Lightweight Hash Function Design for the Internet of Things: Structure and SAT-Based Cryptanalysis

Abstract

This paper introduces a lightweight cryptographic hash algorithm, LWH-128, developed using a sponge-based construction and specifically adapted for operation under constrained computational and energy conditions typical of embedded systems and Internet of Things devices. The algorithm employs a two-layer processing structure based on simple logical operations (XOR, cyclic shifts, and S-boxes) and incorporates a preliminary diffusion transformation function G, along with the Davis–Meyer compression scheme, to enhance irreversibility and improve cryptographic robustness. A comparative analysis of hardware implementation demonstrates that LWH-128 exhibits balanced characteristics in terms of circuit complexity, memory usage, and processing speed, making it competitive with existing lightweight hash algorithms. As part of the cryptanalytic evaluation, a Boolean SATisfiability (SAT) Problem-based model of the compression function is constructed in the form of a conjunctive normal form of Boolean variables. Experimental results using the Parkissat SAT solver show an exponential increase in computational time as the number of unknown input bits increased. These findings support the conclusion that the LWH-128 algorithm exhibits strong resistance to preimage attacks based on SAT-solving techniques.

1. Introduction

The Internet of Things (IoT) is being actively adopted across a wide range of domains—from healthcare to industry and agriculture. However, the widespread deployment of IoT brings significant challenges to the field of information security, particularly when it comes to devices with limited computational and energy resources. One of the key issues remains ensuring reliable protection for such devices under constraints of memory, performance, and energy efficiency. This calls for the development of adaptive and lightweight cryptographic solutions capable of functioning effectively under these conditions.

It is important to consider not only the level of security but also the impact of protective mechanisms on device performance and operational stability. Moreover, it is necessary to account for the trade-off between the level of protection and resource limitations to achieve an optimal balance. The application of new approaches to securing IoT systems must also take into account the specific requirements of each application domain. In this context, research into lightweight security solutions is particularly relevant for the sustainable development of IoT technologies [1,2].

Among lightweight cryptographic primitives, hash functions hold particular importance, as they are used to ensure data integrity and authentication in various communication protocols. For IoT devices, the development of lightweight hash functions is critically important—such functions must provide a high level of security while maintaining minimal resource consumption. At the same time, it is essential to consider how the integration of cryptographic mechanisms affects the performance and reliability of the final system. Thus, the study of lightweight hash functions and their integration into IoT devices is one of the key areas in ensuring cybersecurity under resource-constrained conditions [3,4,5].

In August 2018, the National Institute of Standards and Technology (NIST) announced a call for submissions of lightweight authenticated encryption and hashing algorithms designed for software or hardware environments with constrained resources. A total of 57 algorithms were submitted. In March 2021, ten algorithms advanced to the final round: ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak. On 7 February 2023, NIST announced the winner of the competition—the ASCON family of algorithms, which was recommended as the standard for lightweight cryptography [6].

Despite the completion of the competition and the selection of recommended algorithms, including hash functions, the development of new solutions in this field remains relevant. Standardization does not mark the end of research, especially in light of emerging threats, evolving architectures, and new requirements posed by the IoT industry. When designing new lightweight hash functions, it is important not only to take resource constraints into account, but also to conduct in-depth cryptanalysis using modern mathematical methods.

Of particular importance is the algebraic approach, in which the structure of the hash function is modeled as a system of Boolean equations. This enables the use of Boolean SATisfiability (SAT) problem solvers to assess the algorithm’s resistance to various types of attacks, including collision and preimage finding. SAT solvers are effective in identifying contradictions or solutions within given logical structures, making them a valuable tool for uncovering potential vulnerabilities in hash functions. Additionally, algebraic analysis helps detect structural weaknesses related to linearity or predictable dependencies.

It is also crucial to consider how the architecture of a hash function affects the complexity of the SAT model and the time required to solve it. Thus, the use of SAT solvers has become an essential component of formal analysis in the design of secure and robust lightweight hash functions, providing a higher level of assurance in the algorithm’s security prior to its deployment in real-world systems [7,8].

The satisfiability problem is the problem of determining whether there exists an assignment of variables that makes a propositional logic formula true. It has significant practical importance in computational theory, artificial intelligence, and cryptographic analysis.

Today, SAT solvers are used to address various cryptographic problems. For example, they have been applied in the cryptanalysis of the RSA (Rivest–Shamir–Adleman) public-key cryptosystem, enabling the factorization of numbers up to 417 bits in length, as well as in the analysis of the Trivium cipher and its modifications. Moreover, a homomorphic public-key cryptosystem based on the SAT problem has been proposed. Finally, SAT solvers are successfully used to verify the invertibility of vector Boolean functions.

In its classical formulation, the SAT problem assumes that the formula is expressed in conjunctive normal form (CNF) and is NP-complete. Modern SAT solvers are designed specifically to handle CNF instances. SAT-solving algorithms can be classified as systematic or local search algorithms, and they are often used in a complementary manner.

In modern cryptanalysis, SAT solvers have become a powerful tool for the formal analysis of symmetric ciphers and hash functions. In particular, they are used for key recovery in ciphertext-only attacks or known-plaintext attacks. Beyond ciphers, SAT solvers are actively used to analyze hash functions—for example, in collision search and preimage or second-preimage attacks—which help assess the security level of the algorithm. Thus, the SAT-based approach serves as an effective analysis method that enhances the reliability of cryptographic design [9].

