Rabbit (cipher)
Rabbit is a high-speed stream cipher from 2003. The algorithm and source code were released in 2008 as public domain software.
History
Rabbit was first presented[1] in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the eSTREAM project of the ECRYPT network.
Rabbit was designed by , , , and .
The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page.[2] It is also described in RFC 4503. Cryptico had patents pending for the algorithm and for many years required a license fee for commercial use of the cipher, which was waived for non-commercial uses. However, the algorithm was made free for any use on October 6, 2008.[3] The website also states that the algorithm and implementation are public domain software and offers the source code as a free download.[4]
Functionality
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 CPB on a Pentium 3, and of 9.7 CPB on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. The mixing function uses a g-function based on arithmetical squaring, and the ARX operations -- logical XOR, bit-wise rotation with hard-wired rotation amounts, and addition modulo 2^32.
The g-function used in Rabbit -- squaring a 32-bit number to produce a 64-bit number, and then combining the left half and the right half of that square number with xor, to produce a 32-bit result -- provides much better results than using the 32 middle bits of that square number (the middle-square method).[5]
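The comparison above can be made concrete with an added example (not from the original article or from the cipher's authors) that counts distinct outputs of both constructions over two structured input families. The function names and input families are constructed for illustration; in RFC 4503 the word being squared is the sum of a state word and a counter word modulo 2^32, which is left out here.

```python
MASK32 = 0xFFFFFFFF

def g(x):
    """Square a 32-bit word and XOR the high and low 32-bit halves of the square."""
    sq = (x & MASK32) ** 2              # fits in 64 bits
    return (sq & MASK32) ^ (sq >> 32)

def middle_square(x):
    """Middle-square method: keep only bits 16..47 of the 64-bit square."""
    sq = (x & MASK32) ** 2
    return (sq >> 16) & MASK32

def distinct_outputs(fn, inputs):
    """Number of different outputs fn produces over the given inputs."""
    return len({fn(x) for x in inputs})

# Constructed input families that stress the bits middle-square throws away.
SMALL = range(256)                                # squares fit in the low 16 bits
HIGH_HALF = [k << 16 for k in range(1 << 16)]     # squares have a zero low word

def compare():
    """Return {family: (distinct g outputs, distinct middle-square outputs)}."""
    families = {"small": SMALL, "high_half": HIGH_HALF}
    return {
        name: (distinct_outputs(g, xs), distinct_outputs(middle_square, xs))
        for name, xs in families.items()
    }

if __name__ == "__main__":
    for name, (n_g, n_ms) in compare().items():
        print(f"{name:10s} g: {n_g:6d} distinct   middle-square: {n_ms:6d} distinct")
```

Middle-square drops the top and bottom 16 bits of the square, so every input below 256 maps to zero and the `k << 16` family collapses onto the squares modulo 2^16; folding both halves together keeps those inputs distinct.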
Security
Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced security level of 96 bits. This is due to generic TMD trade-off attacks.[6]
A small bias in the output of Rabbit exists,[7] resulting in a distinguisher with 2^247 complexity discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to 2^158 in 2008,[8] it's not a threat to Rabbit's security because its complexity is significantly higher than the brute-force of the key space (2^128).
References
- [1] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329.
- [2] M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004.
- [3] Rabbit becomes public domain by Erik Zenner (October 6, 2008, archived)
- [4] The eSTREAM Project - eSTREAM Phase 3 "Intellectual Property : Rabbit has been released into the public domain and may be used freely for any purpose. See announcement."
- [5] Martin Boesgaard; Mette Vesterager; Thomas Christensen; and Erik Zenner. "The Stream Cipher Rabbit". p. 18.
- [6] Christophe De Cannière, Joseph Lano, and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005.
- [7] Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007.
- [8] Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008.