Statistical analysis of the key scheduling of the new lightweight block cipher

ABSTRACT


INTRODUCTION
Any cipher is a certain transformation of the plaintext, which depends on the key.Modern block ciphers include a key schedule algorithm to obtain an array of round keys from a secret key and an encryption algorithm.The security of a cipher depends on both algorithms and is judged by the quality and length of the encryption key.According to National Institute of Standards and Technology (NIST) requirements [1], [2], the minimum length of the encryption key should be 112 bits.In block algorithms, the degree of security of encrypted data directly depends on the transformations used and the algorithm for generating round keys (GRK) [3].If the GRK provides a complex dependence of the round keys on the secret key, then many cryptanalysis methods will be inefficient.
Round keys are directly added to the original encryption data to hide the dependency between input and output in a particular round.Therefore, the statistical properties of the key schedule scheme are important for obtaining random ciphertexts in each round [4], [5].When developing an encryption algorithm, it is impossible to test all combinations of master keys.However, there is a strong possibility that deliberate exploration or accidental discovery may reveal some of the secret keys, leading to an unexpected weakening of a cipher [6].Such secret keys are considered weak keys.Thus, the security of a GRK algorithm is just as important as the encryption to eliminate weak keys.Therefore, when developing an encryption algorithm, it is required that round keys are created using a special round key generation algorithm and depend on the values of most bits of the original encryption key [7], [8].
Compared to the requirements for the strength of an encryption algorithm, less attention has been paid in the literature to the requirements for the reliability of a GRK algorithm.Knudsen and Mathiassen [9] indicate that the GRK is secure if all round keys are equally protected.According to Poojari and Nagesh [7], several attacks can use a linear relationship between round key bits.According to the authors, a GRK should have the property of an avalanche effect and all bits of the input keys should have the same effect on the output round keys.Due to this, one can achieve the maximum avalanche effect in round keys.Kelsey et al. [10] show that by excluding linearity in the GRK and providing an avalanche and a strict avalanche effect in round keys, it is possible to prevent attacks on related keys and differential attacks.
May et al. [11] proposes three desirable properties for a GRK, namely a one-way anti-collision function, independence between round and secret keys, and efficient implementation.In [12], an estimate of the independence between the round keys generated by the GRK is presented.The authors have shown that the independence between round keys ensures the resistance of the GRK to a key-dependent attack.
The reliability of the GRK algorithm depends on the functions used to generate round keys.Numerous GRK algorithms are proposed in scientific papers, which use various methods to generate round keys.For example, the block cipher international data encryption algorithm (IDEA) uses a linear function (rotate shift) to generate round keys [13].Similarly, the GRK algorithm of the PRESENT block cipher uses a linear permutation as its main component to generate round keys [14].However, in the PRESENT cipher, a non-linear function (s-box) is only used for a limited number of bits (only the outermost 4 bits).The GRK from the advanced encryption standard (AES) algorithm uses linear and non-linear functions to generate round keys [15].
Sulaiman et al. [16] argue that a quality key schedule should be developed using those transformations that are used in the main part of the cipher.This approach is used for the key schedule of the lightweight Serpent encryption algorithm [17].To evaluate the reliability of the lightweight block cipher (LBC) GRK algorithm, a frequency test was performed, as well as tests of bit independence and bit correlation for high/lowdensity keys.In this article, for comparative studies, the GRK of the PRESENT cipher is considered.
The purpose of the research work is to evaluate the statistical security of the GRK algorithm of the LBC cipher.It includes the study of the cryptographic properties of the output sequence of the round key generation algorithm using statistical tests.If the GRK algorithm produces poor results in statistical tests, then it will certainly not be resistant even to basic attacks [18], [19].

METHOD 2.1. Block encryption algorithm LBC
The LBC algorithm is designed to encrypt 64-bit block-type data with an 80-bit key.LBC encrypts for 20 rounds.Each round includes 4 types of transformation [20]: i) S transformation, ii) RL transformation, iii) L transformation, and iv) K transformation.
During encryption, the original plaintext block is divided into 4 subblocks of 16 bits each.Encryption starts by adding the first 64 bits of the master key to the plain text as shown in Figure 1.Next, round transformations are performed.
Nyssanbayeva et al. [20] provides a detailed description of this encryption algorithm.

Key scheduling in encryption algorithms
Let Y be a key of a symmetric block encryption algorithm.Then a key schedule is the system of functions { 1 ,  2 , … ,   }, which allows extending the key Y to r keys  1 , … ,   , where r is the number of rounds of the iterative (round) block cipher.A key schedule is a process of generating a key sequence based on a master key (secret key).The same numerical sequences, so-called round keys, will be used for round encryption procedures [21].