2. Literature Review

With the rapid growth of IoT systems and the widespread adoption of embedded devices, there is an increasing interest in the development of lightweight cryptographic primitives. In recent years, research has been actively conducted to design and optimize constructions capable of operating efficiently under constraints on memory, computational resources, and energy consumption. This review covers key publications focused on current trends, design methods, and directions in the development of lightweight hash algorithms, taking into account the specifics of their application within the IoT ecosystem.

In [10], the main approaches used in the design of lightweight hash functions are examined, along with current trends related to their security parameters. The Merkle–Damgård, sponge, and HAIFA structures are analyzed, and their suitability for resource-constrained systems, such as IoT and cyber-physical systems (CPS) is evaluated. A comparative analysis of algorithm performance is provided according to criteria such as speed, memory usage, energy efficiency, and resistance to various types of attacks (e.g., collision and preimage finding). In addition, the study discusses the characteristics that hash functions should possess in the context of post-quantum threats. The scientific contribution of the article lies in the classification of existing approaches and in outlining directions for further research and development.

The article [11] presents a systematic review of the potential of lightweight cryptographic algorithms for ensuring security within IoT infrastructures. The algorithms are examined in terms of computational complexity, power consumption, robustness, and architectural optimization. Special attention is given to the relationship between hash functions and device energy consumption. It is emphasized that the proposed solutions contribute to environmental sustainability, data confidentiality, and system stability. A key advantage of the study is its classification of existing solutions and their adaptation to various application scenarios. In addition, the authors highlight current technological trends, unresolved challenges, and gaps in research. The main directions for future work include the use of artificial intelligence and machine learning methods for dynamic cryptographic algorithm management, as well as the development of ultra-lightweight solutions for real-time cyberattack detection.

Study [12] focuses on the analysis of lightweight hash functions for IoT systems integrated with blockchain technologies. It presents an experimental comparison of several algorithms, assessing their impact on transaction speed, memory usage, and energy consumption. Particular attention is paid to cryptographic strength and resistance to various types of attacks. The effectiveness of the algorithms is evaluated by latency and throughput metrics. The authors justify the selection of hash functions suitable for resource-constrained architectures and capable of meeting security requirements. Among the priority areas identified are the development of post-quantum-resistant hash functions, their integration with specific blockchain protocols (such as Hyperledger and IOTA), and the design of multi-layered architectures for secure data exchange among IoT devices.

The authors of article [13] design and evaluate a lightweight hash function based on the SPECK block cipher, with a focus on computational efficiency and robustness. The study examines the round structure, sensitivity to input changes (avalanche effect), diffusion, and resistance to known attacks. The algorithm is tested in various configurations, and its performance (measured in cycles per byte and memory usage) is compared with traditional hash functions. The results demonstrate the competitiveness of the proposed solution. The simplicity and ease of implementation make the algorithm well-suited for constrained environments. The paper provides a detailed account of the development process, from concept to experimental validation.

In [14], the MinHash algorithm and its weighted modifications are examined as probabilistic methods for estimating similarity between data sets. The review covers the theoretical foundations, practical aspects of application, and a comparative analysis of weighting schemes. The advantages and limitations of each approach are analyzed, with examples provided by large-scale data processing tasks, such as text similarity detection, clustering, and indexing. A key strength of the work lies in establishing a connection between theoretical models and their practical applicability. The article highlights the relevance of probabilistic models and scalable solutions in modern information systems.

In [15], a review of locality-sensitive hashing (LSH) algorithms is presented, covering both their theoretical foundations and practical applications. The core principle of LSH is to map similar elements to nearby hash values, which is especially important for high-dimensional data. The article discusses major types of LSH (binary, projection-based, and trigger-based) and methods for improving their efficiency. Examples are given of applications in indexing, fast search, bioinformatics, and privacy protection. The work emphasizes such benefits as scalability and suitability for parallel processing. The main value of the article lies in the systematic link it draws between theory and practice in the field of LSH.

A review of recent research in lightweight hash functions shows that the main focus is on designing cryptographic algorithms capable of delivering sufficient security with minimal computational and energy costs. Scientific studies underscore the importance of architectural simplicity, initial diffusion, resistance to common attacks, and adaptability to the constrained-resource environments typical of IoT systems. At the same time, a lack of solutions is observed that can effectively combine a compact internal state with a high degree of input transformation at early processing stages. Several works give particular attention to post-quantum resilience and the potential for further integration of auxiliary data-processing mechanisms.

Thus, the analysis indicates strong scientific and practical interest in developing sponge-based hash functions with reduced internal state and high initial diffusion. This confirms the relevance of the present study, which is aimed at designing a hash function architecture with an integrated preprocessing function $G,$ characterized by low computational complexity, resistance to standard cryptographic attacks, and suitability for broad deployment in the IoT ecosystem.

This work builds on the previously developed HBC-256 hash algorithm, which is based on a block cipher and designed to ensure strong cryptographic security [16,17]. HBC-256 has demonstrated strong performance in terms of collision resistance, avalanche effect, output distribution uniformity, and efficiency on resource-constrained platforms. Its comprehensive statistical and cryptographic analysis confirmed both its practical applicability and the soundness of its architectural design. Thanks to the extensive validation of HBC-256, it became possible, with a high degree of confidence and methodological predictability, to develop its modified version featuring a shortened internal state and a built-in preprocessing function $G$. This modification reduced the resource load while maintaining the required level of security, making the proposed algorithm more adaptable for use in constrained computational environments, such as IoT devices.

