In [1]:

%matplotlib qt5
import numpy as np
import matplotlib.pyplot as plt
import struct

In [2]:
Sbox = [
    # S1
 [
  0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
  0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
  0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
  0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
  0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
  0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
  0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
  0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
  0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
  0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
  0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
  0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
  0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
  0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
  0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
  0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
 ],
    # S2
 [
  0xe2, 0x4e, 0x54, 0xfc, 0x94, 0xc2, 0x4a, 0xcc, 0x62, 0x0d, 0x6a, 0x46, 0x3c, 0x4d, 0x8b, 0xd1,
  0x5e, 0xfa, 0x64, 0xcb, 0xb4, 0x97, 0xbe, 0x2b, 0xbc, 0x77, 0x2e, 0x03, 0xd3, 0x19, 0x59, 0xc1,
  0x1d, 0x06, 0x41, 0x6b, 0x55, 0xf0, 0x99, 0x69, 0xea, 0x9c, 0x18, 0xae, 0x63, 0xdf, 0xe7, 0xbb,
  0x00, 0x73, 0x66, 0xfb, 0x96, 0x4c, 0x85, 0xe4, 0x3a, 0x09, 0x45, 0xaa, 0x0f, 0xee, 0x10, 0xeb,
  0x2d, 0x7f, 0xf4, 0x29, 0xac, 0xcf, 0xad, 0x91, 0x8d, 0x78, 0xc8, 0x95, 0xf9, 0x2f, 0xce, 0xcd,
  0x08, 0x7a, 0x88, 0x38, 0x5c, 0x83, 0x2a, 0x28, 0x47, 0xdb, 0xb8, 0xc7, 0x93, 0xa4, 0x12, 0x53,
  0xff, 0x87, 0x0e, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8e, 0x37, 0x74, 0x32, 0xca, 0xe9, 0xb1,
  0xb7, 0xab, 0x0c, 0xd7, 0xc4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xd9, 0xb6, 0xb9, 0x11, 0x40,
  0xec, 0x20, 0x8c, 0xbd, 0xa0, 0xc9, 0x84, 0x04, 0x49, 0x23, 0xf1, 0x4f, 0x50, 0x1f, 0x13, 0xdc,
  0xd8, 0xc0, 0x9e, 0x57, 0xe3, 0xc3, 0x7b, 0x65, 0x3b, 0x02, 0x8f, 0x3e, 0xe8, 0x25, 0x92, 0xe5,
  0x15, 0xdd, 0xfd, 0x17, 0xa9, 0xbf, 0xd4, 0x9a, 0x7e, 0xc5, 0x39, 0x67, 0xfe, 0x76, 0x9d, 0x43,
  0xa7, 0xe1, 0xd0, 0xf5, 0x68, 0xf2, 0x1b, 0x34, 0x70, 0x05, 0xa3, 0x8a, 0xd5, 0x79, 0x86, 0xa8,
  0x30, 0xc6, 0x51, 0x4b, 0x1e, 0xa6, 0x27, 0xf6, 0x35, 0xd2, 0x6e, 0x24, 0x16, 0x82, 0x5f, 0xda,
  0xe6, 0x75, 0xa2, 0xef, 0x2c, 0xb2, 0x1c, 0x9f, 0x5d, 0x6f, 0x80, 0x0a, 0x72, 0x44, 0x9b, 0x6c,
  0x90, 0x0b, 0x5b, 0x33, 0x7d, 0x5a, 0x52, 0xf3, 0x61, 0xa1, 0xf7, 0xb0, 0xd6, 0x3f, 0x7c, 0x6d,
  0xed, 0x14, 0xe0, 0xa5, 0x3d, 0x22, 0xb3, 0xf8, 0x89, 0xde, 0x71, 0x1a, 0xaf, 0xba, 0xb5, 0x81
