Discussion On Parameters
The initial security theorem for QUAD is valid for the field GF(2) only, and the recommended parameters are not large enough for the theorem to apply to them. The authors of QUAD acknowledged, when they proposed the scheme at Eurocrypt 2006, that a break of QUAD at their suggested parameters would not contradict the proof-of-security theorems. They nevertheless appear to have considered those parameters sufficient for the intended security level of about 2^80.
Yang, Chen, Bernstein and Chen studied the security of the different parameter sets in the paper "Analysis of QUAD" and found some of them very insecure. Their paper discusses both theoretical and practical aspects of attacking QUAD itself and of attacking the underlying hard problem (solving the system of multivariate quadratic equations). For example, the paper shows how to use XL-Wiedemann to break the GF(256) instance QUAD(256,20,20) in approximately 2^66 Opteron cycles, and to solve the underlying hard problem for that instance in approximately 2^45 cycles, which was carried out successfully in practice. By contrast, according to the same paper, it would take about 2^110 operations to solve an instance of the QUAD(2,160,160) version recommended by the authors of QUAD using XL-Wiedemann.
The study by Yang et al. highlighted the fact that security theorems often rely on reductions with a looseness factor, and when this factor is taken into account, none of the suggested parameter sets is large enough to obtain a contradiction with the proof of security: a break at those sizes would not contradict the theorem. An instance that would be provably secure is QUAD(2,320,320), that is, twice as wide as originally proposed.
A security theorem can also be proved for GF(q), albeit with a larger looseness factor; this, together with extensions of QUAD for more efficient implementations, is proposed by Liu et al. (see the reference "Secure PRNGs from Specialized Polynomial Maps over Any Fq").
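To make the parameter notation concrete, the following is an added toy example (written for this page, not code from the QUAD authors or from "Analysis of QUAD"): a QUAD(2,n,n) keystream generator over GF(2), following the construction as it is usually described (a system of 2n random quadratic polynomials in n variables; the first n update the state, the remaining n produce keystream), together with an exhaustive-search state recovery that illustrates what "attacking the underlying hard problem" means. The system and seed are constructed here for illustration; the toy width n=8 is chosen only so that brute force finishes instantly, whereas the parameter sets discussed above use n=160 or more, where the algebraic XL-Wiedemann style solvers are the relevant tool.

```python
# Added example, not the QUAD reference implementation: a toy QUAD(2, n, n)
# keystream generator over GF(2) and a brute-force state recovery.
# The polynomial system is generated from a constructed seed for illustration.
import random


def random_quadratic(n, rng):
    """A random quadratic polynomial over GF(2) in n variables, stored as
    (linear_mask, quadratic_terms, constant). Over GF(2) x_i^2 = x_i, so
    only cross terms x_i*x_j with i < j are needed in the quadratic part."""
    lin = rng.getrandbits(n)
    quad = [(i, j) for i in range(n) for j in range(i + 1, n) if rng.getrandbits(1)]
    const = rng.getrandbits(1)
    return lin, quad, const


def evaluate(poly, x):
    """Evaluate poly at state x, an n-bit integer whose bit i is variable x_i."""
    lin, quad, const = poly
    v = const ^ (bin(lin & x).count("1") & 1)   # linear part: parity of masked bits
    for i, j in quad:
        v ^= (x >> i) & (x >> j) & 1            # cross term x_i * x_j
    return v


def keygen_system(n, seed):
    """The public system S = (Q_1 .. Q_2n): first n polynomials update the state,
    the remaining n emit keystream (k = 2 in QUAD's notation, so r = n)."""
    rng = random.Random(seed)
    return [random_quadratic(n, rng) for _ in range(2 * n)]


def evaluate_system(polys, x):
    """Evaluate a list of polynomials at x, packing the results into an integer."""
    out = 0
    for idx, p in enumerate(polys):
        out |= evaluate(p, x) << idx
    return out


def quad_keystream(system, n, x0, steps):
    """QUAD(2, n, n): each step emits n keystream bits and replaces the
    n-bit state with the value of the first n polynomials."""
    update, output = system[:n], system[n:]
    mask = (1 << n) - 1
    x = x0
    out = []
    for _ in range(steps):
        out.append(evaluate_system(output, x))
        x = evaluate_system(update, x) & mask
    return out


def recover_state_bruteforce(system, n, observed):
    """The 'underlying hard problem': find every x whose output polynomials
    evaluate to the observed keystream block. Exhaustive search costs 2^n
    evaluations, which is only feasible at toy n; at real widths one needs
    algebraic solvers such as XL-Wiedemann, as discussed in the text."""
    output = system[n:]
    return [x for x in range(1 << n) if evaluate_system(output, x) == observed]


if __name__ == "__main__":
    n, seed, x0 = 8, 1, 0b10110011          # constructed toy parameters
    system = keygen_system(n, seed)
    ks = quad_keystream(system, n, x0, 3)
    print("keystream blocks:", [f"{b:0{n}b}" for b in ks])
    print("states matching block 0:", recover_state_bruteforce(system, n, ks[0]))
```

Because a single block gives n equations in n unknowns, several states may be consistent with it; observing a second block and checking which candidate's update also reproduces it narrows the set down, which is the same state-recovery goal the cycle counts quoted above refer to, at sizes where exhaustive search is hopeless.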