3. Materials and Methods

This study is devoted to the development of an efficient cryptographic hash function based on a modified sponge construction, designed for use in IoT systems under the constraints of limited computational resources and increased security requirements.

To achieve this goal, the following tasks are addressed:

• To design the architecture of the hashing algorithm with the integration of an additional preprocessing function $G$ featuring a reduced internal state, and to present a formal description and model of the entire construction.
• To justify the choice of parameters for function $G$ that ensures initial diffusion of the input data with minimal computational overhead.
• To assess the algorithm’s resistance to algebraic cryptographic attacks, as well as its performance and resource efficiency in comparison with existing lightweight hash functions.

3.1. Design of the Proposed Hash Function

The developed hash function is intended for use in environments with limited computational and energy resources, typical of IoT devices. It is based on a lightweight structure employing cyclic shifts, XOR operations, and S-boxes, providing a balance between performance and cryptographic strength.

The scientific novelty of this study lies in the structural enhancement of the classical cryptographic sponge construction, tailored for application in IoT systems. In the proposed architecture, an additional lightweight preprocessing function $G$ is integrated before the main transformation function $F$. Function G features a reduced internal state and high processing speed.

Function $G$ performs a preliminary diffusion transformation of the input data, contributing to entropy expansion and a more uniform distribution within the internal state before applying function $F$. Such a two-level processing approach improves both the cryptographic robustness and the efficiency of hashing under constrained-resource conditions.

The hash function accepts an input message of arbitrary length and produces a fixed-length output of 128 bits. The internal structure of the algorithm includes:

• A fixed number of rounds;
• A simple mixing function with a minimal number of logical operations;
• Initial setup using key constants and message length parameters.

3.2. Efficiency Evaluation Methods

The assessment of computational and resource complexity of lightweight hash functions is a key step in evaluating their applicability under constrained computational and energy resources. A comprehensive analysis takes into account the following parameters: the amount of Random Access Memory (RAM) and Read-Only Memory (ROM) used, the hardware complexity of the algorithm, and the Clock Cycles per Byte (CPB) metric.

The RAM and ROM usage is measured in bytes and reflects the minimum amount of temporary and permanent memory required for the algorithm to function. This parameter is particularly important when deploying hash functions on microcontrollers with limited memory capacity [18,19].

The hardware complexity of the algorithm is typically expressed in terms of Gate Equivalents (GE), indicating the equivalent number of basic logic gates required to implement the design in a digital integrated circuit. Lower GE values imply a more compact and cost-effective implementation, which is critical when designing cryptographic primitives for hardware platforms with limited logic capacity [20].

The Cycles per Byte (CPB) metric is a universal measure widely used to evaluate the performance of cryptographic schemes. It indicates the number of clock cycles required by the processor to process one byte of data. This parameter enables objective comparison of algorithm efficiency regardless of the specific hardware platform [21,22].

The comparative analysis was carried out against a number of other lightweight hash functions, including SPONGENT-128, s-QUARK, Ascon-Hash, BLAKE, and Keccak.

3.3. SAT-Based Cryptanalysis

A SAT solver is a specialized program designed to check the satisfiability of a logical formula expressed in CNF. Historically, the foundation of the first efficient SAT solvers was the DPLL algorithm (Davis–Putnam–Logemann–Loveland), which is a complete backtracking search method developed to solve the Boolean satisfiability problem. In this algorithm, truth values are assigned to variables sequentially: a variable is selected and assigned the value “true”, after which the formula is simplified and checked recursively.

If a conflict arises—i.e., a subset of the assigned values results in a false disjunction—backtracking is performed: the current variable is assigned the opposite value, and the process continues. A key feature that distinguishes DPLL from a brute-force approach is the mechanism of logical inference of other variable values based on the current assignment, known as unit propagation. This strategy has made DPLL particularly effective in solving a wide range of practical problems [23].

An enhanced algorithm known as CDCL (Conflict-Driven Clause Learning) was later developed based on DPLL and has become the core of modern SAT solvers. CDCL retains the basic structure of DPLL but incorporates additional mechanisms, including variable selection heuristics and conflict-driven clause learning. Its key advantage lies in the ability to record conflict-inducing combinations as new clauses, enabling the solver to prune large regions of the search space that are guaranteed to lead to contradictions. This significantly accelerates the solving process and reduces unnecessary backtracking.

Boolean variables are those that take values from the set $\left\{0, 1\right\}$. A Boolean formula over n variables is a logical expression constructed according to formal syntactic rules using Boolean variables $x_1, x_2, \dots , x_n,$ logical connectives (such as AND, OR, NOT), and parentheses. These expressions are also known as propositional formulas or formulas in the algebra of logic.

The set ${\left\{0,1\right\}}^n$ represents all Boolean vectors of length $n.$ Each Boolean formula $F$ defines a total Boolean function $f_F:{\left\{0,1\right\}}^n\to \left\{0,1\right\}$, which maps a vector of input variable values to an output value. The formula $F$ is said to be satisfiable if there exists an assignment $\beta \in {\left\{0,1\right\}}^n$ such that $f_F\left(\beta \right)=1$. Such an assignment is called a satisfying assignment. If no such assignment exists, the formula is considered unsatisfiable.

