In [2]:
import numpy as np

## Task 1
Implement the encryptor for a simplified AES-like cipher with the parameters given in the previous slides and the following substitution function:
    $$f : y_j(j): 2v_i(j) \mod  p, \ j$$

In [3]:
def subkey_generator_default(key):

    k_1 = [key[0],key[2],key[4],key[6]] 
    k_2 = [key[0],key[1],key[2],key[3]] 
    k_3 = [key[0],key[3],key[4],key[7]] 
    k_4 = [key[0],key[3],key[5],key[6]] 
    k_5 = [key[0],key[2],key[5],key[7]] 
    k_6 = [key[2],key[3],key[4],key[5]] 

    return [k_1, k_2, k_3, k_4, k_5, k_6]

def subkey_sum(k_i,w,p):

    k_inter = k_i+k_i
    k = np.array(k_inter)

    return (w + k)%p

In [4]:
 
def timesTwo(v,p):

    return np.multiply(v,2)%p

def transposition(y):

    return np.array([y[0],y[1],y[2],y[3],y[7],y[6],y[5],y[4]])

def linear(z, p):

    z_matrix = z.reshape(2,4)

    param_matrix = np.matrix([[2,5],[1,7]])
    
    w_matrix = np.dot(param_matrix,z_matrix)%p

    w_array = np.asarray(w_matrix).flatten()
    return w_array
        




In [5]:
def encryption(u,k,p,round,substitution,transposition=transposition,subkey_sum=subkey_sum,linear=linear, subkey_generator=subkey_generator_default):

    k_list = subkey_generator(k)

    for i in range (round):
        
        #print("round : ",i)
        v = subkey_sum(k_list[i],u,p)         
        #print("post subkey_sum",v)
        y = substitution(v,p)
        #print("post timesTwo",y)
        z = transposition(y)
        #print("post transpo",z)
        if i == round-1:
            x = subkey_sum(k_list[i+1],z,p)
            break
        u = linear(z, p)
        #print("post linear", u)
        
    return x

In [6]:
u = np.array([1,0,0,0,0,0,0,0])
k = np.array([1,0,0,0,0,0,0,0])
p=11
r = 5

x = encryption(u,k,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear=linear,
               subkey_generator=subkey_generator_default)

print(x)


[4 0 0 9 7 0 0 3]


## Task 2
Implement the decryptor for this simplified AES-like cipher. Note that decryption is performed by the inverse blocks in reverse order. Therefore, you have to implement the inverse of each function used to encrypt the message (subkey sum, substitution, transposition and linear), taking into consideration that all the operations must be done in the field $\mathbb{F} = GF(p)$.

In [7]:
def inv_timesTwo(v,p):
    mul_inv = pow(2,-1,p)
    return np.multiply(v,mul_inv)%p


def inv_transposition(y):
    return np.array([y[0],y[1],y[2],y[3],y[7],y[6],y[5],y[4]])


def inv_subkey_sum(k_i,w,p):

    k_inter = k_i+k_i
    k = np.array(k_inter) #list

    return (w - k)%p

#Calcolo dell'inversa della matrice modulo p
def inv_matrix(m, p):
    det = round(np.linalg.det(m))
    m_ast = np.linalg.inv(m)

    m_tilda = m_ast*det

    det_inv = pow(det, -1, p)

    m_inv = np.round(m_tilda * det_inv).astype(int) % p

    return m_inv

def inv_linear(z, p):
    z_matrix = z.reshape(2, 4)

    param_matrix = np.array([[2, 5], [1, 7]])

    #Calcolo dell'inversa della matrice modulo p
    param_matrix_inv = inv_matrix(param_matrix, p)

    w_matrix = np.dot(param_matrix_inv, z_matrix) % p

    w_array = np.asarray(w_matrix, dtype=int).flatten()

    return w_array


def decryption(x,k,p,round, inv_substitution, inv_transposition, inv_subkey_sum, inv_linear, subkey_generator):
    k_list = subkey_generator(k)

    for i in range(round,-1,-1):
        #print("round : ", i)
        z = inv_subkey_sum(k_list[i],x,p)            #v = u - k
        #print("post subkey_sum",z)
        if i == 0:
            x = z
            break
        elif i != round:
            w = inv_linear(z, p)
            #print("post linear", w)
        else:
            w = z
        y = inv_transposition(w)
        #print("post transpo",y)
        x = inv_substitution(y,p)
        #print("post timesTwo",x)
        
    return x

Test for inv_linear

In [8]:
a = linear(np.array([1,2,3,5,4,6,4,8]), p)  #change the array to test
print(a)
b = inv_linear(a, p)
print(b)

