{"id":50487034,"url":"https://github.com/systemslibrarian/crypto-lab-biham-lens","last_synced_at":"2026-06-01T23:03:35.181Z","repository":{"id":349886859,"uuid":"1203188203","full_name":"systemslibrarian/crypto-lab-biham-lens","owner":"systemslibrarian","description":"Browser-based demo of differential cryptanalysis — the attack co-invented by Eli Biham and Adi Shamir (Israel, 1990) that broke DES. Live attack on a toy SPN cipher, DDT visualization, and the story of how Biham used his own attack to design Serpent.","archived":false,"fork":false,"pushed_at":"2026-04-08T00:58:44.000Z","size":110,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-08T02:26:05.392Z","etag":null,"topics":["adi-shamir","block-cipher","browser-demo","cryptanalysis","crypto-compare","cryptography","des","difference-distribution-table","differential-cryptanalysis","eli-biham","s-box","serpent","spn-cipher","typescript","vite"],"latest_commit_sha":null,"homepage":"https://systemslibrarian.github.io/crypto-lab-biham-lens/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/systemslibrarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-06T20:06:11.000Z","updated_at":"2026-04-08T00:58:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/systemslibrarian/crypto-lab-biham-lens","commit_stats":null,"previous_names":["systemslibrar
ian/crypto-lab-biham-lens"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/systemslibrarian/crypto-lab-biham-lens","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-biham-lens","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-biham-lens/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-biham-lens/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-biham-lens/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/systemslibrarian","download_url":"https://codeload.github.com/systemslibrarian/crypto-lab-biham-lens/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-biham-lens/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33797128,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adi-shamir","block-cipher","browser-demo","cryptanalysis","crypto-compare","cryptography","des","difference-distribution-table","differential-cryptanalysis","eli-biham","s-box","serpent","spn-ciphe
r","typescript","vite"],"created_at":"2026-06-01T23:03:31.142Z","updated_at":"2026-06-01T23:03:35.172Z","avatar_url":"https://github.com/systemslibrarian.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# crypto-lab-biham-lens\n\n**Differential Cryptanalysis in the Browser** — An interactive demonstration of the breakthrough cryptanalytic technique that fundamentally changed our understanding of cipher security.\n\n**[▶ Live Demo](https://systemslibrarian.github.io/crypto-lab-biham-lens/)**\n\n---\n\n## What It Is\n\n**Differential cryptanalysis** is a chosen-plaintext attack on block ciphers that exploits statistical biases in how plaintext differences propagate through encryption to recover key material. Co-invented by Eli Biham and Adi Shamir in 1990, it fundamentally transformed cryptography by proving that large key sizes and block sizes alone do not guarantee security — the underlying mathematical structure must be carefully designed. This demo implements the attack on a simplified 4-round SPN (Substitution-Permutation Network) cipher, demonstrating how observed differences between ciphertext pairs can betray the last round's subkey through biased differential characteristics.\n\n## When to Use It\n\nDifferential cryptanalysis is relevant as a cryptanalytic tool in these scenarios:\n\n- **Red-team cipher evaluation**: When assessing the strength of a new block cipher design, differential cryptanalysis is one of the first attacks to attempt; success indicates weak S-box selection or insufficient rounds. 
