Phelix
| General | |
|---|---|
| Designers | Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller |
| First published | 2004 |
| Cipher detail | |
| Key sizes | 256 bits |
| Speed | 8 cycles per byte on modern x86-based processors (claimed) |
| Best public cryptanalysis | |
| All known attacks are computationally infeasible when the cipher is used properly. If nonces are reused, a differential attack breaks the cipher with about 237 operations, 234 chosen nonces and 238.2 chosen plaintext words. | |
Phelix is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses only the operations of addition modulo 232, exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.
Phelix is optimised for 32-bit platforms. The authors state that it can achieve up to eight cycles per byte on modern x86-based processors.
FPGA Hardware performance figures published in the paper "Review of stream cipher candidates from a low resource hardware perspective" are as follows:
Phelix is a slightly modified form of an earlier cipher, Helix, published in 2003 by Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno; Phelix adds 128 bits to the internal state.
In 2004, Muller published two attacks on Helix. The first has a complexity of 288 and requires 212 adaptive chosen-plaintext words, but requires nonces to be reused. Souradyuti Paul and Bart Preneel later showed that the number of adaptive chosen-plaintext words of Muller's attack can be reduced by a factor of 3 in the worst case (a factor of 46.5 in the best case) using their optimal algorithms to solve differential equations of addition. In a later development, Souradyuti Paul and Bart Preneel showed that the above attack can also be implemented with chosen plaintexts (CP) rather than adaptive chosen plaintexts (ACP) with data complexity 235.64 CP's. Muller's second attack on Helix is a distinguishing attack that requires 2114 words of chosen plaintext.
...
Wikipedia