[0 1 4 6 7 0 9 6]
[1 2 3 5 4 6 4 8]


In [9]:
u = np.array([1,0,0,0,0,0,0,0])
x = encryption(u,k,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear=linear,
               subkey_generator=subkey_generator_default)
                
u = decryption(x,k,p,r, 
               inv_substitution=inv_timesTwo,
               inv_transposition=inv_transposition,
               inv_subkey_sum=inv_subkey_sum,
               inv_linear=inv_linear,
               subkey_generator=subkey_generator_default)
print(u)

[1 0 0 0 0 0 0 0]


Other tests for decryption

In [10]:
a = np.array([1,8,3,6,8,6,9,10]) #change plaintext to test
b = np.array([1,0,4,0,3,0,2,0]) #change key to test
c = encryption(a,b,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear=linear,
               subkey_generator=subkey_generator_default)

print(c)
d = decryption(c,b,p,r, 
               inv_substitution=inv_timesTwo,
               inv_transposition=inv_transposition,
               inv_subkey_sum=inv_subkey_sum,
               inv_linear=inv_linear,
               subkey_generator=subkey_generator_default)
print(d)

[ 8  6  1 10  4  8 10  2]
[ 1  8  3  6  8  6  9 10]


## Task 3
Identify the overall linear relationship for this simplified AES-like cipher, that is find the
matrices $A ∈ F^{(ℓ_x × ℓ_k)}$ and $B ∈ F^{(ℓ_x × ℓ_u)}$ such that
$$x = E(k, u) = Ak + Bu \mod p$$
with all operations in the field $\mathbb{F} = GF(p)$.

In [11]:
def linear_relationship(substitution = timesTwo, p = 11, r = 5):  #pass the encryption function as a parameter
    k_a = np.eye(8, dtype=int)
    e_a = np.zeros(8, dtype=int)
    A = np.empty((8,0), dtype=int)

    e_b = np.eye(8, dtype=int)
    k_b = np.zeros(8, dtype=int)
    B = np.empty((8,0), dtype=int)

    #k = e_j, u = 0
    for i in range(8):

        encrypted_value = encryption(e_a, np.asarray(k_a[i]), p, r,
                                    substitution=substitution,
                                    transposition=transposition,
                                    subkey_sum=subkey_sum,
                                    linear=linear,
                                    subkey_generator=subkey_generator_default)
        A = np.hstack((A, encrypted_value.reshape(-1, 1)))
        #print(encrypted_value)
        #print(k_a[i])
    #print(A)

    for i in range(8):

        encrypted_value = encryption(np.asarray(e_b[i]),k_b,p,r,
                                    substitution=substitution,
                                    transposition=transposition,
                                    subkey_sum=subkey_sum,
                                    linear=linear,
                                    subkey_generator=subkey_generator_default)
        B = np.hstack((B, encrypted_value.reshape(-1, 1)))


    #print(B)

    return A, B

In [12]:
u = np.array([1,0,0,0,0,0,0,0])
k = np.array([1,0,0,0,0,0,0,0])

x = encryption(u,k,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear=linear,
               subkey_generator=subkey_generator_default)

A, B = linear_relationship()

#print(A)
#print(B)
print((np.dot(A,k) + np.dot(B,u))%p)
print(np.all(x == (np.dot(A,k) + np.dot(B,u))%p))

[4 0 0 9 7 0 0 3]
True


In [13]:
u_1 = np.array([1,2,0,4,0,0,4,0]) #change plaintext to test
k_1 = np.array([0,0,0,0,0,0,0,1]) #change key to test

x = encryption(u_1,k_1,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear=linear,
               subkey_generator=subkey_generator_default)

A, B = linear_relationship()

print(A)
print(B)

print(x)
print((np.dot(A,k_1) + np.dot(B,u_1))%p)

print(x == (np.dot(A,k_1) + np.dot(B,u_1))%p)

[[ 9  0  1  6  0  0  1 10]
 [ 0  8  6  2  2  9  0  0]
 [ 0  6  0  8  3 10  0  0]
 [ 6  0  0  8  0  1  6  6]
 [ 2  0  1 10  0  0  1  3]
 [ 0  1  8  4  9  6  0  0]
 [ 0 10  0  5  7  6  0  0]
 [ 3  0  0  1  0  1  4  8]]
[[6 0 0 3 3 0 0 0]
 [0 6 3 0 0 3 0 0]
 [0 3 6 0 0 0 3 0]
 [3 0 0 6 0 0 0 3]
 [5 0 0 0 4 0 0 8]
 [0 5 0 0 0 4 8 0]
 [0 0 5 0 0 8 4 0]
 [0 0 0 5 8 0 0 4]]
[6 1 7 0 8 9 5 6]
[6 1 7 0 8 9 5 6]
[ True  True  True  True  True  True  True  True]


