PRØST news

June 16, 2015

Added two new documents: the XPX mode by Bart Mennink, which shows the related-key security of PRØST used with COPA, and a document giving proofs of security for PRØST.

February 6, 2105

The PRØST website has a new layout. We hope you like it.

November 4, 2014

Test vectors are now available for the PRØST permutations, including state printouts between each step of the permutation. See DOCS.

October 28, 2014

If you want to cite PRØST in your LaTeX-prepared document, you can now find BiBTeX code for doing so. See DOCS.

August 27, 2014

PRØST was presented at DIAC 2014 and the slides used for this presentation are available at DOCS.

June 25, 2014

An updated version, PRØST v1.1, is now available. This update mainly provides clarifications on the scheme specifications and update notation and minor errors. The full list of changes is included in the updated specification, which can be found at DOCS.


In common to all proposed PRØST parameter sets

The proposed modes of operation for PRØST

Docs and stuff

Document Author Download
PRØST specification documents
Version 1.1 PRØST team PDF
Version 1.0 PRØST team PDF
PRØST security proofs Martin M. Lauridsen PDF
Reference implemenations in C for SUPERCOP The PRØST team SUPERCOP
Python implementation of PRØST permutation Thom Wiggers Github
Test vectors
Source for generating test vectors PRØST team ZIP
PRØST-128 test vectors PRØST team vec 1, vec 2, vec 3
PRØST-256 test vectors PRØST team vec 1, vec 2, vec 3
External cryptanalysis
XPX mode, including related-key security for PRØST with COPA Bart Mennink ePrint report 2015/476
Analysis of ShiftPlanes constants Christof Beierle, Philipp Jovanovic, Martin M. Lauridsen, Gregor Leander, and Christian Rechberger ePrint report 2015/212
Related-key key-recovery on Prøst-OTR Pierre Karpman ePrint report 2015/134
Attack on 8-round PRØST-128 in SEM Yosuke Todo and Kazumaro Aoki Springer
Related-Key Forgeries for PRØST-OTR Christoph Dobraunig, Maria Eichlseder, and Florian Mendel FSE 2015, to appear
On the behaviors of affine equivalent Sboxes regarding differential and linear attacks Anne Canteaut and Joëlle Roué Eurocrypt 2015, to appear
Other documents
Slides for presentation at DIAC 2014 PRØST team PDF
Observations on PRØST and Minalpher Kazumaro Aoki PDF


  author        = {Elif Bilge Kavun and Martin M. Lauridsen and 
	           Gregor Leander and Christian Rechberger and 
	           Peter Schwabe and Tolga Yal\c{c}{\i}n},
  title         = {{Pr\o st}},
  howpublished  = {{CAESAR Proposal}},
  year          = {2014},
  note          = {\url{}}

Test vectors

We have test vectors available for the PRØST-128 and PRØST-256 permutations (see the table above). There are three test vectors in three files for each of the two permutations. The test vectors cover: i) zero input, ii) input of the form 0x00010203... and ii) random input. The source code for generating the files is also available in the table above. Compile with gcc -std=c99 testvec.c proest256.c. To test the 128-bit variant, replace proest256.c and change the include statement in testvec.c.

The PRØST design team

1Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany
2DTU Compute, Technical University of Denmark, Denmark
3Digital Security Group, Radboud University Nijmegen, The Netherlands
4University of Information Science and Technology, Ohrid, Republic of Macedonia