TY - GEN
T1 - Cryptanalysis of rabbit
AU - Lu, Yi
AU - Wang, Huaxiong
AU - Ling, San
PY - 2008
Y1 - 2008
N2 - The stream cipher Rabbit is one candidate to the ECRYPT Stream Cipher Project (eSTREAM) on the third evaluation phase. It has a 128-bit key, 64-bit IV and 513-bit internal state. Currently, only one paper [1] studied it besides a series of white papers by the authors of Rabbit. In [1], the bias of the keystream sub-blocks was studied and a distinguishing attack with the estimated complexity 2247 was proposed based on the largest bias computed. In this paper, we first computed the exact bias of the keystream sub-blocks by Fast Fourier Transform (FFT). Our result leads to the best distinguishing attack with the complexity 2158 so far, in comparison to 2247 in [1]. Meanwhile, our result also indicates that the approximation assumption used in [1] is critical for estimation of the bias and cannot be ignored. Secondly, our distinguishing attack is extended to a multi-frame key-recovery attack, assuming that the relation between part of the internal states of all frames is known. Our attack uses 251.5 frames and the first three keystream blocks of each frame. It takes memory O(232), precomputation O(2 32) and time O(297.5) to recover the keys for all frames. This is the first known key-recovery attack on Rabbit, though the attack assumption is unusually strong. Lastly, as an independent result, we introduced the property of Almost-Right-Distributivity of the bit-wise rotation over the modular addition for our algebraic analysis.This allows to solve the nonlinear yet symmetric equation system more efficiently for our problem.
AB - The stream cipher Rabbit is one candidate to the ECRYPT Stream Cipher Project (eSTREAM) on the third evaluation phase. It has a 128-bit key, 64-bit IV and 513-bit internal state. Currently, only one paper [1] studied it besides a series of white papers by the authors of Rabbit. In [1], the bias of the keystream sub-blocks was studied and a distinguishing attack with the estimated complexity 2247 was proposed based on the largest bias computed. In this paper, we first computed the exact bias of the keystream sub-blocks by Fast Fourier Transform (FFT). Our result leads to the best distinguishing attack with the complexity 2158 so far, in comparison to 2247 in [1]. Meanwhile, our result also indicates that the approximation assumption used in [1] is critical for estimation of the bias and cannot be ignored. Secondly, our distinguishing attack is extended to a multi-frame key-recovery attack, assuming that the relation between part of the internal states of all frames is known. Our attack uses 251.5 frames and the first three keystream blocks of each frame. It takes memory O(232), precomputation O(2 32) and time O(297.5) to recover the keys for all frames. This is the first known key-recovery attack on Rabbit, though the attack assumption is unusually strong. Lastly, as an independent result, we introduced the property of Almost-Right-Distributivity of the bit-wise rotation over the modular addition for our algebraic analysis.This allows to solve the nonlinear yet symmetric equation system more efficiently for our problem.
UR - http://www.scopus.com/inward/record.url?scp=56649098978&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-85886-7_14
DO - 10.1007/978-3-540-85886-7_14
M3 - Conference proceeding contribution
AN - SCOPUS:56649098978
SN - 3540858849
SN - 9783540858843
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 204
EP - 214
BT - Information Security
A2 - Wu, Tzong-Chen
A2 - Lei, Chin-Laung
A2 - Rijmen, Vincent
A2 - Lee, Der-Tsai
PB - Springer, Springer Nature
CY - Berlin
T2 - 11th International Conference on Information Security, ISC 2008
Y2 - 15 September 2008 through 18 September 2008
ER -