# Phelix

**Phelix**is a high-speedstream cipher with a built-in single-passmessage authentication code (MAC) functionality, submitted in 2004 to theeSTREAM contest byDoug Whiting ,Bruce Schneier ,Stefan Lucks , andFrédéric Muller . The cipher uses only the operations of addition modulo 2^{32},exclusive or , and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.**Performance**Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles/byte on modern

x86 -based processors. FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:**Helix**Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by

Niels Ferguson ,Doug Whiting ,Bruce Schneier , John Kelsey,Stefan Lucks , andTadayoshi Kohno ; Phelix adds 128 bits to the internal state.In 2004, Muller published two attacks on Helix. The first has a complexity of 2

^{88}and requires 2^{12}adaptivechosen-plaintext words, but requires nonces to be reused.Souradyuti Paul andBart Preneel later showed that the number of adaptivechosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solvedifferential equations of addition . In a later development,Souradyuti Paul andBart Preneel showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 2^{35.64}CP's. Muller's second attack on Helix is a distinguishing attack that requires 2^{114}words of chosen plaintext.Phelix's design was largely motivated by Muller's differential attack.

**Security**Phelix has been selected as Phase 2 Focus Candidate for both Profile 1 and Profile 2 by the

eSTREAM project. The authors of Phelix classify the cipher as an experimental design in its specifications. The authors advise that Phelix should not be used until it had received additional cryptanalysis.A first cryptanalytic paper on Phelix paper titled "A Chosen-key Distinguishing Attack on Phelix" was published in October 2006 by Yaser Esmaeili Salehani and Hadi Ahmadi. Doug Whiting has reviewed the attack and notes that while the paper is clever, the attack unfortunately relies on incorrect assumptions concerning the initialisation of the Phelix cipher. This paper was subsequently withdrawn by its authors.

A second cryptanalytic paper on Phelix titled "Differential Attacks against Phelix" was published on the 26th of November 2006 by Hongjun Wu and

Bart Preneel . The paper is based on the same attacks assumption as the Differential Attack against Helix. The paper claims that the key of Phelix can be recovered with about 2^{37}operations, 2^{34}chosen nonces and 2^{38.2}chosen plaintext words. The computational complexity of the attack is much less than that of the attack against Helix.The authors of the differential attack express concern that each plaintext word affects the

keystream without passing though (what they consider to be) sufficient confusion and diffusion layers. They claim this is an intrinsic weakness in the structure Helix and Phelix. The authors conclude that they consider Phelix to be insecure.**References*** D. Whiting, B. Schneier, S. Lucks, and F. Muller, [

*http://www.schneier.com/paper-phelix.html Phelix: Fast Encryption and Authentication in a Single Cryptographic Primitive*] (includes source code)

* T. Good, W. Chelton, M. Benaissa: Review of stream cipher candidates from a low resource hardware perspective [https://www.cosic.esat.kuleuven.ac.be/ecrypt/stream/papersdir/2006/016.pdf (PDF)]

* Yaser Esmaeili Salehani, Hadi Ahmadi: A Chosen-key Distinguishing Attack on Phelix, submitted to eSTREAM [*http://www.ecrypt.eu.org/stream/papersdir/2006/053.pdf (PDF)*]

* Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks and Tadayoshi Kohno, Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive,Fast Software Encryption - FSE 2003, pp330–346 [*http://www.macfergus.com/helix/helix.pdf (PDF)*] .

* Frédéric Muller, Differential Attacks against the Helix Stream Cipher, FSE 2004, pp94–108.

*Souradyuti Paul andBart Preneel , Solving Systems of Differential Equations of Addition, ACISP 2005. [*http://www.cosic.esat.kuleuven.be/publications/article-566.pdf Full version*] (PDF )

*Souradyuti Paul andBart Preneel , Near Optimal Algorithms for Solving Differential Equations of Addition With Batch Queries,Indocrypt 2005. [*http://www.cosic.esat.kuleuven.be/publications/article-587.pdf Full version*] (PDF )**External links*** [

*http://www.ecrypt.eu.org/stream/phelix.html eStream page on Phelix*]

* [*http://www.ecrypt.eu.org/stream/papersdir/2006/056.pdf "Differential Attacks against Phelix" by Hongjun Wu and Bart Preneel*]

*Wikimedia Foundation.
2010.*

### Look at other dictionaries:

**Phelix**— – высокоскоростной поточный шифр, использующий одноразовый код аутентичности сообщения. Шифр был представлен на конкурсе eSTREAM в 2004 году. Авторами являются Брюс Шнайер, Дуг Уитинг, Стефан Люкс и Фредерик Мюллер. Агоритм содержит операции… … Википедия**Phelix**— steht für: ein Hochgeschwindigkeits Chip, siehe Phelix (Chip) Phelix als Abkürzung steht für: Petawatt High Energy Laser for Heavy Ion Experiments, ein Hochenergie und Hochleistungs Lasersystem Physical Electricity Index, Stromindex an der… … Deutsch Wikipedia**Petawatt High Energy Laser for Heavy Ion Experiments**— Logo der Hochenergie Laseranlage Weltweiter Vergleich von PHELIX mit anderen Hochenergie Lasersystemen … Deutsch Wikipedia**Шнайер, Брюс**— Брюс Шнайер Bruce Schneier … Википедия**Stream cipher**— The operation of the keystream generator in A5/1, a LFSR based stream cipher used to encrypt mobile phone conversations. In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher… … Wikipedia**Differential-linear attack**— Introduced by Martin Hellman and Susan K. Langford in 1994, the differential linear attack is a mix of both linear cryptanalysis and differential cryptanalysis. The attack utilises a differential characteristic over part of the cipher with a… … Wikipedia**VEST**— High Level Structure of VEST General Designers Sean O Neil First published June 13, 2005 Cipher deta … Wikipedia**LULI**— Laboratoire pour l Utilisation des Lasers IntensesLULI [ [http://www.luli.polytechnique.fr LULI webpage] ] is a scientific research laboratory specialised in the study of plasmas generated by laser matter interaction at high intensities and thei … Wikipedia**Donya Fiorentino**— Infobox Person name = Donya Fiorentino birth name = Donya Marlette Fiorentino birth date = birth date and age|1967|11|10 birth place = Key Largo, Florida spouse = David Fincher (1990 1995) Gary Oldman (1997 2001) children = Phelix Imogen Fincher… … Wikipedia**Facility for Antiproton and Ion Research**— Logo des GSI Helmholtzzentrums für Schwerionenforschung Das GSI Helmholtzzentrum für Schwerionenforschung in Darmstadt Arheilgen ist eine Großforschungseinrichtung, die 1969 als Gesellschaft für Schwerionenforschung (GSI) gegründet wurde, um… … Deutsch Wikipedia