ON GUESS AND DETERMINE ANALYSIS OF RABBIT

Abstract

Rabbit is a stream cipher proposed by M. Boesgaard et al., and has been selected into the final portfolio after three evaluation phases of the ECRYPT Stream Cipher Project (eSTREAM). So far only a few papers studied its security besides a series of white papers by the designers of Rabbit. Recently we presented a new idea to evaluate the security of a word-oriented stream cipher algorithm from a smaller data granularity instead of its original data granularity and applied it successfully to the stream cipher SOSEMANUK. In this work we apply the same idea to the Rabbit algorithm and analyze its security in resistance against the guess and determine attack from the view point of byte units. As a result, we present two new approaches of solving all xj,t+1' s and gj,t' s from the next-state function and the extraction scheme of Rabbit, whose complexities are 2166 and 2140.68 respectively, which are dramatically lower than those proposed by Lu et al. (2192 and 2174 resp.) at ISC 2008. Finally based on the above new results we propose a byte-based guess and determine attack on Rabbit, which only needs a small segment of known keystream to recover the whole internal state of Rabbit with time complexity 2242. Though the complexity of our attack is far higher than that of a brute force (2128), we believe that some new techniques adopted in this paper are of interest for future work on Rabbit.