The PRINCE Challenge

The Background

The idea behind this competition is that industry certainly cares about cryptanalysis. However, compared to academia, the focus is much more to practical attacks. Now, defining what practical means is not always easy and thus often not very concrete.

We will make it more concrete

The task of this competition is to find practical attacks on round-reduced version of the block cipher PRINCE. Here practical means that the data complexity is limited and that we actually want to see the secret key as a result of the attack - thus running time and memory must also be in practical ranges.

The Algorithm

The block cipher PRINCE is the result of a cooperation between the Technical University Denmark (DTU), NXP Semiconductors and the Ruhr University Bochum. It is a block cipher with 64-bit block size and 128-bit key and 12 layers of S-boxes. The rounds are symmetrically arranged around a linear layer in the middle.

The paper describing the algorithm has been published at ASIACRYPT 2012, a full version is available here. Furthermore, to simplify the work and to rule out any potential confusion we will provide a reference C implementation here which allows in particular to set the number of rounds to be processed (coming soon).

The Challenges

The challenges come in two flavors, one in the known plaintext setting and the other in the chosen plaintext setting. For each setting there are 5 challenges which differ by the number of rounds to be attacked.

Setting 1: Given 220 chosen plaintexts/cipher texts

Setting 2: Given 230 known plaintexts

For the second setting, we will provide (large!) files with plaintexts/cipher text pairs upon request (

Winners of Round 1

Winners of Round 2

Winners of Round 3


If you have a successful attack submit the technical report/paper/code/keys explaining the attack to

The attack procedure must become clear from your submission, submitting a key only is not a valid submission. All submissions before the deadline will be considered.

The committee will evaluate the submissions and might give bonus points for even lower data complexities and bonus points for interesting observations used in the attack. If attacks with identical complexities are submitted the prizes might be distributed among the winning participants.

The committee will make a short description of the winning attack(s) public on this website.


There are (for now) two rounds of the competition planned. Depending on how things evolve this is subject to change. In particular we might add additional rounds later.

The Prizes

There are two categories of prizes.


For all the above settings we provide Belgian chocolate and/or Belgian beers. Details and quantities depend on budget, travel, and taste.

Money Prizes

For real breaks there will be real prizes. To qualify for those, the attack has to meet additional criteria. Namely: The prizes are:

The Rules

The submitter/submitters hereby consent to all decisions of the committee regarding the selection or non-selection of this submission. The submitter/submitters acknowledge that the committee decisions reflect the collective expert judgments of the committee members and are not subject to appeal.


Existing Cryptanalysis

Besides the initial cryptanalysis in the original paper, quite a lot of work has been published on PRINCE already. We provide a list of papers we are aware of here (if you know of/are an author of an article we missed, please let us know)