originally proposed.

A security theorem can also be proved for GF(q), albeit with a larger looseness factor; this and extensions of QUAD for more efficient implementations is proposed by Liu et al (see reference "Secure PRNGs from Specialized Polynomial Maps over Any Fq").

References

*
*
*
*
*
*


Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Quad — may refer to:Architecture*Quadrangle in architecture, e.g., on a university campus *Quad, a dormitory room or suite housing four residents *Quad Cities, a region which includes the cities of Iowa cities of Bettendorf and Davenport and the… …   Wikipedia

  • Stream cipher — The operation of the keystream generator in A5/1, a LFSR based stream cipher used to encrypt mobile phone conversations. In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher… …   Wikipedia

  • Block cipher — In cryptography, a block cipher is a symmetric key cipher operating on fixed length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128 bit block of plaintext as… …   Wikipedia

  • Dragon (cipher) — Dragon is a stream cipher developed at the Information Security Institute by Ed Dawson, Kevin Chen, Matt Henricksen, William Millan, Leonie Simpson, HoonJae Lee, and SangJae Moon. The cipher is a Phase 3 Focus candidate for the eSTREAM project.… …   Wikipedia

  • NLS (cipher) — In cryptography, NLS is a stream cypher algorithm designed by Gregory Rose, Philip Hawkes, MIchael Paddon, and Miriam Wiggers de Vries. It has been submitted to the eSTREAM Project of the eCRYPT network …   Wikipedia

  • Jacques Patarin — est un cryptologue français né en 1965, ancien élève de l École Centrale (promotion 1987) et actuellement professeur à l université de Versailles Saint Quentin en Yvelines. Thèmes de recherche Jacques Patarin travaille à la fois aux problèmes… …   Wikipédia en Français

  • Multivariate Cryptography — is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over finite fields. In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree… …   Wikipedia

  • Multivariate cryptography — is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over finite fields. In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree… …   Wikipedia

  • VEST — High Level Structure of VEST General Designers Sean O Neil First published June 13, 2005 Cipher deta …   Wikipedia

  • Correlation attack — In cryptography, correlation attacks are a class of known plaintext attacks for breaking stream ciphers whose keystream is generated by combining the output of several linear feedback shift registers (called LFSRs for the rest of this article)… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”