Cybersecuritycryptographyblock-cipherpresentlightweight

PRESENT Block Cipher Implementation

Implementation of PRESENT, an ultra-lightweight block cipher designed for resource-constrained devices like RFID tags and IoT sensors.

Date

2024

PRESENT: Ultra-Lightweight Block Cipher

Lab 4 implements PRESENT, one of the most efficient lightweight block ciphers designed specifically for extremely constrained environments such as RFID tags, smart cards, and IoT devices. This project explores the elegant Substitution-Permutation Network (SPN) architecture that balances security and minimal hardware footprint, making PRESENT an ISO/IEC standard for lightweight cryptography.

What is PRESENT?

PRESENT is a symmetric block cipher introduced in 2007 by Andrey Bogdanov, Lars R. Knudsen, and others at the CHES (Cryptographic Hardware and Embedded Systems) conference. It was specifically designed to address the growing need for secure encryption in resource-constrained devices where traditional ciphers like AES would be too expensive in terms of power consumption, chip area, and processing requirements.

The cipher operates on 64-bit blocks and supports key sizes of 80 bits or 128 bits. PRESENT uses a simple yet effective Substitution-Permutation Network structure consisting of 31 rounds, where each round applies three operations: XOR with a round key, substitution through an S-box, and permutation through a P-layer. This design philosophy prioritizes hardware efficiency while maintaining strong security properties against known cryptanalytic attacks.

Block size: 64 bits (8 bytes)
Key sizes: 80 bits or 128 bits
Number of rounds: 31
Structure: Substitution-Permutation Network (SPN)
S-box: 4-bit to 4-bit substitution (16 S-boxes applied in parallel)
P-layer: Bit permutation for diffusion
Hardware-optimized: Requires only 1000-1500 gate equivalents
ISO/IEC 29192-2:2019 standard for lightweight cryptography

Why Lightweight Cryptography?

As the Internet of Things expands, billions of resource-constrained devices need cryptographic protection. Traditional ciphers like AES-128, while secure and efficient on standard computers, require significant resources when implemented in hardware. PRESENT achieves comparable security levels while using approximately 70% less hardware area than AES. This makes it ideal for applications like contactless payment cards, medical implants, sensor networks, and RFID tags where power consumption, physical size, and manufacturing cost are critical constraints.

Technologies Used

PythonBlock CiphersBitwise OperationsSPN NetworksECB ModeCryptanalysisFrequency Analysis

Key Features

Complete PRESENT cipher encryption implementation

PRESENT cipher decryption functionality

Support for both 80-bit and 128-bit keys

S-box substitution layer (16 parallel 4-bit S-boxes)

P-layer permutation for bit diffusion

Round key generation algorithm

Showing 6 of 13 features

Implementation Details

The S-Box: Substitution Layer

The S-box (Substitution Box) is the only non-linear component in PRESENT and provides confusion in the cipher. PRESENT uses a single 4-bit S-box applied 16 times in parallel to the 64-bit state. This means the 64-bit block is divided into 16 nibbles (4-bit chunks), and each nibble is independently substituted using the same S-box lookup table.

The PRESENT S-box was carefully designed with optimal cryptographic properties:

Non-linearity: The S-box is highly non-linear to resist linear cryptanalysis
Differential uniformity: Minimizes probability of differential attacks
Algebraic complexity: High algebraic degree prevents algebraic attacks
Hardware efficiency: Can be implemented with minimal logic gates
Balanced output: Each output bit appears equally often for all inputs

The S-box mapping is defined as a lookup table where input nibble x (0-15) maps to output S[x]. For example, input 0x0 maps to 0xC, input 0x1 maps to 0x5, and so on. This substitution breaks the mathematical relationship between plaintext and ciphertext, making the cipher resistant to linear attacks.