Key schedule in the LBC algorithm
The length of the secret key (master key) of the LBC algorithm is 80 bits.From this secret key, the round keys of the algorithm are generated.The key schedule in the considered algorithm includes several transformations, which are presented in Figure 2.
A master key of 80 bits is divided into 5 subblocks of 16 bits each.In the first step, the bits of the first key subblock are replaced with other bits using the S-box substitution table.The fourth subblock is added with the constant Nr modulo 2.Here Nr is the number of a round, which takes values from 1 to 20.In 6819 the second step, the bits of each subblock rotate left by several positions.This procedure is performed by the function Ri, where i is the number of positions by which the bits of the subblock rotate.As shown in Figure 2, the bits of the first subblock rotate left by 6 positions, the second subblock-by 7, the third subblock-by 8, and the remaining subblocks-by 9 and 10 positions respectively.In the third step, the subblocks are summed by XOR operations with the neighboring right subblock, i.e., the first with the second, the second with the third, and the third with the fourth subblock.In the last step of the transformation, the subblocks rotate left by one position, that is, the entire subblocks are swapped.
After the above transformations, the initial 4 sub-blocks (64 bits) of the sequence of 5 sub-blocks (80 bits) starting from the left are taken and then used as the encryption (decryption) round keys.The 80 bits obtained from the previous transformations will be used as the basis for the next round keys.This process continues until all round encryption keys are received.

Key schedule in the PRESENT algorithm
The PRESENT algorithm can accept keys of either 80 or 128 bits [22].However, this paper will consider key scheduling with 80-bit master keys.The secret 80-bit key is stored in the key register Y and represented as a sequence of bits { 79 ,  78 , … ,  0 }.The first-round key is formed from 64 leftmost bits of the main secret key   = { 63 ,  62 , … ,  0 } consists of the 64 leftmost bits of the current contents of the register Y. So, after the first round we have: Thus, the key register rotates left by 61 positions, then the leftmost four bits are passed through the S-box of the main encryption algorithm.The round_counter value is added to the  19  18  17  16  15 bits from the key register Y.These procedures are repeated 31 times until the last round key is obtained.

Evaluation
This section discusses key schedule estimates in the LBC algorithm.The following data types were selected for testing: high-density key (HDK) sequence, low-density key (LDK) sequence, and random density key (RDK) sequence.The HDK sequence consists mainly of '1' bits and contains only one or two '0' bits.On the contrary, LDK consists mostly of '0' bits and contains only one or two '1' bits.RDK is a random sequence of bits.Such a scheme of initial data was taken from [19].
In this paper, we give an estimate of the quality of the GRK of the LBC algorithm.To compare the results, work was also carried out to evaluate the key schedule of the PRESENT-80 algorithm.All initial data  ISSN: 2088-8708 Int J Elec & Comp Eng, Vol. 13, No. 6, December 2023: 6817-6826 6820 (HDK, LDK, and RDK) are 80 bits long and will serve as a secret key for the GRK of the LBC and PRESENT algorithms.The following tests were used to assess the quality and reliability of the key schedule of the algorithms: frequency test, bit difference between round keys, Hamming weight test, and avalanche effect in round keys.

Frequency test
The focus of the test is on the ratio of zeros and ones for the entire sequence.For numeric key data generated by round keys, the number of 1s and 0s in the sequence should be approximately equal.Thus, the frequency test is the basic NIST test for proving the randomness of numerical sequences in round keys [23], [24].If any GRK fails to produce random round keys, then there is no need to conduct any further tests since they impose more stringent requirements, and the algorithm will certainly not comply with them [19].An estimate in the frequency test can be obtained using formulas (1)-(3).To conduct a frequency test, we perform the following operations [23]: a. Convert the zeros and ones of the input sequence to -1 and +1, respectively, and sum to obtain where   are the bits of the input sequence.b.Calculate test statistics: c. Calculate p-value: where  is the complementary error function.
To estimate the key schedule of both algorithms, we used 10,000 secret keys.All these keys were combined into one file.In each round, the keys are also written to one file.Since the LBC algorithm consists of 20 rounds of encryption, 20 round keys were taken for testing, that is, 20 separate files with a round key in each.To compare the test results, 20 round keys were also taken from the PRESENT algorithm.Each file was individually tested with the frequency test.
The frequency test evaluates the calculated p-value from the input bit sequence.The p-value indicates the probability of obtaining the observed results given that the null hypothesis is true, or the probability of error if the null hypothesis is rejected.Based on the calculated p-value, it is decided that if the p-value is ≥0.01, then the sequence is considered pseudo-random, otherwise it is non-random [23].

