### What Do the Values in the DDT Represent?

Each entry in the DDT tells us how often a specific output difference results from a given input difference. Here's what the table shows:

#### Rows: 
Represent different input differences, $\Delta X$. These are differences between two input values to the S-box.
#### Columns: 
Represent different output differences, $\Delta Y$. These are differences between the corresponding output values from the S-box.
#### Values: 
The entries in the table represent the number of occurrences where a particular output difference $\Delta Y$ is produced by a specific input difference $\Delta X$.

#### In simple terms:
The table helps us figure out, "If I apply a specific difference to the input (ΔX), how often does it result in a particular difference in the output (ΔY)?"

### How Are the Values in the DDT Calculated?
To build a difference distribution table for an S-box, we follow these steps:

#### Input Differences ($\Delta X$):
First, consider all possible input differences $\Delta X$. These differences are computed as $\Delta X = X_1 \oplus X_2$, where $X_1$ and $X_2$ are two different inputs to the S-box, and $\oplus$ is the XOR operation.

#### Output Differences ($\Delta Y$):
For each input pair $(X_1, X_2)$ that corresponds to an input difference $\Delta X$, pass the values through the S-box. This gives two outputs, $Y_1 = S(X_1)$ and $Y_2 = S(X_2)$.
Compute the output difference as $\Delta Y = Y_1 \oplus Y_2$.

#### Filling the DDT:
For each pair of $\Delta X$ (input difference) and $\Delta Y$ (output difference), count how many times this particular input difference results in the corresponding output difference.

Each entry in the DDT is the count of occurrences for the combination of input difference $\Delta X$ and output difference $\Delta Y$.


In [4]:
import numpy as np
import random
import pandas as pd

In [45]:
import random

def generate_sbox():
    sbox = list(range(16))  
    random.shuffle(sbox)    
    return sbox

sbox = generate_sbox()
print("Our randomly generated s-box:", sbox) 



Our randomly generated s-box: [5, 4, 3, 8, 15, 9, 2, 1, 14, 11, 6, 7, 12, 13, 0, 10]


In [46]:
# S-box lookup function for the inputs corresponding output 
def sbox_lookup(value):
    return sbox[value]  # return the output(y)

# Function to compute the DDT
def compute_ddt():
    ddt = np.zeros((16, 16), dtype=int)  # 16 input differences x 16 output differences

    for x1 in range(16):
        for x2 in range(16):
                delta_x = x1 ^ x2  # input difference (XOR)
                y1 = sbox_lookup(x1)
                y2 = sbox_lookup(x2)
                delta_y = y1 ^ y2  # output difference (XOR)

                ddt[delta_x, delta_y] += 1  # Increment count in the table 

    return ddt


In [47]:
# Convert DDT to DataFrame for visualization. This helps us see our table. 
ddt = compute_ddt()

ddt_df = pd.DataFrame(ddt, columns=[f'Output {hex(i)}' for i in range(16)],
                      index=[f'Input {hex(i)}' for i in range(16)])

print("Difference Distribution Table (DDT):")
display(ddt_df) 

Difference Distribution Table (DDT):


Unnamed: 0,Output 0x0,Output 0x1,Output 0x2,Output 0x3,Output 0x4,Output 0x5,Output 0x6,Output 0x7,Output 0x8,Output 0x9,Output 0xa,Output 0xb,Output 0xc,Output 0xd,Output 0xe,Output 0xf
Input 0x0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Input 0x1,0,6,0,2,0,2,2,0,0,0,2,2,0,0,0,0
Input 0x2,0,0,0,0,0,0,2,2,4,0,0,0,6,2,0,0
Input 0x3,0,0,0,0,0,0,2,2,0,2,0,2,0,6,2,0
Input 0x4,0,2,2,0,0,0,4,0,0,2,2,0,0,4,0,0
Input 0x5,0,0,2,2,0,0,0,4,0,0,2,2,4,0,0,0
Input 0x6,0,4,0,0,0,2,0,2,0,0,4,0,2,0,2,0
Input 0x7,0,0,0,0,4,0,2,2,0,0,2,6,0,0,0,0
Input 0x8,0,0,2,2,2,2,0,0,0,0,0,4,0,0,0,4
Input 0x9,0,2,2,0,2,2,0,0,2,0,2,0,0,0,4,0


In [12]:

sbox = [5, 4, 3, 8, 15, 9, 2, 1, 14, 11, 6, 7, 12, 13, 0, 10]
#permutation = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16] but python uses zero-based indexing so ofcourse we take that into consideration or else we would get a negative shift eror
permutation = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]

""" # hex S-box values to binary 
sbox_bin = [format(x, '04b') for x in sbox]
 """
# Key mixing function
def key_mixing(data, key):
    return data ^ key #key mixing is simply the XOR of the 16 bit data and 16 bit round key