## Task 4
From a known plaintext/ciphertext pair $(u, x)$, implement a linear cryptanalysis KPA against this cipher by computing 
$$k = A^{−1}(x − Bu) \mod p$$ 
with all operations in the field $\mathbb{F} = GF(p)$

In [14]:
def linear_KPA(A,B,u,x):
    A_inv = inv_matrix(A, p)
    k = np.dot(A_inv, (x - np.dot(B,u))) % p
    return k

In [15]:
A,B = linear_relationship()
u = np.array([1,0,0,7,0,0,0,0]) #change plaintext to test
k = np.array([1,0,0,3,0,0,5,7]) #change key to test
x = encryption(u,k,p,r,
               substitution=timesTwo,
               transposition=transposition,
               subkey_sum=subkey_sum,
               linear = linear,
               subkey_generator=subkey_generator_default)

print(x)
key = linear_KPA(A,B,u,x)

print(key)


[8 6 2 4 8 1 4 7]
[1 0 0 3 0 0 5 7]


In [16]:
import ast
A, B = linear_relationship()
with open('KPAdataQ/KPApairsQ_linear.txt', 'r') as file_in:
    with open('KPAdataQ/KPAkeysQ_linear.txt', 'w') as file_out:
        first = True
        correct = True
        for line in file_in:
            u_str, x_str = line.split('\t')
            u = np.array(ast.literal_eval(u_str.strip()))
            x = np.array(ast.literal_eval(x_str.strip()))
            print(u, x)
            k = linear_KPA(A, B, u, x)
            if first:
                k_first = k
                first = False
            elif not np.array_equal(k, k_first):
                print("**ERROR: Different k**")
                correct = False
                break
        if correct:
            print("**SUCCESS: All k are the same**")
            print(k)
            file_out.write(str(k.tolist()) + '\n')

[5 9 9 9 2 5 9 1] [ 2 10  8  9 10  0 10  7]
[9 9 2 0 5 9 5 4] [8 1 9 9 0 6 2 9]
[5 1 1 9 6 2 9 0] [3 6 2 6 7 3 1 2]
[5 7 3 4 5 9 8 0] [7 3 7 9 3 9 8 2]
[3 4 9 4 2 6 5 9] [8 5 3 8 9 2 2 3]
**SUCCESS: All k are the same**
[ 9  1  4  3 10  6  2  1]


## Task 5
implement the encryptor for a simplified AES-like cipher with the parameters given in the previous slides and the substitution function described by the following table
|$v_i(j)$|0|1|2|3|4|5|6|7|8|9|10|
|--------|-|-|-|-|-|-|-|-|-|-|--|
|$y_i(j)$|0|2|4|8|6|10|1|3|5|7|9|

where $j ∈ \{1, . . . , ℓ\}$

In [17]:
def custom_substitution_number(v):
    if(v == 0):
        return 0
    if(v == 1):
        return 2
    if(v == 2):
        return 4
    if(v == 3):
        return 8
    if(v == 4):
        return 6
    if(v == 5):
        return 10
    if(v == 6):
        return 1
    if(v == 7):
        return 3
    if(v == 8):
        return 5
    if(v == 9):
        return 7
    if(v == 10):
        return 9
    
def custom_substitution(v,p):
    sub_v = np.zeros(8, dtype=int)
    for i in range(8):
        sub_v[i] = custom_substitution_number(v[i])
    return sub_v


In [18]:
n_sample = 10000
for _ in range(n_sample):
    #genero vettore random
    v = np.random.randint(0, 11, 8)
    #applico la substitution
    sub = custom_substitution(v, p)
    #stampo il vettore e la rispettiva substitution
    print(f"v: {v} \t sub: {sub}")