Bit difference between round keys
The purpose of this test is to identify the complex relationship between round keys [19] by assessing confusion in round keys.Two consecutive round keys are summed by the XOR operation and the total number of 1 s in the resulting vector is calculated.A reliable key schedule provides a bit difference of 50%, which greatly complicates the statistical relationship between the secret key and the round keys.

Hamming weight test
Hernandez-Castro et al. [25] performed a probabilistic metaheuristic search.In doing so, they identified a set of round keys that had very low Hamming weight.In differential cryptanalysis, such keys will be an ideal basis for attacking the encryption algorithm.A perfectly balanced binary sequence of n bits should have a Hamming weight of n/2 [25].
In the LBC algorithm, only the leftmost 64 bits of the key sequence are used for the encryption process in each round, and the remaining bits are not considered during the encryption process.Thus, the Hamming weight of round keys is calculated for these 64 bits.Since, in our case, the value of n is 64, then the ideal value of the Hamming weight for each sequence is n/2=32.The LBC algorithm uses 20 round keys.Therefore, the value of the Hamming weight should be 20 rounds×32 bits=640 bits.This is 50% of the total number of bits.In this test, the same key is used as the secret key for both the LBC algorithm and the Present algorithm, and the Hamming weight for each round key is calculated by ( 4

Avalanche effect in round keys
The avalanche effect (AE) in encryption algorithms estimates the degree to which the ciphertext changes when one-bit changes in the corresponding plaintext or secret key.This test determines the nonlinear characteristics of the transformations used in the proposed algorithm.The best avalanche effect is 50% or more, ensuring that changing any bit of the secret key affects the bits of the ciphertext [26].
The avalanche effect is calculated using (5): where x is the length of the plaintext (ciphertext),   is the i th bit of the ciphertext, and   is the i th bit of the plaintext.The resulting value is converted into a percentage for comparison using (6).
For this criterion, the sequences LDK, HDK, and RDK described in subsection 2.3 were used.At the beginning of testing, based on the selected key, the round keys   ′ .are generated.Then we change one bit of the original key and generate the round keys   ′ .
Where i is the position of the changed bit of the original key and  is the sequential number of the round.Using the formula (5), we find the values of  for each round.In each iteration, we change the next bit of the original key and find new values of .This method was used to study the round keys of the LBC and PRESENT-80 algorithms.

Frequency test
The results of the frequency test are considered to be the decisive factor for the key sequence generated by the GRK of the encryption algorithm.If the key sequence passes the frequency test, then the round keys are considered random.Otherwise, there is no need to perform other statistical tests.
A set of 10,000 random secret keys was used to test the GRK of both studied algorithms.The key sequences generated by the GRK of the LBC and PRESENT algorithms pass the frequency test.Since the GRK input data were random, the generated round key sequences were also random.This indicates that the GRK of the LBC and PRESENT algorithms generate key sequences that are close to random.
Table 1 shows the pass rate of 20 round keys obtained from random secret sequences using the GRK of the algorithms under study.The average p-value of the LBC algorithm is ~0.58, while that of the PRESENT algorithm is ~0.46.These results show that if the secret key is random, then a good frequency can be achieved using round keys.

Bit difference between round keys
As in other algorithms, in LBC round keys are summed with round data modulo 2 (XOR operation).Therefore, if the round keys are pseudo-random, then the encrypted data, when summed with such keys, will be less predictable and more random.The test evaluates the average value of the bit difference for random secret keys.For testing, three types of sequences for the secret key were used: LDK, HDK, and RDK.50 secret keys of each type were chosen.  2 and 3 show the percentage of bit differences between two consecutive round keys generated by the LBC GRK and the PRESENT GRK, respectively.As the results of the study show, for the LBC algorithm, the average value of the differences of the round keys of three types is approximately the same: LDK-49.32%,HDK-49.97%, and RDK-50.41%.At the same time, the PRESENT algorithm has these results: LDK-33.05%,HDK-34.44%, and RDK-49.87%.With keys of the LDK type, the percentage of bit difference ranges from 39% to 51% for the LBC algorithm and from 11% to 52% for the PRESENT algorithm.A good result was shown by keys of the RDK type: from 49% to 51% for both algorithms.Ideally, the bit difference between round keys should be at least 50%.Weak bit changes in the initial rounds can help attackers predict the keys of previous rounds and gain access to the secret key. Figure 3 shows the average percentage bit differences between the generated round keys of the LBC and PRESENT algorithms.

