Phelix is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses only the operations of addition modulo 2^32, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.
Performance
Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles per byte on modern x86-based processors.
FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:
Helix
Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state.
In 2004, Frédéric Muller published two attacks on Helix. The first has a complexity of 2^88 and requires 2^12 adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul and Bart Preneel later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition. In a later development, Souradyuti Paul and Bart Preneel showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 2^35.64 CPs. Muller's second attack on Helix is a distinguishing attack that requires 2^114 words of chosen plaintext.
Phelix's design was largely motivated by Muller's differential attack.
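The differential equations of addition mentioned above concern how an XOR difference in the inputs of an addition modulo 2^n shows up in its output; of the three operations the cipher uses, addition is the only one that is not linear over XOR. The following is an added example, not code from the Phelix authors or the cited papers: it computes that probability with the Lipmaa-Moriai closed formula and cross-checks it by exhaustive counting on small words. All function names are this example's own.

```python
from fractions import Fraction

def _eq(x, y, z, mask):
    """Bit i is 1 where x, y and z all agree in bit i."""
    return (~x ^ y) & (~x ^ z) & mask

def xdp_add(alpha, beta, gamma, n=32):
    """Probability over uniform x, y that
    ((x ^ alpha) + (y ^ beta)) ^ (x + y) == gamma  (mod 2**n),
    using the Lipmaa-Moriai closed formula."""
    mask = (1 << n) - 1
    a1, b1, g1 = (alpha << 1) & mask, (beta << 1) & mask, (gamma << 1) & mask
    if _eq(a1, b1, g1, mask) & (alpha ^ beta ^ gamma ^ b1):
        return Fraction(0)                      # impossible differential
    # Each bit below the top bit where the three differences disagree costs 1/2.
    weight = bin(~_eq(alpha, beta, gamma, mask) & (mask >> 1)).count("1")
    return Fraction(1, 2 ** weight)

def xdp_add_bruteforce(alpha, beta, n):
    """Exact distribution of gamma for (alpha, beta), trying every x and y."""
    mask = (1 << n) - 1
    counts = {}
    for x in range(1 << n):
        for y in range(1 << n):
            g = (((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask
            counts[g] = counts.get(g, 0) + 1
    return {g: Fraction(c, 4 ** n) for g, c in counts.items()}

def formula_matches_bruteforce(n):
    """True if the formula equals exhaustive counting for every triple."""
    for alpha in range(1 << n):
        for beta in range(1 << n):
            exact = xdp_add_bruteforce(alpha, beta, n)
            for gamma in range(1 << n):
                if xdp_add(alpha, beta, gamma, n) != exact.get(gamma, Fraction(0)):
                    return False
    return True

if __name__ == "__main__":
    print(formula_matches_bruteforce(4))        # sanity check on 4-bit words
    print(xdp_add(0x80000000, 0, 0x80000000))   # top-bit flip passes unchanged
    print(xdp_add(1, 0, 1))                     # low-bit flip stays in place
    print(xdp_add(1, 0, 0xFFFFFFFF))            # low-bit flip reaching every bit
    print(xdp_add(1, 0, 0))                     # a difference cannot vanish
```

The 32-bit cases show how little a single addition diffuses a difference: a top-bit flip always passes through unchanged, while a low-bit flip rarely spreads to every output bit.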
Security
Phelix was selected as a Phase 2 Focus Candidate for both Profile 1 and Profile 2 by the eSTREAM project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it has received additional cryptanalysis. Phelix was not advanced to Phase 3, largely because of Wu and Preneel's key-recovery attack noted below that becomes possible when the prohibition against reusing a nonce is violated.
The first cryptanalytic paper on Phelix was a chosen-key distinguishing attack, published in October 2006. Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors.
A second cryptanalytic paper on Phelix titled "Differential Attacks against Phelix" was published on 26 November 2006 by Hongjun Wu and Bart Preneel. The paper is based on the same attack assumption as the differential attack against Helix. The paper shows that if the cipher is used incorrectly (nonces reused), the key of Phelix can be recovered with about 2^37 operations, 2^34 chosen nonces and 2^38.2 chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix.
The authors of the differential attack express concern that each plaintext word affects the keystream without passing through (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure of Helix and Phelix. The authors conclude that they consider Phelix to be insecure.
References
* D. Whiting, B. Schneier, S. Lucks, and F. Muller, Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive (includes source code)
* T. Good, W. Chelton, M. Benaissa: Review of stream cipher candidates from a low resource hardware perspective (PDF)
* Yaser Esmaeili Salehani, Hadi Ahmadi: A Chosen-key Distinguishing Attack on Phelix, submitted to eSTREAM [withdrawn 2006-10-14]
* Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks and Tadayoshi Kohno, Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive, Fast Software Encryption - FSE 2003, pp330–346.
* Frédéric Muller, Differential Attacks against the Helix Stream Cipher, FSE 2004, pp94–108.
* Souradyuti Paul and Bart Preneel, Solving Systems of Differential Equations of Addition, ACISP 2005. Full version
* Souradyuti Paul and Bart Preneel, Near Optimal Algorithms for Solving Differential Equations of Addition With Batch Queries, Indocrypt 2005. Full version
External links
* "Differential Attacks against Phelix" by Hongjun Wu and Bart Preneel
* "Differential Attacks against the Helix Stream Cipher" by Frédéric Muller