A special class of Boolean formulas is formed by normalized representations, the most common of which is CNF. In CNF, a formula is written as a conjunction of disjunctions, where each disjunction (clause) is composed of literals—that is, variables or their negations. Any Boolean formula can be converted into CNF through standard transformations, such as Tseitin transformation [24]. The resulting formula $C\left(F\right)$, which is satisfiability-equivalent to the original formula F, may contain more variables, but can be constructed in polynomial time with respect to the size of $F$.

Hereafter, by the Boolean satisfiability problem (SAT), we refer to the task of determining whether a given CNF formula $C$ is satisfiable—that is, whether there exists an assignment of Boolean variable values such that $C$ evaluates to true. The SAT problem is a classical NP-complete problem. This means that if the class P (problems solvable in polynomial time) is not equal to the class NP (problems verifiable in polynomial time), then no algorithm can solve SAT in the general case in polynomial time with respect to the size of the input CNF.

4. Results

The proposed LWH-128 algorithm is based on a cryptographic sponge construction and can be viewed as a simplified and modified version of the HBC-256 hash algorithm [16].

Key parameters of the algorithm:

• Construction: cryptographic sponge;
• Internal state size: 216 bits (27 bytes);
• Input block size: 72 bits (9 bytes);
• Hash output (tag $T$) size: 128 bits (16 bytes);
• Initialization vector ($IV$) length: 152 bits;
• $Nonce\left(N\right)$ length: 64 bits (8 bytes);
• Round functions $G$ and $F$ are built on the block cipher $CF$ used in the HBC-256 algorithm.

The algorithm consists of three stages (see Figure 1):

• Initialization;
• Hashing (absorbing);
• Finalization (squeezing).

4.1. Stage 1: Initialization

During the initialization stage, the input value IS of length 216 bits is formed by concatenating the 152-bit initialization vector $IV$ and the 64-bit Nonce ($N$), that is, $IS=IV\left|\right|N$. This bit sequence is fed into the round function F and serves as the initial state for the next stage. At this stage, the F function composed of subfunctions $F_2$ and $F_3$, is applied in 20 rounds. The initial values are defined as follows: $IV$ = 00...000, $Nonce$ = 10...001. The structure and operation of the G function (used in the second stage) and the $F$ function (used in the second and third stages) are described below.

4.2. Stage 2: Hashing

The hashing stage is intended for processing the input message $P$. The message is divided into blocks of r = 72 bits. If the last block is incomplete, it is padded to the required length with a bit sequence where the first and last bits are set to one, and all intermediate bits are zeros—following the scheme used in the HBC-256 algorithm. If the last block is already full, an additional block is appended, constructed according to the same scheme.

Each 72-bit block is represented as a 3 × 3 byte matrix and processed by the auxiliary function $G$, whose input and output are also 72 bits in length. The output of $G$ is then passed to the round function $F$, which produces a new internal state of 216 bits. This updated state is used to process the next message block. All blocks of the message $P$ are processed iteratively in this manner, and the resulting internal state is passed to the next stage of the algorithm.

4.3. Stage 3: Finalization

The finalization stage completes the hashing process and produces the final hash value $T$ (tag). The input to this stage is the 216-bit internal state obtained from the previous stage. It is processed again by the $F$ function, which includes the subfunctions $F_2$ and $F_3$. To ensure cryptographic irreversibility, the Davies–Meyer construction is applied: the lower 64 bits of the output from the $F$ function are XORed with the last 64 bits of the internal state produced before finalization. These bits form the first fragment of the output tag $T$. To produce the full 128-bit hash value, the 20-round $F$ function is applied twice, each time using the Davies-Meyer scheme.

4.4. Function $G$

Function $G$ operates on data represented as a 3 × 3 square matrix containing 9 bytes. The 72-bit (9-byte) input, given as a sequence of bytes $\left(d_1,d_2,\dots ,d_9\right)$, is interpreted as the elements of a matrix filled left to right, top to bottom:

$$D=\left(\begin{array}{ccc}{d}_1& d_2& d_3\\ d_4& d_5& d_6\\ d_7& d_8& d_9\end{array}\right)=\left(\begin{array}{ccc}{d}_{11}& d_{12}& d_{13}\\ d_{21}& d_{22}& d_{23}\\ d_{31}& d_{32}& d_{33}\end{array}\right)$$

In its design principle, function G is similar to the CFKey round key generation algorithm used in the HBC-256 hash function. At the same time, it has a number of distinguishing features: it uses only a single round; the working matrix has a size of 3 × 3; and only one S-box is applied. Function G consists of three consecutive transformations: StageG-1, StageG-2, and StageG-3. Each of these will be described in more detail below.

4.4.1. StageG-1 Transformation

This transformation consists of two steps (Step 1 and Step 2) and is designed to generate a new matrix from the initial matrix $D$. A distinctive feature of this transformation is the sequential application of both linear and nonlinear cryptographic operations. During the computation of each matrix element, two cryptographic components are applied in the following order.

Step 1. Linear transformation. In this step, intermediate values ${\mathrm{d}}_{\mathrm{ij}}^{\prime }$, are computed based on the structure of matrix $D$, which is filled from left to right and top to bottom, where $i,j=1,2,3$. The values $d_{ij}^{\prime }$ are calculated as the modulo 2 sum (XOR operation) of three elements from row i and two elements from column j, excluding the element at position (i, j) itself. For example, when computing $d_{12}$ (highlighted in red in Figure 2), five matrix elements are involved, highlighted with background shading. The result is given by the formula: $d_{12}^{\prime }=d_{11}\oplus d_{12}\oplus d_{13}\oplus$ $d_{22}\oplus d_{32}$.