v: [ 5  9  9  0  6  0  1 10] 	 sub: [10  7  7  0  1  0  2  9]
v: [9 4 6 0 8 6 8 7] 	 sub: [7 6 1 0 5 1 5 3]
v: [4 5 1 5 2 3 1 2] 	 sub: [ 6 10  2 10  4  8  2  4]
v: [ 6  2  3  1  0  3 10  6] 	 sub: [1 4 8 2 0 8 9 1]
v: [ 5  1  0 10  7  9  3  0] 	 sub: [10  2  0  9  3  7  8  0]
v: [ 6 10  3  4  6  3  1  3] 	 sub: [1 9 8 6 1 8 2 8]
v: [4 5 2 2 4 3 8 0] 	 sub: [ 6 10  4  4  6  8  5  0]
v: [ 2  6 10  9  6  4  6  7] 	 sub: [4 1 9 7 1 6 1 3]
v: [ 2  9  2 10  7  1  1  2] 	 sub: [4 7 4 9 3 2 2 4]
v: [2 6 9 7 7 6 4 0] 	 sub: [4 1 7 3 3 1 6 0]
v: [6 3 0 9 2 2 2 3] 	 sub: [1 8 0 7 4 4 4 8]
v: [4 4 6 4 9 3 2 7] 	 sub: [6 6 1 6 7 8 4 3]
v: [ 1  4 10  0  5  0  3  0] 	 sub: [ 2  6  9  0 10  0  8  0]
v: [5 6 8 3 6 0 9 0] 	 sub: [10  1  5  8  1  0  7  0]
v: [ 7  1  1  1 10  6  1  8] 	 sub: [3 2 2 2 9 1 2 5]
v: [ 0  2  6 10  0  5  3 10] 	 sub: [ 0  4  1  9  0 10  8  9]
v: [ 4 10  6 10  6  6 10  5] 	 sub: [ 6  9  1  9  1  1  9 10]
v: [ 5  7  4  0  4  0 10  2] 	 sub: [10  3  6  0  6  0  9  4]
v: [4 8 5 6 

In [19]:
u = np.array([1,0,0,0,0,0,0,0])
k = np.array([1,0,0,0,0,0,0,0])
p=11
r = 5

print(encryption(u,k,p,r,
                 substitution=custom_substitution,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator=subkey_generator_default
                 ))

[9 0 0 0 5 0 0 6]


## Task 6
Linear cryptanalysis of a “nearly linear” cipher

In [20]:
def identity_substitution(v,p):
    return v

In [21]:
def approx_linear_substitution(x, a, b, p):
    a_inv = pow(a, -1, p)
    alpha = (-a_inv * b) % p
    return (alpha * x) % p


In [22]:
p = 11
rel = []
for a in range(1, p):
    for b in range(1, p):
        count = 0
        for v in range(p):
            real = custom_substitution_number(v)
            approx = approx_linear_substitution(v, a, b, p)
            
            if real == approx:
                count += 1
        prob = count / p
        delta = abs(prob - 1/p)
        rel.append((a, b, delta))
rel.sort(key=lambda x: x[2], reverse=True)

for r in rel:
    print(r)


(1, 9, 0.7272727272727273)
(2, 7, 0.7272727272727273)
(3, 5, 0.7272727272727273)
(4, 3, 0.7272727272727273)
(5, 1, 0.7272727272727273)
(6, 10, 0.7272727272727273)
(7, 8, 0.7272727272727273)
(8, 6, 0.7272727272727273)
(9, 4, 0.7272727272727273)
(10, 2, 0.7272727272727273)
(1, 1, 0.09090909090909091)
(1, 4, 0.09090909090909091)
(2, 2, 0.09090909090909091)
(2, 8, 0.09090909090909091)
(3, 1, 0.09090909090909091)
(3, 3, 0.09090909090909091)
(4, 4, 0.09090909090909091)
(4, 5, 0.09090909090909091)
(5, 5, 0.09090909090909091)
(5, 9, 0.09090909090909091)
(6, 2, 0.09090909090909091)
(6, 6, 0.09090909090909091)
(7, 6, 0.09090909090909091)
(7, 7, 0.09090909090909091)
(8, 8, 0.09090909090909091)
(8, 10, 0.09090909090909091)
(9, 3, 0.09090909090909091)
(9, 9, 0.09090909090909091)
(10, 7, 0.09090909090909091)
(10, 10, 0.09090909090909091)
(1, 2, 0.0)
(1, 3, 0.0)
(1, 5, 0.0)
(1, 6, 0.0)
(1, 7, 0.0)
(1, 8, 0.0)
(1, 10, 0.0)
(2, 1, 0.0)
(2, 3, 0.0)
(2, 4, 0.0)
(2, 5, 0.0)
(2, 6, 0.0)
(2, 9, 0.0)
(2, 10,