In each round, after XORing the state with the round key, all 16 nibbles undergo S-box substitution simultaneously. This parallel application makes hardware implementation extremely efficient while providing strong confusion properties across the entire 64-bit block.

present_sbox.py

# PRESENT S-box definition
# Maps 4-bit input (0x0 to 0xF) to 4-bit output
sbox = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Inverse S-box for decryption
# If sbox[i] = j, then sbox_inv[j] = i
sbox_inv = [0x5, 0xE, 0xF, 0x8, 0xC, 0x1, 0x2, 0xD,
            0xB, 0x4, 0x6, 0x3, 0x0, 0x7, 0x9, 0xA]

def apply_sbox(state):
    """
    Apply S-box substitution to 64-bit state.

    The 64-bit state is divided into 16 nibbles (4-bit chunks).
    Each nibble is substituted using the S-box lookup table.

    Args:
        state: 64-bit integer representing the cipher state

    Returns:
        64-bit integer after S-box substitution
    """
    output = 0

    # Process each of the 16 nibbles
    for i in range(16):
        # Extract the i-th nibble (4 bits) from the state
        # Nibble 0 is the rightmost (least significant) 4 bits
        nibble = (state >> (i * 4)) & 0xF

        # Substitute using S-box
        substituted_nibble = sbox[nibble]

        # Place the substituted nibble back into the output
        # at the same position
        output |= (substituted_nibble << (i * 4))

    return output

def apply_sbox_inv(state):
    """
    Apply inverse S-box for decryption.

    Uses the inverse S-box to reverse the substitution.
    This is needed for decryption to undo the encryption.

    Args:
        state: 64-bit integer representing the cipher state

    Returns:
        64-bit integer after inverse S-box substitution
    """
    output = 0

    for i in range(16):
        nibble = (state >> (i * 4)) & 0xF
        substituted_nibble = sbox_inv[nibble]
        output |= (substituted_nibble << (i * 4))

    return output

# Example: Apply S-box to a single nibble
input_nibble = 0xA  # Input: 10 (decimal)
output_nibble = sbox[input_nibble]
print(f"S-box[0x{input_nibble:X}] = 0x{output_nibble:X}")  # Output: 0xD (13)

# Example: Apply S-box to full 64-bit state
state = 0x0123456789ABCDEF
encrypted_state = apply_sbox(state)
print(f"Original: 0x{state:016X}")
print(f"After S-box: 0x{encrypted_state:016X}")

# Verify inverse
decrypted_state = apply_sbox_inv(encrypted_state)
print(f"After inverse S-box: 0x{decrypted_state:016X}")
print(f"Matches original: {state == decrypted_state}")

Code Explanation

The S-box is implemented as a simple lookup table. The apply_sbox function processes the 64-bit state by extracting each 4-bit nibble, substituting it through the S-box, and reconstructing the output. The inverse S-box reverses this operation for decryption. This design achieves maximum hardware efficiency while providing strong non-linearity.

The P-Layer: Permutation for Diffusion

The P-layer (Permutation Layer) provides diffusion in PRESENT by rearranging the bit positions of the 64-bit state. While the S-box provides confusion by substituting values, the P-layer ensures that changes propagate throughout the entire block quickly. This is essential for the avalanche effect: a single bit change in the input should affect approximately half the output bits after a few rounds.

PRESENT uses a bit permutation where bit i moves to position P(i). The permutation is carefully designed such that the output bits of one S-box in one round are distributed across different S-boxes in the next round. This optimal diffusion ensures that after just a few rounds, each output bit depends on every input bit.

The permutation formula is P(i) = (i mod 16) × 4 + floor(i / 16), where i ranges from 0 to 63. This mathematical formula ensures:

Optimal diffusion: Output bits from each S-box spread to different S-boxes
Hardware efficiency: Can be implemented as simple wire crossings
Invertibility: The permutation can be easily reversed for decryption
No fixed points: No bit remains in the same position (except by mathematical coincidence)
Full avalanche: After 2-3 rounds, changing one bit affects the entire state

In hardware, the P-layer costs almost nothing—it's just wires connecting different positions. In software, it requires bit extraction and reconstruction, but the simple mathematical formula makes it very efficient. The P-layer is applied after the S-box in each of the 31 rounds (except the final round, where it's omitted).

present_player.py

def generate_permutation_table():
    """
    Generate PRESENT P-layer permutation table.

