Linear cryptanalysis method for DES cipher
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Introduction to Algorithms
Fast computation of large distributions and its cryptographic applications
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Fault Analysis of Rabbit: Toward a Secret Key Leakage
INDOCRYPT '09 Proceedings of the 10th International Conference on Cryptology in India: Progress in Cryptology
Improved distinguishing attack on rabbit
ISC'10 Proceedings of the 13th international conference on Information security
Hardware framework for the rabbit stream cipher
Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
A critique of some chaotic-map and cellular automata-based stream ciphers
ASIAN'09 Proceedings of the 13th Asian conference on Advances in Computer Science: information Security and Privacy
Synthetic linear analysis with applications to CubeHash and Rabbit
Cryptography and Communications
The stream cipher Rabbit is one of the candidates in the third evaluation phase of the ECRYPT Stream Cipher Project (eSTREAM). It has a 128-bit key, a 64-bit IV and a 513-bit internal state. Currently, only one paper [1] has studied it besides a series of white papers by the authors of Rabbit. In [1], the bias of the keystream sub-blocks was studied and a distinguishing attack with the estimated complexity $2^{247}$ was proposed based on the largest bias computed. In this paper, we first compute the exact bias of the keystream sub-blocks by Fast Fourier Transform (FFT). Our result leads to the best distinguishing attack so far, with complexity $2^{158}$, in comparison to $2^{247}$ in [1]. Meanwhile, our result also indicates that the approximation assumption used in [1] is critical for estimation of the bias and cannot be ignored. Secondly, our distinguishing attack is extended to a multi-frame key-recovery attack, assuming that the relation between part of the internal states of all frames is known. Our attack uses $2^{51.5}$ frames and the first three keystream blocks of each frame. It takes memory $O(2^{32})$, precomputation $O(2^{32})$ and time $O(2^{97.5})$ to recover the keys for all frames. This is the first known key-recovery attack on Rabbit, though the attack assumption is unusually strong. Lastly, as an independent result, we introduce the property of Almost-Right-Distributivity of the bit-wise rotation over the modular addition for our algebraic analysis. This allows us to solve the nonlinear yet symmetric equation system more efficiently for our problem.