Rabbit (cipher): Difference between revisions

Content deleted Content added

Inline

Latest revision as of 06:33, 27 September 2023

Rabbit is a high-speed stream cipher from 2003. The algorithm and source code was released in 2008 as public domain software.

History[edit]

Rabbit was first presented^[1] in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the eSTREAM project of the ECRYPT network.

Rabbit was designed by Martin Boesgaard, Mette Vesterager, Thomas Pedersen, Jesper Christiansen and Ove Scavenius.

The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page.^[2] It is also described in RFC 4503. Cryptico had patents pending for the algorithm and for many years required a license fee for commercial use of the cipher which was waived for non-commercial uses. However, the algorithm was made free for any use on October 6, 2008.^[3] Also the website states that the algorithm and implementation is public domain software and offers the source code free for download.^[4]

Functionality[edit]

Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption cost of up to 3.7 cpb on a Pentium 3, and of 9.7 cpb on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.

The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. The mixing function uses a g-function based on arithmetical squaring, and the ARX operations – logical XOR, bit-wise rotation with fixed rotation amounts, and addition modulo 2³².

The g-function used in Rabbit – squaring a 32-bit number to produce a 64-bit number, and then combining the left half and the right half of that square number with xor, to produce a 32-bit result – provides much better results than using the 32 middle bits of that squared number (the middle-square method).^[5]

Security[edit]

Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced security level of 96 bit. This is due to generic TMD trade-off attacks.^[6]

A small bias in the output of Rabbit exists,^[7] resulting in a distinguisher with 2²⁴⁷ complexity discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to 2¹⁵⁸ in 2008,^[8] it is not a threat to Rabbit's security because its complexity is significantly higher than the brute-force of the key space (2¹²⁸).

References[edit]

^ M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 (PDF) Archived 2013-12-11 at the Wayback Machine
^ M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. (PDF) Archived 2013-12-11 at the Wayback Machine
^ Rabbit becomes public domain by Erik Zenner (October 6, 2008, archived)
^ The eSTREAM Project - eSTREAM Phase 3 "Intellectual Property : Rabbit has been released into the public domain and may be used freely for any purpose. See announcement."
^ Martin Boesgaard; Mette Vesterager; Thomas Christensen; and Erik Zenner. "The Stream Cipher Rabbit". p. 18.
^ Christophe De Cannière, Joseph Lano, and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. (PDF)
^ Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007. (PDF)
^ Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008 ([1])

External links[edit]

[1] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 (PDF) Archived 2013-12-11 at the Wayback Machine

[2] M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. (PDF) Archived 2013-12-11 at the Wayback Machine

[3] Rabbit becomes public domain by Erik Zenner (October 6, 2008, archived)

[4] The eSTREAM Project - eSTREAM Phase 3 "Intellectual Property : Rabbit has been released into the public domain and may be used freely for any purpose. See announcement."

[5] Martin Boesgaard; Mette Vesterager; Thomas Christensen; and Erik Zenner. "The Stream Cipher Rabbit". p. 18.

[6] Christophe De Cannière, Joseph Lano, and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. (PDF)

[7] Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007. (PDF)

[8] Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008 ([1])