DES fell to this attack on 8 rounds out of 16.\n- **Historical cipher analysis**: When reverse-engineering or analyzing older ciphers (pre-1990 designs) lacking differential resistance, this attack can break much of the cipher's strength faster than brute force.\n- **Threshold security analysis**: When you have known or chosen encryption oracle access, differential attacks require far fewer queries than exhaustive key search—roughly 500–1000 ciphertext pairs for a toy cipher, versus 2^128 queries for brute force.\n- **Academic cryptanalysis**: For understanding how modern cipher designs (AES, Serpent, ChaCha) harden against this and related attacks through strong S-boxes and high round counts.\n- **When NOT to use it**: Differential cryptanalysis does not apply to ciphers with provably strong S-box differential properties, ciphers with 30+ rounds of diffusion, or scenarios without chosen-plaintext access; in those cases, exhaustive key search or other attacks are more practical.\n\n## Live Demo\n\nThe interactive browser demo at the link above lets you collect ciphertext pairs from a toy 4-round SPN cipher and run a real last-round key recovery attack. You choose plaintext differences, collect ~500 ciphertext pairs corresponding to those differences, and the demo analyzes the statistical bias in the resulting pairs to recover the last round's 8-bit subkey. The demo includes visualizations of how differences propagate through S-box substitution and bit permutation, interactive exploration of the Difference Distribution Table (DDT), and a historical timeline of the attack's discovery and impact.\n\n## What Can Go Wrong\n\nReal failure modes and pitfalls in differential cryptanalysis and its defense:\n\n- **Weak S-box selection**: DES's S-boxes were hardened against differential attacks in secret by the NSA in the 1970s; many S-box designs without this care exhibit high-probability differentials, allowing attacks with fewer than 500 pairs. 
The max DDT entry of DES is 8, while poorly designed S-boxes can have DDT entries of 12 or more.\n- **Insufficient rounds**: Each round of proper diffusion increases the minimum number of pairs required exponentially; DES with only 8 rounds is breakable by differential attacks in hours, while full 16-round DES requires impractically many pairs. Serpent uses 32 rounds specifically to guarantee immunity.\n- **Biased round key schedule**: If the round subkeys are derived deterministically from a master key with low entropy or poor diffusion, recovering one subkey may leak information about others, amplifying the attack. The attack assumes subkeys are independent for each round.\n- **Implementation padding and oracle feedback**: If the target cipher implementation returns detailed error information (e.g., \"decryption failed at S-box stage 2\"), an attacker can narrow the search before the cryptanalysis step, reducing pairs needed further. Constant-time implementations resist such leakage.\n- **Statistical correlation in pair collection**: If the ciphertext pairs are not collected uniformly at random (e.g., due to a biased pseudorandom number generator), the observed differential bias may be distorted, leading to incorrect key recovery or spurious high-ranking candidates.\n\n## Real-World Usage\n\nSystems and standards that must resist differential cryptanalysis or use concepts derived from it:\n\n- **DES (1977)**: The NSA hardened DES's S-boxes in secret to resist differential attacks; this was confirmed only in 1993 by Don Coppersmith, decades after Biham and Shamir's public discovery. 
Modern software implementations are still used for legacy compatibility, making them targets for differential attacks on reduced-round variants.\n- **SERPENT cipher (1998)**: Co-designed by Eli Biham himself, Serpent uses 32 rounds (extreme redundancy) and carefully selected S-boxes to be provably immune to differential cryptanalysis even if the attacker has access to all round subkeys. It lost the AES competition to Rijndael but remains a reference design for differential-resistant ciphers.\n- **Advanced Encryption Standard (AES / Rijndael, 2001)**: The winning AES design includes a strong S-box with minimal DDT entries (max 4) and multiple diffusion layers (MixColumns) per round to guarantee that differential characteristics cannot reach the final round with practical probability over 10 rounds of encryption.\n- **SPECK and SIMON (NSA, 2013)**: These lightweight block ciphers for IoT devices are analyzed extensively for differential properties; the NSA's published security arguments include differential cryptanalysis proofs, confirming that round counts and S-box properties provide resistance.\n- **NIST Post-Quantum Cryptography Standards (2022–present)**: While primarily focused on lattice and code-based systems, standardization bodies explicitly evaluate lattice-based and permutation-based candidates for resistance to known attacks including differential-like statistical analysis, extending the lessons of differential cryptanalysis to the post-quantum era.\n\n---\n\n*\"So whether you eat or drink or whatever you do, do it all for the glory of God.\" — 1 Corinthians 10:31*","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-biham-lens","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-biham-lens","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-biham-lens/lists"}