 ],
    # inverse S1
 [
  0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
  0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
  0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
  0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
  0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
  0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
  0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
  0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
  0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
  0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
  0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
  0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
  0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
  0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
  0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
  0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
 ],
    # inverse S2
 [
  0x30, 0x68, 0x99, 0x1b, 0x87, 0xb9, 0x21, 0x78, 0x50, 0x39, 0xdb, 0xe1, 0x72, 0x09, 0x62, 0x3c,
  0x3e, 0x7e, 0x5e, 0x8e, 0xf1, 0xa0, 0xcc, 0xa3, 0x2a, 0x1d, 0xfb, 0xb6, 0xd6, 0x20, 0xc4, 0x8d,
  0x81, 0x65, 0xf5, 0x89, 0xcb, 0x9d, 0x77, 0xc6, 0x57, 0x43, 0x56, 0x17, 0xd4, 0x40, 0x1a, 0x4d,
  0xc0, 0x63, 0x6c, 0xe3, 0xb7, 0xc8, 0x64, 0x6a, 0x53, 0xaa, 0x38, 0x98, 0x0c, 0xf4, 0x9b, 0xed,
  0x7f, 0x22, 0x76, 0xaf, 0xdd, 0x3a, 0x0b, 0x58, 0x67, 0x88, 0x06, 0xc3, 0x35, 0x0d, 0x01, 0x8b,
  0x8c, 0xc2, 0xe6, 0x5f, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1e, 0xe5, 0xe2, 0x54, 0xd8, 0x10, 0xce,
  0x7a, 0xe8, 0x08, 0x2c, 0x12, 0x97, 0x32, 0xab, 0xb4, 0x27, 0x0a, 0x23, 0xdf, 0xef, 0xca, 0xd9,
  0xb8, 0xfa, 0xdc, 0x31, 0x6b, 0xd1, 0xad, 0x19, 0x49, 0xbd, 0x51, 0x96, 0xee, 0xe4, 0xa8, 0x41,
  0xda, 0xff, 0xcd, 0x55, 0x86, 0x36, 0xbe, 0x61, 0x52, 0xf8, 0xbb, 0x0e, 0x82, 0x48, 0x69, 0x9a,
  0xe0, 0x47, 0x9e, 0x5c, 0x04, 0x4b, 0x34, 0x15, 0x79, 0x26, 0xa7, 0xde, 0x29, 0xae, 0x92, 0xd7,
  0x84, 0xe9, 0xd2, 0xba, 0x5d, 0xf3, 0xc5, 0xb0, 0xbf, 0xa4, 0x3b, 0x71, 0x44, 0x46, 0x2b, 0xfc,
  0xeb, 0x6f, 0xd5, 0xf6, 0x14, 0xfe, 0x7c, 0x70, 0x5a, 0x7d, 0xfd, 0x2f, 0x18, 0x83, 0x16, 0xa5,
  0x91, 0x1f, 0x05, 0x95, 0x74, 0xa9, 0xc1, 0x5b, 0x4a, 0x85, 0x6d, 0x13, 0x07, 0x4f, 0x4e, 0x45,
  0xb2, 0x0f, 0xc9, 0x1c, 0xa6, 0xbc, 0xec, 0x73, 0x90, 0x7b, 0xcf, 0x59, 0x8f, 0xa1, 0xf9, 0x2d,
  0xf2, 0xb1, 0x00, 0x94, 0x37, 0x9f, 0xd0, 0x2e, 0x9c, 0x6e, 0x28, 0x3f, 0x80, 0xf0, 0x3d, 0xd3,
  0x25, 0x8a, 0xb5, 0xe7, 0x42, 0xb3, 0xc7, 0xea, 0xf7, 0x4c, 0x11, 0x33, 0x03, 0xa2, 0xac, 0x60
 ]
]