    The permutation moves bit i to position P(i) where:
    P(i) = (i mod 16) * 4 + floor(i / 16)

    Returns:
        List of 64 integers representing bit permutation
    """
    p_table = []
    for i in range(64):
        p_i = ((i % 16) * 4) + (i // 16)
        p_table.append(p_i)
    return p_table

# Generate permutation and inverse permutation tables
p_layer = generate_permutation_table()
p_layer_inv = [0] * 64

# Create inverse permutation: if p_layer[i] = j, then p_layer_inv[j] = i
for i in range(64):
    p_layer_inv[p_layer[i]] = i

def apply_permutation(state):
    """
    Apply P-layer permutation to 64-bit state.

    Rearranges bits according to the permutation table to achieve
    optimal diffusion across S-boxes in subsequent rounds.

    Args:
        state: 64-bit integer representing the cipher state

    Returns:
        64-bit integer after bit permutation
    """
    output = 0

    # For each bit position in the output
    for i in range(64):
        # Get the bit from the original position specified by p_layer[i]
        # and place it at position i in the output
        bit = (state >> p_layer[i]) & 1
        output |= (bit << i)

    return output

def apply_permutation_inv(state):
    """
    Apply inverse P-layer permutation for decryption.

    Reverses the bit permutation to undo the P-layer operation.

    Args:
        state: 64-bit integer representing the cipher state

    Returns:
        64-bit integer after inverse permutation
    """
    output = 0

    for i in range(64):
        bit = (state >> p_layer_inv[i]) & 1
        output |= (bit << i)

    return output

# Example: Demonstrate P-layer diffusion
# Set only bit 0
state = 0x0000000000000001  # Only bit 0 is set

print("Demonstrating P-layer diffusion:")
print(f"Original state:     {state:064b}")

# Apply permutation
permuted = apply_permutation(state)
print(f"After P-layer:      {permuted:064b}")
print(f"Bit 0 moved to position: {p_layer[0]}")

# Show how output bits from one S-box spread
state_after_sbox = 0x000000000000000F  # One S-box output (4 bits set)
permuted_spread = apply_permutation(state_after_sbox)
print(f"\nS-box output:       {state_after_sbox:064b}")
print(f"After P-layer:      {permuted_spread:064b}")
print("Notice how the 4 consecutive bits spread across different S-box positions")

# Verify inverse
recovered = apply_permutation_inv(permuted)
print(f"\nAfter inverse P-layer: {recovered:064b}")
print(f"Matches original: {state == recovered}")

Code Explanation

The P-layer implementation uses pre-computed permutation tables for efficiency. The apply_permutation function extracts each bit from its original position and places it in the new position according to the permutation table. The bit extraction uses bitwise AND with 1, and bit placement uses bitwise OR with left shift. The inverse permutation reverses this operation for decryption.

ECB Mode Implementation

Electronic Codebook (ECB) is the simplest block cipher mode of operation. It divides the plaintext into fixed-size blocks and encrypts each block independently using the same key. For PRESENT with its 64-bit block size, this means processing data in 8-byte chunks.

In ECB mode, each 64-bit plaintext block is encrypted to produce a 64-bit ciphertext block using the PRESENT cipher with the provided key. The same plaintext block always encrypts to the same ciphertext block (with the same key), which is both a feature and a weakness of ECB mode.

