**Phelix** is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses only the operations of addition modulo 2^{32}, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly. The operation of the keystream generator in A5/1, a LFSR-based stream cipher used to encrypt mobile phone conversations. ...
A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. ...
eSTREAM is a project to identify new stream ciphers that might become suitable for widespread adoption, organised by the EU ECRYPT network. ...
Bruce Schneier Bruce Schneier (born January 15, 1963) is an American cryptographer, computer security specialist, and writer. ...
Stefan Lucks is a cryptographer and cryptanalyst most well known for his attack on Triple DES, and for extending Lars Knudsens Square attack to Twofish a cipher outside the Square family, thus founding integral cryptanalysis. ...
Exclusive disjunction (usual symbol xor) is a logical operator that results in true if one of the operands (not both) is true. ...
In security engineering, a nonce is a number used once. ...
## Performance
Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles/byte on modern x86-based processors. x86 or 80x86 is the generic name of a microprocessor architecture first developed and manufactured by Intel. ...
FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows: Xilinx Chip | Slices | FPGA Mbit/s | Gate Equiv Estimate | Implementation Description | XC2S100-5 | 1198 | 960.0 | 20404 | (A) full-round 160-bit design, as per developers paper | XC2S100-5 | 1077 | 750.0 | 18080 | (B) half-round 160-bit design | XC2S30-5 | 264 | 3.2 | 12314 | (C) 32-bit data path | ## Helix Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state. Niels Ferguson is a Dutch cryptographic engineer and consultant. ...
Bruce Schneier Bruce Schneier (born January 15, 1963) is an American cryptographer, computer security specialist, and writer. ...
John Kelsey is a cryptographer currently working at NIST. His research interests include cryptanalysis and design of symmetric cryptography primitives (block ciphers, stream ciphers, cryptographic hash functions, MACs), analysis and design of cryptographic protocols, cryptographic random number generation, electronic voting, side-channel attacks on cryptography implementations, and anonymizing communications systems. ...
Stefan Lucks is a cryptographer and cryptanalyst most well known for his attack on Triple DES, and for extending Lars Knudsens Square attack to Twofish a cipher outside the Square family, thus founding integral cryptanalysis. ...
In 2004, Muller published two attacks on Helix. The first has a complexity of 2^{88} and requires 2^{12} adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul and Bart Preneel later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition. In a later development, Souradyuti Paul and Bart Preneel showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 2^{35.64} CP's. Muller's second attack on Helix is a distinguishing attack that requires 2^{114} words of chosen plaintext. A chosen plaintext attack is any form of cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. ...
Souradyuti Paul in an Indian cryptologist (PhD, 2006, Catholic University of Leuven). ...
Bart Preneel is a Belgian cryptographer and cryptanalyst. ...
A chosen plaintext attack is any form of cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. ...
In cryptography, differential equations of addition (DEA) are the most basic equations related to differential cryptanalysis that mix additions over two different groups (e. ...
Souradyuti Paul in an Indian cryptologist (PhD, 2006, Catholic University of Leuven). ...
Bart Preneel is a Belgian cryptographer and cryptanalyst. ...
Phelix's design was largely motivated to provide protection against Muller's differential attack.
## Security Phelix has been selected as Phase 2 Focus Candidate for both Profile 1 and Profile 2 by the eSTREAM project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it had received additional cryptanalysis. eSTREAM is a project to identify new stream ciphers that might become suitable for widespread adoption, organised by the EU ECRYPT network. ...
A first cryptanalytic paper on Phelix paper titled "A Chosen-key Distinguishing Attack on Phelix" was published in October 2006 by Yaser Esmaeili Salehani and Hadi Ahmadi. Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors. Cryptanalysis (from the Greek kryptÃ³s, hidden, and analÃ½ein, to loosen or to untie) is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. ...
A second cryptanalytic paper on Phelix titled "Differential Attacks against Phelix" was published on the 26th of November 2006 by Hongjun Wu and Bart Preneel. The paper is based on the same attacks assumption as the Differential Attack against Helix. The paper claims that the key of Phelix can be recovered with about 2^{37} operations, 2^{34} chosen nonces and 2^{38.2} chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix. Cryptanalysis (from the Greek kryptÃ³s, hidden, and analÃ½ein, to loosen or to untie) is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. ...
Bart Preneel is a Belgian cryptographer and cryptanalyst. ...
The authors of the differential attack express concern that each plaintext word affects the keystream without passing though (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure Helix and Phelix. The authors conclude that they consider Phelix to be insecure. In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a cleartext message to produce an encrypted message (the ciphertext). ...
## References - D. Whiting, B. Schneier, S. Lucks, and F. Muller, Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive (includes source code)
- T. Good, W. Chelton, M. Benaissa: Review of stream cipher candidates from a low resource hardware perspective (PDF)
- Yaser Esmaeili Salehani, Hadi Ahmadi: A Chosen-key Distinguishing Attack on Phelix, submitted to eSTREAM (PDF)
- Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks and Tadayoshi Kohno, Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive, Fast Software Encryption - FSE 2003, pp330–346 (PDF).
- Frédéric Muller, Differential Attacks against the Helix Stream Cipher, FSE 2004, pp94–108.
- Souradyuti Paul and Bart Preneel, Solving Systems of Differential Equations of Addition, ACISP 2005. Full version (PDF)
- Souradyuti Paul and Bart Preneel, Near Optimal Algorithms for Solving Differential Equations of Addition With Batch Queries, Indocrypt 2005. Full version (PDF)
Fast Software Encryption, often abbreviated FSE, is a workshop for cryptography research, focussed on symmetric-key cryptography with an emphasis on fast, practical techniques, as opposed to theory. ...
Souradyuti Paul in an Indian cryptologist (PhD, 2006, Catholic University of Leuven). ...
Bart Preneel is a Belgian cryptographer and cryptanalyst. ...
PDF is an abbreviation with several meanings: Portable Document Format Post-doctoral fellowship Probability density function There also is an electronic design automation company named PDF Solutions. ...
Souradyuti Paul in an Indian cryptologist (PhD, 2006, Catholic University of Leuven). ...
Bart Preneel is a Belgian cryptographer and cryptanalyst. ...
Indocrypt (also INDOCRYPT) is an annual international cryptography conference held each December since 2000 in India. ...
PDF is an abbreviation with several meanings: Portable Document Format Post-doctoral fellowship Probability density function There also is an electronic design automation company named PDF Solutions. ...
## External links |