In [3]:
HW=[
0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8
]

In [4]:
with open('./trace.bin', 'rb') as f:
    data = f.read()
f.close()
    
wave_cnt = 65536
time_cnt = 10340
time_float = time_cnt * 4

In [5]:
trace = []

for i in range(0, time_float * 256, time_float): 
    subtrace = []
    subdata = data[ i : i + time_float ] # 파형 하나
    
    if len(subdata) < time_float:
        continue
    
    # bytes to float, 0~1000번째 시점만 (1라운드 전력)
    # unpack 리턴 = 튜플 : (float,)
    for j in range(0, 4000, 4):
        float_data = struct.unpack('f', subdata[ j : j + 4 ])
        subtrace.append(float_data[0]) 
    
    trace.append(subtrace)

In [6]:
print(len(trace))
print(len(trace[0]))
print(len(trace[-1]))

256
1000
1000


In [7]:
def correlation(NP_trace, Ham):
    # NP_trace : 전력 (numpy) = W, Ham : hamming weight (numpy)
    n = len(NP_trace)
    Sum_Wi = sum(NP_trace) # sigma Wi
    Sum_Wi2 = sum(NP_trace ** 2) # sigma Wi^2
    Sum_WiH = 0 # sigma WiHi,R
    Sum_H = sum(Ham) # sigma Hi,R
    Sum_H2 = sum(Ham ** 2) #sigma Hi,R^2
    
    WH = [0 for _ in range(n)]
    for i in range(n):
        WH[i] = NP_trace[i] * Ham[i]
    
    Sum_WiH = sum(WH)
    
    return ( (n * Sum_WiH) - (Sum_Wi * Sum_H) ) / ( (((n * Sum_Wi2) - (Sum_Wi ** 2)) ** 0.5) * (((n * Sum_H2) - (Sum_H ** 2)) ** 0.5) )

In [8]:
def DiffusionLayer(output_idx, Z):
    # Diffusion Layer 진행 후 값 리턴
    # Z : input이 되는 Z값 (list 형태로)
    
    result = 0
    
    if output_idx == 0 or output_idx == 5 or output_idx == 11 or output_idx == 14: 
        T = Z[3] ^ Z[4] ^ Z[9] ^ Z[14]
        
        if output_idx == 0:
            result = Z[6] ^ Z[8] ^ Z[13] ^ T
        elif output_idx == 5:
            result = Z[1] ^ Z[10] ^ Z[15] ^ T
        elif output_idx == 11:
            result = Z[2] ^ Z[7] ^ Z[12] ^ T
        elif output_idx == 14:
            result = Z[0] ^ Z[5] ^ Z[11] ^ T
    
    if output_idx == 1 or output_idx == 4 or output_idx == 10 or output_idx == 15:
        T = Z[2] ^ Z[5] ^ Z[8] ^ Z[15]
        
        if output_idx == 1:
            result = Z[7] ^ Z[9] ^ Z[12] ^ T
        elif output_idx == 4:
            result = Z[0] ^ Z[11] ^ Z[14] ^ T
        elif output_idx == 10:
            result = Z[3] ^ Z[6] ^ Z[13] ^ T
        elif output_idx == 15:
            result = Z[1] ^ Z[4] ^ Z[10] ^ T
    
    if output_idx == 2 or output_idx ==  7 or output_idx == 9 or output_idx == 12:
        T = Z[1] ^ Z[6] ^ Z[11] ^ Z[12]
        
        if output_idx == 2:
            result = Z[4] ^ Z[10] ^ Z[15] ^ T
        elif output_idx == 7:
            result = Z[3] ^ Z[8] ^ Z[13] ^ T
        elif output_idx == 9:
            result = Z[0] ^ Z[5] ^ Z[14] ^ T
        elif output_idx == 12:
            result = Z[2] ^ Z[7] ^ Z[9] ^ T
    
    if output_idx == 3 or output_idx == 6 or output_idx == 8 or output_idx == 13:
        T = Z[0] ^ Z[7] ^ Z[10] ^ Z[13]
        
        if output_idx == 3:
            result = Z[5] ^ Z[11] ^ Z[14] ^ T
        elif output_idx == 6:
            result = Z[2] ^ Z[9] ^ Z[12] ^ T
        elif output_idx == 8:
            result = Z[1] ^ Z[4] ^ Z[15] ^ T
        elif output_idx == 13:
            result = Z[3] ^ Z[6] ^ Z[8] ^ T
    
    return result

In [9]:
"""
Const = (K7 >>> 62) ^ (K6 >>> 31) ^ K5 ^ (K4 >>> 93)
rotate : 128bit를 로테이션 하는 것
"""

k4 = 0x4da3486bf42e1be4d600fee1eededd16
k5 = 0x2fde076b07580c8ffe85b089052d495d
k6 = 0xf0248fa75e8fdfe085684997b6f5c1a1
k7 = 0x0f19787a9bfae64ebe51d5845102f8b3

def rotate_right(num, bits):
    return (num >> bits) | ((num << (128-bits)) & 0xffffffffffffffffffffffffffffffff)