Advantages and Limitations of ECB Mode:

Simplicity: Easy to implement and understand
Parallelizable: Blocks can be encrypted/decrypted independently
No error propagation: Corruption in one block doesn't affect others
Random access: Any block can be decrypted without decrypting others
Pattern leakage: Identical plaintext blocks produce identical ciphertext
Not semantically secure: Same plaintext always produces same ciphertext
Vulnerable to block manipulation: Blocks can be reordered or replaced

The ECB wrapper handles file I/O, converts data to 64-bit blocks, applies PRESENT encryption or decryption to each block, and writes the output. Padding is applied to the last block if necessary to ensure all blocks are exactly 64 bits.

ecb.py

#!/usr/bin/env python3
# ECB wrapper for PRESENT block cipher

from present import *
import argparse

nokeybits = 80
blocksize = 64

def ecb(infile, outfile, key, mode):
    """
    Electronic Codebook (ECB) mode implementation.
    Processes files in 64-bit blocks using the PRESENT cipher.

    Args:
        infile: Path to input file
        outfile: Path to output file
        key: Path to key file containing hex-encoded key
        mode: 'e' for encryption, 'd' for decryption
    """
    # Read the key from file
    with open(key, 'r') as key_file:
        key_hex = key_file.read().strip()
        # Convert hex string to integer
        # Key must be 80 bits (20 hex digits) or 128 bits (32 hex digits)
        key_int = int(key_hex, 16)

    # Read input file in binary mode
    with open(infile, 'rb') as f:
        data = f.read()

    # Convert data to list of 64-bit blocks
    blocks = []
    for i in range(0, len(data), 8):
        # Read 8 bytes (64 bits) at a time
        block_data = data[i:i+8]

        # Pad the last block if necessary with null bytes
        # This ensures all blocks are exactly 64 bits
        if len(block_data) < 8:
            block_data = block_data + b'\x00' * (8 - len(block_data))

        # Convert bytes to 64-bit integer (big-endian)
        # Big-endian: most significant byte first
        block_int = int.from_bytes(block_data, byteorder='big')
        blocks.append(block_int)

    # Process blocks based on mode
    processed_blocks = []
    if mode == 'e':  # Encryption
        for block in blocks:
            # Encrypt each block independently
            encrypted_block = present(block, key_int)
            processed_blocks.append(encrypted_block)
    elif mode == 'd':  # Decryption
        for block in blocks:
            # Decrypt each block independently
            decrypted_block = present_inv(block, key_int)
            processed_blocks.append(decrypted_block)
    else:
        raise ValueError("Mode must be 'e' for encryption or 'd' for decryption")

    # Convert processed blocks back to bytes
    output_data = b''
    for block in processed_blocks:
        # Convert 64-bit integer back to 8 bytes (big-endian)
        block_bytes = block.to_bytes(8, byteorder='big')
        output_data += block_bytes

    # Write output file in binary mode
    with open(outfile, 'wb') as f:
        f.write(output_data)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description='Block cipher using ECB mode with PRESENT.'
    )
    parser.add_argument('-i', dest='infile', help='input file')
    parser.add_argument('-o', dest='outfile', help='output file')
    parser.add_argument('-k', dest='keyfile', help='key file')
    parser.add_argument('-m', dest='mode', help='mode (e/d)')

    args = parser.parse_args()
    infile = args.infile
    outfile = args.outfile
    keyfile = args.keyfile
    mode = args.mode

    # Call the ECB function
    ecb(infile, outfile, keyfile, mode)

Code Explanation

The ECB implementation reads the key from a hex file and converts it to an integer. The input file is read as binary data and divided into 64-bit (8-byte) blocks. Each block is converted to an integer using big-endian byte order. For encryption mode, each block is independently encrypted using present(block, key). For decryption, present_inv(block, key) is used. The last block is zero-padded if needed. After processing, all blocks are converted back to bytes and written to the output file. This demonstrates the core principle of ECB: independent, deterministic block-by-block encryption.