# S-box substitution function
def sbox_subs(data):
    # Split 16-bit data into four 4-bit blocks and apply S-box. Because we are using four 4x4 S-box.
    substituted_data = 0
    for i in range(4):
        # Extract 4-bit block
        block = (data >> (12 - 4 * i)) & 0xF #this right shifts our targeted 4 bits to the rightmost postion, the "& 0xF" then isolates these 4 rightmost bits and stores it in block
        # Substitute using S-box and shift to position
        substituted_data |= (sbox[block] << (12 - 4 * i)) # sbox[block] gets the 4 input bits corresponding output bits, after substitution it is left shifted back into its original positon. 
    return substituted_data 

# Permutation function
def permute(data):
    # Permute the 16 bits based on the permutation table
    permuted_data = 0
    for i in range(16):
        # Get the bit at the current position by right shifting it all the way to the LSB and masking the rest of the bits
        bit = (data >> (15 - i)) & 1
        # Place it in the new position as defined by the permutation table by left shifting it back towards its new position
        permuted_data |= (bit << (15 - permutation[i]))
    return permuted_data

""" # Test perm funtion to ensure it works
data = 0xAC3F  # 0b1010110000111111

# Apply permutation
permuted_result = permute(data)

# Print result in binary and hex for clarity
print(f"Input (binary): {bin(data)[2:].zfill(16)}")
print(f"Permuted (binary): {bin(permuted_result)[2:].zfill(16)}")
print(f"Permuted (hex): {hex(permuted_result)}") """

# SPN encryption function
def spn_encrypt(plaintext, round_keys):
    # Initial key mixing with round key 1
    data = key_mixing(plaintext, round_keys[0])
    
    # 3 rounds of key mixing, S-box, and permutation. from 1 to 3 inclusively and range does not include 4.
    for round_num in range(1, 4):
        # S-box substitution
        data = sbox_subs(data)
        
        # Permutation 
        data = permute(data)
        
        # Key mixing for next round
        data = key_mixing(data, round_keys[round_num])

    # Final round (no permutation, just final key mixing after S-box)
    data = sbox_subs(data)
    data = key_mixing(data, round_keys[4])  # Final key mixing with round key 5
    
    return data #this returns the ciphertext

# Example SPN encryption
plaintext = 0x1234  # 16-bit plaintext example
round_keys = [0x1A2B, 0x3C4D, 0x5E6F, 0x7890, 0xABCD]  # 5 round keys (16-bit each)

# Encrypt the plaintext
ciphertext = spn_encrypt(plaintext, round_keys)
print(f"Ciphertext as hexidecimal: {format(ciphertext, '04X')}") #print in hexidecimal
print(f"Ciphertext as decimal: {ciphertext}") #print as decimal 
print(f"Ciphertext as binary: {format(ciphertext, '016b')}") # print in binary 

Ciphertext as hexidecimal: DAF3
Ciphertext as decimal: 56051
Ciphertext as binary: 1101101011110011


In [25]:
import random
import os

# Function to generate 5,000 chosen plaintext pairs with a specified difference ( our input difference ∆P is 0000 0000 1011 0000)
def generate_plaintext_pairs(diff=0x0006, count=5000, filename='chosen_plaintexts.txt'):
    if os.path.exists(filename):
        print(f"File '{filename}' already exists. Loading plaintext pairs from this file.")
        return load_plaintext_pairs_from_file(filename)  # If the file exists, do not generate new plaintexts. We just want to generate it once and use the same plaintexts multiple times later. 

    # Generate 5000 random 16-bit plaintexts
    plaintext_pairs = []
    for _ in range(count):
        p1 = random.getrandbits(16)  # Generate random 16-bit plaintext
        p2 = p1 ^ diff  # Create pair with the difference
        plaintext_pairs.append((p1, p2))
    
    # Save plaintext pairs to file
    with open(filename, 'w') as f:
        for p1, p2 in plaintext_pairs:
            f.write(f"{p1:04X} {p2:04X}\n")  # Save in hex 
    print(f"Generated {count} chosen plaintext pairs with difference {diff:#06X} and saved to '{filename}'.")
    
    return plaintext_pairs

# Function loads plaintext pairs from file (if already generated/ file exists)
def load_plaintext_pairs_from_file(filename='chosen_plaintexts.txt'):
    with open(filename, 'r') as f:
        plaintext_pairs = [(int(line[:4], 16), int(line[5:], 16)) for line in f]
    return plaintext_pairs

# Function encrypts pairs and return corresponding ciphertexts
def encrypt_plaintext_pairs(plaintext_pairs, round_keys):
    ciphertext_pairs = []
    for p1, p2 in plaintext_pairs:
        c1 = spn_encrypt(p1, round_keys)
        c2 = spn_encrypt(p2, round_keys)
        ciphertext_pairs.append((c1, c2))
    return ciphertext_pairs

# Save ciphertext pairs to file
def save_ciphertext_pairs_to_file(ciphertext_pairs, filename='ciphertext_pairs.txt'):
    with open(filename, 'w') as f:
        for c1, c2 in ciphertext_pairs:
            f.write(f"{c1:04X} {c2:04X}\n")  # Save in hex 
    print(f"Saved {len(ciphertext_pairs)} ciphertext pairs to '{filename}'.")

