
Improved Distinguishing Attack on Rabbit

Yi Lu and Yvo Desmedt


Department of Computer Science University College London, UK

Abstract. Rabbit is a stream cipher using a 128-bit key. It outputs one keystream block of 128 bits each time, which consists of eight sub-blocks of 16 bits. It is among the finalists of the ECRYPT Stream Cipher Project (eSTREAM). Rabbit has also been published as informational RFC 4503 with the IETF. Prior to us, the research on Rabbit all focused on the bias analysis within one keystream sub-block, and the best distinguishing attack has complexity $O(2^{158})$. In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block. To summarize, the largest bias we found is estimated to be $2^{-70.5}$. Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring $O(2^{141})$ keystream blocks. Compared with all previous results, it is the best distinguishing attack so far. Furthermore, small-scale experiments suggest that our result might be a conservative estimate. Meanwhile, our attack can work by using keystream blocks generated by different keys, and so it is not limited by the cipher's requirement that one key cannot be used to produce more than $2^{64}$ keystream blocks.

Keywords: stream cipher, Rabbit, eSTREAM, IETF, RFC, distinguishing attack, bias, linear cryptanalysis.

1 Introduction

The ECRYPT Stream Cipher Project (eSTREAM) is an EU project. It aims to identify a portfolio of promising new stream ciphers. Rabbit [2] is among the finalists. The description of the Rabbit encryption algorithm has also been published [3] as informational RFC 4503 with the Internet Engineering Task Force (IETF), which is the main standardization body for Internet technology. The cipher Rabbit uses a 128-bit key and a 64-bit IV. It outputs one keystream block of 128 bits each time, which consists of eight keystream sub-blocks of 16 bits. Prior to us, the research work from academia [1,6] all focused on bias analysis within one keystream sub-block. The best distinguishing attack [6] has complexity $O(2^{158})$. In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block for a distinguishing attack on Rabbit (see [8] for references on distinguishing attacks against stream ciphers using linear cryptanalysis). To summarize, the largest bias we found is estimated to be $2^{-70.5}$. Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring $O(2^{141})$ keystream blocks. Compared with all previous results [1, 6], it is the best distinguishing attack so far. Furthermore, small-scale experiments suggest that our result might be a conservative estimate. Meanwhile, our distinguishing attack can work by using keystream blocks generated by different keys, and so it is not limited by the cipher's requirement that one key cannot be used to produce more than $2^{64}$ keystream blocks.

Funded by British Telecommunications under Grant Number ML858284/CT506918. Funded by EPSRC EP/C538285/1, by BT (as BT Chair of Information Security), and by RCIS (AIST).

M. Burmester et al. (Eds.): ISC 2010, LNCS 6531, pp. 17–23, 2011. © Springer-Verlag Berlin Heidelberg 2011

2 Review of Rabbit

Rabbit has a key of 128 bits. The internal state consists of eight state variables $x_{0,i}, \ldots, x_{7,i}$ and eight counter variables $c_{0,i}, \ldots, c_{7,i}$, as well as one counter carry bit $\phi_{7,i}$. Each state variable and each counter variable has 32 bits, so the internal state has 513 bits in total. The eight state variables are updated as follows:

$$x_{0,i+1} = g_{0,i} + (g_{7,i} \lll 16) + (g_{6,i} \lll 16) \quad (1)$$
$$x_{1,i+1} = g_{1,i} + (g_{0,i} \lll 8) + g_{7,i} \quad (2)$$
$$x_{2,i+1} = g_{2,i} + (g_{1,i} \lll 16) + (g_{0,i} \lll 16) \quad (3)$$
$$x_{3,i+1} = g_{3,i} + (g_{2,i} \lll 8) + g_{1,i} \quad (4)$$
$$x_{4,i+1} = g_{4,i} + (g_{3,i} \lll 16) + (g_{2,i} \lll 16) \quad (5)$$
$$x_{5,i+1} = g_{5,i} + (g_{4,i} \lll 8) + g_{3,i} \quad (6)$$
$$x_{6,i+1} = g_{6,i} + (g_{5,i} \lll 16) + (g_{4,i} \lll 16) \quad (7)$$
$$x_{7,i+1} = g_{7,i} + (g_{6,i} \lll 8) + g_{5,i} \quad (8)$$

where $\lll$ denotes left bit-wise rotation and all additions are computed modulo $2^{32}$. The 32-bit temporary variable $g_{j,i}$ is computed by

$$g_{j,i} = \big( (x_{j,i} + c_{j,i+1})^2 \oplus ((x_{j,i} + c_{j,i+1})^2 \gg 32) \big) \bmod 2^{32}, \quad j = 0, \ldots, 7,$$

where the squares are computed over the integers and $\gg$ denotes right shift. The 128-bit keystream block $s_i$ is extracted from the state variables as follows:

$$s_i^{[15..0]} = x_{0,i}^{[15..0]} \oplus x_{5,i}^{[31..16]} \qquad s_i^{[31..16]} = x_{0,i}^{[31..16]} \oplus x_{3,i}^{[15..0]}$$
$$s_i^{[47..32]} = x_{2,i}^{[15..0]} \oplus x_{7,i}^{[31..16]} \qquad s_i^{[63..48]} = x_{2,i}^{[31..16]} \oplus x_{5,i}^{[15..0]}$$
$$s_i^{[79..64]} = x_{4,i}^{[15..0]} \oplus x_{1,i}^{[31..16]} \qquad s_i^{[95..80]} = x_{4,i}^{[31..16]} \oplus x_{7,i}^{[15..0]}$$
$$s_i^{[111..96]} = x_{6,i}^{[15..0]} \oplus x_{3,i}^{[31..16]} \qquad s_i^{[127..112]} = x_{6,i}^{[31..16]} \oplus x_{1,i}^{[15..0]}$$

Here $s_t^{[a..b]}$ denotes the $(a - b + 1)$-bit string from the $a$-th bit down to the $b$-th bit, for $a \ge b$. The keystream block is then XORed with the plaintext to obtain the ciphertext. For full details of Rabbit, we refer to [2].
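The next-state function (1)–(8), the $g$-function and the keystream extraction above, as an added Python example; it is not code from the paper or from the Rabbit reference implementation. It implements only what this section states: key/IV setup and the counter update of RFC 4503 are not included, so the counters $c_{j,i+1}$ are passed in as inputs, and the sample states are constructed at random rather than derived from a key. The sum $x + c$ is reduced modulo $2^{32}$ before squaring, as in RFC 4503. The helper `identity_9_holds` checks the observation used in Section 3 that the lowest bit of a sum receives no carry, which is why (9) is the constant 0.

```python
# Added example (not the authors' code): Rabbit next-state function (1)-(8),
# the g-function and the keystream extraction of Section 2.
# Counter update and key/IV setup of RFC 4503 are deliberately left out;
# c_next plays the role of c_{j,i+1}.
import random

MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    """Left bit-wise rotation of a 32-bit word (the <<< operator of the paper)."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def g(x, c):
    """g = ((x+c)^2 XOR ((x+c)^2 >> 32)) mod 2^32; the square is over the integers,
    the sum x+c is taken mod 2^32 (as in RFC 4503)."""
    t = (x + c) & MASK32
    sq = t * t
    return (sq ^ (sq >> 32)) & MASK32


def next_state(x, c_next):
    """Apply (1)-(8). x is the list x_{0,i}..x_{7,i}, c_next the counters c_{j,i+1}.
    Returns (new state, the eight g values used)."""
    gv = [g(x[j], c_next[j]) for j in range(8)]
    new_x = [
        (gv[0] + rotl32(gv[7], 16) + rotl32(gv[6], 16)) & MASK32,  # (1)
        (gv[1] + rotl32(gv[0], 8) + gv[7]) & MASK32,               # (2)
        (gv[2] + rotl32(gv[1], 16) + rotl32(gv[0], 16)) & MASK32,  # (3)
        (gv[3] + rotl32(gv[2], 8) + gv[1]) & MASK32,               # (4)
        (gv[4] + rotl32(gv[3], 16) + rotl32(gv[2], 16)) & MASK32,  # (5)
        (gv[5] + rotl32(gv[4], 8) + gv[3]) & MASK32,               # (6)
        (gv[6] + rotl32(gv[5], 16) + rotl32(gv[4], 16)) & MASK32,  # (7)
        (gv[7] + rotl32(gv[6], 8) + gv[5]) & MASK32,               # (8)
    ]
    return new_x, gv


def lo16(w):
    return w & 0xFFFF


def hi16(w):
    return (w >> 16) & 0xFFFF


def extract_keystream(x):
    """The eight 16-bit sub-blocks of s_i; entry k is s_i[16k+15..16k]."""
    return [
        lo16(x[0]) ^ hi16(x[5]),  # s[15..0]
        hi16(x[0]) ^ lo16(x[3]),  # s[31..16]
        lo16(x[2]) ^ hi16(x[7]),  # s[47..32]
        hi16(x[2]) ^ lo16(x[5]),  # s[63..48]
        lo16(x[4]) ^ hi16(x[1]),  # s[79..64]
        hi16(x[4]) ^ lo16(x[7]),  # s[95..80]
        lo16(x[6]) ^ hi16(x[3]),  # s[111..96]
        hi16(x[6]) ^ lo16(x[1]),  # s[127..112]
    ]


def keystream_block(sub_blocks):
    """Pack the eight sub-blocks into one 128-bit integer, sub-block 0 lowest."""
    s = 0
    for k, v in enumerate(sub_blocks):
        s |= v << (16 * k)
    return s


def bit(w, k):
    return (w >> k) & 1


def identity_9_holds(x, c_next):
    """(9): x_{0,i+1}^[0] xor g_0^[0] xor (g_7<<<16)^[0] xor (g_6<<<16)^[0] is
    always 0, because bit 0 of a sum is the XOR of the addends' bit 0."""
    x_next, gv = next_state(x, c_next)
    val = (bit(x_next[0], 0) ^ bit(gv[0], 0)
           ^ bit(rotl32(gv[7], 16), 0) ^ bit(rotl32(gv[6], 16), 0))
    return val == 0


def random_state(rng):
    return [rng.getrandbits(32) for _ in range(8)]


if __name__ == "__main__":
    rng = random.Random(1)  # constructed sample states, not key-derived ones
    x, c = random_state(rng), random_state(rng)
    x_next, _ = next_state(x, c)
    print("keystream block: %032x" % keystream_block(extract_keystream(x_next)))
    ok = all(identity_9_holds(random_state(rng), random_state(rng)) for _ in range(1000))
    print("identity (9) holds on 1000 random states:", ok)
```

Running the file prints one constructed keystream block and confirms (9) on random states; the same functions are reused by the bias experiments later in the paper, where the $g$ values are the quantities whose linear masks are studied.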

3 Bias Analysis Involving Multiple Keystream Sub-blocks

Prior to our work, the distribution of the individual 16-bit keystream sub-block $s_i^{[16j+15..16j]}$ ($j = 0, \ldots, 7$) was analyzed in [6]. It was shown in [6] that the distribution of one single sub-block $s_i^{[15..0]}$, $s_i^{[31..16]}$ can be distinguished with $O(2^{158})$, $O(2^{160})$ samples respectively. In this paper, we are interested in the bias involving multiple sub-blocks of one block $s_i$, where the bias of the binary random variable $A$ is defined by $\Pr[A = 0] - \Pr[A = 1]$. We will use linear approximation to analyze the bias.

Let us start with the bias of $\xi = s_{i+1}^{[0]} \oplus s_{i+1}^{[32]} \oplus s_{i+1}^{[64]}$. From the keystream generation, we have $\xi = x_{0,i+1}^{[0]} \oplus x_{1,i+1}^{[16]} \oplus x_{2,i+1}^{[0]} \oplus x_{4,i+1}^{[0]} \oplus x_{5,i+1}^{[16]} \oplus x_{7,i+1}^{[16]}$. We now compute the bias of

$$x_{0,i+1}^{[0]} \oplus g_{0,i}^{[0]} \oplus (g_{7,i} \lll 16)^{[0]} \oplus (g_{6,i} \lll 16)^{[0]}, \quad (9)$$

which is $(g_{0,i} + (g_{7,i} \lll 16) + (g_{6,i} \lll 16))^{[0]} \oplus g_{0,i}^{[0]} \oplus (g_{7,i} \lll 16)^{[0]} \oplus (g_{6,i} \lll 16)^{[0]}$ by (1). It is then clear that (9) is equal to the constant 0, and so it has bias 1. Similarly, we know that both $x_{2,i+1}^{[0]} \oplus g_{2,i}^{[0]} \oplus (g_{1,i} \lll 16)^{[0]} \oplus (g_{0,i} \lll 16)^{[0]}$ and $x_{4,i+1}^{[0]} \oplus g_{4,i}^{[0]} \oplus (g_{3,i} \lll 16)^{[0]} \oplus (g_{2,i} \lll 16)^{[0]}$ have bias 1. Next, we want to analyze the bias of $x_{1,i+1}^{[16]} \oplus g_{1,i}^{[16]} \oplus (g_{0,i} \lll 8)^{[16]} \oplus g_{7,i}^{[16]}$, which is equal to

$$(g_{1,i} + (g_{0,i} \lll 8) + g_{7,i})^{[16]} \oplus g_{1,i}^{[16]} \oplus (g_{0,i} \lll 8)^{[16]} \oplus g_{7,i}^{[16]}. \quad (10)$$

It is shown in [8] that the bias of (10) can be computed assuming that the inputs are uniformly and independently distributed. We use the result of [8] to estimate the bias of (10): we get an estimated bias of $2^{-1.6}$ for (10), and experiments have confirmed this. On the other hand, we compute the bias of

$$g_{0,i}^{[0]} \oplus (g_{7,i} \lll 16)^{[0]} \oplus (g_{6,i} \lll 16)^{[0]} \oplus g_{2,i}^{[0]} \oplus (g_{1,i} \lll 16)^{[0]} \oplus (g_{0,i} \lll 16)^{[0]} \oplus g_{4,i}^{[0]} \oplus (g_{3,i} \lll 16)^{[0]} \oplus (g_{2,i} \lll 16)^{[0]} \oplus g_{1,i}^{[16]} \oplus (g_{0,i} \lll 8)^{[16]} \oplus g_{7,i}^{[16]} \oplus g_{5,i}^{[16]} \oplus (g_{4,i} \lll 8)^{[16]} \oplus g_{3,i}^{[16]} \oplus g_{7,i}^{[16]} \oplus (g_{6,i} \lll 8)^{[16]} \oplus g_{5,i}^{[16]}. \quad (11)$$

Rearranging the terms, we can write (11) in the form $\gamma_0 \cdot g_{0,i} \oplus \gamma_1 \cdot g_{1,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$, where the 32-bit $\gamma_j$'s are $\gamma_0 = \mathtt{0x10101}$, $\gamma_2 = \mathtt{0x10001}$, $\gamma_4 = \mathtt{0x101}$, $\gamma_6 = \mathtt{0x10100}$, $\gamma_7 = \mathtt{0x10000}$, and the others are zero. Assuming all the $g$'s are independent, we get the bias $2^{-72}$ for (11) by the Piling-up Lemma [7]. So, by combining (9), (10) and (11), we obtain our first keystream bias involving multiple sub-blocks of one block of Rabbit,

$$s_{i+1}^{[0]} \oplus s_{i+1}^{[32]} \oplus s_{i+1}^{[64]}, \quad (12)$$

which has bias around $2^{-1.6 \cdot 3} \cdot 2^{-72} \approx 2^{-77}$ (for small-scale experimental results see Section 3.1). More generally, we are interested in finding a large bias within one keystream block of the following form

$$Mask_0 \cdot s_{i+1}^{[15..0]} \oplus Mask_1 \cdot s_{i+1}^{[31..16]} \oplus \cdots \oplus Mask_7 \cdot s_{i+1}^{[127..112]}, \quad (13)$$

where $Mask_0, \ldots, Mask_7$ have 16 bits and the dot operation denotes an inner product. Note that we have just analyzed the bias corresponding to $Mask_0 = Mask_2 = Mask_4 = 1$ with the other $Mask_j$'s zero. By checking the state update function (1)–(8), we heuristically expect dependency between the addend terms in (13) when each $Mask_j$ is fixed to be zero or a given value $Mask$. Thus, in this section, we will consider $Mask_0, \ldots, Mask_7$ taking values in the set $\{0, Mask\}$ only, where the fixed $Mask$ has 16 bits.

We use the above method to analyze the biases of (13) for all possible $Mask_0, \ldots, Mask_7 \in \{0, Mask\}$ and $Mask = \mathtt{0x1}$. It turned out that when $Mask_0 = Mask_2 = Mask_5 = Mask_7 = Mask$ and $Mask_1 = Mask_3 = Mask_4 = Mask_6 = 0$, the bit $s_{i+1}^{[0]} \oplus s_{i+1}^{[32]} \oplus s_{i+1}^{[80]} \oplus s_{i+1}^{[112]}$ has the largest bias, $2^{-72}$. In the above analysis we consider the 0-th bit of the keystream sub-blocks (i.e., $Mask = \mathtt{0x1}$). Similarly, we looked at the $j$-th bit ($j = 1, \ldots, 15$) of each keystream sub-block and computed the corresponding biases. For each fixed $Mask = 1 \ll j$ ($j = 2, \ldots, 15$), the largest bias is achieved when $Mask_0 = Mask_2 = Mask_5 = Mask_7 = Mask$ and $Mask_1 = Mask_3 = Mask_4 = Mask_6 = 0$. The estimated biases of the keystream bit

$$Mask \cdot s_{i+1}^{[15..0]} \oplus Mask \cdot s_{i+1}^{[47..32]} \oplus Mask \cdot s_{i+1}^{[95..80]} \oplus Mask \cdot s_{i+1}^{[127..112]}$$

are shown in Table 1 for $Mask = \mathtt{0x1}, \mathtt{0x2}, \ldots, \mathtt{0x8000}$. We can see from Table 1 that when $Mask = \mathtt{0x1}$ the absolute value of the bias (corresponding to the keystream bit $s_{i+1}^{[0]} \oplus s_{i+1}^{[32]} \oplus s_{i+1}^{[80]} \oplus s_{i+1}^{[112]}$) is the largest, $2^{-72}$. Note that when $j = 1$, our analysis shows that the corresponding bit is unbiased (denoted by X in Table 1).

3.1 Experimental Results

Due to the requirement of a large amount of keystream output, it is not feasible to verify the bias of the distinguisher (13). Our experiments have been focused on verifying the bias of

$$Mask_0 \cdot s_{i+1}^{[15..0]} \oplus Mask_1 \cdot s_{i+1}^{[31..16]} \oplus \cdots \oplus Mask_7 \cdot s_{i+1}^{[127..112]} \oplus \gamma_0 \cdot g_{0,i} \oplus \gamma_1 \cdot g_{1,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i} \quad (14)$$

with the corresponding $\gamma_j$'s mentioned before. We did experiments to test the bias of (14) as follows. For each bias, we choose $2^{38}$ initial states randomly with uniform distribution. First, we use our $2^{38}$ samples to compute the empirical bias $\hat\epsilon$ of (14). Second, if $|\hat\epsilon| \ge 2^{-16}$, we construct a distinguisher to verify it as follows. We divide the $2^{38}$ samples into $m = \hat\epsilon^{2} \cdot 2^{38}$ frames of $\hat\epsilon^{-2}$ samples each. We compute the number (denoted by $n$) of frames in which the number of zeros (resp. ones) is strictly larger than the number of ones (resp. zeros), if $\hat\epsilon$ is positive (resp. negative). If $n$ is significantly higher than $\frac{m}{2}$, which indicates that the distinguisher works, we can confirm the empirical bias $\hat\epsilon$. If not, or if $|\hat\epsilon| < 2^{-16}$, we give up and decide that the corresponding bias is too small to be tested by experiments. The reason to verify as above is a well-known fact in coding theory: if the bias of the bit $A$ is $\epsilon$, then we can successfully distinguish the distribution of $\epsilon^{-2}$ randomly and uniformly chosen samples of $A$ from the uniform distribution with probability of success higher than $\frac{1}{2}$.

Table 1. Estimated bias of the keystream bit $Mask \cdot s_{i+1}^{[15..0]} \oplus Mask \cdot s_{i+1}^{[47..32]} \oplus Mask \cdot s_{i+1}^{[95..80]} \oplus Mask \cdot s_{i+1}^{[127..112]}$ with $Mask = 1 \ll j$ ($j = 0, 1, \ldots, 15$)

  j               0    1   2    3    4    5    6    7    8    9    10   11   12   13   14   15
  log2 |bias|     -72  X   -79  -79  -80  -79  -79  -76  -77  -75  -80  -80  -77  -77  -77  -80

Table 2. Comparison of the experimental results $\hat\epsilon$ on the biases of (14) with our theoretical estimates $\epsilon$, corresponding to Table 1

  j                                   0   1   2    3    4    5    6    7    8    9    10   11   12   13   14   15
  $\log_2 |\hat\epsilon|$ (experiment) -5  X   -11  -10  -10  -10  -10  -10  -10  -10  -10  -10  -10  -10  -10  -10
  $\log_2 |\epsilon|$ (estimate)       -6  X   -14  -13  -13  -13  -13  -13  -13  -13  -13  -13  -13  -13  -13  -13

We first did experiments to test the bias of (14) for our first keystream bias (12). Our experiments show that $\hat\epsilon$ is around $2^{-4.2}$, while our previous estimate is around $2^{-4.8}$. In Table 2, we give our experimental results on the biases of (14) corresponding to Table 1 and compare them with our theoretical estimates $\epsilon$, where X in the second row indicates that our experiments are unable to test the bias. It turned out that our theoretically estimated biases are conservatively smaller than the experimental results, except for the case $j = 1$.
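The bias bookkeeping of Section 3 (the definition $\Pr[A=0] - \Pr[A=1]$ and the Piling-up Lemma in that convention) together with the frame test of Section 3.1, as an added Python example; it is not the paper's experiment code. It runs on the one approximation whose bias is large enough to measure at small scale, the three-operand carry approximation (10), with the $g$ inputs drawn uniformly and independently (the assumption under which [8] estimates (10)) rather than from Rabbit states; the sample count is scaled down from the paper's $2^{38}$, and the $2^{-16}$ threshold is kept. For bit 16 of a three-operand sum, (10) is exactly the parity of the carry into bit 16, which is 1 with probability about $2/3$, so the measured bias comes out near $-1/3 \approx -2^{-1.6}$, which is the value the text quotes.

```python
# Added example (not the authors' code): bias definition of Section 3,
# Piling-up Lemma, and the frame-based verification of Section 3.1,
# applied to the approximation (10) on uniformly drawn (constructed) g inputs.
import math
import random

MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    """Left bit-wise rotation of a 32-bit word."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def bit(w, k):
    return (w >> k) & 1


def bias(samples):
    """Bias as defined in Section 3: Prob[A = 0] - Prob[A = 1]."""
    ones = sum(samples)
    return (len(samples) - 2 * ones) / len(samples)


def piling_up(biases):
    """Piling-up Lemma [7] for independent bits. In the Prob[0]-Prob[1]
    convention the bias of an XOR is just the product of the biases
    (the 2^{k-1} factor of the Prob-1/2 convention cancels out)."""
    return math.prod(biases)


def approx_10(g0, g1, g7):
    """The bit (10): (g1 + (g0<<<8) + g7)^[16] xor g1^[16] xor (g0<<<8)^[16] xor g7^[16].
    Algebraically this is the parity of the carry into bit 16 of the sum."""
    r = rotl32(g0, 8)
    s = (g1 + r + g7) & MASK32
    return bit(s, 16) ^ bit(g1, 16) ^ bit(r, 16) ^ bit(g7, 16)


def frame_test(samples, eps):
    """Section 3.1: cut the samples into m frames of ceil(eps^-2) samples and
    count the frames n whose majority value matches the sign of eps (more zeros
    for eps > 0, more ones for eps < 0). Returns (n, m); n well above m/2
    means the distinguisher works."""
    size = math.ceil(eps ** -2)
    m = len(samples) // size
    n = 0
    for f in range(m):
        frame = samples[f * size:(f + 1) * size]
        ones = sum(frame)
        zeros = size - ones
        if (eps > 0 and zeros > ones) or (eps < 0 and ones > zeros):
            n += 1
    return n, m


def verify_bias(samples, threshold=2.0 ** -16):
    """The procedure of Section 3.1 on one sample set: empirical bias first, the
    frame test only if |eps| >= threshold. Returns (eps, n, m), or None when the
    bias is too small to be tested."""
    eps = bias(samples)
    if abs(eps) < threshold:
        return None
    n, m = frame_test(samples, eps)
    return eps, n, m


def run_experiment(n_samples=1 << 15, seed=0):
    """Sample (10) on uniform g0, g1, g7 (constructed inputs) and verify its bias."""
    rng = random.Random(seed)
    xs = [approx_10(rng.getrandbits(32), rng.getrandbits(32), rng.getrandbits(32))
          for _ in range(n_samples)]
    return verify_bias(xs)


if __name__ == "__main__":
    result = run_experiment()
    if result is None:
        print("bias below 2^-16: not testable at this sample size")
    else:
        eps, n, m = result
        print("empirical bias of (10): %.4f (log2 |eps| = %.2f)" % (eps, math.log2(abs(eps))))
        print("frames won: %d of %d (m/2 = %d)" % (n, m, m // 2))
    # Piling-up estimate for (12): three copies of (10) and the 2^-72 term (11).
    est = piling_up([2 ** -1.6] * 3 + [2 ** -72])
    print("estimated log2 bias of (12): %.1f" % math.log2(est))
```

With $2^{15}$ samples the frames have 9 or 10 samples each and roughly 80 to 85 percent of them are won, far above $m/2$; the same `verify_bias` returns `None` for an unbiased input, which is the "give up" branch of the paper's procedure.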

4 Finding a Larger Bias within One Keystream Block

In this section, we consider the general form of the $Mask_j$'s for the bit (13), which can take arbitrary 16-bit values individually. Let $Mask_0 = a_1 \| b_1$, $Mask_2 = a_2 \| b_2$, $Mask_4 = a_3 \| b_3$, $Mask_6 = a_4 \| b_4$, $Mask_1 = a_5 \| b_5$, $Mask_3 = a_6 \| b_6$, $Mask_5 = a_7 \| b_7$, $Mask_7 = a_8 \| b_8$, where the $a_j$'s and $b_j$'s each have 8 bits and $a_j \| b_j$ denotes the concatenation of $a_j$ and $b_j$. Given the $Mask_j$'s, we can express the aforementioned 32-bit $\gamma_j$'s in terms of these 8-bit $a_j$'s and $b_j$'s as follows:

$$\gamma_0 = (a_2 \oplus a_5 \oplus b_8) \| (a_3 \oplus b_2 \oplus b_5) \| (a_1 \oplus a_6 \oplus b_3) \| (a_8 \oplus b_1 \oplus b_6) \quad (15)$$
$$\gamma_1 = (a_2 \oplus a_3 \oplus a_4) \| (b_2 \oplus b_3 \oplus b_4) \| (a_5 \oplus a_6 \oplus a_8) \| (b_5 \oplus b_6 \oplus b_8) \quad (16)$$
$$\gamma_2 = (a_3 \oplus a_6 \oplus b_5) \| (a_4 \oplus b_3 \oplus b_6) \| (a_2 \oplus a_7 \oplus b_4) \| (a_5 \oplus b_2 \oplus b_7) \quad (17)$$
$$\gamma_3 = (a_1 \oplus a_3 \oplus a_4) \| (b_1 \oplus b_3 \oplus b_4) \| (a_5 \oplus a_6 \oplus a_7) \| (b_5 \oplus b_6 \oplus b_7) \quad (18)$$
$$\gamma_4 = (a_4 \oplus a_7 \oplus b_6) \| (a_1 \oplus b_4 \oplus b_7) \| (a_3 \oplus a_8 \oplus b_1) \| (a_6 \oplus b_3 \oplus b_8) \quad (19)$$
$$\gamma_5 = (a_1 \oplus a_2 \oplus a_4) \| (b_1 \oplus b_2 \oplus b_4) \| (a_6 \oplus a_7 \oplus a_8) \| (b_6 \oplus b_7 \oplus b_8) \quad (20)$$
$$\gamma_6 = (a_1 \oplus a_8 \oplus b_7) \| (a_2 \oplus b_1 \oplus b_8) \| (a_4 \oplus a_5 \oplus b_2) \| (a_7 \oplus b_4 \oplus b_5) \quad (21)$$
$$\gamma_7 = (a_1 \oplus a_2 \oplus a_3) \| (b_1 \oplus b_2 \oplus b_3) \| (a_5 \oplus a_7 \oplus a_8) \| (b_5 \oplus b_7 \oplus b_8) \quad (22)$$

where $\|$ denotes the concatenation of strings. Let us first see how to find the largest bias of all $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$. Let $\epsilon_g$ denote the absolute value of the maximum bias for $g$. We computed all the biases of $g$. The largest bias $2^{-7.1}$ is achieved with the linear mask $\mathtt{0x6060606}$. Let $n$ denote the maximum cardinality of the set $\{j : \gamma_j = 0\}$ over all possible 8-bit $a_j$'s and $b_j$'s, excluding the case where all $a_j$'s and $b_j$'s are zero. By the Piling-up Lemma, we give a not-so-tight upper bound for the bias of $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ by

$$\epsilon_g^{\,8-n} = 2^{-7.1(8-n)}. \quad (23)$$

We now discuss how to compute $n$. Define the row vector $U = (\mathtt{0x1000000}, \mathtt{0x10000}, \mathtt{0x100}, 1)$ and the column vector $V = (a_1, \ldots, a_8, b_1, \ldots, b_8)^T$. We write $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ as $\bigoplus_{j=0}^{7} (U A_j V) \cdot g_{j,i}$, where the $A_j$'s denote matrices of size $4 \times 16$ with binary entries for $j = 0, \ldots, 7$, and $A_0, \ldots, A_7$ can be deduced from (15), ..., (22) respectively. Given $k \le 8$, if there exist $k$ different $A_{j_1}, \ldots, A_{j_k} \in \{A_0, \ldots, A_7\}$ such that the linear system $A_{j_i} V = 0$ for $i = 1, \ldots, k$ has non-trivial solution(s) $V$ (i.e., it has more than one solution), then we know $n = k$ is a possible solution. The non-trivial solution(s) exist(s) when the rank of the matrix $(A_{j_1}, A_{j_2}, \ldots, A_{j_k})^T$ of size $4k \times 16$ is strictly less than 16. As we want to find the maximum $n$, we can try all possible $k$ in decreasing order starting from 8, until we encounter such a matrix of rank less than 16. Note that when $k \le 3$, the corresponding matrix always has rank strictly less than 16. Therefore, we are sure that $n \ge 3$. Our computation showed that $n = 4$, where the minimum matrix rank is 14. Therefore, by (23), we know a not-so-tight upper bound $2^{-28.4}$ for the bias of $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$.

The above idea can be used to find the largest bias of $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$. We will illustrate with a concrete example below. Our computation found that with $k = 4$, $A = (A_0, A_1, A_3, A_4)^T$ has rank 14. It means that by using two variables $a', b'$, the 16 variables $a_j$'s and $b_j$'s can be fully determined: $a_3 = a_4 = a_7 = b_1 = b_7 = a'$, $a_1 = a_5 = a_6 = b_3 = b_4 = b_8 = b'$, $a_2 = a_8 = b_2 = b_5 = b_6 = a' \oplus b'$. And we can write $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ as

$$(a' \oplus b' \,\|\, a' \,\|\, b' \,\|\, a') \cdot g_{0,i} \oplus (a' \oplus b' \,\|\, a' \oplus b' \,\|\, a' \oplus b' \,\|\, b') \cdot g_{1,i} \oplus (b' \,\|\, a' \,\|\, a' \,\|\, a') \cdot g_{3,i} \oplus (a' \oplus b' \,\|\, a' \,\|\, a' \oplus b' \,\|\, b') \cdot g_{4,i}. \quad (24)$$

Then we just try all 8-bit $a', b'$ and compute the bias of (24). It turned out that when $a' = b' = \mathtt{0x50}$ (resp. $a' = b' = \mathtt{0x60}$) the bias is the largest, $2^{-50}$ (resp. $2^{-50}$). This search method can be tried for all possible $A_{j_1}, \ldots, A_{j_k} \in \{A_0, \ldots, A_7\}$ with all $k$ such that the rank of $(A_{j_1}, A_{j_2}, \ldots, A_{j_k})^T$ is less than 16. The largest bias of all $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ which we found is approximately $2^{-44}$.

Finding a Larger Bias. We first used the idea in Section 3 to compute the biases of those $Mask_i$'s whose corresponding $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ has the largest bias, where the $Mask_i$'s can take arbitrary values. We were not able to find any larger bias than the one introduced in Section 3. Then, we tried those $Mask_i$'s whose corresponding $\gamma_0 \cdot g_{0,i} \oplus \cdots \oplus \gamma_7 \cdot g_{7,i}$ has a bias larger than $2^{-72}$. The largest bias our search has found is that of $\mathtt{0x606} \cdot s_{i+1}^{[47..32]} \oplus \mathtt{0x606} \cdot s_{i+1}^{[79..64]} \oplus \mathtt{0x606} \cdot s_{i+1}^{[111..96]}$, with bias approximately $2^{-70.5}$. As done in Section 3.1, we did experiments to verify the corresponding bias of (14): our theoretical estimate for the bias of (14) is around $2^{-20}$; in contrast, the experiments showed that the bias is much stronger, $2^{-13}$. This implies we have a distinguishing attack on Rabbit with complexity $O(2^{141})$, assuming independence between the keystream blocks of Rabbit. Compared with the best previous attack [6], which only considered the bias within one sub-block, we have improved the attack by a factor of $O(2^{17})$.
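The matrix formulation used earlier in this section to compute $n$, as an added Python example; it is not the authors' search code. Each $\gamma_j$ of (15)–(22) is four bytes, each byte the XOR of three of the sixteen 8-bit variables, so the byte is one row of $A_j$ over GF(2) with $V = (a_1, \ldots, a_8, b_1, \ldots, b_8)^T$ indexed 0 to 15. The code stacks subsets of the $A_j$, computes the GF(2) rank by Gaussian elimination, and lists the index sets whose stacked matrix has rank below 16. It also instantiates the two-parameter assignment $a', b'$ quoted above and evaluates all eight $\gamma_j$ on it; with the byte formulas (15)–(22) as written, the $\gamma_j$ that vanish on that family are $\gamma_2, \gamma_5, \gamma_6, \gamma_7$, the four absent from (24), so the rank-14 stack the code reports for that family is $(A_2, A_5, A_6, A_7)^T$, and the surviving masks for $a' = b' = \mathtt{0x50}$ are those of (24).

```python
# Added example (not the authors' code): the A_j matrices of Section 4 built from
# (15)-(22), GF(2) rank of stacked subsets, and the a', b' solution family.
from itertools import combinations

# (15)-(22): for each gamma_j the four bytes, most significant first; each byte
# is named by the three variables it XORs ('a2' is a_2, 'b8' is b_8).
GAMMA = [
    [("a2", "a5", "b8"), ("a3", "b2", "b5"), ("a1", "a6", "b3"), ("a8", "b1", "b6")],  # gamma_0
    [("a2", "a3", "a4"), ("b2", "b3", "b4"), ("a5", "a6", "a8"), ("b5", "b6", "b8")],  # gamma_1
    [("a3", "a6", "b5"), ("a4", "b3", "b6"), ("a2", "a7", "b4"), ("a5", "b2", "b7")],  # gamma_2
    [("a1", "a3", "a4"), ("b1", "b3", "b4"), ("a5", "a6", "a7"), ("b5", "b6", "b7")],  # gamma_3
    [("a4", "a7", "b6"), ("a1", "b4", "b7"), ("a3", "a8", "b1"), ("a6", "b3", "b8")],  # gamma_4
    [("a1", "a2", "a4"), ("b1", "b2", "b4"), ("a6", "a7", "a8"), ("b6", "b7", "b8")],  # gamma_5
    [("a1", "a8", "b7"), ("a2", "b1", "b8"), ("a4", "a5", "b2"), ("a7", "b4", "b5")],  # gamma_6
    [("a1", "a2", "a3"), ("b1", "b2", "b3"), ("a5", "a7", "a8"), ("b5", "b7", "b8")],  # gamma_7
]


def var_index(name):
    """Position in V: a1..a8 -> 0..7, b1..b8 -> 8..15."""
    return (0 if name[0] == "a" else 8) + int(name[1]) - 1


def matrix_A(j):
    """A_j as four rows, each row a 16-bit mask over GF(2) (one row per byte of gamma_j)."""
    rows = []
    for byte_terms in GAMMA[j]:
        r = 0
        for name in byte_terms:
            r |= 1 << var_index(name)
        rows.append(r)
    return rows


def gf2_rank(rows):
    """Rank over GF(2) of a matrix given as row bit-masks (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    for col in range(16):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> col) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def stacked_rank(indices):
    """Rank of (A_{j1}, ..., A_{jk})^T, the 4k x 16 matrix of Section 4."""
    rows = []
    for j in indices:
        rows.extend(matrix_A(j))
    return gf2_rank(rows)


def vanishing_sets(k):
    """All k-element index sets whose stacked matrix has rank < 16, i.e. for
    which those k gamma_j can all be zero on some non-zero V."""
    return [c for c in combinations(range(8), k) if stacked_rank(c) < 16]


def max_vanishing():
    """n of Section 4: try k = 8, 7, ... and stop at the first k with a hit."""
    for k in range(8, 0, -1):
        hits = vanishing_sets(k)
        if hits:
            return k, hits
    return 0, []


def gammas_from_pair(a, b):
    """Instantiate the family a3=a4=a7=b1=b7=a', a1=a5=a6=b3=b4=b8=b',
    a2=a8=b2=b5=b6=a'^b' and return the eight 32-bit gamma_j it yields."""
    v = {"a1": b, "a2": a ^ b, "a3": a, "a4": a, "a5": b, "a6": b, "a7": a, "a8": a ^ b,
         "b1": a, "b2": a ^ b, "b3": b, "b4": b, "b5": a ^ b, "b6": a ^ b, "b7": a, "b8": b}
    out = []
    for j in range(8):
        word = 0
        for byte_terms in GAMMA[j]:
            byte = 0
            for name in byte_terms:
                byte ^= v[name]
            word = (word << 8) | byte
        out.append(word)
    return out


if __name__ == "__main__":
    k, hits = max_vanishing()
    print("n =", k, "achieved by index sets", hits)
    for idx in hits:
        print("  rank of stacked", idx, "=", stacked_rank(idx), "kernel dim =", 16 - stacked_rank(idx))
    print("gamma_j for a' = b' = 0x50:", [hex(g) for g in gammas_from_pair(0x50, 0x50)])
```

The kernel dimension $16 - \mathrm{rank}$ is the number of free 8-bit parameters of the solution family; for the rank-14 stack it is 2, matching the pair $a', b'$ in the text, and the exhaustive step of the paper is then the loop over all $2^{16}$ values of that pair.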

5 Conclusion

In this paper, we use the linear cryptanalysis method to study the bias of Rabbit involving multiple sub-blocks of one keystream block. The largest bias we found is estimated to be $2^{-70.5}$. Assuming independence between the keystream blocks of Rabbit, we have a distinguishing attack on Rabbit requiring $O(2^{141})$ keystream blocks. Compared with all previous results [1, 6], it is the best distinguishing attack so far. Furthermore, small-scale experiments suggest that our result might be a conservative estimate.

References

1. Aumasson, J.P.: On a bias of Rabbit. In: SASC 2007 (2007), http://www.ecrypt.eu.org/stream/papersdir/2007/033.pdf
2. Boesgaard, M., Vesterager, M., Christensen, T., Zenner, E.: The stream cipher Rabbit. The ECRYPT stream cipher project, http://www.ecrypt.eu.org/stream/
3. Boesgaard, M., Vesterager, M., Zenner, E.: A description of the Rabbit stream cipher algorithm. RFC 4503 (May 2006), http://www.ietf.org/rfc/rfc4503.txt?number=4503
4. Cryptico A/S: Algebraic analysis of Rabbit. White paper (2003)
5. Cryptico A/S: Hamming weights of the g-function. White paper (2003)
6. Lu, Y., Wang, H., Ling, S.: Cryptanalysis of Rabbit. In: Wu, T., Lei, C., Rijmen, V., Lee, D. (eds.) ISC 2008. LNCS, vol. 5222, pp. 204–214. Springer, Heidelberg (2008)
7. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
8. Nyberg, K., Wallén, J.: Improved linear distinguishers for SNOW 2.0. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 144–162. Springer, Heidelberg (2006)
