In [3]:
from Crypto.Cipher import Salsa20
from scipy import stats
import random
from numpy.random import Generator
from randomgen import HC128
from pytrivium import Trivium
import time


def bitstring_to_bytes(s):
    v = int("1"+s, 2)
    b = bytearray()
    while v:
        b.append(v & 0xff)
        v >>= 8
    b.pop()
    return bytes(b[::-1])

def byte_xor(ba1, ba2):
    return bytes([_a ^ _b for _a, _b in zip(ba1, ba2)])

def generate_binary_string(n):
    return ''.join(str(random.randint(0, 1)) for _ in range(n))

def flip_bit(string, index):
    if string[index] == 1:
        return string[:index] + "0" + string[index + 1:]
    else:
        return string[:index] + "1" + string[index + 1:]


In [10]:
key_length=128
# The plaintext should consist of pure 0s to retrieve the keystream
plaintext = bitstring_to_bytes("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
manybits=bitstring_to_bytes("")
for i in range(2**10):
    manybits = manybits+plaintext
# We want to keep the nonce constant so that no additional paramethers are introduced
nonce_string = "0000000000000000000000000000000000000000000000000000000000000000"
nonce = bitstring_to_bytes(nonce_string)

In [11]:
def compute_higher_order_derivative(cipher_name = "salsa", order=20, plaintext=plaintext, random_start=True):
    if random_start:
        starting_string=generate_binary_string(key_length-order)
    else:
        starting_string="".zfill(key_length-order)
    sum_string=bitstring_to_bytes("".zfill(key_length))
    for i in range(2**order):
        binary_ending = f'{i:0{order}b}'
        secret = bitstring_to_bytes(starting_string+binary_ending)
        if cipher_name == "salsa":
            cipher = Salsa20.new(key=secret,nonce=nonce)
            msg =  cipher.encrypt(plaintext)
        elif cipher_name == "hc128":
            # The key is a 256-bit integer that contains both the key (lower 128 bits) and initial values (upper 128-bits) for the HC-128 cipher
            seed = nonce_string+nonce_string
            hc_key = int(seed+starting_string+binary_ending, 2)
            hc128 = HC128(key=hc_key)
            gen = Generator(hc128)
            msg = gen.bytes(16)
        elif cipher_name == "trivium":
            trivium = Trivium()
            iv = [0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]
            # Key length for trivium is 80 bits so we skip the first 6 bytes
            key=secret[6:]
            trivium.initialize(key,iv)
            trivium.update(16)
            output = trivium.finalize()
            pad=""
            for i in output:
                pad += "{:08b}".format(i)
            msg = bitstring_to_bytes(pad)
        else:
            raise ValueError("not a supported cipher")
        sum_string = byte_xor(sum_string, msg)
    #print(sum_string)
    binary_string = "{:08b}".format(int(sum_string.hex(),16))
    #print(binary_string)
    #print("hamming weight is: "+str(binary_string.count('1')/len(binary_string)))
    return binary_string

In [12]:
def compute_higher_order_derivative_for_index(cipher_name = "salsa", plaintext=manybits, random_start=False, index_set=[1]):
    order = len(index_set)
    if random_start:
        starting_string=generate_binary_string(key_length)
    else:
        starting_string="".zfill(key_length)
    sum_string=bitstring_to_bytes("".zfill(len(plaintext)))

    
    #compute S(0):
    secret = bitstring_to_bytes(starting_string)
    if cipher_name == "salsa":
        cipher = Salsa20.new(key=secret,nonce=nonce)
        msg =  cipher.encrypt(plaintext)
    elif cipher_name == "hc128":
        # The key is a 256-bit integer that contains both the key (lower 128 bits) and initial values (upper 128-bits) for the HC-128 cipher
        seed = nonce_string+nonce_string
        hc_key = int(seed+starting_string, 2)
        hc128 = HC128(key=hc_key)
        gen = Generator(hc128)
        msg = gen.bytes(len(manybits))
    elif cipher_name == "trivium":
        trivium = Trivium()
        iv = [0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]
        # Key length for trivium is 80 bits so we skip the first 6 bytes
        key=secret[6:]
        trivium.initialize(key,iv)
        trivium.update(len(manybits))
        output = trivium.finalize()
        pad=""
        for i in output:
            pad += "{:08b}".format(i)
        msg = bitstring_to_bytes(pad)
    else:
        raise ValueError("not a supported cipher")
    sum_string = byte_xor(sum_string, msg)
    
