Designs, Codes and Cryptography

, Volume 73, Issue 3, pp 997–1022 | Cite as

Full analysis of PRINTcipher with respect to invariant subspace attack: efficient key recovery and countermeasures

  • Stanislav BulyginEmail author
  • Michael Walter
  • Johannes Buchmann


In this paper we investigate the invariant property of PRINTcipher initially discovered by Leander et al. in their CRYPTO 2011 paper. We provide a complete study of the attack and show that there exist 64 families of weak keys for PRINTcipher–48 and as many as 115,669 for PRINTcipher–96. Moreover, we show that searching the weak key space may be substantially sped up by splitting the search process into two consecutive steps. We show that for many classes of weak keys, key recovery can be done with very small time complexity in the chosen/known plaintext scenario. In fact, at least \(2^{45}\) weak keys can be recovered in less than 10 s per key on a single PC. Still, effective countermeasures exist against the attack. On the methodological level, the method of finding all weak key families has value on its own. It is based on Mixed Integer Linear Programming and can be adapted to solving other interesting problems on similar ciphers.


PRINTcipher Invariant coset attack Mixed integer linear programming Weak keys Chosen plaintext attack Key recovery 

Mathematics Subject Classification

94A60 68P25 90C10 



The first author is supported by the German Science Foundation (DFG) Grant BU 630/22-1. The second author is supported in part by the NSF Grant CNS-1117936. We thank anonymous referees for their numerous valuable comments. The authors are also thankful to Yue Sun and especially to Gregor Leander for useful discussions and to Mohamed Ahmed Abdelraheem for providing a C implementation of PRINTcipher that was used in the implementation of the attacks.


