World Library  
Flag as Inappropriate
Email this Article


Article Id: WHEBN0000883596
Reproduction Date:

Title: Phelix  
Author: World Heritage Encyclopedia
Language: English
Subject: Stream cipher, VEST, WikiProject Cryptography, Niels Ferguson, Differential-linear attack
Collection: Broken Stream Ciphers, Stream Ciphers
Publisher: World Heritage Encyclopedia


Designers Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller
First published 2004
Cipher detail
Key sizes 256 bits
Speed 8 cycles per byte on modern x86-based processors (claimed)
Best public cryptanalysis
All known attacks are computationally infeasible when the cipher is used properly. If nonces are reused, a differential attack breaks the cipher with about 237 operations, 234 chosen nonces and 238.2 chosen plaintext words.

Phelix is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses only the operations of addition modulo 232, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.


  • Performance 1
  • Helix 2
  • Security 3
  • References 4
  • External links 5


Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles per byte on modern x86-based processors.

FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:

Xilinx Chip Slices FPGA Mbit/s Gate Equiv Estimate Implementation Description
XC2S100-5 1198 960.0 20404 (A) full-round 160-bit design, as per developers paper
XC2S100-5 1077 750.0 18080 (B) half-round 160-bit design
XC2S30-5 264 3.2 12314 (C) 32-bit data path


Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state.

In 2004, Muller published two attacks on Helix. The first has a complexity of 288 and requires 212 adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul and Bart Preneel later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition. In a later development, Souradyuti Paul and Bart Preneel showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 235.64 CP's. Muller's second attack on Helix is a distinguishing attack that requires 2114 words of chosen plaintext.

Phelix's design was largely motivated by Muller's differential attack.


Phelix was selected as a Phase 2 Focus Candidate for both Profile 1 and Profile 2 by the eSTREAM project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it had received additional cryptanalysis. Phelix was not advanced[1] to Phase 3, largely because of Wu and Preneel's key-recovery attack[2] noted below that becomes possible when the prohibition against reusing a nonce is violated.

The first cryptanalytic paper on Phelix was a chosen-key distinguishing attack, published in October 2006.[3] Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors.

A second cryptanalytic paper on Phelix titled "Differential Attacks against Phelix" was published on the 26th of November 2006 by Hongjun Wu and Bart Preneel. The paper is based on the same attacks assumption as the Differential Attack against Helix. The paper shows that if the cipher is used incorrectly (nonces reused), the key of Phelix can be recovered with about 237 operations, 234 chosen nonces and 238.2 chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix.

The authors of the differential attack express concern that each plaintext word affects the keystream without passing through (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure of Helix and Phelix. The authors conclude that they consider Phelix to be insecure.


  • D. Whiting, B. Schneier, S. Lucks, and F. Muller, Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive (includes source code)
  • T. Good, W. Chelton, M. Benaissa: Review of stream cipher candidates from a low resource hardware perspective (PDF)
  • Yaser Esmaeili Salehani, Hadi Ahmadi: A Chosen-key Distinguishing Attack on Phelix, submitted to eSTREAM [withdrawn 2006-10-14]
  • Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks and Tadayoshi Kohno, Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive, Fast Software Encryption - FSE 2003, pp330–346.
  • Frédéric Muller, Differential Attacks against the Helix Stream Cipher, FSE 2004, pp94–108.
  • Souradyuti Paul and Bart Preneel, Solving Systems of Differential Equations of Addition, ACISP 2005. Full version (PDF)
  • Souradyuti Paul and Bart Preneel, Near Optimal Algorithms for Solving Differential Equations of Addition With Batch Queries, Indocrypt 2005. Full version (PDF)
  1. ^ "eSTREAM Short Report on the End of the Second Phase"
  2. ^ "Differential-Linear Attacks against the Stream Cipher Phelix"
  3. ^ Yaser Esmaeili Salehani, Hadi Ahmadi (2006). "A Chosen-key Distinguishing Attack on Phelix". 

External links

  • eStream page on Phelix
  • "Differential Attacks against Phelix" by Hongjun Wu and Bart Preneel
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.