Linear cryptanalysis method for DES cipher
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
ISC '08 Proceedings of the 11th international conference on Information Security
Improved linear distinguishers for SNOW 2.0
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
Synthetic linear analysis: improved attacks on cubehash and rabbit
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Synthetic linear analysis with applications to CubeHash and Rabbit
Cryptography and Communications
| Hi-index | 0.00 |
Rabbit is a stream cipher using a 128-bit key. It outputs one keystream block of 128 bits each time, which consists of eight sub-blocks of 16 bits. It is among the finalists of ECRYPT Stream Cipher Project (eSTREAM). Rabbit has also been published as informational RFC 4503 with IETF. Prior to us, the research on Rabbit all focused on the bias analysis within one keystream sub-block and the best distinguishing attack has complexity O(2158). In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block. To summarize, the largest bias we found out is estimated to be 2-70.5. Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring O(2141) keystream blocks. Compared with all previous results, it is the best distinguishing attack so far. Furthermore small-scale experiments suggest that our result might be a conservative estimate. Meanwhile, our attack can work by using keystream blocks generated by different keys, and so it is not limited by the cipher's requirement that one key cannot be used to produce more than 264 keystream blocks.