Phelix
Encyclopedia
Phelix is a high-speed stream cipher
with a built-in single-pass message authentication code
(MAC) functionality, submitted in 2004 to the eSTREAM
contest by Doug Whiting, Bruce Schneier
, Stefan Lucks
, and Frédéric Muller. The cipher uses only the operations of addition modulo 232, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce
, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.
on modern x86-based processors.
FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:
, Doug Whiting, Bruce Schneier
, John Kelsey
, Stefan Lucks
, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state.
In 2004, Muller published two attacks on Helix. The first has a complexity of 288 and requires 212 adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul
and Bart Preneel
later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition
. In a later development, Souradyuti Paul
and Bart Preneel
showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 235.64 CP's. Muller's second attack on Helix is a distinguishing attack that requires 2114 words of chosen plaintext.
Phelix's design was largely motivated by Muller's differential attack.
project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it had received additional cryptanalysis. Phelix was not advanced to Phase 3, largely because of Wu and Preneel
's key-recovery attack noted below that becomes possible when the prohibition against reusing a nonce is violated.
A first cryptanalytic
paper on Phelix paper titled "A Chosen-key Distinguishing Attack on Phelix" was published in October 2006 by Yaser Esmaeili Salehani and Hadi Ahmadi. Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors.
A second cryptanalytic
paper on Phelix titled "Differential Attacks against Phelix" was published on the 26th of November 2006 by Hongjun Wu and Bart Preneel
. The paper is based on the same attacks assumption as the Differential Attack against Helix. The paper claims that the key of Phelix can be recovered with about 237 operations, 234 chosen nonces and 238.2 chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix.
The authors of the differential attack express concern that each plaintext word affects the keystream
without passing through (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure of Helix and Phelix. The authors conclude that they consider Phelix to be insecure.
Stream cipher
In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream . In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption...
with a built-in single-pass message authentication code
Message authentication code
In cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...
(MAC) functionality, submitted in 2004 to the eSTREAM
ESTREAM
eSTREAM is a project to "identify new stream ciphers suitable for widespread adoption", organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project was...
contest by Doug Whiting, Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
, Stefan Lucks
Stefan Lucks
Stefan Lucks is a researcher in the fields of communications security and cryptography. Lucks is known for his attack on Triple DES, and for extending Lars Knudsen's Square attack to Twofish, a cipher outside the Square family, thus generalising the attack into integral cryptanalysis...
, and Frédéric Muller. The cipher uses only the operations of addition modulo 232, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce
Cryptographic nonce
In security engineering, nonce is an arbitrary number used only once to sign a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused...
, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.
Performance
Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles per byteCycles per byte
Cycles per byte is a unit of measurement which indicates the number of clock cycles a microprocessor will perform per byte of data processed in an algorithm. It is commonly used as a partial indicator of real-world performance in cryptographic functions....
on modern x86-based processors.
FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:
Xilinx Chip | Slices | FPGA Mbit/s | Gate Equiv Estimate | Implementation Description |
---|---|---|---|---|
XC2S100-5 | 1198 | 960.0 | 20404 | (A) full-round 160-bit design, as per developers paper |
XC2S100-5 | 1077 | 750.0 | 18080 | (B) half-round 160-bit design |
XC2S30-5 | 264 | 3.2 | 12314 | (C) 32-bit data path |
Helix
Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by Niels FergusonNiels Ferguson
Niels T. Ferguson is a Dutch cryptographer and consultant who currently works for Microsoft. He has worked with others, including Bruce Schneier, designing cryptographic algorithms, testing algorithms and protocols, and writing papers and books...
, Doug Whiting, Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...
, John Kelsey
John Kelsey (cryptanalyst)
John Kelsey is a cryptographer currently working at NIST. His research interests include cryptanalysis and design of symmetric cryptography primitives , analysis and design of cryptographic protocols, cryptographic random number generation, electronic voting, side-channel attacks on cryptography...
, Stefan Lucks
Stefan Lucks
Stefan Lucks is a researcher in the fields of communications security and cryptography. Lucks is known for his attack on Triple DES, and for extending Lars Knudsen's Square attack to Twofish, a cipher outside the Square family, thus generalising the attack into integral cryptanalysis...
, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state.
In 2004, Muller published two attacks on Helix. The first has a complexity of 288 and requires 212 adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul
Souradyuti Paul
Souradyuti Paul is an Indian cryptologist . Formerly a member of COSIC, he is currently working as a Guest Researcher for the National Institute of Standards and Technology in the United States...
and Bart Preneel
Bart Preneel
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....
later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition
Differential equations of addition
In cryptography, differential equations of addition are one of the most basic equations related to differential cryptanalysis that mix additions over two different groups In cryptography, differential equations of addition (DEA) are one of the most basic equations related to differential...
. In a later development, Souradyuti Paul
Souradyuti Paul
Souradyuti Paul is an Indian cryptologist . Formerly a member of COSIC, he is currently working as a Guest Researcher for the National Institute of Standards and Technology in the United States...
and Bart Preneel
Bart Preneel
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....
showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 235.64 CP's. Muller's second attack on Helix is a distinguishing attack that requires 2114 words of chosen plaintext.
Phelix's design was largely motivated by Muller's differential attack.
Security
Phelix was selected as a Phase 2 Focus Candidate for both Profile 1 and Profile 2 by the eSTREAMESTREAM
eSTREAM is a project to "identify new stream ciphers suitable for widespread adoption", organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project was...
project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it had received additional cryptanalysis. Phelix was not advanced to Phase 3, largely because of Wu and Preneel
Bart Preneel
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....
's key-recovery attack noted below that becomes possible when the prohibition against reusing a nonce is violated.
A first cryptanalytic
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
paper on Phelix paper titled "A Chosen-key Distinguishing Attack on Phelix" was published in October 2006 by Yaser Esmaeili Salehani and Hadi Ahmadi. Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors.
A second cryptanalytic
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key...
paper on Phelix titled "Differential Attacks against Phelix" was published on the 26th of November 2006 by Hongjun Wu and Bart Preneel
Bart Preneel
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....
. The paper is based on the same attacks assumption as the Differential Attack against Helix. The paper claims that the key of Phelix can be recovered with about 237 operations, 234 chosen nonces and 238.2 chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix.
The authors of the differential attack express concern that each plaintext word affects the keystream
Keystream
In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a plaintext message to produce an encrypted message ....
without passing through (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure of Helix and Phelix. The authors conclude that they consider Phelix to be insecure.