Fault Analysis of Rabbit: Toward a Secret Key Leakage

  • Alexandre Berzati
  • Cécile Canovas-Dumas
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5922)


Although Differential Fault Analysis (DFA) led to powerful applications against public key [15] and secret key [12] cryptosystems, very few works have been published in the area of stream ciphers.

In this paper, we present the first application of DFA to the software eSTREAM candidate Rabbit that leads to a full secret key recovery. We show that by modifying modular additions of the next-state function, 32 faulty outputs are enough for recovering the whole internal state in time \(\mathcal{O}\left( 2^{34}\right)\) and extracting the secret key. Thus, this work improves the previous fault attack against Rabbit both in terms of computational complexity and fault number.


Keywords: stream cipher, Rabbit, fault attacks, carry analysis




References

  1. Cryptico A/S. Algebraic analysis of Rabbit. White paper (2003)
  2. Cryptico A/S. Analysis of the key setup function in Rabbit. White paper (2003)
  3. Cryptico A/S. Hamming weights of the g-function. White paper (2003)
  4. Cryptico A/S. Periodic properties of Rabbit. White paper (2003)
  5. Cryptico A/S. Second degree approximations of the g-function. White paper (2003)
  6. Cryptico A/S. Security analysis of the IV-setup for Rabbit. White paper (2003)
  7. Aumasson, J.P.: On a Bias of Rabbit. In: State of the Art of Stream Ciphers (SASC 2007) (2007)
  8. Bao, F., Deng, R.H., Jeng, A., Narasimhalu, A.D., Ngair, T.: Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. In: Lomas, M., Christianson, B. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
  9. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. Cryptology ePrint Archive, Report 2004/100 (2004)
  10. Berzati, A., Canovas, C., Castagnos, G., Debraize, B., Goubin, L., Gouget, A., Paillier, P., Salgado, S.: Fault Analysis of Grain-128. In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2009). IEEE Computer Society, Los Alamitos (2009)
  11. Biham, E., Granboulan, L., Nguyen, P.: Impossible Fault Analysis of RC4 and Differential Analysis of RC4. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 359–367. Springer, Heidelberg (2005)
  12. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)
  13. Boesgaard, M., Vesterager, M., Christensen, T., Zenner, E.: The stream cipher Rabbit. eStream Report 2005/024, the ECRYPT stream cipher project (2005)
  14. Boesgaard, M., Vesterager, M., Pedersen, T., Christiansen, J., Scavenius, O.: Rabbit: A High-Performance Stream Cipher. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 307–329. Springer, Heidelberg (2003)
  15. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  16. Brier, E., Chevallier-Mames, B., Ciet, M., Clavier, C.: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 324–338. Springer, Heidelberg (2006)
  17. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)
  18. Dusart, P., Letourneux, G., Vivolo, O.: Differential Fault Analysis on AES. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003)
  19. Giraud, C.: A survey on fault attacks. In: CARDIS 2004. Smart Card Research and Advanced Applications, vol. IV, pp. 159–176 (2004)
  20. Gomulkiewicz, M., Kutyłowski, M., Wlaz, P.: Synchronization Fault Analysis for Breaking A5/1. In: Nikoletseas, S.E. (ed.) WEA 2005. LNCS, vol. 3503, pp. 415–427. Springer, Heidelberg (2005)
  21. Hoch, J., Shamir, A.: Fault Analysis of Stream Ciphers. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 240–253. Springer, Heidelberg (2004)
  22. Hojsik, M., Rudolf, B.: Differential Fault Analysis of Trivium. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 158–172. Springer, Heidelberg (2008)
  23. Kircanski, A., Youssef, A.M.: Differential Fault Analysis of Rabbit. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 200–217. Springer, Heidelberg (2009)
  24. Piret, G., Quisquater, J.-J.: A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)
  25. Skorobogatov, S.P.: Optically Enhanced Position-Locked Power Analysis. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 61–75. Springer, Heidelberg (2006)
  26. Skorobogatov, S.P., Anderson, R.J.: Optical Fault Induction Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)
  27. Wagner, D.: Cryptanalysis of a provably secure CRT-RSA algorithm. In: Proceedings of the 11th ACM Conference on Computer Security (CCS 2004), pp. 92–97. ACM, New York (2004)
  28. Yi, L., Huaxiong, W., Ling, S.: Cryptanalysis of Rabbit. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 204–214. Springer, Heidelberg (2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alexandre Berzati (1, 2)
  • Cécile Canovas-Dumas (1)
  • Louis Goubin (2)

  1. CEA-LETI/MINATEC, Grenoble Cedex 9, France
  2. Versailles Saint-Quentin-en-Yvelines University, Versailles Cedex, France