Step 2. Nonlinear transformation. In this step, the intermediate value $d_{ij}^{\prime }$ is transformed using a substitution through an S-box, producing the new value of the corresponding matrix element $d_{ij}$.

The general form of the StageG-1 transformation is given as follows:

$$\begin{array}{c}{d}_{ij}^{\prime }={\displaystyle {\displaystyle \sum }_{k=1}^3}{d}_{ik}\oplus \left({\displaystyle {\displaystyle \sum }_{\begin{array}{c}k=1\\ k\ne i\end{array}}^3}{d}_{kj}\right);\\ d_{ij}=S\left(d_{ij}^{\prime }\right);\end{array}\}i,j=1,2,3.$$

(1)

where $d_{ij}^{\prime }$ is the intermediate value of the matrix element D, $S$ is the substitution table (S-box), and $\sum$ denotes modulo 2 additions (bitwise XOR).

The S-box is a predefined bijective nonlinear mapping $S:{\mathbb{Z}}_{2^4}\to {\mathbb{Z}}_{2^4}$ and is shown in

Table 1. S-box.

	Values																Note
x	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F	HB-1, S2 [25]
$S$(x)	2	E	F	5	C	1	9	A	B	4	6	8	0	7	3	D

.

The S-box operates at the nibble level. The following notations are introduced: $t_1=b_7{b}_6{b}_5{b}_4$—left nibble, $t_0=b_3{b}_2{b}_1{b}_0$—right nibble (all bits are given in binary form). The substituted values are determined as: $p_1=S\left(t_1\right)$, $p_0=S\left(t_0\right)$. After substitution, the resulting nibbles are concatenated to form the updated byte $d_{ij}$.

4.4.2. StageG-2 Transformation

This transformation performs a bitwise rotation. The new elements of the matrix D, obtained after StageKey-1, are arranged into a one-dimensional array: $D=\left(d_{11},d_{12},d_{13},d_{21},d_{22},d_{23},d_{31},d_{32},d_{33}\right)$.

Each byte is converted into a bit sequence, and all nine bytes are concatenated into a single bit string: $W=d_{11}\left|\left|d_{12}\right|\right|d_{13}\left|\left|d_{21}\right|\right|d_{22}\left|\left|d_{23}\right|\right|d_{31}\left|\left|d_{32}\right|\right|d_{33},$ where $\left|W\right|$ = 72 bits.

A one-bit left rotation is applied to this bit string: $W\prime =W⋘1$. Then, W′ is sequentially divided into 9 bytes, forming the updated matrix $D$: $D=\left(d_{11},d_{12},d_{13},d_{21},d_{22},d_{23},d_{31},d_{32},d_{33}\right)$.

4.4.3. StageG-3 Transformation

Structurally, this transformation is very similar to the previously described StageG-1. The key difference lies in the order in which the elements of the new matrix are computed: calculations proceed from bottom to top and from right to left, starting with element d₃₃ and ending with $d_{11}$.

The formula that combines both steps—linear and nonlinear transformation—is given below:

$$\begin{array}{c}{d}_{ij}^{\prime }={\displaystyle {\displaystyle \sum }_{k=1}^3}{d}_{ik} \oplus \left({\displaystyle {\displaystyle \sum }_{\begin{array}{c}k=1\\ k\ne i\end{array}}^3}{d}_{kj}\right); \\ d_{ij}=S\left(d_{ij}^{\prime }\right);\end{array}\} i,j=3, 2, 1;$$

(2)

The output of function $G$ is the updated byte matrix:

$$D=\left(\begin{array}{ccc}{d}_{11}& d_{12}& d_{13}\\ d_{21}& d_{22}& d_{23}\\ d_{31}& d_{32}& d_{33}\end{array}\right)$$

Below is the pseudocode (Algorithm 1) for the function G.

Algorithm 1: Function $G\left(D\right)$

System parameters: S-box: $S$

Local parameters: i, j, k, $d^{\prime }$, W

Input: Block of P: D = ($d_1,d_2,\dots ,d_9$) = $\left(d_{11},d_{12},d_{13},d_{21},d_{22},d_{23},d_{31},d_{32},d_{33}\right)$

Output: Transformed block D = ($d_1,d_2,\dots ,d_9$) = $\left(d_{11},d_{12},d_{13},d_{21},d_{22},d_{23},d_{31},d_{32},d_{33}\right)$

1:   Set: $W=\varnothing$, $d^{\prime }=0$

2:      /* Start of StageG1 prosessing */

3:         for $i=1$ to $3$ do

4:            for $j=1$ to $3$ do

5:               for $k=1$ to $3$ do

6:                  Compute $d^{\prime }\leftarrow \oplus {\displaystyle \sum }_{k=1}^3{d}_{ik}\oplus \left(\oplus {\displaystyle \sum }_{\begin{array}{c}k=1\\ k\ne i\end{array}}^3{d}_{kj}\right)$

7:               $\mathrm{Compute}{d}_{ij}\leftarrow S\left(d^{\prime }\right)$

8:      /* End of StageG1 prosessing */

9:      /* Start of StageG2 prosessing */

10:         /* Represent $D$ as sequence of Bit: $W\leftarrow Convert.ToBit\left(D\right)$*/