In [23]:
def approx_sub(x,p):
    sub_x = np.zeros(8, dtype=int)
    a = 2
    b = 7
    a_inv = pow(a, -1, p)
    alpha = (-a_inv * b) % p
    for i in range(len(x)):
        sub_x[i] = (alpha * x[i]) % p
    return sub_x

In [24]:
n_samples = 50000
count = 0
tried = set()

for _ in range(n_samples):
    v = np.random.randint(0, p, 8)
    while tuple(v) in tried:
        v = np.random.randint(0, p, 8)
    tried.add(tuple(v))
    real = custom_substitution(v,p)
    approx = approx_sub(v, p)
    print(f"v:\t{v} \nreal:\t{real} \napprox:\t{approx}\n\n")
    if np.all(real == approx):
        count += 1
prob = count / n_samples
print(prob)

v:	[3 5 8 7 9 5 8 7] 
real:	[ 8 10  5  3  7 10  5  3] 
approx:	[ 6 10  5  3  7 10  5  3]


v:	[ 5  5  3  1  9 10  7  1] 
real:	[10 10  8  2  7  9  3  2] 
approx:	[10 10  6  2  7  9  3  2]


v:	[ 7  1 10 10  0  3  2  9] 
real:	[3 2 9 9 0 8 4 7] 
approx:	[3 2 9 9 0 6 4 7]


v:	[ 2  7  5  6  9  4  7 10] 
real:	[ 4  3 10  1  7  6  3  9] 
approx:	[ 4  3 10  1  7  8  3  9]


v:	[ 3 10  8  7  0  5  8  3] 
real:	[ 8  9  5  3  0 10  5  8] 
approx:	[ 6  9  5  3  0 10  5  6]


v:	[0 7 7 3 3 7 8 7] 
real:	[0 3 3 8 8 3 5 3] 
approx:	[0 3 3 6 6 3 5 3]


v:	[1 0 4 5 2 3 5 5] 
real:	[ 2  0  6 10  4  8 10 10] 
approx:	[ 2  0  8 10  4  6 10 10]


v:	[ 7 10  6  9  0  5  9  3] 
real:	[ 3  9  1  7  0 10  7  8] 
approx:	[ 3  9  1  7  0 10  7  6]


v:	[ 9  7 10  6  8  9  5  5] 
real:	[ 7  3  9  1  5  7 10 10] 
approx:	[ 7  3  9  1  5  7 10 10]


v:	[0 5 6 5 7 1 7 5] 
real:	[ 0 10  1 10  3  2  3 10] 
approx:	[ 0 10  1 10  3  2  3 10]


v:	[ 9  9  2  7  3  2  8 10] 
real:	[7 7 4 3 8 4 5 9] 
approx:	[7 7 4 3 6 

In [25]:
def gen_data(substitution, n_samples = 10000, size = 8, p = 11, r = 5):
    data = []
    for _ in range(n_samples):
        u = np.random.randint(0, p, size)
        k = np.random.randint(0, p, size)

        x = encryption(u,k,p,r,
                    substitution=substitution,
                    transposition=transposition,
                    subkey_sum=subkey_sum,
                    linear=linear,
                    subkey_generator=subkey_generator_default
                    )
        data.append((k, u, x))
    return data

def evaluate_approximation(A, B, data, p=11):
    count = 0
    for k, u, x in data:
        if np.all((np.dot(A,k) + np.dot(B,u))%p == x):
            count += 1
    return count / len(data)

In [26]:
data_real = gen_data(custom_substitution, n_samples = 50000)

In [29]:
A, B = linear_relationship(approx_sub)
print(f"{A}\n{B}")

prob = evaluate_approximation(A, B, data_real, p=11)
print(f"Probability of success: {prob:.6f}")
if prob > 1/pow(p,8):
    print("**SUCCESS: The approximation is valid**")
else:
    print("**ERROR: The approximation is not valid**")

[[ 9  0  1  6  0  0  1 10]
 [ 0  8  6  2  2  9  0  0]
 [ 0  6  0  8  3 10  0  0]
 [ 6  0  0  8  0  1  6  6]
 [ 2  0  1 10  0  0  1  3]
 [ 0  1  8  4  9  6  0  0]
 [ 0 10  0  5  7  6  0  0]
 [ 3  0  0  1  0  1  4  8]]
[[6 0 0 3 3 0 0 0]
 [0 6 3 0 0 3 0 0]
 [0 3 6 0 0 0 3 0]
 [3 0 0 6 0 0 0 3]
 [5 0 0 0 4 0 0 8]
 [0 5 0 0 0 4 8 0]
 [0 0 5 0 0 8 4 0]
 [0 0 0 5 8 0 0 4]]
Probability of success: 0.000340
**SUCCESS: The approximation is valid**