Breaking ECB: Pattern Extraction Attack

ECB mode has a critical security weakness: identical plaintext blocks always encrypt to identical ciphertext blocks. This property leaks structural information about the plaintext, even without knowing the encryption key. This vulnerability is most dramatically demonstrated with image encryption, where the visual structure of the image remains visible in the ciphertext - famously illustrated by the "ECB penguin" where an encrypted penguin image still shows the penguin's outline.

Why ECB Leaks Patterns:

Deterministic mapping: Same plaintext block → same ciphertext block
No chaining: Each block is encrypted independently
Pattern preservation: Repeating patterns in plaintext create repeating patterns in ciphertext
Frequency analysis: Block frequency in ciphertext matches plaintext frequency
No diffusion across blocks: Changes in one block don't affect others
Structure visibility: High-level structure and boundaries remain visible

The Attack Strategy:

When a bitmap image (PBM format) is encrypted with ECB mode, we can extract the image structure without decrypting the actual data or knowing the key. The attack works by recognizing that in a binary (black and white) image, there are only two possible plaintext block types: blocks of white pixels (often represented as 0) and blocks of black pixels (often represented as 1). By analyzing the frequency of ciphertext blocks, we can deduce which ciphertext block corresponds to which plaintext value.

For example, in an image with a white background, the "all white" plaintext block will appear very frequently. In the ciphertext, whichever ciphertext block appears most frequently likely corresponds to the white background. By mapping the most common ciphertext block to 0 and other blocks to 1, we can reconstruct the image structure and reveal the visual content without ever decrypting the data.

extract.py

#!/usr/bin/env python3
# ECB plaintext extraction demonstrating ECB mode weakness

import argparse
from collections import defaultdict

def parse_pbm_header(headerfile):
    """
    Step 1: Parse the header of the PBM file.

    PBM (Portable Bitmap) format structure:
    - Line 1: Magic number (P1 for ASCII, P4 for binary)
    - Line 2: Comment (optional, starts with #)
    - Line 3: Width and height (space-separated integers)
    - Line 4+: Image data (binary digits 0 and 1)

    Returns:
        tuple: (magic_number, width, height)
    """
    with open(headerfile, 'r') as f:
        lines = f.readlines()

    # Parse header lines
    magic_number = lines[0].strip()  # P1
    width, height = map(int, lines[2].strip().split())  # 640 480

    print(f"Parsed header: {magic_number}, {width}x{height}")
    return magic_number, width, height

def decrypt_structure_by_patterns(infile, width, height):
    """
    Step 2: Decrypt structure by analyzing repeating patterns in the encrypted file.

    This is the core of the ECB attack. We exploit the fact that:
    - Identical plaintext blocks → identical ciphertext blocks
    - Image likely has large uniform areas (background)
    - Most common ciphertext block = most common plaintext block

    Args:
        infile: Path to encrypted file
        width: Image width in pixels
        height: Image height in pixels

    Returns:
        tuple: (image_blocks, block_to_bit mapping)
    """
    # Read encrypted data
    with open(infile, 'rb') as f:
        encrypted_data = f.read()

    # Convert encrypted data to 64-bit blocks
    # Each PRESENT block is 64 bits = 8 bytes
    blocks = []
    for i in range(0, len(encrypted_data), 8):
        block_data = encrypted_data[i:i+8]
        # Pad the last block if necessary
        if len(block_data) < 8:
            block_data = block_data + b'\x00' * (8 - len(block_data))
        # Convert to 64-bit integer (big-endian)
        block_int = int.from_bytes(block_data, byteorder='big')
        blocks.append(block_int)

    # Calculate expected number of blocks for the image data
    # Each block encrypts 64 bits of plaintext
    # Image has width * height pixels = width * height bits
    # Therefore: expected_blocks = (width * height) / 64
    expected_blocks = (width * height) // 64