# Example
round_keys = generate_round_keys()  # Generate or load 5 random round keys

#1: Generate plaintext pairs with input difference ∆P
plaintext_pairs = generate_plaintext_pairs()

#2: Encrypt the pairs
ciphertext_pairs = encrypt_plaintext_pairs(plaintext_pairs, round_keys)

#3: Save ciphertext pairs to file
save_ciphertext_pairs_to_file(ciphertext_pairs)

# Print first few pairs to verify
for i in range(10):
    print(f"Plaintext Pair: {plaintext_pairs[i][0]:016b} -> {plaintext_pairs[i][1]:016b}")
    print(f"Ciphertext Pair: {ciphertext_pairs[i][0]:016b} -> {ciphertext_pairs[i][1]:016b}\n")


Round key file 'round_keys.txt' already exists. Loading keys from this file.
File 'chosen_plaintexts.txt' already exists. Loading plaintext pairs from this file.
Saved 5000 ciphertext pairs to 'ciphertext_pairs.txt'.
Plaintext Pair: 1110000000101001 -> 1110000000101111
Ciphertext Pair: 0110001010001001 -> 0110111101011100

Plaintext Pair: 0101010100011101 -> 0101010100011011
Ciphertext Pair: 0100010111100010 -> 1110010110101000

Plaintext Pair: 0100011101111110 -> 0100011101111000
Ciphertext Pair: 1111011010001101 -> 1111000001101000

Plaintext Pair: 0101011110111100 -> 0101011110111010
Ciphertext Pair: 1010001110000000 -> 1010001110001101

Plaintext Pair: 0111110001110100 -> 0111110001110010
Ciphertext Pair: 1001101001100111 -> 1001101010010100

Plaintext Pair: 1101111000011111 -> 1101111000011001
Ciphertext Pair: 1001010100100111 -> 1010101011110000

Plaintext Pair: 0100111011110001 -> 0100111011110111
Ciphertext Pair: 1100011110110001 -> 1000011110110110

Plaintext Pair: 01100100110

In [44]:
# Load ciphertext pairs
def load_ciphertext_pairs(filename):
    with open(filename, 'r') as file:
        ciphertext_pairs = [
            tuple(line.strip().split()) for line in file.readlines()
        ]
    return [(int(c1, 16), int(c2, 16)) for c1, c2 in ciphertext_pairs]

# original S-box
sbox = [5, 4, 3, 8, 15, 9, 2, 1, 14, 11, 6, 7, 12, 13, 0, 10]

# inverse S-box
inverse_sbox = [0] * 16  # Initialize array(same length as original, 16)
for i in range(16):
    inverse_sbox[sbox[i]] = i

# Reverse S-box
def reverse_sbox(bits):
    return inverse_sbox[bits]

# This function will do parial decryption by checking if a candidate key byte is correct based on our best differential characteristics(leading to input of last round 0001 for sbox43 and sbox 44)
#It will then increment the candidate key byte count for matches
def count_key_matches(ciphertext_pairs, candidate_key_byte):
    match_count = 0
    for c1, c2 in ciphertext_pairs:
        # XOR difference of ciphertext pair
        delta_c = c1 ^ c2
        if (delta_c & 0xFF00) == 0:  # Check if first 8 bits are zero
            # Extract last byte of c1 and c2
            c1_last_byte = c1 & 0xFF
            c2_last_byte = c2 & 0xFF
            
            # XOR first 4 bits of c1_last_byte with the first 4 bits of candidate_key_byte. same with last 4 bits. 
            u4_1_part1 = (c1_last_byte >> 4) ^ (candidate_key_byte >> 4)  # First 4 bits
            u4_1_part2 = (c1_last_byte & 0xF) ^ (candidate_key_byte & 0xF)  # Last 4 bits
            
            # XOR first 4 bits of c2_last_byte with first 4 bits of candidate_key_byte. same with last 4 bits. 
            u4_2_part1 = (c2_last_byte >> 4) ^ (candidate_key_byte >> 4)  # First 4 bits
            u4_2_part2 = (c2_last_byte & 0xF) ^ (candidate_key_byte & 0xF)  # Last 4 bits

