- Rabbit (cipher)
Rabbit is a high-speed stream cipher first presented [M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. Rabbit: A High-Performance Stream Cipher. Proc. FSE 2003. Springer LNCS 2887, pp. 307-329 ( [http://www.cryptico.com/Files/filer/rabbit_fse.pdf PDF] )] in February 2003 at the 10th FSE workshop. In May 2005, it was submitted to the eSTREAM project of the ECRYPT network.
Rabbit was designed by Martin Boesgaard, Mette Vesterager, Thomas Pedersen, Jesper Christiansen and Ove Scavenius.
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.
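The generator described above (counter update, arithmetic-only mixing, 128 keystream bits per iteration), written out as an added example that is not part of the original article or Cryptico's code. It follows the key setup, next-state function and extraction scheme of RFC 4503 and omits the IV setup; the class and function names are this example's own, and plain Python integers are not constant-time, so it is for study rather than deployment.

```python
# Rabbit keystream generator (key setup only, no IV setup), following RFC 4503.
MASK = 0xFFFFFFFF
A = [0x4D34D34D, 0xD34D34D3, 0x34D34D34, 0x4D34D34D,
     0xD34D34D3, 0x34D34D34, 0x4D34D34D, 0xD34D34D3]  # counter increments

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def g(u, v):
    # Square the 32-bit sum, then fold the 64-bit result: low word XOR high word.
    sq = ((u + v) & MASK) ** 2
    return (sq ^ (sq >> 32)) & MASK

class Rabbit:  # hypothetical name, chosen for this example
    def __init__(self, key: bytes):
        if len(key) != 16:
            raise ValueError("Rabbit takes a 128-bit key")
        k = int.from_bytes(key, "big")  # the RFC reads the key as integer K[127..0]
        K = [(k >> (16 * i)) & 0xFFFF for i in range(8)]  # 16-bit subkeys K0..K7
        self.X, self.C, self.b = [0] * 8, [0] * 8, 0
        for j in range(8):
            if j % 2 == 0:
                self.X[j] = (K[(j + 1) % 8] << 16) | K[j]
                self.C[j] = (K[(j + 4) % 8] << 16) | K[(j + 5) % 8]
            else:
                self.X[j] = (K[(j + 5) % 8] << 16) | K[(j + 4) % 8]
                self.C[j] = (K[j] << 16) | K[(j + 1) % 8]
        for _ in range(4):  # four warm-up iterations, then re-key the counters
            self._next_state()
        self.C = [self.C[j] ^ self.X[(j + 4) % 8] for j in range(8)]

    def _next_state(self):
        for j in range(8):  # counter system: add A[j], chaining the carry bit b
            t = self.C[j] + A[j] + self.b
            self.C[j], self.b = t & MASK, t >> 32
        G = [g(self.X[j], self.C[j]) for j in range(8)]
        for j in range(8):  # G[j-1], G[j-2] wrap around via negative indexing
            if j % 2 == 0:
                self.X[j] = (G[j] + rotl(G[j - 1], 16) + rotl(G[j - 2], 16)) & MASK
            else:
                self.X[j] = (G[j] + rotl(G[j - 1], 8) + G[j - 2]) & MASK

    def block(self) -> bytes:
        """Advance one iteration; return the 128-bit block S[127..0], big-endian."""
        self._next_state()
        X, s = self.X, 0
        for i, (a, hi, lo) in enumerate([(0, 5, 3), (2, 7, 5), (4, 1, 7), (6, 3, 1)]):
            s |= (X[a] ^ (X[hi] >> 16) ^ ((X[lo] << 16) & MASK)) << (32 * i)
        return s.to_bytes(16, "big")
```

`Rabbit(bytes(16)).block()` reproduces the first keystream block of the RFC's all-zero-key test vector (the one without IV setup), which is a quick way to check a port of the cipher.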
The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page [M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. The Rabbit Stream Cipher - Design and Security Analysis. Proc. SASC 2004. ( [http://www.cryptico.com/files/filer/rabbit_sasc_final.pdf PDF] )]. It is also described in RFC 4503. Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.
Security
Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced security level of 96 bits. This is due to generic TMD trade-off attacks [Christophe De Cannière, Joseph Lano, and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005. ( [http://www.ecrypt.eu.org/stream/papersdir/040.pdf PDF] )].
A small bias in the output of Rabbit exists [Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007. ( [http://www.ecrypt.eu.org/stream/papersdir/2006/058.pdf PDF] )], resulting in a distinguisher with 2^247 complexity discovered by Jean-Philippe Aumasson in December 2006. It is not a threat to Rabbit's security, because its complexity is significantly higher than that of a brute-force search of the key space (2^128).
External links
* [http://www.cryptico.com Cryptico homepage]
* [http://www.ietf.org/rfc/rfc4503.txt?number=4503 Rabbit RFC]
* [http://www.ecrypt.eu.org/stream/rabbitp2.html eSTREAM page on Rabbit]
Wikimedia Foundation. 2010.