Const = rotate_right(k7, 62) ^ rotate_right(k6, 31) ^ k5 ^ rotate_right(k4, 93)

print(hex(Const))
print(len(hex(Const)))
# 찍어보니 32자리 hex : 0 추가 안해도 됨

Con = []
st = hex(Const)

for i in range(2,len(hex(Const)),2):
        s = '0x'
        s += st[i:i+2]
        Con.append(int(s, base=16))
        
print(Con)
print(len(Con))

0x1a020d1f131d0602090906100d0c0017
34
[26, 2, 13, 31, 19, 29, 6, 2, 9, 9, 6, 16, 13, 12, 0, 23]
16


In [10]:
"""
# case1
K1_14 = 0b01100111
N14 = 0b11001110
K1_15 = 0b00101111
N15 = 0b11000111
"""

# case4
K1_14 = 0b11100111
N14 = 0b01001110
K1_15 = 0b10101111
N15 = 0b01000111

def rotate_left(num, bits):
    return ((num << bits) & 0xffffffffffffffffffffffffffffffff) | (num >> (128-bits))

P = ((K1_14 << 8) | K1_15) ^ rotate_left(k5, 12)
P14 = (P >> 8) & 0b11111111
P15 = P & 0b11111111

print(P14, P15)

# case1, case2 일 때 P14, P15 는 다른 값

53 82


In [11]:
def find_x0(x0, Con, P14, P15):
    x1 = x0 ^ (Con[14] >> 4) ^ (P14 >> 4) ^ (P15 & 0b1111)
    y1 = x1 ^ (Con[15] & 0b1111) ^ (P15 & 0b1111)
    y0 = x0 ^ (Con[14] & 0b1111) ^ (P14 & 0b1111)
    return x0, y0, x1, y1

In [12]:
"""
case2
K1_14 = 0b01100111
N14 = 0b11001110
K1_15 = 0b10101111
N15 = 0b01000111

P = ((K1_14 << 8) | K1_15) ^ rotate_left(k5, 12)
P14 = (P >> 8) & 0b11111111
P15 = P & 0b11111111

x0, y0, x1, y1 결과는 동일 
"""
case = []

# x0는 4bit
for i in range(16):
    x0, y0, x1, y1 = find_x0(i, Con, P14, P15)
    case.append([x0,y0,x1,y1])
    
print(case)

[[0, 5, 1, 4], [1, 4, 0, 5], [2, 7, 3, 6], [3, 6, 2, 7], [4, 1, 5, 0], [5, 0, 4, 1], [6, 3, 7, 2], [7, 2, 6, 3], [8, 13, 9, 12], [9, 12, 8, 13], [10, 15, 11, 14], [11, 14, 10, 15], [12, 9, 13, 8], [13, 8, 12, 9], [14, 11, 15, 10], [15, 10, 14, 11]]


In [13]:
def find_W0(x0, y0, x1, y1, Con):
    w0 = (x0 << 4) | y0
    w1 = (x1 << 4) | y1
    w2 = Con[0] ^ w0
    w3 = Con[1] ^ w1
    w4 = Con[2] ^ w2
    w5 = Con[3] ^ w3
    w6 = Con[4] ^ w4
    w7 = Con[5] ^ w5
    w8 = Con[6] ^ w6
    w9 = Con[7] ^ w7
    w10 = Con[8] ^ w8
    w11 = Con[9] ^ w9
    w12 = Con[10] ^ w10
    w13 = Con[11] ^ w11
    w14 = Con[12] ^ w12
    w15 = Con[13] ^ w13
    
    W0 = [w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15]
    return W0

In [14]:
k5shift = rotate_left(k5, 12)
k5shift_15 = k5shift & 0b11111111
k5shift_14 = (k5shift >> 8) & 0b11111111

for idx in range(16):
    x0, y0, x1, y1 = case[idx]
    W0 = find_W0(x0, y0, x1, y1, Con)
    
    print(W0)
    
    # ek1 = W0 ^ (K5 <<< 12) ^ (W0 <<< 12)
    w0shift15 = ((W0[0] & 0b1111) << 4) | (W0[1] >> 4)
    
    ek1_15 = W0[15] ^ k5shift_15 ^ w0shift15
    
    w0shift14 = ((W0[15] & 0b1111) << 4) | (W0[0] >> 4)
    
    ek1_14 = W0[14] ^ k5shift_14 ^ w0shift14
    
    if ek1_15 == K1_15 and ek1_14 == K1_14:
        print("yes")

