Breaking Ciphers and Building Trust: A Journey Through Differential Cryptanalysis and CFB Mode
How a university assignment reveals the delicate balance between security and usability in modern cryptography
The Assignment That Made Me Rethink Everything
Last week, I completed an assignment that fundamentally changed how I think about encryption. The task? Implement a differential cryptanalysis attack on 1-round S-AES, then build a working 4-bit Cipher Feedback (CFB) mode system supporting three different ciphers.
On paper, it sounds academic. In practice, it's like learning locksmithing by picking your own locks—humbling, illuminating, and slightly terrifying.
Part 1: The Art of Breaking Things to Understand Them
What is Differential Cryptanalysis?
Imagine you have a black box that encrypts messages. You don't know the key, but you can choose any plaintext and see the corresponding ciphertext. Differential cryptanalysis asks a simple question: How do differences between two plaintexts affect differences between their ciphertexts?
The attack works like this:
1. Choose a fixed difference ΔP (say, 0x2000 in hex)
2. Generate random plaintext pairs: (P, P ⊕ ΔP)
3. Encrypt them under a hidden key
4. Guess the last round key by looking for patterns in how differences propagate
```javascript
// The core insight: XOR differences behave predictably through S-boxes
if ((w1 ^ w2) === inputDiff) {
  score[k1]++; // This K1 candidate might be the real key
}
```
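The scoring loop above, worked through end to end as an added example (not the author's implementation). It assumes a one-nibble model of 1-round S-AES, c = SBOX[p ^ k0] ^ k1, which is what a difference such as 0x2000 exercises in a single nibble; the function names and the sample keys are constructed for illustration.

```javascript
// Added example, not the author's code. One-nibble model of 1-round S-AES:
//   c = SBOX[p ^ k0] ^ k1   (MixColumns and the key schedule are left out)
const SBOX = [0x9, 0x4, 0xA, 0xB, 0xD, 0x1, 0x8, 0x5,
              0x6, 0x2, 0x0, 0x3, 0xC, 0xE, 0xF, 0x7]; // S-AES S-box
const INV_SBOX = new Array(16);
SBOX.forEach((y, x) => { INV_SBOX[y] = x; });

// Chosen-plaintext oracle; the keys stay hidden inside the closure.
function makeOracle(k0, k1) {
  return (p) => SBOX[(p ^ k0) & 0xF] ^ (k1 & 0xF);
}

// For every guess of k1, undo the last key addition and the S-box on both
// ciphertexts of a pair and count how often the plaintext difference reappears.
function scoreLastRoundKey(oracle, inputDiff) {
  const score = new Array(16).fill(0);
  for (let p = 0; p < 16; p++) {            // all 16 pairs (p, p ^ inputDiff)
    const c1 = oracle(p);
    const c2 = oracle(p ^ inputDiff);
    for (let k1 = 0; k1 < 16; k1++) {
      const w1 = INV_SBOX[c1 ^ k1];
      const w2 = INV_SBOX[c2 ^ k1];
      if ((w1 ^ w2) === inputDiff) score[k1]++;
    }
  }
  return score;
}

function recoverKeys(oracle, inputDiff) {
  const score = scoreLastRoundKey(oracle, inputDiff);
  // The right k1 passes every pair; with inputDiff = 0x2 no wrong guess does.
  const k1 = score.indexOf(Math.max(...score));
  // Once k1 is known, one known plaintext gives k0: p ^ k0 = INV_SBOX[c ^ k1].
  const k0 = INV_SBOX[oracle(0) ^ k1];
  return { k0, k1, score };
}

// Constructed sample keys for the demonstration.
const demo = recoverKeys(makeOracle(0xB, 0x6), 0x2);
console.log(demo.k0.toString(16), demo.k1.toString(16), demo.score.join(" "));
```

Wrong guesses still score on some pairs, which is why the attack counts over many pairs instead of trusting a single one.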
Why This Matters in the Real World
DES's Demise: Differential cryptanalysis was discovered in the late 1980s but kept secret by IBM and the NSA. When it became public in 1990, it spelled trouble for DES. The algorithm's 56-bit key suddenly looked much weaker. This directly led to the AES competition.
Modern Relevance: While AES resists differential attacks, many proprietary algorithms don't. Smart cards, IoT devices, and legacy systems often use custom ciphers that haven't been publicly vetted. Differential cryptanalysis is the first tool attackers reach for—and the first test any new cipher must pass.
The Lesson: Never roll your own crypto. The math is deeper than it looks.
Part 2: CFB Mode - When Stream Meets Block
What is CFB Mode?
Cipher Feedback mode turns a block cipher into a stream cipher. Instead of encrypting plaintext directly, you encrypt a shift register and XOR the result with plaintext:
```text
Encryption: Cᵢ = Pᵢ ⊕ E(Iᵢ) where Iᵢ₊₁ = Cᵢ
Decryption: Pᵢ = Cᵢ ⊕ E(Iᵢ) with the same Iᵢ₊₁ = Cᵢ
```
My implementation worked with 4-bit nibbles, supporting:
- Additive cipher: E(x) = (x + key) mod 16
- Affine cipher: E(x) = (a·x + b) mod 16 (requires odd a)
- S-DES: A full 8-bit block cipher truncated to 4 bits
Why CFB Matters in the Real World
Streaming Data: You can't encrypt a video stream or network packet with ECB mode—block boundaries don't align with message boundaries. CFB processes data byte-by-byte (or nibble-by-nibble), making it ideal for:
- Real-time communications (VoIP, video conferencing)
- Network protocols (TLS records use a form of feedback mode)
- Disk encryption (where sector alignment matters)
Error Recovery: Unlike CBC mode, CFB allows recovery from bit errors after one block. If a ciphertext byte gets corrupted, only that byte and the next one are affected—perfect for unreliable channels.
No Padding Required: Block ciphers need padding to fill the last block. CFB eliminates this entirely, saving bandwidth and avoiding padding oracle attacks.
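The CFB equations from Part 2 and the error-recovery behaviour described above, as an added example that is not the author's implementation. It covers the additive and affine ciphers only; the function names, key values, IV and message are constructed for illustration.

```javascript
// Added example: 4-bit CFB with C_i = P_i ^ E(I_i) and I_{i+1} = C_i.
const additive = (key) => (x) => (x + key) & 0xF;

function affine(a, b) {
  // Odd a keeps E a permutation of 0..15, as the page requires.
  if (a % 2 === 0) throw new Error("a must be odd");
  return (x) => (a * x + b) & 0xF;
}

function cfbEncrypt(E, iv, plain) {
  let reg = iv & 0xF;
  return plain.map((p) => {
    const c = (p ^ E(reg)) & 0xF;
    reg = c;                    // feedback: the ciphertext nibble just produced
    return c;
  });
}

function cfbDecrypt(E, iv, cipher) {
  let reg = iv & 0xF;
  return cipher.map((c) => {
    const p = (c ^ E(reg)) & 0xF;
    reg = c;                    // feedback: the received ciphertext nibble
    return p;                   // note that only E is used, never its inverse
  });
}

// Indices whose decryption changes when `err` is XORed into ciphertext nibble j.
function damagedNibbles(E, iv, plain, j, err) {
  const cipher = cfbEncrypt(E, iv, plain);
  cipher[j] ^= err;
  const out = cfbDecrypt(E, iv, cipher);
  return out.map((p, i) => (p !== plain[i] ? i : -1)).filter((i) => i >= 0);
}

// Split bytes into high and low nibbles, high nibble first.
const nibbles = (bytes) => bytes.flatMap((b) => [b >> 4, b & 0xF]);

// Constructed sample message, key and IV.
const message = nibbles([0x48, 0x69, 0x21, 0x0A]);
const E = affine(5, 3);
const sealed = cfbEncrypt(E, 0x9, message);
console.log(sealed, cfbDecrypt(E, 0x9, sealed), damagedNibbles(E, 0x9, message, 2, 0x4));
```

Because the corrupted nibble is XORed straight into its own plaintext position, a change to the ciphertext flips exactly the same bits of the plaintext there, so CFB on its own gives no integrity protection.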
The Big Picture: What This Assignment Reveals
Cryptography is a Two-Faced Discipline: The same mathematics that protects your bank account can break it. Differential cryptanalysis was developed by attackers, but it's now used by defenders to validate ciphers. Every secure system today was once probed by these same techniques.
Modes of Operation Are as Important as the Cipher: AES is unbreakable? Not if you use ECB mode (the infamous Penguin problem). The assignment forced me to understand that the mode determines how the cipher behaves—stream vs. block, error propagation, parallelizability, random access.
Real-World Constraints Drive Real-World Design: Why 4-bit CFB? Because real embedded systems have 4-bit microcontrollers. Why S-DES? Because it's teachable—full AES would obscure the concepts in complexity. The principles scale:
| Concept | Assignment Scale | Real World Scale |
|---|---|---|
| Block cipher | S-AES (16-bit) | AES-256 (128-bit) |
| Differential attack | 2^16 key space | 2^128 key space |
| CFB feedback | 4-bit nibbles | 128-bit blocks |
There's No Perfect Security, Only Practical Security: My differential attack recovered a 16-bit key in milliseconds. Scale that to 128-bit AES, and you'd need 2^112 times more computation—far beyond any plausible attack. But the breakthrough insight is the same.
What I Learned That Textbooks Don't Teach
The Propaganda vs. The Practice: Textbooks present cryptography as mathematical magic. The assignment showed me it's really about patterns. Differential cryptanalysis works because S-boxes aren't perfect—they have biases. Every cipher has them. The question is whether they're exploitable.
Small Scale, Big Lessons: Breaking 1-round S-AES is trivial. But the skill of thinking about differences rather than absolute values—that's what carries over to analyzing real protocols.
Implementation Matters: My CFB mode has a subtle bug if you look closely (the feedback register updates differently for high and low nibbles). In production, such a bug would be catastrophic. This is why we use audited libraries, not homegrown crypto.
The Takeaway
This assignment wasn't about S-AES or 4-bit CFB. It was about understanding the attack mindset—how an adversary thinks—and the engineering mindset—how to build systems that resist those attacks.
Differential cryptanalysis teaches you to see patterns where others see noise. CFB mode teaches you to adapt block ciphers to messy real-world data. Together, they reveal the beautiful tension at the heart of information security:
We break things so we can build things that cannot be broken.
And sometimes, we build things just to watch them break—because that's how we learn.
The complete implementation is available on Cypttoolkit and GitHub



