PRØST news

June 16, 2015

Added two new documents: the XPX mode by Bart Mennink, which shows the related-key security of PRØST used with COPA, and a document giving proofs of security for PRØST.

February 6, 2105

The PRØST website has a new layout. We hope you like it.

November 4, 2014

Test vectors are now available for the PRØST permutations, including state printouts between each step of the permutation. See DOCS.

October 28, 2014

If you want to cite PRØST in your LaTeX-prepared document, you can now find BiBTeX code for doing so. See DOCS.

August 27, 2014

PRØST was presented at DIAC 2014 and the slides used for this presentation are available at DOCS.

June 25, 2014

An updated version, PRØST v1.1, is now available. This update mainly provides clarifications on the scheme specifications and update notation and minor errors. The full list of changes is included in the updated specification, which can be found at DOCS.

Features

In common to all proposed PRØST parameter sets

Straight-forward bit-sliced implementation
Even naïve implementations are constant-time
Very cheap countermeasures due to 4-bit S-Box, compared to ARX- or AES-based designs
Fast and compact in software on a wide range of platforms
Fast, compact and energy-efficient low-latency implementation in hardware

The proposed modes of operation for PRØST

Based on a large, cryptographically secure permutation. This is arguably the simplest way to build primitives for symmetric-key cryptography. This means no nasty key-scheduling algorithms.
Based on a single permutation. This means that questions pertaining to security using different permutations are out the window!

Docs and stuff

Document	Author	Download
PRØST specification documents
Version 1.1	PRØST team	PDF
Version 1.0	PRØST team	PDF
PRØST security proofs	Martin M. Lauridsen	PDF
Implementations
Reference implemenations in C for SUPERCOP	The PRØST team	SUPERCOP
Python implementation of PRØST permutation	Thom Wiggers	Github
Test vectors
Source for generating test vectors	PRØST team	ZIP
PRØST-128 test vectors	PRØST team	vec 1, vec 2, vec 3
PRØST-256 test vectors	PRØST team	vec 1, vec 2, vec 3
External cryptanalysis
XPX mode, including related-key security for PRØST with COPA	Bart Mennink	ePrint report 2015/476
Analysis of ShiftPlanes constants	Christof Beierle, Philipp Jovanovic, Martin M. Lauridsen, Gregor Leander, and Christian Rechberger	ePrint report 2015/212
Related-key key-recovery on Prøst-OTR	Pierre Karpman	ePrint report 2015/134
Attack on 8-round PRØST-128 in SEM	Yosuke Todo and Kazumaro Aoki	Springer
Related-Key Forgeries for PRØST-OTR	Christoph Dobraunig, Maria Eichlseder, and Florian Mendel	FSE 2015, to appear
On the behaviors of affine equivalent Sboxes regarding differential and linear attacks	Anne Canteaut and Joëlle Roué	Eurocrypt 2015, to appear
Other documents
Slides for presentation at DIAC 2014	PRØST team	PDF
Observations on PRØST and Minalpher	Kazumaro Aoki	PDF

BiBTeX

@misc{proest:2014,
  author        = {Elif Bilge Kavun and Martin M. Lauridsen and 
	           Gregor Leander and Christian Rechberger and 
	           Peter Schwabe and Tolga Yal\c{c}{\i}n},
  title         = {{Pr\o st}},
  howpublished  = {{CAESAR Proposal}},
  year          = {2014},
  note          = {\url{http://proest.compute.dtu.dk}}
}

Test vectors

We have test vectors available for the PRØST-128 and PRØST-256 permutations (see the table above). There are three test vectors in three files for each of the two permutations. The test vectors cover: i) zero input, ii) input of the form 0x00010203... and ii) random input. The source code for generating the files is also available in the table above. Compile with gcc -std=c99 testvec.c proest256.c. To test the 128-bit variant, replace proest256.c and change the include statement in testvec.c.