    # Take only the blocks that correspond to the image data
    # (Ignore any padding or metadata blocks)
    image_blocks = blocks[:expected_blocks]

    print(f"Total blocks in encrypted file: {len(blocks)}")
    print(f"Image data blocks: {len(image_blocks)}")

    # FREQUENCY ANALYSIS ATTACK
    # Analyze ECB patterns: identical ciphertext blocks indicate identical plaintext
    # Create a mapping of ciphertext blocks to their positions
    block_positions = defaultdict(list)
    for i, block in enumerate(image_blocks):
        block_positions[block].append(i)

    # Sort blocks by frequency (most common first)
    sorted_blocks = sorted(
        block_positions.items(),
        key=lambda x: len(x[1]),
        reverse=True
    )

    print(f"Number of unique ciphertext blocks: {len(block_positions)}")
    for i, (block, positions) in enumerate(sorted_blocks[:5]):  # Show top 5
        print(f"  Block {i+1}: 0x{block:016X} appears {len(positions)} times")

    # Map ciphertext blocks to binary values based on frequency
    # ASSUMPTION: Most common block represents background (0)
    # Less common blocks represent foreground/content (1)
    block_to_bit = {}
    for i, (block, positions) in enumerate(sorted_blocks):
        # Assign 0 to the most common block (likely background)
        # Assign 1 to all other blocks (likely foreground)
        block_to_bit[block] = 0 if i == 0 else 1

    print(f"Mapped most common block (appears {len(sorted_blocks[0][1])} times) to bit: 0")
    print(f"Mapped {len(sorted_blocks)-1} other blocks to bit: 1")

    return image_blocks, block_to_bit

def reconstruct_binary_matrix(image_blocks, block_to_bit, width, height):
    """
    Step 3: Reconstruct the image as a binary matrix based on block repetition.

    Each ciphertext block has been mapped to a bit (0 or 1).
    Since each block encrypts 64 bits of plaintext, we need to
    expand each block back to 64 bits using our mapping.

    However, for simplicity in pattern extraction, we treat each
    block as representing a single pattern unit rather than 64 individual bits.

    Args:
        image_blocks: List of ciphertext blocks
        block_to_bit: Mapping from ciphertext block to binary value
        width: Image width in pixels
        height: Image height in pixels

    Returns:
        str: Binary string representing the reconstructed image
    """
    # Convert blocks back to binary string
    # For pattern extraction, we map each block to a single bit pattern
    # that represents whether it's background (0) or foreground (1)
    binary_string = ""

    # Each block represents 64 bits of the image
    for block in image_blocks:
        bit_value = block_to_bit[block]
        # Expand this to 64 bits (since each block encrypts 64 bits)
        binary_string += str(bit_value) * 64

    # Ensure we have exactly width * height bits
    image_bits = binary_string[:width * height]

    print(f"Reconstructed binary matrix: {len(image_bits)} bits")
    print(f"Expected bits: {width * height}")

    return image_bits

def output_pbm_file(outfile, magic_number, width, height, image_bits):
    """
    Step 4: Output the result into a .pbm file.

    PBM format output:
    - Header with magic number, dimensions
    - Binary image data (0s and 1s)

    Args:
        outfile: Output file path
        magic_number: PBM magic number (P1 or P4)
        width: Image width in pixels
        height: Image height in pixels
        image_bits: Binary string of image data
    """
    with open(outfile, 'w') as f:
        # Write header
        f.write(f"{magic_number}\n")
        f.write(f"#img\n")
        f.write(f"{width} {height}\n")

        # Write image data (binary string of 0s and 1s)
        f.write(image_bits)

    print(f"Successfully output PBM file to: {outfile}")

def extract(infile, outfile, headerfile):
    """
    Main extraction function demonstrating ECB mode vulnerability.

    This attack works because:
    1. ECB encrypts each block independently
    2. Same plaintext block → same ciphertext block
    3. Frequency analysis reveals which ciphertext corresponds to which plaintext
    4. We can reconstruct the image structure without the key!