            # do reverse S-box transformation for each part of U4
            u4_1_1 = reverse_sbox(u4_1_part1)
            u4_1_2 = reverse_sbox(u4_1_part2)
            u4_2_1 = reverse_sbox(u4_2_part1)
            u4_2_2 = reverse_sbox(u4_2_part2)

            # Match condition: XOR of both halves(c1 and c2) after partial decryption must be 0001 (0x01)
            if (u4_1_1 ^ u4_2_1) == 0x01 and (u4_1_2 ^ u4_2_2) == 0x01:
                match_count += 1 #increment the match count for this candidate_key_byte

    return match_count


# Brute force all possible bytes for the final round key(256 posibilities) and return list of top 5 highest matches. First will be the correct key.  
def decrypt_final_key_byte(ciphertext_pairs):
    results = []
    total_pairs = len(ciphertext_pairs)
    for candidate_key_byte in range(256):  
        frequency = count_key_matches(ciphertext_pairs, candidate_key_byte)
        probability = frequency / total_pairs
        results.append((candidate_key_byte, frequency, probability))
    
    # Sort results by frequency in descending order
    results.sort(key=lambda x: x[1], reverse=True)
    return results[:5]  # highest 5 

# Load ciphertext pairs and decrypt for the byte of the final round key 
ciphertext_pairs = load_ciphertext_pairs('ciphertext_pairs_one.txt')
top_candidates = decrypt_final_key_byte(ciphertext_pairs)

# Display results
print("Partial Round Key | Frequency | Probability")
for key_byte, frequency, probability in top_candidates:
    print(f"0x{key_byte:02X}            | {frequency}        | {probability:.4f}")

Partial Round Key | Frequency | Probability
0x07            | 168        | 0.0336
0x04            | 67        | 0.0134
0x0C            | 65        | 0.0130
0x0D            | 65        | 0.0130
0xA7            | 65        | 0.0130


As you can see from the displayed table, the highest probability is $0.0336$ for partial round key : $0x07$. This was for the ciphertext (ciphertext_pairs_one.txt) that my partner (Person 1) generated without my knowledge of his round keys. I determine $0x07$ to be the alleged key byte. Below is a step by step explanation of my attack.

## Differential Cryptanalysis of Final Round Key Byte

In this attack, I utilized differential cryptanalysis to deduce the final byte of the encryption key. My approach is based on analyzing the XOR difference $\Delta C$ of ciphertext pairs and testing candidate key bytes to identify the most probable value used in the final round. This needed to match the input difference of our last round of S-boxs determined by our best differential characteristic. 

### 1. Ciphertext Pair Loading and Filtering

I began by loading pairs of ciphertexts $(C_1, C_2)$ and computed their XOR difference:  
  $$\Delta C = C_1 \oplus C_2$$  
For each pair, I selected pairs where the first 8 bits of $\Delta C$ were zero (i.e., $(\Delta C\& 0xFF00) = 0$).

### 2. Partial Decryption

For each candidate key byte, $K_{\text{byte}}$, I conducted a partial decryption of the last byte of $C_1$ and $C_2$. Each byte was split into two 4-bit halves to match the structure of S-boxes $S_{43}$ and $S_{44}$.

- **First Half**: I XORed the first 4 bits of the last byte of $C_1$ with the first 4 bits of $K_{\text{byte}}$, producing $U_{4,1}$ then ran it through the inverse $S_{43}$:  
  $$U_{4,1} = \text{S}^{-1}\left(\left(\text{first 4 bits of } C_1\right) \oplus \left(\text{first 4 bits of } K_{\text{byte}}\right)\right)$$

- **Second Half**: I XORed the last 4 bits of $C_1$ with the last 4 bits of $K_{\text{byte}}$, producing $U_{4,2}$ then ran it through the inverse $S_{44}$ (note all S-boxs have the same structure so simply applied the same inverse_sbox function):  
  $$U_{4,2} = \text{S}^{-1}\left(\left(\text{last 4 bits of } C_1\right) \oplus \left(\text{last 4 bits of } K_{\text{byte}}\right)\right)$$

This process was repeated for $C_2$, yielding $U'_{4,1}$ and $U'_{4,2}$ for the first and second halves, respectively.

### 3. Differential Matching Condition

I checked if the XOR differences between these values matched the expected value from our best differential characteristic($0001$ or $0x01$):  
  $$U_{4,1} \oplus U'_{4,1} = 0x01 \quad \text{and} \quad U_{4,2} \oplus U'_{4,2} = 0x01$$  
If both conditions held, I incremented the count as a match for $K_{\text{byte}}$.

### 4. Result Analysis

For each $K_{\text{byte}}$, I calculated the frequency of matches and determined the probability. Finally, I sorted the candidate bytes by frequency and selected the top 5 most likely values, with the highest frequency representing the most probable(alleged) key byte.