11:         for $i=1$ to $9$ do

12:             $W\leftarrow W \parallel Convert.ToBit\left(d_i\right)$

13:         $W\leftarrow W ⋘ 1$ /* 1-bit cyclic left shift */

14:      /* Represent $W$ as sequence of Byte: $D=\left(d_1,d_2,\dots ,d_9\right)$ */

15:         for $j=1$ to $9$ do

16:            $d_i\leftarrow Convert.ToByte$($W$)

17:      /* End of StageG2 prosessing */

18:      /* Start of StageG3 prosessing */

19:         for $i=3$ down to $1$ do

20:            for $j=3$ down to $1$ do

21:               for $k=1$ to $3$ do

22:                  Compute $d^{\prime }\leftarrow \oplus {\displaystyle \sum }_{k=1}^3{d}_{ik}\oplus \left(\oplus {\displaystyle \sum }_{\begin{array}{c}k=1\\ k\ne i\end{array}}^3{d}_{kj}\right)$

23:               $\mathrm{Compute}{d}_{ij}\leftarrow S\left(d^{\prime }\right)$

24:   /* End of StageG3 prosessing */

25:   return Transformed block D

4.5. Round Function F

The round function $F$ is used at all stages of the algorithm and performs R = 20 rounds. Its input consists of a 9-byte matrix $D$ (the output of function $G$) and an internal state $X$ of 216 bits (27 bytes). The output of function $F$ is also 216 bits (27 bytes)—the updated internal state. The state $X$ is interpreted as a sequence of bytes as follows: $X=$ ($x_1,x_2,x_3,\dots ,x_{27}$). The internal bytes of $X$ are sequentially distributed among three square matrices $A, B,$ and $C$, each of size 3 × 3:

$$A=\left(\begin{array}{ccc}{x}_1& x_2& x_3\\ x_4& x_5& x_6\\ x_7& x_8& x_9\end{array}\right)=\left(\begin{array}{ccc}{a}_{11}& a_{12}& a_{13}\\ a_{21}& a_{22}& a_{23}\\ a_{31}& a_{32}& a_{33}\end{array}\right),$$

$$B=\left(\begin{array}{ccc}{x}_{10}& x_{11}& x_{12}\\ x_{13}& x_{14}& x_{15}\\ x_{16}& x_{17}& x_{18}\end{array}\right)=\left(\begin{array}{ccc}{b}_{11}& b_{12}& b_{13}\\ b_{21}& b_{22}& b_{23}\\ b_{31}& b_{32}& b_{33}\end{array}\right),$$

$$C=\left(\begin{array}{ccc}{x}_{19}& x_{20}& x_{21}\\ x_{22}& x_{23}& x_{24}\\ x_{25}& x_{26}& x_{27}\end{array}\right)=\left(\begin{array}{ccc}{c}_{11}& c_{12}& c_{13}\\ c_{21}& c_{22}& c_{23}\\ c_{31}& c_{32}& c_{33}\end{array}\right).$$

The operation of the round function F can be divided into three subfunctions: $F_1$, $F_2$, and $F_3$.

4.5.1. Subfunction ${\mathrm{F}}_1$

Each of the nine elements of the input matrix $D$ is successively XORed with the elements located on the main diagonals of matrices $A, B,$ and $C$. The resulting values are passed through the S-box, producing updated matrices $A, B$, and $C$:

$$A=\left(\begin{array}{ccc}S\left(a_{11}\oplus d_{11}\right)& a_{12}& a_{13}\\ a_{21}& S\left(a_{22}\oplus d_{12}\right)& a_{23}\\ a_{31}& a_{32}& S\left(a_{33}\oplus d_{13}\right)\end{array}\right),$$

$$B=\left(\begin{array}{ccc}S\left(b_{11}\oplus d_{21}\right)& b_{12}& b_{13}\\ b_{21}& S\left(b_{22}\oplus d_{22}\right)& b_{23}\\ b_{31}& b_{32}& S\left(b_{33}\oplus d_{23}\right)\end{array}\right),$$

$$C=\left(\begin{array}{ccc}S\left(c_{11}\oplus d_{31}\right)& c_{12}& c_{13}\\ c_{21}& S\left(c_{22}\oplus d_{32}\right)& c_{23}\\ c_{31}& c_{32}& S\left(c_{33}\oplus d_{33}\right)\end{array}\right)$$

4.5.2. Subfunction ${\mathrm{F}}_2$

At this stage, the elements on the main diagonals of matrices $A, B,$ and $C$ are recomputed (i.e., $a_{ii},b_{ii},c_{ii}$ for $i=1,2,3$). Each such element is XORed with the other elements in the same row and in the same column:

$$\begin{array}{c}{a}_{ii}^{\prime }={\displaystyle {\displaystyle \sum }_{j=1}^3}{a}_{ij} \oplus \left({\displaystyle {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3}{a}_{ji}\right); \\ a_{ii}=S\left(a_{ii}^{\prime }\right);\end{array}\} i=1, 2, 3;$$

(3)

$$\begin{array}{c}{b}_{ii}^{\prime }={\displaystyle {\displaystyle \sum }_{j=1}^3}{b}_{ij} \oplus \left({\displaystyle {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3}{b}_{ji}\right); \\ b_{ii}=S\left(b_{ii}^{\prime } \right);\end{array}\} i=1, 2, 3;$$

(4)

$$\begin{array}{c}{c}_{ii}^{\prime }={\displaystyle {\displaystyle \sum }_{j=1}^3}{c}_{ij} \oplus \left({\displaystyle {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3}{c}_{ji}\right); \\ c_{ii}=S\left(c_{ii}^{\prime } \right);\end{array}\} i=1, 2, 3;$$

(5)

The result is then passed through the S-box. Thus, the output of the subfunction $F_2$ is the new set of values on the main diagonals of matrices $A, B,$ and $C$.

