Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind: fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte (CPB) on a Pentium 3 and 9.7 CPB on an ARM7. However, the cipher also turns out to be very fast and compact in hardware.
The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on a strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. The mixing function uses a g-function based on arithmetical squaring, and the ARX operations -- logical XOR, bit-wise rotation with hard-wired rotation amounts, and addition modulo 2^32.
The g-function used in Rabbit -- squaring a 32-bit number to produce a 64-bit number, and then combining the upper and lower 32-bit halves of that square with XOR to produce a 32-bit result -- provides much better results than using the 32 middle bits of that square (the middle-square method).
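The g-function, ARX next-state function, counter system and 128-bit extraction described above, as an added keystream generator written from my reading of RFC 4503 (this is illustrative code, not the page's or Cryptico's own implementation). The little-endian mapping of key and IV bytes to 16-bit subkeys and 32-bit words is an assumption, and the block has not been checked against the RFC's Appendix A test vectors, so do that before relying on it.

```python
MASK = 0xFFFFFFFF
A = ([0x4D34D34D, 0xD34D34D3, 0x34D34D34] * 3)[:8]   # counter constants A0..A7
def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
def g(u):
    """Rabbit g-function: square the 32-bit input to 64 bits, XOR high and low halves."""
    return ((u * u) ^ ((u * u) >> 32)) & MASK

class Rabbit:
    def __init__(self, key, iv=None):
        # subkeys K0..K7 are 16-bit words; little-endian byte mapping is an assumption here
        k = [int.from_bytes(key[2*j:2*j+2], 'little') for j in range(8)]
        self.x, self.c, self.b = [0] * 8, [0] * 8, 0
        for j in range(8):           # key setup: X_j and C_j from concatenated subkey pairs
            xh, xl, ch, cl = (j+1, j, j+4, j+5) if j % 2 == 0 else (j+5, j+4, j, j+1)
            self.x[j] = (k[xh % 8] << 16) | k[xl % 8]
            self.c[j] = (k[ch % 8] << 16) | k[cl % 8]
        for _ in range(4):
            self._next_state()
        for j in range(8):           # counters re-initialised after the four rounds
            self.c[j] ^= self.x[(j+4) % 8]
        if iv is not None:           # IV setup: XOR 32-bit IV slices into the counters
            v = int.from_bytes(iv, 'little')
            lo, hi = v & MASK, v >> 32                        # IV[31..0], IV[63..32]
            mix1 = ((hi >> 16) << 16) | (lo >> 16)            # IV[63..48] || IV[31..16]
            mix3 = ((hi & 0xFFFF) << 16) | (lo & 0xFFFF)      # IV[47..32] || IV[15..0]
            for j, w in enumerate([lo, mix1, hi, mix3] * 2):
                self.c[j] ^= w
            for _ in range(4):
                self._next_state()

    def _next_state(self):
        for j in range(8):           # counter system; carry b chains across counters and iterations
            t = self.c[j] + A[j] + self.b
            self.c[j], self.b = t & MASK, t >> 32
        G = [g((self.x[j] + self.c[j]) & MASK) for j in range(8)]
        for j in range(8):           # ARX mixing; negative indexes wrap to G7/G6 for j = 0, 1
            rot, last = (16, rotl(G[j-2], 16)) if j % 2 == 0 else (8, G[j-2])
            self.x[j] = (G[j] + rotl(G[j-1], rot) + last) & MASK

    def keystream_block(self):
        """One iteration: 128 keystream bits from 16-bit halves of X0..X7 (extraction scheme)."""
        self._next_state()
        x, lo, hi = self.x, (lambda w: w & 0xFFFF), (lambda w: w >> 16)
        words = [(lo(x[a]) ^ hi(x[b])) | ((hi(x[a]) ^ lo(x[c])) << 16)
                 for a, b, c in [(0, 5, 3), (2, 7, 5), (4, 1, 7), (6, 3, 1)]]
        return b''.join(w.to_bytes(4, 'little') for w in words)

def rabbit_xor(key, iv, data):   # encryption and decryption are the same XOR with the keystream
    r = Rabbit(key, iv)
    ks = b''.join(r.keystream_block() for _ in range((len(data) + 15) // 16))
    return bytes(a ^ b for a, b in zip(data, ks))
```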
The authors of the cipher have provided a full set of cryptanalytic white papers on the Cryptico home page. It is also described in RFC 4503. Cryptico had patents pending for the algorithm and for many years required a license fee for commercial use of the cipher which was waived for non-commercial uses. However, the algorithm was made free for any use on October 6, 2008.
Rabbit claims 128-bit security against attackers whose target is one specific key. If, however, the attacker targets a large number of keys at once and does not care which of them is recovered, then the small IV size results in a reduced security level of 96 bits. This is due to generic time-memory-data (TMD) trade-off attacks.
A small bias in the output of Rabbit exists, resulting in a distinguisher with complexity 2^247 discovered by Jean-Philippe Aumasson in December 2006. Even though this distinguisher was improved to 2^158 in 2008, it is not a threat to Rabbit's security because its complexity is significantly higher than a brute-force search of the key space (2^128).
- M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, O. Scavenius. "Rabbit: A High-Performance Stream Cipher". Proc. FSE 2003, Springer LNCS 2887, pp. 307-329.
- Martin Boesgaard, Mette Vesterager, Thomas Christensen, Erik Zenner. "The Stream Cipher Rabbit". p. 18.
- M. Boesgaard, T. Pedersen, M. Vesterager, E. Zenner. "The Rabbit Stream Cipher - Design and Security Analysis". Proc. SASC 2004.
- Christophe De Cannière, Joseph Lano, Bart Preneel. "Comments on the Rediscovery of Time Memory Data Tradeoffs". 2005.
- Jean-Philippe Aumasson. "On a bias of Rabbit". Proc. SASC 2007.
- Yi Lu, Huaxiong Wang, San Ling. "Cryptanalysis of Rabbit". Proc. ISC 2008.