In [None]:
A, B = linear_relationship(approx_sub)
with open('KPAdataQ/KPApairsQ_nearly_linear.txt', 'r') as file_in:
    for line in file_in:
        u_str, x_str = line.split('\t')
        u = np.array(ast.literal_eval(u_str.strip()))
        x = np.array(ast.literal_eval(x_str.strip()))
        #print(u, x)
        k_hat = linear_KPA(A, B, u, x)

        print(k_hat)

[2 4 8 9 0 3 1 9]
[6 7 8 6 0 9 2 3]
[ 2  8  9  7  1 10 10  1]
[ 2  7  4  5 10  0  2  2]
[ 7  4  3  0  0  3 10  8]


so now we have 5 different keys but we know that all the pairs have been encrypted with the same key so let's construct the key starting from an aggregate key

In [None]:
from collections import Counter
from itertools import combinations, product


# ----- Funzione per aggregare le chiavi tramite voto per ogni coordinata -----
def aggregate_keys(keys, p=11):
    n_candidates, key_length = keys.shape
    aggregated = []
    for i in range(key_length):
        col = keys[:, i]
        cnt = Counter(col)
        mode, freq = cnt.most_common(1)[0]
        aggregated.append(mode)
    return np.array(aggregated) % p


# ----- Funzione per generare chiavi vicine alla chiave aggregata -----
def generate_neighbor_keys(k_candidate, delta, p):
    n = len(k_candidate)
    offsets = list(range(-delta, delta+1))
    neighbor_keys = []
    # Il prodotto cartesiano produce 3^n candidati (per n=8, 6561 candidati)
    for diff in product(offsets, repeat=n):
        candidate = (k_candidate + np.array(diff)) % p
        neighbor_keys.append(candidate)
    return neighbor_keys

# Qui delta è il numero di elementi diversi da k_candidate
def generate_neighbor_keys_2(k_candidate, delta, p):
    n = len(k_candidate)
    neighbor_keys = []

    # Seleziona delta indici da modificare
    for indices in combinations(range(n), delta):
        # Genera tutte le possibili variazioni per gli indici selezionati
        for variations in product(range(p), repeat=delta):
            # Crea una copia della chiave candidata
            new_key = k_candidate.copy()
            # Applica le variazioni agli indici selezionati
            for idx, variation in zip(indices, variations):
                new_key[idx] = variation
            # Aggiungi la nuova chiave alla lista
            neighbor_keys.append(new_key % p)

    return neighbor_keys


# ----- Funzione di test: verifica se una chiave candidata cifra u in x correttamente -----
def test_key(candidate_key, plaintexts, ciphertexts, p, r):
    for u, expected_x in zip(plaintexts, ciphertexts):
        x_candidate = encryption(u, candidate_key, p, r,
                                      substitution=custom_substitution,  # substitution reale
                                      transposition=transposition,
                                      subkey_sum=subkey_sum,
                                      linear=linear,
                                      subkey_generator=subkey_generator_default)
        if not np.all(x_candidate == expected_x):
            return False
    return True

def searh_key(neighbor_keys, plaintexts, ciphertexts, p=11, r=5):
    found_key = None
    for candidate in neighbor_keys:
        if test_key(candidate, plaintexts, ciphertexts, p, r):
            found_key = candidate
            break

    return found_key

In [38]:
keys = np.array([
    [2, 4, 8, 9, 0, 3, 1, 9],
    [6, 7, 8, 6, 0, 9, 2, 3],
    [2, 8, 9, 7, 1, 10, 10, 1],
    [2, 7, 4, 5, 10, 0, 2, 2],
    [7, 4, 3, 0, 0, 3, 10, 8]
])

aggregated_key = aggregate_keys(keys, p=11)
print("Chiave aggregata:", aggregated_key)

# Genera chiavi vicine
neighbor_keys = generate_neighbor_keys(aggregated_key, delta=2, p=11)
#print(neighbor_keys[:5])
print("Numero di chiavi candidate generate:", len(neighbor_keys))

plaintexts = [
    np.array([3,0,9,1,4,6,10,5]),
    np.array([10,2,4,7,0,8,4,8]),
    np.array([4,9,7,2,8,3,3,0]),
    np.array([2,0,7,9,1,0,6,6]),
    np.array([9,10,3,8,5,5,9,10])
]

ciphertexts = [
    np.array([6,5,1,1,3,6,5,8]),
    np.array([2,3,2,10,7,3,1,0]),
    np.array([0,0,10,3,5,5,0,2]),
    np.array([6,10,7,0,7,10,4,2]),
    np.array([7,7,8,5,9,1,6,6])
]

k =searh_key(neighbor_keys, plaintexts, ciphertexts)
print("Chiave trovata:", k)

