Helix is a high-speed stream cipher with a built-in MAC functionality. On a Pentium II CPU it
is about twice as fast as Rijndael or Twofish, and comparable in speed to RC4. The overhead per
encrypted/authenticated message is low, making it suitable for small messages. It is efficient
in both hardware and software, and with some pre-computation can effectively switch keys on a
per-message basis without additional overhead.
Basic security services require both encryption and authentication. This is (almost) always done
using a symmetric cipher—public-key systems are only used to set up symmetric keys—and a Message
Authentication Code (MAC). The AES process provided a number of very good block cipher designs,
as well as a new block cipher standard. The cryptographic community learned a lot during the
selection process about the engineering criteria for a good cipher. AES candidates were compared
in performance and cost in many different implementation settings. We learned more about the
importance of fast rekeying and tiny-memory implementations, the cost of S-boxes and circuitdepth
for hardware implementations, the slowness of multiplication on some platforms, and other
The community also learned about the difference of cryptanalysis in theory versus cryptanalysis
in practice. Many block cipher modes restrict the types of attack that can be performed on the
underlying block cipher. Yet the generally accepted attack model for block ciphers is very
liberal. Any method that distinguishes the block cipher from a random permutation is considered
an attack. Each block cipher operation must protect against all types of attack. The resulting
over-engineering leads to inefficiencies.
Computer network properties like synchronization and error correction have eliminated the
traditional synchronization problems of stream-cipher modes like OFB. Furthermore, stream ciphers
have different implementation properties that restrict the cryptanalyst. They only receive their
inputs once (a key and a nonce) and then produce a long stream of pseudo-random data. A stream
cipher can start with a strong cryptographic operation to thoroughly mix the key and nonce into
a state, and then use that state and a simpler mixing operation to produce the key stream. If the
attacker tries to manipulate the inputs to the cipher he encounters the strong cryptographic
operation. Alternatively he can analyse the key stream, but this is a static analysis only. As
far as we know, static attacks are much less powerful than dynamic attacks. As there are fewer
cryptographic requirements to fulfill, we believe that the key stream generation function can be
made significantly faster, per message byte, than a block cipher can be. Given the suitability of
steam ciphers for many practical tasks and the potential for faster implementations, we believe
that stream ciphers are a fruitful area of research.
Additionally, a stream cipher is often implemented—and from a cryptographic point of view, should
always be implemented—together with a MAC. Encryption and authentication go hand in hand, and
significant vulnerabilities can result if encryption is implemented without authentication.
Outside the cryptographic literature, not using a proper MAC is one of the commonly encountered
errors in stream cipher systems. A stream cipher with built-in MAC is much more likely to be used
correctly, because it provides a MAC without the associated performance penalties.
Helix is a combined stream cipher and MAC function, and directly provides the authenticated
encryption functionality. By incorporating the plaintext into the stream cipher state Helix can
provide the authentication functionality without extra costs.Helix’s design strength is 128 bits,
which means that we expect that no attack on the cipher exists that requires fewer than 2^128
Helix block function evaluations to be carried out. Helix can process data in less than 7 clock
cycles per byte on a Pentium II CPU, more than twice as fast as AES. Helix uses a 256-bit key and
a 128-bit nonce. The key is secret, and the nonce is typically public knowledge. Helix is
optimised for 32-bit platforms; all operations are on 32-bit words.