Live Differential Attack
A real chosen-plaintext differential attack on the 4-round toy SPN cipher: we exploit a high-probability differential to recover the last round subkey.
Cipher setup
Active S-box: Weak (toy) change →
Master key K: 0x5A69
Last round subkey K₄ (hidden from attacker):
Reproducibility
Same seed → identical pair stream → reproducible bias chart.
Step 1: Choose Plaintext Difference
Step 1½: Target Differential
We attack the last round by guessing K₄, partially decrypting, and counting how many pairs hit the difference we expect just before the last S-box.
Click derive to sample the cipher and find the peak 3-round differential.
Step 2: Collect Ciphertext Pairs
0 pairs collected. Need ~500 for reliable recovery.
Step 3: Run Attack
Ready to analyze pairs.
Differential vs. Brute Force
The toy cipher is small enough that brute force is competitive. The win scales: on real ciphers a differential characteristic can save you tens of bits of search.
| Cipher | Brute force (key search) | Differential cost | Reference |
|---|---|---|---|
| Toy SPN (16-bit key, this demo) | 2¹⁶ ≈ 65 536 | — | K₄ alone is 8 bits |
| DES (56-bit) | 2⁵⁶ ≈ 7.2 × 10¹⁶ | 2⁴⁷ ≈ 1.4 × 10¹⁴ | Biham & Shamir 1991 |
| AES-128 | 2¹²⁸ | no usable characteristic | Daemen & Rijmen 2002 |
Operations performed by the most recent attack: 0
Differential Trace
Two plaintexts P₁ and P₂ flow through every sub-stage of the cipher. The colored bar on each row is the XOR difference at that point. Watch the difference not change on XOR-K rows, get scrambled by S-box rows, and relocate on permute rows.
Stage 0 of 11.
S-box Analysis
The S-box is the only non-linear component of the cipher. Its differential properties determine whether the cipher falls to a differential attack — swap it below to feel the difference.
Swapping resets the cipher, clears collected pairs, and recomputes the DDT.
S-box Substitution
Input (outer number) → Output (colored square)
Difference Distribution Table (DDT)
Rows: Input Difference • Columns: Output Difference • Counts out of 16 input pairs
S-box Strength Assessment
Historical Impact: Differential Cryptanalysis
Differential cryptanalysis was the cryptanalytic breakthrough of the late 20th century.
Eli Biham
Affiliation: Technion — Israel Institute of Technology
Co-inventor of differential cryptanalysis. Later designed Serpent cipher to resist his own technique.
Adi Shamir
Affiliation: Weizmann Institute of Science, Israel
Co-inventor of differential cryptanalysis. Legendary cryptographer and co-founder of RSA cryptosystem.
Timeline of Discovery
Original Paper:
Eli Biham and Adi Shamir. "Differential Cryptanalysis of DES-like Cryptosystems." Journal of Cryptology, vol. 4, no. 1, pp. 3–72, 1991.
Why Serpent Survived: Defense Against Differential Cryptanalysis
Eli Biham designed Serpent specifically to be immune to differential cryptanalysis and other attacks he had discovered.
Cipher Defense Comparison
| Property | DES (1977) | AES (2001) | Serpent (1998) |
|---|---|---|---|
| S-box Max DDT | 8 | 4 | 4 |
| Rounds | 16 | 10/12/14 | 32 |
| Differential Reach | 8 rounds | Beyond attack | Beyond attack |
| Design Philosophy | Proven secure (classified) | Resistant to known attacks | Hardened by attack inventor |
Portfolio Thread: A Cipher's Journey
This demo is part of a series exploring cipher design and cryptanalysis:
- biham-lens (you are here) — Attack-side: differential cryptanalysis
- iron-serpent — Defense-side: Serpent cipher designed to defeat differential attacks
- dead-sea-cipher — Historical failures: why ciphers break
- shamir-gate — The mind of Adi Shamir: RSA, differential cryptanalysis, secret sharing