Chiave aggregata: [2 4 8 9 0 3 2 9]
Numero di chiavi candidate generate: 390625
Chiave trovata: None


## Task 7
implement the encryptor for a simplified AES-like cipher with the following parameters: $\mathcal{K} = \mathbb{F}^{\ell_k}, \ell_k = 4$

ECC...

In [245]:
def subkey_generator_task_7(key):

    k_1 = [key[0],key[1],key[2],key[3]]
    k_2 = [key[0],key[1],key[3],key[2]]
    k_3 = [key[1],key[2],key[3],key[0]]
    k_4 = [key[0],key[3],key[1],key[2]]
    k_5 = [key[2],key[3],key[0],key[1]]
    k_6 = [key[1],key[3],key[0],key[2]]

    return [k_1,k_2,k_3,k_4,k_5,k_6]

def mod_inv(v, p):
    
    x =[]

    for num in v:
        if(num != 0):
            x.append((2*pow(num, -1, p))%p) # Calcola l'inverso di x modulo p e lo moltiplica per 2
        else:
            x.append(0)


    return np.array(x) 

def substitution_task_7(x,p):
    x= x.tolist()
    return mod_inv(x, p)
    

In [246]:
u= np.array([1,0,0,0,0,0,0,0])
k=np.array([1,0,0,0])

p= 11

print(encryption(u,k,p,r,
                 substitution=substitution_task_7,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator = subkey_generator_task_7))

[5 0 3 2 5 2 1 1]


## Task 8

Implement a “meet-in-the-middle” attack see against the concatenation of two
instances of the non linear simplified AES-like cipher defined in Task 7, with different keys
$k^′, k^{′′}$, respectively.

In [227]:
def double_enc(u, k1, k2, p, r):
    u2 = encryption(u,k1,p,r,
                 substitution=substitution_task_7,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator = subkey_generator_task_7)
    
    x = encryption(u2,k2,p,r,
                 substitution=substitution_task_7,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator = subkey_generator_task_7)
    return x

In [249]:
def inv_substitution_task_7(x,p):
    inv_x = []
    x = x.tolist()
    for elem in x:
        if elem == 0:
            inv_x.append(0)
        elif elem % 2 == 0:
            inv_x.append(pow((elem//2), -1, p))
        else:
            inv_x.append(pow(((elem+11)//2), -1, p))
    return np.array(inv_x)  

Test for `inv_substitution_task_7()`

In [251]:
a = np.array([1,2,3,4,5,6,7,8,9,10])
sub_a = substitution_task_7(a,11)
print(sub_a)
inv_sub_a = inv_substitution_task_7(sub_a,11)
print(inv_sub_a)
print(np.all(a == inv_sub_a)) 

[ 2  1  8  6  7  4  5  3 10  9]
[ 1  2  3  4  5  6  7  8  9 10]
True


test decryption

In [258]:
u = np.array([1,0,0,0,0,0,0,0])
k = np.array([1,0,0,0])
p = 11
r = 5

x = encryption(u,k,p,r,
                 substitution=substitution_task_7,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator = subkey_generator_task_7)

u_test = decryption(x,k,p,r,
                 inv_substitution=inv_substitution_task_7,
                 inv_transposition=inv_transposition,
                 inv_subkey_sum=inv_subkey_sum,
                 inv_linear=inv_linear,
                 subkey_generator = subkey_generator_task_7)

print(u_test)
print(np.all(u == u_test))

[1 0 0 0 0 0 0 0]
True


In [313]:
def generate_unique_random_arrays(n_samples=10000, key_size=4, p=11):
    unique_arrays = set()   #set to not admit duplicates
    while len(unique_arrays) < n_samples:
        #convert to tuple to make it hashable
        new_array = tuple(np.random.randint(0, p, key_size))
        unique_arrays.add(new_array)
    return [np.array(arr) for arr in unique_arrays]


def forward_step(u1,keys, p=11,r = 5):
    fs = []
    for k1 in keys:
        x1 = encryption(u1,k1,p,r,
                 substitution=substitution_task_7,
                 transposition=transposition,
                 subkey_sum=subkey_sum,
                 linear=linear,
                 subkey_generator = subkey_generator_task_7)
        fs.append((k1, x1))
        fs_sorted = sorted(fs, key=lambda item: tuple(item[1]))
    return fs_sorted