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

@@ Line 1: / Line 1: @@
+{{Short description|Stream cipher}}
-'''Rabbit''' is a high-speed [[stream cipher]] first presented<ref>M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 ([http://www.cryptico.com/Files/filer/rabbit_fse.pdf PDF])</ref> in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the [[eSTREAM]] project of the [[ECRYPT]] network.
+'''Rabbit''' is a high-speed [[stream cipher]] from 2003. The algorithm and [[source code]] was released in 2008 as [[public domain software]].
+== History ==
-Rabbit was designed by [[Martin Boesgaard]], [[Mette Vesterager]], [[Thomas Pedersen (CS)|Thomas Pedersen]], [[Jesper Christiansen (CS)|Jesper Christiansen]] and [[Ove Scavenius]].
+''Rabbit'' was first presented<ref>M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 ([http://www.cryptico.com/images/pages/rabbit_fse.pdf PDF]) {{webarchive|url=https://web.archive.org/web/20131211141149/http://www.cryptico.com/images/pages/rabbit_fse.pdf |date=2013-12-11 }}</ref> in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the [[eSTREAM]] project of the [[ECRYPT]] network.
+Rabbit was designed by Martin Boesgaard, Mette Vesterager, Thomas Pedersen, Jesper Christiansen and Ove Scavenius.
-Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 [[Cycles per byte|CPB]] on a Pentium 3, and of 9.7 [[Cycles per byte|CPB]] on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
+The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page.<ref>M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. ([http://www.cryptico.com/images/pages/rabbit_sasc_final.pdf PDF]) {{webarchive|url=https://web.archive.org/web/20131211141248/http://www.cryptico.com/images/pages/rabbit_sasc_final.pdf |date=2013-12-11 }}</ref> It is also described in RFC 4503. Cryptico had [[patent]]s pending for the algorithm and for many years required a license fee for commercial use of the cipher which was waived for non-commercial uses. However, the algorithm was made free for any use on October 6, 2008.<ref>[https://web.archive.org/web/20090630021733/http://www.ecrypt.eu.org/stream/phorum/read.php?1,1244 Rabbit becomes public domain] by Erik Zenner (October 6, 2008, archived)</ref> Also the website states that the algorithm and implementation is [[public domain software]] and offers the [[source code]] free for download.<ref>[http://www.ecrypt.eu.org/stream/rabbitpf.html The eSTREAM Project - eSTREAM Phase 3] ''"Intellectual Property : Rabbit has been released into the public domain and may be used freely for any purpose. See announcement."''</ref>
-The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no [[substitution box|S-boxes]] or lookup tables are required to implement the cipher.
+== Functionality ==
-The authors of the cipher have provided a full set of cryptanalytic white papers on the [[Cryptico]] home page.<ref>M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. ([http://www.cryptico.com/files/filer/rabbit_sasc_final.pdf PDF])</ref> It is also described in RFC 4503. Cryptico had [[patent]]s pending for the algorithm and for many years required a license fee for commercial use of the cipher which was waived for non-commercial uses. However, the algorithm was made free for any use on October 6, 2008.<ref>http://www.ecrypt.eu.org/stream/phorum/read.php?1,1244</ref>
+Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption cost of up to 3.7&nbsp;[[Cycles per byte|cpb]] on a Pentium 3, and of 9.7&nbsp;cpb on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
+The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no [[substitution box|S-boxes]] or lookup tables are required to implement the cipher. The mixing function uses a g-function based on arithmetical squaring, and the [[block cipher#Operations|ARX operations]] – logical XOR, bit-wise rotation with fixed rotation amounts, and addition modulo 2<sup>32</sup>.
+The g-function used in Rabbit – squaring a 32-bit number to produce a 64-bit number, and then combining the left half and the right half of that square number with xor, to produce a 32-bit result – provides much better results than using the 32 middle bits of that squared number (the [[middle-square method]]).<ref>Martin Boesgaard; Mette Vesterager; Thomas Christensen; and Erik Zenner. [http://www.ecrypt.eu.org/stream/p3ciphers/rabbit/rabbit_p3.pdf "The Stream Cipher Rabbit"]. p. 18.</ref>
 == Security ==
+Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced [[security level]] of 96 bit. This is due to generic TMD trade-off attacks.<ref>Christophe De Cannière, Joseph Lano, and [[Bart Preneel]], "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. ([http://www.ecrypt.eu.org/stream/papersdir/040.pdf PDF])</ref>
+A small bias in the output of Rabbit exists,<ref>Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007. ([http://www.ecrypt.eu.org/stream/papersdir/2006/058.pdf PDF])</ref> resulting in a distinguisher with 2<sup>247</sup> complexity discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to 2<sup>158</sup> in 2008,<ref>Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008 ([https://doi.org/10.1007%2F978-3-540-85886-7_14])</ref> it is not a threat to Rabbit's security because its complexity is significantly higher than the brute-force of the key space (2<sup>128</sup>).
-Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced security level of 96 bit. This is due to generic TMD trade-off attacks.<ref>Christophe De Cannière, Joseph Lano, and [[Bart Preneel]], "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. ([http://www.ecrypt.eu.org/stream/papersdir/040.pdf PDF])</ref>
-A small bias in the output of Rabbit exists,<ref>Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007. ([http://www.ecrypt.eu.org/stream/papersdir/2006/058.pdf PDF])</ref> resulting in a distinguisher with 2<sup>247</sup> complexity discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to 2<sup>158</sup> in 2008,<ref>Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008 ([http://www.springerlink.com/content/v08j73lk864w4n0v/?p=f52e90f574ea49c798295f816fc7cc49&pi=13])</ref> it's not a threat to Rabbit's security because its complexity is significantly higher than the brute-force of the key space (2<sup>128</sup>).
 == References ==
+{{Reflist|30em}}
-{{Reflist}}
 == External links ==
-* [http://www.cryptico.com Cryptico homepage]
 * [http://www.ietf.org/rfc/rfc4503.txt?number=4503 Rabbit RFC]
 * [http://www.ecrypt.eu.org/stream/rabbitpf.html eSTREAM page on Rabbit]
@@ Line 27: / Line 31: @@
 [[Category:Stream ciphers]]
+[[Category:Public-domain software with source code]]
-[[de:Rabbit (Algorithmus)]]
-[[pl:Rabbit]]
-[[ru:Rabbit]]