    #compute derivatives:
    for i in index_set:
        starting_string = flip_bit(starting_string, i)
        secret = bitstring_to_bytes(starting_string)
        if cipher_name == "salsa":
            cipher = Salsa20.new(key=secret,nonce=nonce)
            msg =  cipher.encrypt(plaintext)
        elif cipher_name == "hc128":
            # The key is a 256-bit integer that contains both the key (lower 128 bits) and initial values (upper 128-bits) for the HC-128 cipher
            seed = nonce_string+nonce_string
            hc_key = int(seed+starting_string, 2)
            hc128 = HC128(key=hc_key)
            gen = Generator(hc128)
            msg = gen.bytes(len(manybits))
        elif cipher_name == "trivium":
            trivium = Trivium()
            iv = [0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]
            # Key length for trivium is 80 bits so we skip the first 6 bytes
            key=secret[6:]
            trivium.initialize(key,iv)
            trivium.update(len(manybits))
            output = trivium.finalize()
            pad=""
            for i in output:
                pad += "{:08b}".format(i)
            msg = bitstring_to_bytes(pad)
        else:
            raise ValueError("not a supported cipher")
        sum_string = byte_xor(sum_string, msg)
    #print(sum_string)
    binary_string = "{:08b}".format(int(sum_string.hex(),16))
    #print(binary_string)
    #print("hamming weight is: "+str(binary_string.count('1')/len(binary_string)))
    return binary_string

In [71]:
hamming_weight_list=[]

#Compute all 4th derivatives:
start_time = time.time()
for i1 in range(63):
    print(i1)
    print(time.time()-start_time)
    start_time = time.time()
    for i2 in range(i1+1,64):
        for i3 in range(i2+64,127):
            for i4 in range(i3+1,128):
                indexes = []
                indexes.append(i1)
                indexes.append(i2)
                indexes.append(i3)
                indexes.append(i4)
                derivative=compute_higher_order_derivative_for_index(index_set=indexes)
                hamming_weight_list.append(derivative.count('1'))

0
0.0005519390106201172
1
81.65836501121521
2
78.67479681968689
3
74.8856132030487
4
70.4138560295105
5
67.23764610290527
6
63.10336995124817
7
59.63830304145813
8
57.255685329437256
9
53.82084512710571
10
50.848116874694824
11
48.481127977371216
12
45.34651803970337
13
42.76273202896118
14
40.24995017051697
15
37.917283058166504
16
35.57143998146057
17
33.45926880836487
18
31.281540870666504
19
29.33746600151062
20
27.367171049118042
21
25.612011909484863
22
23.874861001968384
23
22.107681035995483
24
20.63237500190735
25
19.106926918029785
26
17.660054922103882
27
16.29603672027588
28
15.004519939422607
29
13.770428895950317
30
12.650298833847046
31
11.554445028305054
32
10.569141149520874
33
9.60408616065979
34
8.643974781036377
35
7.878286838531494
36
7.05820107460022
37
6.342311859130859
38
5.645080089569092
39
5.020050764083862
40
4.43256402015686
41
3.9293150901794434
42
3.4220528602600098
43
2.9687788486480713
44
2.5640859603881836
45
2.1981430053710938
46
1.8891232013702393
47

In [73]:
sum(hamming_weight_list) / len(hamming_weight_list)

8191.959263854425

In [13]:
hamming_weight_list=[]

#Compute all 4th derivatives:
start_time = time.time()
for i1 in range(63):
    print(i1)
    print(time.time()-start_time)
    start_time = time.time()
    for i2 in range(i1+1,64):
        for i3 in range(i2+64,127):
            for i4 in range(i3+1,128):
                indexes = []
                indexes.append(i1)
                indexes.append(i2)
                indexes.append(i3)
                indexes.append(i4)
                derivative=compute_higher_order_derivative_for_index(cipher_name= "hc128", index_set=indexes)
                hamming_weight_list.append(derivative.count('1'))
sum(hamming_weight_list) / len(hamming_weight_list)

