# A Sponge-Based Key Expansion Scheme for Modern Block Ciphers


## Abstract


## 1. Introduction

#### 1.1. Motivation

- The main key should not be directly used as part of the sub-key sequence;
- Every sub-key should be sufficiently difficult to derive from any other sub-key, including the ones immediately before and after it in the sequence.

#### 1.2. Contribution

#### 1.3. Related Works

#### 1.4. Acronyms

## 2. Symmetric Block Ciphers

- All three operations are very fast, usually taking a small number of cycles on various CPU architectures. This makes software implementations of such ciphers very efficient.
- Their execution time is not only low but also constant. This means that ciphers built out of them are naturally immune to side-channel attacks based on the time of execution of certain parts of code [13].
- Since the ciphers use only basic operations, they are often very easy to implement and analyze.

## 3. Sponge Construction

1. Set all b bits of internal state to 0.
2. Divide input data into chunks of r bits: $I_0$, $I_1$, up to $I_k$ for selected k.
3. For each chunk of input data perform the absorbing procedure:
   - (a) Apply the input chunk to the first r bits of internal state through the XOR operation,
   - (b) Apply the f function to the internal state.
4. After all input has been absorbed by the sponge, start squeezing out the output:
   - (a) Append first r bits of the state to the output,
   - (b) Apply the f function to the internal state.
5. Stop after all necessary output has been squeezed out.

## 4. Sponge-Based Key Expansion

1. Initialization: Set 96 bits of internal state to 0.
2. Absorbing:
   - (a) Absorb a word of input $K[i]$ through a XOR operation with the first 32 bits of the state;
   - (b) Apply 4 iterations of the f function to the internal state;

   Repeat until all of the key material has been absorbed (4 times).
3. Mixing: Apply 24 iterations of the f function.
4. Squeezing:
   - (a) Apply 12 iterations of the f function to the internal state;
   - (b) Squeeze an output word $S_k[j]$, by saving first 32 bits of the internal state.

   Repeat until all of the sub-keys have been squeezed out.
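The procedure above as an added Python example (not code from the paper or its reference implementation); it is an instance of the sponge construction of Section 3 with b = 96 and r = 32. The f function is not defined in this text, so `standin_f` is a hypothetical ARX permutation used only to make the example run; treating word 0 as the "first 32 bits" and defaulting to 80 sub-keys (ten steps of eight sub-keys, Section 5.1) are assumptions.

```python
MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def standin_f(state):
    """Hypothetical invertible ARX step on three 32-bit words (NOT IJON's f)."""
    a, b, c = state
    a = (a + b) & MASK32
    c = rotl32(c ^ a, 7)
    b = (b + c) & MASK32
    a = rotl32(a ^ b, 13)
    return [b, c, a ^ 0x9E3779B9]  # constant keeps all-zero from being a fixed point

def iterate(f, state, rounds):
    for _ in range(rounds):
        state = list(f(state))
    return state

def expand_key(key_words, n_subkeys=80, f=standin_f):
    """Absorb four 32-bit key words, mix, then squeeze n_subkeys sub-keys."""
    if len(key_words) != 4:
        raise ValueError("expected four 32-bit key words")
    state = [0, 0, 0]                      # 1. initialization: 96 zero bits
    for k in key_words:                    # 2. absorbing, repeated 4 times
        state[0] ^= k & MASK32             #    (a) XOR K[i] into the first 32 bits
        state = iterate(f, state, 4)       #    (b) 4 iterations of f
    state = iterate(f, state, 24)          # 3. mixing
    subkeys = []
    for _ in range(n_subkeys):             # 4. squeezing
        state = iterate(f, state, 12)      #    (a) 12 iterations of f
        subkeys.append(state[0])           #    (b) save the first 32 bits
    return subkeys

def count_f_calls(n_subkeys=80):
    """Number of f invocations that one full expansion costs."""
    calls = 0
    def counting_f(s):
        nonlocal calls
        calls += 1
        return standin_f(s)
    expand_key([0, 0, 0, 0], n_subkeys, counting_f)
    return calls

if __name__ == "__main__":
    key = [0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F]  # constructed key
    print(len(expand_key(key)), "sub-keys,", count_f_calls(), "calls to f")
```

Only 32 of the 96 state bits leave the sponge per squeeze, and consecutive sub-keys are separated by 12 applications of f; the key words themselves are never emitted.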

#### The f Function

1. Four bytes which form the string IJON (in ASCII encoding) were interpreted as a 32-bit floating point number. In addition to the number itself, its square root and second power were calculated. This resulted in a total of three floating point values.
2. All three values from the previous step were reinterpreted as unsigned integers. The following procedure was performed on each of them:
   - (a) The integer was multiplied by itself, generating a 64-bit value;
   - (b) The upper and lower halves of the result from the previous step were XORed together to make a 32-bit number;
   - (c) This number then served as input to the next iteration of the procedure, for a total of 128 iterations.
3. The result of the last iteration of the procedure became the output of the entire algorithm. Since the procedure was performed on three integers, it resulted in three constants: $C_1$, $C_2$ and $C_3$.
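The derivation above as an added Python example (not the authors' code). The text does not state the byte order used to read IJON as a float or which seed maps to which constant, so the big-endian default and the order (value, square root, square) are assumptions, and the output may differ from the paper's $C_1$, $C_2$, $C_3$.

```python
import math
import struct

MASK32 = 0xFFFFFFFF

def f32_bits(x):
    """Round x to IEEE-754 single precision and return its 32-bit pattern."""
    return struct.unpack(">I", struct.pack(">f", x))[0]

def fold_square(x):
    """Steps 2(a)-(b): square to 64 bits, XOR the upper and lower halves.

    0, 1 and 0xFFFFFFFF map to themselves, so a chain that reaches one of
    them stays there; a derived constant equal to one of these is degenerate.
    """
    sq = x * x
    return (sq >> 32) ^ (sq & MASK32)

def seed_words(tag=b"IJON", byteorder=">"):
    """Step 1: the tag read as a float, its square root and its second power,
    each reinterpreted as an unsigned 32-bit integer."""
    (base,) = struct.unpack(byteorder + "f", tag)
    return [f32_bits(v) for v in (base, math.sqrt(base), base * base)]

def derive_constants(tag=b"IJON", byteorder=">", rounds=128):
    """Steps 2(c) and 3: iterate the fold 128 times on each seed word."""
    constants = []
    for word in seed_words(tag, byteorder):
        for _ in range(rounds):
            word = fold_square(word)
        constants.append(word)
    return constants

def is_degenerate(constant):
    """True if the constant is one of the fold's fixed points listed above."""
    return constant in (0, 1, MASK32)

if __name__ == "__main__":
    for order in (">", "<"):  # print both byte orders, since the page fixes neither
        print(order, [f"{c:08x}" for c in derive_constants(byteorder=order)])
```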

## 5. IJON Cipher

#### 5.1. Encryption Algorithm

1. Plaintext $P_t$ contains 128 bits of data and serves as an input to the algorithm.
2. Split $P_t$ into 4 words of 32 bits each.
3. Perform ten steps on the words of the state. Each step has 8 sub-keys K assigned from the sequence generated by the key expansion.
   - (a) Combine four first sub-keys with the words of the state using XOR.
   - (b) Apply the S-BOX S twice in parallel to the state.
   - (c) Combine four last sub-keys.
   - (d) Perform the second application of S-BOXes.
   - (e) Apply the P-BOX P.
4. The output of the last step is the resulting ciphertext $C_t$.

#### 5.2. Decryption Algorithm

1. Ciphertext $C_t$ contains 128 bits of encrypted data and serves as the input to the algorithm.
2. Split $C_t$ into 4 words of 32 bits each.
3. Perform ten reverse steps on the words of the state. Each step has 8 sub-keys K assigned from the sequence generated by the key expansion.
   - (a) Apply the inverse P-BOX $P^{-1}$ to reverse the mixing of bits.
   - (b) Apply the inverse S-BOX $S^{-1}$ twice in parallel to the state.
   - (c) Combine four last sub-keys with the words of the state using XOR.
   - (d) Apply the inverse S-BOX again.
   - (e) Combine the four first sub-keys with the state.
4. The output of the last decryption step is the resulting plaintext $P_t$.

## 6. Security Considerations

#### 6.1. Key Size and Block Size

#### 6.2. Side-Channel Attacks

#### 6.3. Slide Attack

#### 6.4. Construction of Encryption

#### 6.5. Randomness of Key Expansion

#### 6.5.1. Methodology

1. Frequency (monobit) test
2. Frequency test within a block
3. Runs test
4. Test for the longest run of ones in a block
5. Binary matrix rank test
6. Discrete Fourier transform (spectral) test
7. Non-overlapping template matching test
8. Overlapping template matching test
9. Maurer’s “Universal Statistical” test
10. Linear complexity test
11. Serial test
12. Approximate entropy test
13. Cumulative sums (cusum) test
14. Random excursions test
15. Random excursions variant test

#### 6.5.2. Test Results

- Max Diff—applicable only to the monobit test, it is the maximal absolute difference between expected and actual number of ones in the sequence. The percentage in the brackets is given in relation to the expected value (100% = 1280 bits).
- Success rate—number of samples from the given set that successfully passed a given test. Percentage in brackets is in relation to the number of samples in the set.
- Min/Max/Avg P—respectively minimal, maximal and average value of P among all samples, both successful and failing. The p-value has to be greater than $0.01$ to pass a test.
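How the monobit row's metrics are computed for a 2560-bit sub-key sequence (expected 1280 ones), as an added Python example that is not the authors' test harness. The p-value formula is the frequency test of the NIST suite [7]; both samples are constructed, and the biased one is built with a difference of 109 ones, the Max Diff of the first results table, which yields a p-value that rounds to that table's Min P of 0.000016.

```python
import math

def words_to_bits(words):
    """Flatten 32-bit sub-keys into a list of bits, most significant first."""
    return [(w >> (31 - i)) & 1 for w in words for i in range(32)]

def monobit(bits):
    """Return (|ones - expected ones|, p-value) for the frequency test."""
    n = len(bits)
    ones = sum(bits)
    s_obs = abs(2 * ones - n) / math.sqrt(n)   # |#ones - #zeros| / sqrt(n)
    return abs(ones - n / 2), math.erfc(s_obs / math.sqrt(2))

def summarize(samples, alpha=0.01):
    """Aggregate one test over a set of samples, using the table's metrics."""
    results = [monobit(words_to_bits(s)) for s in samples]
    p_values = [p for _, p in results]
    passed = sum(p > alpha for p in p_values)  # pass: p-value greater than 0.01
    return {
        "max_diff": max(d for d, _ in results),
        "success": passed,
        "success_pct": 100.0 * passed / len(samples),
        "min_p": min(p_values),
        "max_p": max(p_values),
        "avg_p": sum(p_values) / len(p_values),
    }

# Constructed samples of 80 sub-keys (2560 bits) each.
BALANCED = [0xAAAAAAAA] * 80                           # exactly 1280 ones
BIASED = [0xFFFFFFFF] * 43 + [0xFFF80000] + [0] * 36   # 1389 ones, diff 109

if __name__ == "__main__":
    print(monobit(words_to_bits(BIASED)))
    print(summarize([BALANCED, BIASED]))
```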

## 7. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

1. Tufail, S.; Parvez, I.; Batool, S.; Sarwat, A. A Survey on Cybersecurity Challenges, Detection, and Mitigation Techniques for the Smart Grid. Energies **2021**, 14, 5894.
2. Alghassab, M. Analyzing the Impact of Cybersecurity on Monitoring and Control Systems in the Energy Sector. Energies **2022**, 15, 218.
3. Jain, N.; Chauhan, S.S. Novel Approach Transforming Stream Cipher to Block Cipher. In Proceedings of the 2021 International Conference on Technological Advancements and Innovations (ICTAI), Tashkent, Uzbekistan, 10–12 November 2021; pp. 182–187.
4. Di Matteo, S.; Baldanzi, L.; Crocetti, L.; Nannipieri, P.; Fanucci, L.; Saponara, S. Secure Elliptic Curve Crypto-Processor for Real-Time IoT Applications. Energies **2021**, 14, 4676.
5. Rodinko, M.; Oliynykov, R. Comparing Performances of Cypress Block Cipher and Modern Lighweight Block Ciphers on Different Platforms. In Proceedings of the 2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T), Kyiv, Ukraine, 8–11 October 2019; pp. 113–116.
6. Alasaad, A.; Alghafis, A. Key-Dependent S-box Scheme for Enhancing the Security of Block Ciphers. In Proceedings of the 2019 2nd International Conference on Signal Processing and Information Security (ICSPIS), Dubai, United Arab Emirates, 30–31 October 2019; pp. 1–4.
7. Rukhin, A.; Soto, J.; Nechvatal, J.; Smid, M.; Barker, E.; Leigh, S.; Levenson, M.; Vangel, M.; Banks, D.; Heckert, A.; et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; National Institute of Standards & Technology: Gaithersburg, MD, USA, 2010.
8. Xu, Y.; Zhao, M.; Liu, H. Design an irreversible key expansion algorithm based on 4D memristor chaotic system. Eur. Phys. J. Spec. Top. **2022**.
9. Liu, H.; Wang, X.; Li, Y. Cryptanalyze and design strong S-Box using 2D chaotic map and apply to irreversible key expansion. arXiv **2021**, arXiv:2111.05015.
10. Zhao, M.; Liu, H. Construction of a Nondegenerate 2D Chaotic Map with Application to Irreversible Parallel Key Expansion Algorithm. Int. J. Bifurc. Chaos **2022**, 32, 2250081.
11. Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Proceedings of the Advances in Cryptology—EUROCRYPT’93; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1994.
12. Luby, M.; Rackoff, C. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput. **1988**, 17, 373–386.
13. Kocher, P.C. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Proceedings of the Advances in Cryptology—CRYPTO’96; Koblitz, N., Ed.; Springer: Berlin/Heidelberg, Germany, 1996; pp. 104–113.
14. Bertoni, G.; Daemen, J.; Peeters, M.; Van Assche, G. Cryptographic Sponge Functions. 2011. Available online: https://keccak.team/files/CSF-0.1.pdf (accessed on 8 September 2022).
15. Dworkin, M. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions; Federal Inf. Process. Stds. (NIST FIPS); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015.
16. Dinu, D.; Perrin, L.; Udovenko, A.; Velichkov, V.; Großschädl, J.; Biryukov, A. Design Strategies for ARX with Provable Bounds: Sparx and LAX. In Proceedings of the Advances in Cryptology—ASIACRYPT 2016; Cheon, J.H., Takagi, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; pp. 484–513.
17. Daemen, J.; Rijmen, V. The Wide Trail Design Strategy. In Proceedings of the Cryptography and Coding; Honary, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 222–238.
18. Beierle, C.; Biryukov, A.; Cardoso dos Santos, L.; Großschädl, J.; Perrin, L.; Udovenko, A.; Velichkov, V.; Wang, Q. Alzette: A 64-Bit ARX-box. In Proceedings of the Advances in Cryptology—CRYPTO 2020; Micciancio, D., Ristenpart, T., Eds.; Springer International Publishing: Cham, Switzerland, 2020; pp. 419–448.
19. Sawka, M. Reference Implementation of the IJON Block Cipher. 2021. Available online: https://github.com/msaw328/ijon (accessed on 8 September 2022).
20. Biryukov, A.; Wagner, D. Slide Attacks. In Proceedings of the Fast Software Encryption; Knudsen, L., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; pp. 245–259.

Acronym | Meaning |
---|---|
AES | Advanced Encryption Standard |
ARX | Add-Rotate-XOR |
ASCII | American Standard Code for Information Interchange |
CPU | Central Processing Unit |
CSPRNG | Cryptographically Secure Pseudo-Random Number Generator |
DES | Data Encryption Standard |
LEA | Lightweight Encryption Algorithm |
LTS | Long Trail Strategy |
NIST | National Institute for Standards and Technology |
P-BOX | Permutation box—the permutation layer of an SPN |
PRNG | Pseudo-Random Number Generator |
S-BOX | Substitution box—the substitution layer of an SPN |
SHA-3 | Secure Hashing Algorithm 3 |
SPN | Substitution-Permutation Network |
WTS | Wide Trail Strategy |

Test Number/Name | Success Rate | Min P | Max P | Avg P |
---|---|---|---|---|
1. Monobit—Max Diff 109 (8.52%) | 8182 (99.09%) | 0.000016 | 1.000000 | 0.500998 |
2. Frequency within block | 8172 (98.97%) | 0.000023 | 0.999526 | 0.499081 |
3. Runs | 8162 (98.85%) | 0.000000 | 1.000000 | 0.501611 |
4. Longest run of ones | 8178 (99.04%) | 0.000100 | 0.993439 | 0.496900 |
6. DFT | 8166 (98.90%) | 0.000066 | 1.000000 | 0.494753 |
7. Non-overlapping template match | 8242 (99.82%) | 0.000188 | 1.000000 | 0.923600 |
11. Serial | 8135 (98.52%) | 0.000182 | 0.997537 | 0.414052 |
12. Approximate entropy | 8200 (99.31%) | 0.000075 | 0.999842 | 0.502494 |
13. Cusum | 8157 (98.79%) | 0.000016 | 0.999526 | 0.422093 |

Test Number/Name | Success Rate | Min P | Max P | Avg P |
---|---|---|---|---|
1. Monobit—Max Diff 97 (7.58%) | 9907 (99.07%) | 0.000126 | 1.000000 | 0.499881 |
2. Frequency within block | 9902 (99.02%) | 0.000082 | 0.999928 | 0.499588 |
3. Runs | 9895 (98.95%) | 0.000124 | 1.000000 | 0.497403 |
4. Longest run of ones | 9920 (99.20%) | 0.000004 | 0.993439 | 0.498367 |
6. DFT | 9901 (99.01%) | 0.000006 | 1.000000 | 0.490965 |
7. Non-overlapping template match | 9981 (99.81%) | 0.000236 | 1.000000 | 0.920993 |
11. Serial | 9824 (98.24%) | 0.000022 | 0.998638 | 0.403821 |
12. Approximate entropy | 9893 (98.93%) | 0.000106 | 0.999955 | 0.493109 |
13. Cusum | 9884 (98.84%) | 0.000111 | 0.999798 | 0.423216 |

Test Number/Name | Success Rate | Min P | Max P | Avg P |
---|---|---|---|---|
1. Monobit—Max Diff 98 (7.66%) | 9918 (99.18%) | 0.000065 | 1.000000 | 0.502647 |
2. Frequency within block | 9910 (99.10%) | 0.000021 | 0.999950 | 0.503439 |
3. Runs | 9894 (98.94%) | 0.000122 | 1.000000 | 0.501850 |
4. Longest run of ones | 9907 (99.07%) | 0.000000 | 0.993439 | 0.497037 |
6. DFT | 9912 (99.12%) | 0.000066 | 1.000000 | 0.489584 |
7. Non-overlapping template match | 9985 (99.85%) | 0.000094 | 1.000000 | 0.922027 |
11. Serial | 9832 (98.32%) | 0.000012 | 0.999070 | 0.409102 |
12. Approximate entropy | 9882 (98.82%) | 0.000026 | 0.999896 | 0.497468 |
13. Cusum | 9883 (98.83%) | 0.000014 | 0.999526 | 0.426680 |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Sawka, M.; Niemiec, M.
A Sponge-Based Key Expansion Scheme for Modern Block Ciphers. *Energies* **2022**, *15*, 6864.
https://doi.org/10.3390/en15196864
