The Rabbit Stream Cipher

The Number Crunchers

Sharif Hdairis Andrew Hoffman Nelson Powell The Rabbit Cipher • Rabbit Components o Stream Cipher o 128 bit Key o 64 bit Initialization Vector (IV) o 513 bits of internal data

• Performance o 128 ciphered bits per iteration o 3.7 CPB on Pentium III

• Authors already analyzed o DIEHARD o NIST o ENT Top Level Diagram Random Data Program

• FileDriver.java o User Interface . Command Line Driven o Modes of Operation . Key Only Verification . Key + IV Verification . File Encryption . Key Stream Generation

• RabbitCipher.java o Implements the StreamCipher Interface o Capabilities . Encryption . Decryption . Verification PRN Help Screen usage: FileDriver [-k] [-i] [-r ] [[ -e ]|[ -s ]]

Options: (order matters) -k, -K : Key Test only mode

-i, -I : Key and IV Test only mode

keyFile: Key and IV. the 16 (key only) or 24 (key + iv) hexadecimal bytes, encoded as a string, used initialize the cipher.

-r, -R : Override the number of init rounds (Default = 4) rounds : Number of initialization rounds

-e, -E : Encrypt a data file specified by the following argument srcFile: Binary file to encrypt

-s, -S : Specify the number of PRNG bytes to generate (the cipher's keystream) prngLen: desired size of output file

OutFile: File storing the encrypted data from the srcFile, or the desired amount of PRNG output

Test Vectors

• Test Vectors o Used for both Verification and Tests o RFC 4503: Appendix A and B o eStream Vectors rabbit_p3source.zip . eStream Disclaimer (Section 2.2)

• Test Vector Files o Hexadecimal Data using ASCII Representation . Use 2 ASCII Characters per Byte . Case Insensitive . '0x' Assumed

example: Key Bytes IV Bytes 00 01 02 03 04 05 06 A0 B2 B4 D5 FF FF DE 1F 77 99 F1 20 55 AA BB 11 00 Test Suite Description

TestU01 will be used: • More flexible than DIEHARD.

• Tests examine data in more than one block size.

• Tests use larger data samples, giving more accurate results.

• Test parameters are tunable.

Test U01 composition

Many types of modules:

• u-modules: uniform RNGs

• s-modules: statistical tests

• b-modules: predefined battery of tests

• f-modules: family of generators special u-module, "ufile", will generate random numbers by reading bytes from a file. Statistical Tests

Predefined batteries will be used: General Purpose SmallCrush (20sec) Crush (1hr) BigCrush (8hrs)

Binary Files Alphabit (Hardware) Rabbit PseudoDIEHARD FIPS_140_2 (NIST) Initial Test Results Specific Test Results

significance 4 Rounds 3 Rounds 2 Rounds 1 Round 0 Round threshold

1% 22 16 30 18 34

.1% 3 2 1 0 1

Count of p values exceeding both 1% and .1% limits by # rounds

K=0's K=0's K=1's K=1's K=0's K=Rand IV=0's IV=1's IV=0's IV=1's IV=Rand IV=Rand

1% 18 26 20 15 19 22

.1% 2 3 0 1 0 1

Count of p values exceeding both 1% and .1% limits by Key&IV value Results Analysis

• The number of p-values <= 0.01 exceeds 1% of the observed total number of p-values.

• Rabbit should be secure with just 2 rounds, therefore we perform a chi- squared test on data from rounds 2-4.

• At 1% significance threshold, observed chi-squared p-value for the failures in rounds 2, 3 and 4 is 0.0000.

• Likelihood of non-uniformity is very high, and has been proven in [9].

• Due to the non-uniformity, the effects of the number of rounds are difficult to isolate, if they exist at all.

• Much larger datasets (100s - 1000s of test vectors instead of 6) may be necessary to isolate the effect of rounds. Reference Analysis

• Rabbit Authors performed linear analysis o Claims state variables have periodicity of 2215 o Claims no correlation attack for sequences < 264 Bytes o NIST, DIEHARD, and ENT showed NO weaknesses

• Bias Studies o [9] studies bias of key stream due to

. On average G32 contains more 1's than 0's . Leads to distinguisher of 2247 o [15] studies bias of sub-blocks of keystream 128-bit blocks . Lead to distinguishing attack of 2141

• Others focus on Fault Analysis o Fault analysis of the modular additions [14] . O(232) operations to recover internal state . Leads to key extraction References

[4] eCrypt Source Code and Test Vectors, http://www.ecrypt.eu.org/stream/p3ciphers/rabbit/rabbit_p3source.zip[5] Anonymous, Rabbit Stream Cipher Algorithm Specification, http://www.cryptico.com/images/pages/WP_Rabbit_Specification.pdf, Cryptico A/S, 2005

[8] Unknown, Second Degree Approximations of the g-Function, http://www.cryptico.com/images/pages/wp_second_degree_approx.pdf, Cryptico A/S, 2003

[9] Jean-Philipe Aumasson, On a bias of Rabbit, http://sasc.crypto.rub.de/files/sasc2007_316.pdf,

[10] Y. Lu, H. Wang, and S. Ling, Cryptanalysis of Rabbit, Information Security 11th International Conference, ISC 2008, Taipei, Taiwan, September 15-18, 2008. Proceedings

[11] A. Kircanski, A. M. Youssef, Differential Fault Analysis of Rabbit, Selected Areas in Cryptography 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13-14, 2009, Revised Selected Papers

[12] P. L’Ecuyer, R. Simard, TestU01, http://www.iro.umontreal.ca/~simardr/testu01/guideshorttestu01.pdf, Universit´e de Montr´eal, D´epartement d’Informatique et de Recherche Op´erationnelle, August 2009

[13] Lütfü Tarkan ÖLÇÜOĞLU, , Analysis of Rabbit Cipher, http://www3.iam.metu.edu.tr/iam/images/6/6a/Tarkanolcuogluterm.pdf, Middle East Technical University, Institute of Applied Mathematics, Jan 2009

[14] A. Berzati, C. Canovas-Dumas, L. Goubin, Fault Analysis of Rabbit: Toward a Secret Key Leakage, Lecture Notes in Computer Science, 2009, Volume 5922, Progress in Cryptography - INDOCRYPT 2009, pp. 72-87

[15] Y. Lu, Y. Desmedt, Improved Distinguishing Attack on Rabbit, Lecture Notes in Computer Science 2011, Volume 6531, Information Security, pp. 17-23 Lessons Learned

• Cipher implementation language should be selected with test suite consideration in mind • Test vectors are not perfect, neither are the actual specifications. • Perform full length dry-runs of the test suite to avoid data consumption surprises. • We learned how to use a statistical test suite for randomness, appreciate the role they fulfill. • Never trust the source you download to be bug free on your platform. Future Work

• Run DIEHARD, NIST, and ENT to verify authors' claims

• Use a C implementation with TestU01 to be able to run more iterations of a given test, this allows the elimination of suspicious p-values.

• Increase the number of test vectors from 6 to 1000s in order to help isolate the effect of the number of rounds, or use a different analysis technique for that purpose. Questions