There was a 4-round [SPN][1] implemented in python with 64-bit key and block sizes. We were given 65536 pairs of random plaintexts and corresponding ciphertexts encrypted with a single key. The task was to find the key.
The P-box used in the cipher was a pretty standard transposition, the weak part was the S-box. Our attack followed the great [tutorial][2] on Linear Cryptanalysis. It was possible to find probabilistically biased linear expressions on the input and output bits of the S-box. We used the following script for this part: