Rabbit is a stream cipher using a 128-bit key. It outputs one keystream block of 128 bits each time, which consists of eight sub-blocks of 16 bits. It is among the finalists of ECRYPT Stream Cipher Project (eSTREAM). Rabbit has also been published as informational RFC 4503 with IETF. Prior to us, the research on Rabbit all focused on the bias analysis within one keystream sub-block and the best distinguishing attack has complexity O(2158).
In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block. To summarize, the largest bias we found out is estimated to be 2-70.5. Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring O(2141) keystream blocks. Compared with all previous results, it is the best distinguishing attack so far. Furthermore small-scale experiments suggest that our result might be a conservative estimate. Meanwhile, our attack can work by using keystream blocks generated by different keys, and so it is not limited by the cipher's requirement that one key cannot be used to produce more than 264 keystream blocks.
[1]
Kaisa Nyberg,et al.
Improved Linear Distinguishers for SNOW 2.0
,
2006,
FSE.
[2]
Martin Boesgaard,et al.
The Stream Cipher Rabbit
,
2005
.
[3]
Martin Boesgaard,et al.
A Description of the Rabbit Stream Cipher Algorithm
,
2006,
RFC.
[4]
Mitsuru Matsui,et al.
Linear Cryptanalysis Method for DES Cipher
,
1994,
EUROCRYPT.
[5]
Huaxiong Wang,et al.
Cryptanalysis of Rabbit
,
2008,
ISC.
[6]
Gerhard Goos,et al.
Fast Software Encryption
,
2001,
Lecture Notes in Computer Science.