What is the eSTREAM 2nd Phase?
During Phase 1, a lot of information related to the submitted stream
ciphers was generated. In Phase 2, we will gradually narrow down the
range of candidates until we arrive at a small portfolio of interesting
and promising proposals.
What do the 2nd Phase categories stand for?
Given the limited time, we have decided to highlight some of the
proposals in Phase 2. This does not mean that other Phase 2 ciphers are
not of interest.
Focus Phase 2: These are designs that eSTREAM finds of particular
interest. We particularly encourage more cryptanalysis and performance
evaluation on these primitives.
Phase 2: These are other designs that eSTREAM wishes to move to the
second phase of the eSTREAM project. Again, we encourage more
cryptanalysis and performance evaluation on these primitives.
Archived: These are designs which eSTREAM will no longer actively
consider for the final portfolio. Perhaps the design strategy or
available documentation is flawed, or the proposal might not offer any
particular advantages when compared to AES.
Are the algorithm allocations for the 2nd Phase fixed?
No. The allocation, including the list of "Focus Ciphers", will be
updated periodically. It is entirely possible that other Phase 2 ciphers
will become "Focus Ciphers", and vice versa. We anticipate making a
second classification towards the end of 2006.
Why are there so many ciphers in the 2nd Phase for Profile
The number of ciphers in Phase 2 for Profile II (HW) is a consequence of
the partial information we currently have to hand for hardware
performance. We anticipate that this will change in the coming months.
For Profile I (SW) the performance issue was much clearer thanks to
testing framework. Software stream ciphers offering no
significant performance advantages over the AES have been archived.
Why are there "broken" ciphers in the 2nd Phase?
As stated at the start, we are using eSTREAM to generate good proposals
and it should not be seen as a competition. We do not wish to loose
interesting stream ciphers that can be improved. Therefore, when
designers have indicated to eSTREAM that they intended to tweak their
proposal, we have allowed these stream ciphers to move to Phase 2, in
some cases even as Focus ciphers. We note, however, that acceptance of a
tweaked version to the second round is conditional on receiving the code
Why are ciphers with IP-coverage not focus ciphers?
Within eSTREAM we have not ruled out submissions covered by IP. However,
given the very limited cryptanalytic time, it was felt that community at
large might be better served if some attention were focused on ciphers
that, at least as the designers are concerned, appear to be
unencumbered. For now, we decided not to put submissions covered by IP
as Focus Ciphers. However, we do not rule out the possibility of
IP-protected proposals appearing as Focus Ciphers in the future, nor do
we rule out the possibility of IP-protected proposals appearing in the
We note that designers can at any time decide to modify their IP
What happens next?
In the table, we have indicated in
red those ciphers that we understand
the designers are tweaking. Authors should address any cryptographic
issues that have been raised about their algorithm during Phase 1. They
should either explain why they believe the attack is not relevant, or
they should tweak their algorithm to resolve the issue. In the latter
case, correct up-to-date documentation, source code, and test vectors
for the tweaked algorithm must be delivered to eSTREAM by June 30th.
After that date, and for the remainder of the project, cryptanalysis
requires algorithm stability. No more tweaks will be accepted.
Authors should send the documentation, source code and test vectors of
their tweaked algorithm to eSTREAM at email@example.com. As far as
eSTREAM knows, the following designers have or are planning to submit a
tweak: ABC, Achterbahn, Decim, Dicing, F-FCSR, Grain, LEX, Mickey, Mosquito,
NLS, Polar Bear, Pomaranch, Py, TSC-3, Yamb, Zk-Crypt.
Authors who propose an unchanged algorithm for Phase 2 should confirm
this. We will then use existing descriptions, code, and test vectors in
While there has been comment that 80-bit security might not be
appropriate for Profile II, eSTREAM still sees value in this key length.
Furthermore, since this was the initial target key-length we will
continue to use it as a benchmark for comparison. However, if they wish,
designers might like to demonstrate flexibility of their cipher design
by proposing variants that take 128-bit keys as well.
On August 1st, 2006, the eSTREAM Phase 2 website will be lauched. This
site will include the new descriptions of the candidates, and whether or
not they have been tweaked. The website of Phase 1 will then be
archived. Of course all documents which are now online will remain
Page maintained by
Joseph Lano and Hongjun Wu. Last updated on March 15, 2007.