Improved Distinguishing Attack on Rabbit.
In: Burmester, M and Tsudik, G and Magliveras, S and Ilic, I, (eds.)
(pp. 17 - 23).
Rabbit is a stream cipher using a 128-bit key. It outputs one keystream block of 128 bits each time, which consists of eight sub-blocks of 16 bits. It is among the finalists of ECRYPT Stream Cipher Project (eSTREAM). Rabbit has also been published as informational RFC 4503 with IETF. Prior to us, the research on Rabbit all focused on the bias analysis within one keystream sub-block and the best distinguishing attack has complexity O(2(158)).In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block. To summarize, the largest bias we found out is estimated to be 2(-70.5). Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring O(2(141)) keystream blocks. Compared with all previous results, it is the best distinguishing attack so far. Furthermore small-scale experiments suggest that our result might be a conservative estimate. Meanwhile, our attack can work by using keystream blocks generated by different keys, and so it is not limited by the cipher's requirement that one key cannot be used to produce more than 2(64) keystream blocks.
|Title:||Improved Distinguishing Attack on Rabbit|
|Event:||13th Information Security Conference|
|Location:||Florida Atlantic Univ, Math Sci Dept, Ctr Cryptol & Informat Seur, Boca Raton, FL|
|Dates:||2010-10-25 - 2010-10-28|
|Keywords:||stream cipher, Rabbit, eSTREAM, IETF, RFC, distinguishing attack, bias, linear cryptanalysis|
|UCL classification:||UCL > School of BEAMS
UCL > School of BEAMS > Faculty of Engineering Science
Archive Staff Only