Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed for high performance in software: fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte (CPB) on a Pentium 3 and 9.7 CPB on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.
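The mixing step described above, written out from the next-state function in RFC 4503 as an added example (not code from this page or from the cipher's authors). The starting state and the `avalanche` helper are constructed for illustration; key setup, IV setup and output extraction are omitted.

```python
MASK = 0xFFFFFFFF
# Counter increments A0..A7 from RFC 4503.
A = [0x4D34D34D, 0xD34D34D3, 0x34D34D34, 0x4D34D34D,
     0xD34D34D3, 0x34D34D34, 0x4D34D34D, 0xD34D34D3]

def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def g(u, v):
    """Square (u + v mod 2^32), then XOR the high half of the 64-bit square onto the low half."""
    sq = ((u + v) & MASK) ** 2
    return (sq ^ (sq >> 32)) & MASK

def next_state(x, c, carry):
    """One iteration: advance the counters with carry, then mix the eight state words."""
    c = list(c)
    for j in range(8):
        t = c[j] + A[j] + carry
        carry, c[j] = t >> 32, t & MASK
    G = [g(x[j], c[j]) for j in range(8)]
    out = []
    for j in range(8):
        if j % 2 == 0:   # even words: two rotated neighbours (indices wrap mod 8)
            v = G[j] + rotl(G[j - 1], 16) + rotl(G[j - 2], 16)
        else:            # odd words: one rotated and one plain neighbour
            v = G[j] + rotl(G[j - 1], 8) + G[j - 2]
        out.append(v & MASK)
    return out, c, carry

def avalanche(rounds, flip_word=0, flip_bit=0):
    """Hamming distance between two 256-bit states that started one bit apart."""
    # Constructed starting state, chosen arbitrarily (not the result of a real key setup).
    x = [(0x01234567 * (j + 1)) & MASK for j in range(8)]
    c = [(0x89ABCDEF * (j + 3)) & MASK for j in range(8)]
    y = list(x)
    y[flip_word] ^= 1 << flip_bit
    carry = 0
    for _ in range(rounds):
        y = next_state(y, c, carry)[0]         # same counters for both states
        x, c, carry = next_state(x, c, carry)
    return sum(bin(a ^ b).count("1") for a, b in zip(x, y))

if __name__ == "__main__":
    for r in (1, 2, 4, 8):
        print(r, avalanche(r))
```

After one iteration a flipped bit in word 0 can reach only words 0 to 2; after a few more it spreads over the whole 256-bit state, using nothing but addition, squaring, XOR, shifts and rotations.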
The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page. It is also described in RFC 4503. Cryptico had patents pending for the algorithm and for many years required a license fee for commercial use of the cipher, which was waived for non-commercial use. However, the algorithm was made free for any use on October 6, 2008.
Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not really care which one he breaks, then the small IV size results in a reduced security level of 96 bits. This is due to generic time-memory-data (TMD) trade-off attacks.
A small bias in the output of Rabbit exists, resulting in a distinguisher with $2^{247}$ complexity discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to $2^{158}$ in 2008, it is not a threat to Rabbit's security because its complexity is significantly higher than that of a brute-force search of the key space ($2^{128}$).
- M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius, "Rabbit: A High-Performance Stream Cipher", Proc. FSE 2003, Springer LNCS 2887, pp. 307-329.
- M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner, "The Rabbit Stream Cipher - Design and Security Analysis", Proc. SASC 2004.
- Christophe De Cannière, Joseph Lano, and Bart Preneel, "Comments on the Rediscovery of Time Memory Data Tradeoffs", 2005.
- Jean-Philippe Aumasson, "On a bias of Rabbit", Proc. SASC 2007.
- Yi Lu, Huaxiong Wang, San Ling, "Cryptanalysis of Rabbit", Proc. ISC 2008.