4.5.3. Subfunction ${\mathrm{F}}_3$

At the final stage of each round, a byte permutation is applied to matrices $A, B,$ and $C$ using a fixed pattern PerF:

$$A=\left(\begin{array}{ccc}{b}_{11}& c_{21}& a_{31}\\ c_{11}& a_{21}& b_{31}\\ a_{11}& b_{21}& c_{31}\end{array}\right),B=\left(\begin{array}{ccc}{b}_{12}& c_{22}& a_{32}\\ c_{12}& a_{22}& b_{32}\\ a_{12}& b_{22}& c_{32}\end{array}\right),C=\left(\begin{array}{ccc}{b}_{13}& c_{23}& a_{33}\\ c_{13}& a_{23}& b_{33}\\ a_{13}& b_{23}& c_{33}\end{array}\right).$$

This completes the execution of one round of function $F$. Starting from the second round and up to the final one, only subfunctions $F_2$ and $F_3$ are applied. The result of the final round is a 27-byte value, which is considered the output of function $F$. The pseudocode (Algorithm 2) presented below specifies the operational algorithm of the F function.

Algorithm 2: Function $F\left(X, D\right)$

System parameters: S-box: $S$

Local parameters: i, j,$d_a^{\prime }, d_b^{\prime }$,$d_c^{\prime }$

Input: Block of state: X = ($x_1,x_2,\dots ,x_{27}$)

Transformed block of P: D = ($d_1,d_2,\dots ,d_9$) = $\left(d_{11},d_{12},d_{13},d_{21},d_{22},d_{23},d_{31},d_{32},d_{33}\right)$

Output: Transformed block X = ($x_1,x_2,\dots ,x_{27}$)

1:   Set: $A\leftarrow \left(a_{11},a_{12},a_{13},a_{21},a_{22},a_{23},a_{31},a_{32},a_{33}\right)=\left(x_1,x_2,x_3,x_4,x_5,x_6,x_7,x_8,x_9\right)$

2:   Set: $B\leftarrow \left(b_{11},b_{12},b_{13},b_{21},b_{22},b_{23},b_{31},b_{32},b_{33}\right)=\left(x_{10},x_{11},x_{12},x_{13},x_{14},x_{15},x_{16},x_{17},x_{18}\right)$

3:   Set: $C\leftarrow \left(c_{11},c_{12},c_{13},c_{21},c_{22},c_{23},c_{31},c_{32},c_{33}\right)=\left(x_{19},x_{20},x_{21},x_{22},x_{23},x_{24},x_{25},x_{26},x_{27}\right)$

4:      /* Start of StageF1 prosessing */

5:         for $i=1$ to $3$ do

6:            Compute $A\leftarrow S\left(a_{ii}\oplus d_{1i}\right)$

7:            Compute $B\leftarrow S\left(b_{ii}\oplus d_{2i}\right)$

8:            Compute $C\leftarrow S\left(c_{ii}\oplus d_{3i}\right)$

9:      /* End of StageF1 prosessing */

10:      /* Start of StageF2 prosessing */

11:         $d_a^{\prime }=0$, $d_b^{\prime }=0$, $d_c^{\prime }=0$

12:         for $i=1$ to $3$ do

13:            for $j=1$ to $3$ do

14:               Compute $d_a^{\prime } \leftarrow \oplus {\displaystyle \sum }_{j=1}^3{a}_{ij} \oplus \left(\oplus {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3{a}_{ji}\right)$

15:               Compute $d_b^{\prime } \leftarrow \oplus {\displaystyle \sum }_{j=1}^3{b}_{ij} \oplus \left(\oplus {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3{b}_{ji}\right)$

16:               Compute $d_c^{\prime } \leftarrow \oplus {\displaystyle \sum }_{j=1}^3{c}_{ij} \oplus \left(\oplus {\displaystyle \sum }_{\begin{array}{c}j=1\\ j\ne i\end{array}}^3{c}_{ji}\right)$

17:             $\mathrm{Compute}{a}_{ii}\leftarrow S\left(d_a^{\prime }\right)$

18:            $\mathrm{Compute}{b}_{ii}\leftarrow S\left( d_b^{\prime }\right)$

19:            $\mathrm{Compute}{c}_{ii}\leftarrow S\left( d_c^{\prime }\right)$

20:      /* End of StageF2 prosessing */

21:      /* Start of StageF3 prosessing */

22:         $A\leftarrow \left(a_{11},a_{12},a_{13},a_{21},a_{22},a_{23},a_{31},a_{32},a_{33}\right)$ = $\left(b_{11},c_{21},a_{31},c_{11},a_{21},b_{31},a_{11},b_{21},c_{31}\right)$

23:         $B\leftarrow \left(b_{11},b_{12},b_{13},b_{21},b_{22},b_{23},b_{31},b_{32},b_{33}\right)$ = $\left(b_{12},c_{22},a_{32},c_{12},a_{22},b_{32},a_{12},b_{22},c_{32}\right)$