    The 4-step process:
    1. Parse PBM header to get image dimensions
    2. Analyze ciphertext block frequencies
    3. Map most common blocks to background, others to foreground
    4. Reconstruct and output the image structure
    """
    print("=== Step 1: Parse PBM Header ===")
    magic_number, width, height = parse_pbm_header(headerfile)

    print("\n=== Step 2: Decrypt Structure by Analyzing Patterns ===")
    print("Performing frequency analysis on ciphertext blocks...")
    image_blocks, block_to_bit = decrypt_structure_by_patterns(infile, width, height)

    print("\n=== Step 3: Reconstruct Binary Matrix ===")
    image_bits = reconstruct_binary_matrix(image_blocks, block_to_bit, width, height)

    print("\n=== Step 4: Output PBM File ===")
    output_pbm_file(outfile, magic_number, width, height, image_bits)

    print(f"\nExtraction complete!")
    print(f"Image dimensions: {width}x{height}")
    print(f"Total bits written: {len(image_bits)}")
    print(f"\nThe image structure has been recovered WITHOUT knowing the key!")
    print(f"This demonstrates why ECB mode should NEVER be used for structured data.")

    return True

if __name__=="__main__":
    parser = argparse.ArgumentParser(
        description='Extract PBM image pattern from ECB-encrypted file.'
    )
    parser.add_argument('-i', dest='infile', help='input file, PBM encrypted format')
    parser.add_argument('-o', dest='outfile', help='output PBM file')
    parser.add_argument('-hh', dest='headerfile', help='known header file')

    args = parser.parse_args()
    infile = args.infile
    outfile = args.outfile
    headerfile = args.headerfile

    print('Reading encrypted file from: %s' % infile)
    print('Reading header file from: %s' % headerfile)
    print('Writing extracted image to: %s' % outfile)
    print()

    success = extract(infile, outfile, headerfile)

Code Explanation

The extraction attack exploits ECB's deterministic nature through a 4-step process: (1) Parse the PBM header to get image dimensions, (2) Read the encrypted file and divide it into 64-bit blocks, then perform frequency analysis using a defaultdict to count how many times each unique ciphertext block appears, (3) Map the most frequent ciphertext block to 0 (background) and all others to 1 (foreground) - this works because images typically have large uniform areas, (4) Reconstruct the binary image by replacing each ciphertext block with its mapped bit value and output as a PBM file. The attack succeeds without knowing the encryption key because ECB preserves patterns: identical plaintext blocks always produce identical ciphertext blocks. This demonstrates why ECB mode is fundamentally insecure for any data with patterns or structure, such as images, documents, or databases. Modern cipher modes like CBC, CTR, or GCM solve this by chaining blocks together or using initialization vectors, ensuring identical plaintext blocks encrypt to different ciphertext blocks.

Challenges

Correctly implementing bitwise permutations, ensuring proper key scheduling, handling 64-bit block operations efficiently, debugging subtle bit-manipulation errors, understanding the tradeoffs of ECB mode, exploiting ECB pattern leakage through frequency analysis.

Outcome & Impact

Successfully implemented PRESENT cipher with correct S-box and P-layer operations, achieved encryption/decryption matching test vectors, implemented ECB mode wrapper for file encryption, demonstrated ECB vulnerability by extracting image patterns without the key.

How I Grew

Mastered Substitution-Permutation Network (SPN) architecture

Learned principles of lightweight cryptography design

Developed expertise in bitwise operations and manipulation

Understood S-box substitution for confusion

Learned P-layer permutation for optimal diffusion

Gained insights into block cipher modes of operation

Understood ECB mode advantages and critical security limitations

Learned frequency analysis attacks on block ciphers

Demonstrated why ECB mode leaks structural information

Gained practical experience in cryptanalysis and cipher mode vulnerabilities

Learned to balance security and performance in resource-constrained contexts

All Projects Learn More About Me