Rabbit (cipher): Difference between revisions
Erik Zenner (talk | contribs) Updated eStream link, added RFC info. |
Added the distinguishing attack and TMD TO references, fixed the rest of them. |
||
| Line 1: | Line 1: | ||
'''Rabbit''' is a high-speed [[stream cipher]] first presented in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the [[eSTREAM]] project of the [[ECRYPT]] network. |
'''Rabbit''' is a high-speed [[stream cipher]] first presented<ref>M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 ([http://www.cryptico.com/Files/filer/rabbit_fse.pdf PDF])</ref> in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the [[eSTREAM]] project of the [[ECRYPT]] network. |
||
Rabbit was designed by [[Martin Boesgaard]], [[Mette Vesterager]], [[Thomas Pedersen]], [[Jesper Christiansen (CS)|Jesper Christiansen]] and [[Ove Scavenius]]. |
Rabbit was designed by [[Martin Boesgaard]], [[Mette Vesterager]], [[Thomas Pedersen]], [[Jesper Christiansen (CS)|Jesper Christiansen]] and [[Ove Scavenius]]. |
||
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware. |
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware. |
||
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. |
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. |
||
The authors of the cipher have provided a full set of cryptanalytic white papers on the [[Cryptico]] home page. It is also described in [[Request_for_Comments|RFC]] 4503. Cryptico has [[patent]]ed the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses. |
The authors of the cipher have provided a full set of cryptanalytic white papers on the [[Cryptico]] home page<ref>M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. ([http://www.cryptico.com/files/filer/rabbit_sasc_final.pdf PDF])</ref>. It is also described in [[Request_for_Comments|RFC]] 4503. Cryptico has [[patent]]ed the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses. |
||
== |
== Security == |
||
Rabbit claims 128-bit security while supporting only 128-bit keys and 64-bit nonces. Such ciphers are inherently vulnerable<ref>Christophe De Cannière, Joseph Lano and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. ([http://www.ecrypt.eu.org/stream/papersdir/040.pdf PDF])</ref> to TMD trade-off attacks with complexity lower than the brute-force. While a small bias in its output resulting in a distinguishing attack<ref>Jean-Philippe Aumasson, "On a bias of Rabbit", 2004. ([http://www.ecrypt.eu.org/stream/papersdir/2006/058.pdf PDF])</ref> with 2<sup>247</sup> complexity was discovered by Jean-Philippe Aumasson in December 2006, this attack is not valid because its complexity is significantly higher than the brute-force of the key space (2<sup>128</sup>). |
|||
* M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 ([http://www.cryptico.com/Files/filer/rabbit_fse.pdf PDF]) |
|||
== References == |
|||
<div class="references-small"> |
|||
*M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. ([http://www.cryptico.com/files/filer/rabbit_sasc_final.pdf PDF]) |
|||
<references/> |
|||
</div> |
|||
== External links == |
== External links == |
||
Revision as of 19:14, 4 December 2006
Rabbit is a high-speed stream cipher first presented[1] in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the eSTREAM project of the ECRYPT network.
Rabbit was designed by Martin Boesgaard, Mette Vesterager, Thomas Pedersen, Jesper Christiansen and Ove Scavenius.
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.
The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page[2]. It is also described in RFC 4503. Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.
Security
Rabbit claims 128-bit security while supporting only 128-bit keys and 64-bit nonces. Such ciphers are inherently vulnerable[3] to TMD trade-off attacks with complexity lower than the brute-force. While a small bias in its output resulting in a distinguishing attack[4] with 2247 complexity was discovered by Jean-Philippe Aumasson in December 2006, this attack is not valid because its complexity is significantly higher than the brute-force of the key space (2128).
References
- ^ M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 (PDF)
- ^ M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. (PDF)
- ^ Christophe De Cannière, Joseph Lano and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. (PDF)
- ^ Jean-Philippe Aumasson, "On a bias of Rabbit", 2004. (PDF)