  1. 1.
    Abdelraheem M.A., Leander G., Zenner E.: Differential cryptanalysis of round-reduced PRINTcipher: Computing roots of permutations. In: Joux A. (ed.) FSE 2011. Lecture Notes in Computer Science, vol. 6733, pp. 1–17. Springer, Berlin (2011).Google Scholar
  2. 2.
    Agren, M., Johansson, T.: Linear cryptanalysis of PRINTcipher—trails and samples everywhere. In: Bernstein D.J., Chatterjee S. (eds.) INDOCRYPT 2011. Lecture Notes in Computer Science, vol. 7107, pp. 114–133. Springer, Berlin (2011).Google Scholar
  3. 3.
    Bard G.V.: Algebraic cryptanalysis, Springer, Dordrecht (2009).Google Scholar
  4. 4.
    Bogdanov A.: On unbalanced Feistel networks with contracting MDS diffusion. Des. Codes Cryptogr. 59(1–3), 35–58 (2011).Google Scholar
  5. 5.
    Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT—An ultra-lightweight block cipher. In: Pailier P., Verbauwhede I. (eds.) CHES 2007. Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, Berlin (2007).Google Scholar
  6. 6.
    Borghoff J., Knudsen L.R., Stolpe M.: Bivium as a mixed-integer linear programming problem. In: IMA International Conference on Cryptography and Coding. Lecture Notes in Computer Science, vol. 5921, pp. 133–152. Springer, Berlin (2009).Google Scholar
  7. 7.
    Bogdanov A., Knezević M., Leander G., Toz D., Varici K., Verbauwhede I.: SPONGENT: A lightweight hash function. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 312–325. Springer, Berlin (2011).Google Scholar
  8. 8.
    Borghoff J., Canteaut A., Gneysu T., Kavun E.B., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalcin T.: PRINCE—A low-latency block cipher for pervasive computing applications: Extended Abstract. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, pp. 208–225. Springer, Berlin (2012).Google Scholar
  9. 9.
    Bulygin S., Buchmann J.: Algebraic cryptanalysis of the round-reduced and side channel analysis of the full PRINTcipher-48. In: Lin D., Tsudik G., Wang X. (eds.) CANS 2011. Lecture Notes in Computer Science, vol. 7092, pp. 54–75. Springer, Berlin (2011).Google Scholar
  10. 10.
    Bulygin S., Walter M.: Study of the invariant coset attack on PRINTcipher: More weak keys with practical key recovery. (2012). Accessed 15 June 2013.
  11. 11.
    Bulygin S., Walter M., Buchmann J.: Many weak keys for PRINTcipher: Fast key recovery and countermeasures. In: Dawson E. (ed.) CT-RSA 2013. Lecture Notes in Computer Science, vol. 7779, pp. 189–206. Springer, Berlin (2013).Google Scholar
  12. 12.
    Cid C., Murphy S., Robshaw M.: Algebraic Aspects of the Advanced Encryption Standard. Springer, New York (2006).Google Scholar
  13. 13.
    de Canniére C., Dunkelman O., Knezević M.: KATAN and KTANTAN : A family of small and efficient hardware-oriented block ciphers. In: Clavier C., Gaj K. (eds.) CHES 2009. Lecture Notes in Computer Science, vol. 5747, pp. 272–288. Springer, Berlin (2009).Google Scholar
  14. 14.
    Guo J., Peyrin T., Poschmann A., Robshaw M.: The LED block cipher. In: Preneel B., Takagi T. (eds.) CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 326–341. Springer, Berlin (2011).Google Scholar
  15. 15.
    Karakoc F., Demirci H., Harmanci A.E.: Combined differential and linear cryptanalysis of reduced-round PRINTcipher. In: Miri A., Vaudenay S. (eds.) SAC 2011. Lecture Notes in Computer Science, vol. 7118, pp. 169–184. Springer, Berlin (2012).Google Scholar
  16. 16.
    Knudsen L., Leander G., Poschmann A., Robshaw M.J.B.: PRINTcipher: A block cipher for IC-printing. In: Mangard S., Standaert F.-X. (eds.) CHES 2010. Lecture Notes in Computer Science, vol. 6225, pp. 16–32. Springer, Berlin (2010).Google Scholar
  17. 17.
    Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E.: A cryptanalysis of PRINTcipher: The invariant subspace attack. In: Rogaway P. (ed.) CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 206–221. Springer, Berlin (2011).Google Scholar
  18. 18.
    Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu C.-K., Yung M., Lin D. (eds.) Inscypt 2011. Lecture Notes in Computer Science, vol. 7537, pp. 57–76. Springer, Berlin (2011).Google Scholar
  19. 19.
    Stein S.W., et al.: SAGE mathematics software. The Sage Development Team. (2008). Accessed 15 June 2013.
  20. 20.
    Walter M., Bulygin S., Buchmann J.: Optimizing guessing strategies for algebraic cryptanalysis with applications to EPCBC. In: Kutylowski M.,Yung M. (eds.) Lecture Notes in Computer Science. Springer, Berlin (2012).Google Scholar
  21. 21.
    Wu W., Zhang L.: LBlock: A lightweight block cipher. In: Lopez J., Tsudik G. (eds.) ACNS 2011. Lecture Notes in Computer Science, vol. 6715, pp. 327–344. Springer, Berlin (2011).Google Scholar
  22. 22.
    Yap H., Khoo K., Poschmann A., Henricksen M.: EPCBC—A block cipher suitable for electronic product code encryption. In: Lin D., Tsudik G., Wang X. (eds.) Lecture Notes in Computer Science, vol. 7092, pp. 76–97 Springer, Berlin (2011).Google Scholar
  23. 23.
    Zhao X., Wang T., Guo S.: Fault propagate pattern based DFA on SPN structure block ciphers using bitwise permutation, with application to PRESENT and PRINTcipher. (2011). Accessed 15 June 2013.

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Stanislav Bulygin
    • 2
    • 1
    Email author
  • Michael Walter
    • 3
  • Johannes Buchmann
    • 1
  1. 1.Department of Computer ScienceTechnische Universität DarmstadtDarmstadtGermany
  2. 2.KOBIL System GmbHWormsGermany
  3. 3.Department of Computer Science and EngineeringUniversity of California, San DiegoLa JollaUSA

Personalised recommendations