0
0.00030684471130371094
1
72.03764200210571
2
69.09187197685242
3
66.09536576271057
4
62.570844888687134
5
59.32691192626953
6
56.20441031455994
7
53.4792320728302
8
50.90479588508606
9
47.975090980529785
10
45.505404233932495
11
43.007274866104126
12
40.643646001815796
13
38.291061878204346
14
36.18950700759888
15
33.894001960754395
16
31.90683889389038
17
29.91854500770569
18
28.33913278579712
19
26.489931106567383
20
24.866230964660645
21
22.85475516319275
22
21.29646110534668
23
19.840567111968994
24
18.440162181854248
25
17.07784867286682
26
15.7698392868042
27
14.574666976928711
28
13.416430234909058
29
12.33929705619812
30
11.484503984451294
31
10.365754842758179
32
9.409240007400513
33
8.587095022201538
34
7.771438837051392
35
7.011746168136597
36
6.30237603187561
37
5.65648889541626
38
5.088011026382446
39
4.500114917755127
40
3.9777300357818604
41
3.5034258365631104
42
3.0651111602783203
43
2.6631650924682617
44
2.2976016998291016
45
1.9694619178771973
46
1.6807501316070557


8192.007448599787

In [21]:
hamming_weight_list=[]

#Compute all 4th derivatives:
start_time = time.time()
for i1 in range(39):
    print(i1)
    print(time.time()-start_time)
    start_time = time.time()
    for i2 in range(i1+1,40):
        for i3 in range(i2+40,79):
            for i4 in range(i3+1,80):
                indexes = []
                indexes.append(i1)
                indexes.append(i2)
                indexes.append(i3)
                indexes.append(i4)
                derivative=compute_higher_order_derivative_for_index(cipher_name= "trivium", index_set=indexes)
                hamming_weight_list.append(derivative.count('1'))
sum(hamming_weight_list) / len(hamming_weight_list)

0
0.00040411949157714844
1
139.8700737953186
2
129.17481327056885
3
117.77825284004211
4
108.38704204559326
5
99.66946792602539
6
91.30518388748169
7
83.54683208465576
8
76.64131307601929
9
69.56693911552429
10
62.84859299659729
11
56.68680119514465
12
51.03964900970459
13
45.75220513343811
14
40.8437397480011
15
36.26547574996948
16
32.092292070388794
17
28.250874042510986
18
24.698779106140137
19
21.521480798721313
20
18.549108028411865
21
15.940445184707642
22
13.544342041015625
23
11.37662386894226
24
9.499834775924683
25
7.798187017440796
26
6.367954969406128
27
5.071183681488037
28
3.9884049892425537
29
3.091446876525879
30
2.3208158016204834
31
1.6716818809509277
32
1.1719820499420166
33
0.7802681922912598
34
0.48825979232788086
35
0.27972412109375
36
0.14003515243530273
37
0.05617380142211914
38
0.014289140701293945


511.6852276093611

In [14]:
def find_avarage_hamming_weight(cipher_name = "salsa", max_order=10, plaintext=plaintext):
    hamming_list=[]
    for order in range(max_order):
        sum_string=bitstring_to_bytes("".zfill(key_length))
        starting_string="".zfill(key_length)
        for i in range(order):
            
            

IndentationError: expected an indented block (2995219220.py, line 2)

In [16]:
results = []
# Number of samples for chi-squared test is recommended to be greater than 13
for i in range(20):
    results.append(compute_higher_order_derivative(cipher_name="trivium",order = 10, random_start=False))
hamming_weights=map(lambda x:x.count('1'),results)
stats.chisquare(list(hamming_weights))

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000

Power_divergenceResult(statistic=0.0, pvalue=1.0)

In [7]:
results = []
# Number of samples for chi-squared test is recommended to be greater than 13
for i in range(20):
    results.append(compute_higher_order_derivative(cipher_name="salsa",order = 25))
hamming_weights=map(lambda x:x.count('1'),results)
stats.chisquare(list(hamming_weights))

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19


Power_divergenceResult(statistic=10.139904610492849, pvalue=0.9494097592189479)

In [9]:
results = []
# Number of samples for chi-squared test is recommended to be greater than 13
for i in range(20):
    results.append(compute_higher_order_derivative(cipher_name="hc128",order = 25))
hamming_weights=map(lambda x:x.count('1'),results)
stats.chisquare(list(hamming_weights))

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19


Power_divergenceResult(statistic=9.87692307692308, pvalue=0.9559167318711057)