Cryptanalysis of Rabbit

Quantified Score

Visualization

Abstract

The stream cipher Rabbit is one candidate to the ECRYPT Stream Cipher Project (eSTREAM) on the third evaluation phase. It has a 128-bit key, 64-bit IV and 513-bit internal state. Currently, only one paper [1] studied it besides a series of white papers by the authors of Rabbit. In [1], the bias of the keystream sub-blocks was studied and a distinguishing attack with the estimated complexity 2247was proposed based on the largest bias computed.In this paper, we first computed the exact bias of the keystream sub-blocks by Fast Fourier Transform (FFT). Our result leads to the best distinguishing attack with the complexity 2158so far, in comparison to 2247in [1]. Meanwhile, our result also indicates that the approximation assumption used in [1] is criticalfor estimation of the bias and cannot be ignored. Secondly, our distinguishing attack is extended to a multi-frame key-recovery attack, assuming that the relation between part of the internal states of all frames is known. Our attack uses 251.5frames and the first three keystream blocks of each frame. It takes memory O(232), precomputation O(232) and time O(297.5) to recover the keys for all frames. This is the first known key-recovery attack on Rabbit, though the attack assumption is unusually strong. Lastly, as an independent result, we introduced the property of Almost-Right-Distributivity of the bit-wise rotation over the modular addition for our algebraic analysis.This allows to solve the nonlinear yet symmetric equation system more efficiently for our problem.