def backward_step(x2, keys, p = 11, r = 5):
    bs = []
    for k2 in keys:
        u2 = decryption(x2,k2,p,r,
                 inv_substitution=inv_substitution_task_7,
                 inv_transposition=inv_transposition,
                 inv_subkey_sum=inv_subkey_sum,
                 inv_linear=inv_linear,
                 subkey_generator = subkey_generator_task_7)
        bs.append((k2, u2))
        bs_sorted = sorted(bs, key=lambda item: tuple(item[1]))
    return bs_sorted


def meet_in_the_middle(u, x, k1s, k2s, p=11, r=5):
    #k1s = generate_unique_random_arrays(n_sample, key_size, p)
    #k2s = generate_unique_random_arrays(n_sample, key_size, p)
    keys = []
    fs = forward_step(u, k1s, p, r)
    bs = backward_step(x, k2s, p, r)

    for k1, x1 in fs:
        for k2, u2 in bs:
            if np.array_equal(x1, u2):
                keys.append((k1, k2))
    return keys

In [315]:
u = np.array([1,0,0,0,0,0,0,0])
k1 = np.array([1,2,3,4])
k2 = np.array([5,6,7,8])
p = 11
r = 5

x = double_enc(u, k1, k2, p, r)
print(x)

k1s = generate_unique_random_arrays()
k2s = generate_unique_random_arrays()

guess_keys = meet_in_the_middle(u, x, k1s, k2s)
print(guess_keys)

[7 7 9 1 6 7 1 7]
[(array([6, 2, 2, 7]), array([6, 4, 5, 1])), (array([0, 5, 6, 4]), array([9, 5, 2, 0]))]


In [318]:
import ast

with open('KPAdataQ/KPApairsQ_non_linear.txt', 'r') as file_in:
    with open('KPAdataQ/KPAkeysQ_non_linear.txt', 'w') as file_out:
        first = True
        correct = True
        #first generate the keys to ensure to find the same keys
        k1s = generate_unique_random_arrays()
        k1s = generate_unique_random_arrays()

        for line in file_in:
            u_str, x_str = line.split('\t')
            u = np.array(ast.literal_eval(u_str.strip()))
            x = np.array(ast.literal_eval(x_str.strip()))
            print(u, x)
            guess_keys = meet_in_the_middle(u, x, k1s,k2s)
            print(guess_keys)
            '''if k1 is None:
                print("**ERROR: No keys found**")
                correct = False
                break
            if first:
                k1_first = k1
                k2_first = k2
                first = False
            #elif not equal keys
            elif not np.array_equal(k1, k_first):
                print("**ERROR: Different keys**")
                print("k1", k1)
                print("k1_first", k1_first)
                print("k2", k2)
                print("k2_first", k2_first)
                correct = False
                break
        if correct:
            print("**SUCCESS: All k are the same**")'''
            file_out.write(str(guess_keys) + '\n')

[ 7 10  7  6  4  6  3  4] [ 8  2  4  1  6 10  3  2]
[(array([0, 7, 2, 4]), array([ 2,  9, 10,  7]))]
[ 4  5  5 10  2  3  6  5] [ 5  8 10  0  6  3  1  4]
[(array([0, 7, 2, 4]), array([ 2,  9, 10,  7]))]
[2 6 9 0 4 0 6 5] [ 8  2  0  1  9  6 10  7]
[(array([ 1,  7, 10,  9]), array([5, 5, 0, 0])), (array([0, 7, 2, 4]), array([ 2,  9, 10,  7]))]
[8 2 6 5 9 7 3 3] [4 9 6 8 2 7 7 3]
[(array([0, 3, 1, 2]), array([8, 4, 2, 8])), (array([0, 7, 2, 4]), array([ 2,  9, 10,  7])), (array([7, 2, 6, 0]), array([5, 6, 4, 3]))]
[ 2 10  3  1  3  8  7  7] [8 8 2 2 5 2 5 0]
[(array([0, 7, 2, 4]), array([ 2,  9, 10,  7]))]


In [316]:
u = np.array([1,0,0,0,0,0,0,0])
k1 = np.array([0, 5, 6, 4])
k2 = np.array([9, 5, 2, 0])
p = 11
r = 5
x = double_enc(u, k1, k2, p, r)
print(x)

[7 7 9 1 6 7 1 7]