Hamming weight test
Round keys with low Hamming weights can be helpful in differential cryptanalysis attacks, as discussed earlier.For testing, again, 50 secret keys of each of the three types were selected: LDK, HDK, and RDK.Based on these secret keys, round keys were generated.For each key, the Hamming weight was calculated using (4).The results obtained are shown in Table 4.With the LDK and HDK keys, the LBC algorithm deviates from the optimal value of the Hamming weight by only 1.49% and 1.31%, while the PRESENT algorithm deviates much more -19.74%and 19.75%, respectively.With RDK keys, both algorithms take approximately the same values as shown in Table 4.It can be seen from the results that the LBC algorithm generates round keys with the Hamming weight from 48% to 50% for any type of secret key as shown in Figure 4.

Avalanche effect in round keys
To test the avalanche effect in round keys, one key of each of the HDK, LDK, and RDK types was selected.First, round keys were generated from the master key using the GRK.In the second step, we changed the first bit of the master key and again generated round keys.The resulting two groups of round 6823 keys were compared using ( 5), but here we were looking for the difference between the bits of the two groups of round keys.In each next step, the next bit of the master key was changed.In this way, indicators of the avalanche effect were calculated for each changed bit position of the master key.The test was carried out for each of the two algorithms separately.According to the test results, the avalanche indicator of the round keys of the LBC algorithm averaged ≈37%, while the same indicator of the PRESENT algorithm averaged ≈2%.The average values of the avalanche effect are shown in Table 5.Table 5 shows that the avalanche effect in the round keys of the PRESENT algorithm is very low.This is because the non-linear transformation in the key schedule of this algorithm has very little effect on the bits of the key sequence.In the key schedule of the PRESENT algorithm, only the 4 extreme bits of the key sequence pass through the S-box (substitution table) in each round.Besides, beats 15 to 19 are added to the round number.This process also reduces the influence of the key sequence on the avalanche effect.In the LBC algorithm, the S-box operates on 16 bits in each round, and after rotate shifts, each block passes through the S-box.Therefore, the avalanche effect of this algorithm is higher than that of the PRESENT algorithm as shown in Figures 5, 6  In this test, we calculated avalanche effect values only for round keys.In [19], the same test was carried out together with the original text.Obviously, with such tests, the avalanche rate will be higher than that of tests for round keys.

CONCLUSION
This study aims to investigate the security impact of existing key scheduling procedures in the lightweight LBC and PRESENT symmetric block cipher algorithms.The results show that the GRK of the LBC algorithm demonstrates good statistical performance.The PRESENT algorithm GRK provides random round keys only when the secret key is random, but the LBC key schedule provides round key randomness for low-density keys, high-density keys, and random secret keys.The key sequence generated by the GRK of the LBC algorithm has completely passed the frequency test.The average value of the percent differences in bits between the generated round keys of the LBC algorithm is approximately 50%, which proves the good quality of the key schedule.The Hamming weight of the round keys of the algorithm is also within the normal range.The indicators of the avalanche effect of the round keys of the LBC algorithm had an average value of ≈37%.This means that the key schedule of the LBC algorithm is provided with a sufficient level of security for the encryption algorithm itself.
Int J Elec & Comp Eng ISSN: 2088-8708  Statistical analysis of the key scheduling of the new lightweight block cipher (Nursulu Kapalova)

Figure 1 .Figure 2 .
Figure 1.General scheme of the LBC algorithm encryption process Statistical analysis of the key scheduling of the new lightweight block cipher (Nursulu Kapalova) 6821

Figure 3 .
Figure 3. Average values of the percentage of bit differences between the generated round keys of the LBC and PRESENT algorithms , and 7.

Table 1 .
Average p-value of round keys

Table 2 .
Results of calculating the differences between the round keys of the LBC algorithm

Table 3 .
Results of calculating the differences between the round keys of the PRESENT algorithm

Table 4 .
Average value of the Hamming weight of round keys Figure 4. Average values of the Hamming weight of the LDK type round keys  ISSN: 2088-8708 Int J Elec & Comp Eng, Vol. 13, No. 6, December 2023: 6817-6826 6824

Table 5 .
Average values of the avalanche effect of round keys