Paper 2012/085

Study of the invariant coset attack on PRINTcipher: more weak keys with practical key recovery

Stanislav Bulygin and Michael Walter


In this paper we investigate the invariant property of PRINTcipher first discovered by Leander et al. in their CRYPTO 2011 paper. We provide a thorough study and show that there exist 64 families of weak keys for PRINTcipher--48 and many more for PRINTcipher--96. Moreover, we show that searching the weak key space may be substantially sped up by splitting the search into two consecutive steps. We show that for many classes of weak keys key recovery can be done in a matter of minutes in the chosen/known plaintext scenario. In fact, at least $2^{45}$ weak keys can be recovered in less than 20 minutes per key on a single PC using only a few chosen and one known plaintext(s). We provide detailed treatment of the methods and put them in a more general context that opens new interesting directions of research for PRESENT-like ciphers.

Note: Section 3.3 on finding sizes of weak key families and key recovery complexity is substantially revised; data for PRINTcipher-96 is added.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
PRINTcipherinvariant coset attackmixed integer linear programmingweak keyschosen plaintext attackkey recovery
Contact author(s)
Stanislav Bulygin @ cased de
2012-05-15: revised
2012-02-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Stanislav Bulygin and Michael Walter},
      title = {Study of the invariant coset attack on PRINTcipher: more weak keys with practical key recovery},
      howpublished = {Cryptology ePrint Archive, Paper 2012/085},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.