[5, 20, 31, 22, 18, 9, 1, 20, 7, 22, 14, 31, 8, 15, 5, 3]
yes
[20, 5, 14, 7, 3, 24, 16, 5, 22, 7, 31, 14, 25, 30, 20, 18]
yes
[39, 54, 61, 52, 48, 43, 35, 54, 37, 52, 44, 61, 42, 45, 39, 33]
yes
[54, 39, 44, 37, 33, 58, 50, 39, 52, 37, 61, 44, 59, 60, 54, 48]
yes
[65, 80, 91, 82, 86, 77, 69, 80, 67, 82, 74, 91, 76, 75, 65, 71]
yes
[80, 65, 74, 67, 71, 92, 84, 65, 82, 67, 91, 74, 93, 90, 80, 86]
yes
[99, 114, 121, 112, 116, 111, 103, 114, 97, 112, 104, 121, 110, 105, 99, 101]
yes
[114, 99, 104, 97, 101, 126, 118, 99, 112, 97, 121, 104, 127, 120, 114, 116]
yes
[141, 156, 151, 158, 154, 129, 137, 156, 143, 158, 134, 151, 128, 135, 141, 139]
yes
[156, 141, 134, 143, 139, 144, 152, 141, 158, 143, 151, 134, 145, 150, 156, 154]
yes
[175, 190, 181, 188, 184, 163, 171, 190, 173, 188, 164, 181, 162, 165, 175, 169]
yes
[190, 175, 164, 173, 169, 178, 186, 175, 188, 173, 181, 164, 179, 180, 190, 184]
yes
[201, 216, 211, 218, 222, 197, 205, 216, 203, 218, 194, 211, 196, 195, 201, 207]
yes
[216, 201,

In [15]:
c1 = '0x517cc1b727220a94fe13abe8fa9a6ee0'
c2 = '0x6db14acc9e21c820ff28b1d5ef5de2b0'
c3 = '0xdb92371d2126e9700324977504e8c90e'

C1 = []
C2 = []
C3 = []

for i in range(2, len(c1), 2):
    s = '0x'
    s += c1[i:i+2]
    C1.append(int(s, base=16))
    
    s = '0x'
    s += c2[i:i+2]
    C2.append(int(s, base=16))
    
    s = '0x'
    s += c3[i:i+2]
    C3.append(int(s, base=16))
    
print(C1)
print(C2)
print(C3)


[81, 124, 193, 183, 39, 34, 10, 148, 254, 19, 171, 232, 250, 154, 110, 224]
[109, 177, 74, 204, 158, 33, 200, 32, 255, 40, 177, 213, 239, 93, 226, 176]
[219, 146, 55, 29, 33, 38, 233, 112, 3, 36, 151, 117, 4, 232, 201, 14]


In [16]:
# x0를 찾자

for idx in range(16):
    x0, y0, x1, y1 = case[idx]
    W0 = find_W0(x0, y0, x1, y1, Con)
    
    # KR = 0
    W = []
    for i in range(16):
        W.append(W0[i] ^ C1[i])
    
    for i in range(16):
        W[i] = Sbox[i % 4][W[i]]
    
    W1 = []
    for i in range(16):
        W1.append(DiffusionLayer(i, W))
        
    W0_ = '0x'
    W1_ = '0x'
    for i in range(16):
        s0 = hex(W0[i])[2:]
        s1 = hex(W1[i])[2:]
        if len(s0) == 1:
            s0 = '0' + s0
        if len(s1) == 1:
            s1 = '0' + s1
        
        W0_ += s0
        W1_ += s1
    
    W0_ = int(W0_, base=16)
    W1_ = int(W1_, base=16)
    
    W1rotate = rotate_right(W1_, 31)
    
    if k5 == (W0_ ^ W1rotate):
        print(x0)
        print(W0)

6
[99, 114, 121, 112, 116, 111, 103, 114, 97, 112, 104, 121, 110, 105, 99, 101]


In [17]:
MK = '0x'
W0 = [99, 114, 121, 112, 116, 111, 103, 114, 97, 112, 104, 121, 110, 105, 99, 101]

for n in W0:
    s = hex(n)[2:]
    if len(s) == 1:
        s = '0' + s
    MK += s

print(MK)

0x63727970746f6772617068796e696365