24:         $C\leftarrow \left(c_{11},c_{12},c_{13},c_{21},c_{22},c_{23},c_{31},c_{32},c_{33}\right)$ = $\left(b_{13},c_{23},a_{33},c_{13},a_{23},b_{33},a_{13},b_{23},c_{33}\right)$

25:      /* End of StageF3 prosessing */

26:      return Transformed block X=($x_1,x_2,\dots ,x_{27}$) = ($A, B, C$)

5. Discussion

Although NIST has already standardized the ASCON family as the primary solution for lightweight cryptography, the development of alternative hash functions remains relevant for several reasons. First, the LWH-128 architecture features a more compact internal state (216 bits), which reduces memory and hardware requirements compared to most competition finalists. Second, by integrating an additional preprocessing function G, the design achieves accelerated initial data diffusion, which enhances cryptographic strength in the early rounds with minimal computational overhead.

5.1. Performance Evaluation of the Proposed Lightweight Hash Algorithm

To assess the efficiency of the developed LWH-128 algorithm, a comparative analysis was conducted with a number of well-known lightweight hash functions: SPONGENT-128, s-QUARK, Ascon-Hash, BLAKE, and Keccak-f. These algorithms are designed for use in devices with limited computational and energy resources, including IoT systems. The comparison criteria included circuit area (in gate equivalents, GE), RAM usage, and computational performance measured in bits processed per clock cycle (

Table 2. Comparative performance of hash algorithms.

Algorithm	Circuit Area (GE)	RAM (Bytes)	Speed (Bits/Cycle)
SPONGENT-128 [26]	1064–5011	≈128	$\approx$0.25
s-QUARK [27]	2296–4640	$\approx$160	$\approx$0.1–0.2
Ascon-Hash [28]	2570–3750	$\approx$200	$\approx$0.8–1.0
BLAKE [29]	13,575	$\approx$256	$\approx$1.2–1.5
Keccak-f [26]	2520–4900	$\approx$400	$\approx$1.0
LWH-128	2525–4000	$\approx$160	$\approx$0.9–1.0

).

In terms of circuit complexity, SPONGENT-128 remains the most compact solution, with a minimum area of only 1064 GE, making it especially suitable for ultra-small chips and low-power systems. The s-QUARK, Keccak-f, and Ascon-Hash algorithms have slightly higher values, ranging from 2300 to 4900 GE, while the proposed LWH-128 algorithm demonstrates comparable figures—from 2525 to approximately 4000 GE—remaining within an acceptable complexity range for microcontrollers and ASIC-based hardware implementations. In contrast, the BLAKE algorithm exhibits the highest circuit complexity, making it less suitable for lightweight implementations.

In terms of RAM usage, LWH-128 occupies a favorable position, requiring approximately 160 bytes of memory, which is comparable to s-QUARK and lower than Ascon-Hash (≈200 bytes) and Keccak-f (≈400 bytes). This efficiency makes it preferable for low-power systems with limited memory availability.

A comparison of computational performance shows that LWH-128 demonstrates stable and high processing speed—approximately 0.9–1.0 bits per cycle. This level is on par with Ascon-Hash and Keccak-f, though lower than BLAKE, which achieves up to 1.5 bits per cycle. However, considering that BLAKE’s high performance comes at the cost of significant hardware overhead and increased resource consumption, LWH-128 appears to be a more balanced solution for constrained computational platforms.

Thus, the results demonstrate that the developed LWH-128 algorithm offers a good balance between resource efficiency and computational performance. It can provide an adequate level of security while maintaining high efficiency in resource-constrained environments, making it a promising candidate for use in IoT systems and other resource-limited applications.

5.2. Analysis of Hash Function Resistance Using SAT Solvers

To convert the hashing algorithm into a Boolean formula, the Transalg software (Version: 1.1.5.0) suite was employed [30]. All core operations of the algorithm were implemented within this framework, including permutations, cyclic shifts, S-box substitutions, and the addition of elements selected from the matrix rows and columns.

The TA-language implementation was then processed by the Transalg parser, which constructed a parse tree—an internal representation of the algorithm’s logic. Based on this tree, the translation module generated a system of Boolean equations equivalent to the behavior of the source code. The Boolean formula was transformed into CNF using Tseitin’s method. In the preimage problem setting, the unknown bits were randomly selected from the 72-bit input block. This choice made it possible to model various scenarios of partial message knowledge.

As a result of encoding the hashing algorithm, a CNF Boolean formula was obtained containing 30,087 variables and 635,201 clauses. The total number of literals—i.e., variables and their negations—reached 171,921, reflecting the high structural complexity of the algorithm’s logical representation.

Table 3. Parameters of the Boolean model of the hash function for different numbers of rounds.

Number of Rounds	Number of Variables	Number of Literals	Number of Clauses
1	2329	18,481	98,273
2	3806	26,621	126,725
3	5267	34,697	154,985
4	6705	42,681	182,969
5	8179	50,809	211,385
6	9647	58,913	239,729
7	11,107	66,985	267,977
8	12,567	75,057	296,225
9	14,027	83,129	324,473
10	15,487	91,201	352,721
11	16,947	99,273	380,969
12	18,407	107,345	409,217
13	19,867	115,417	437,465
14	21,327	123,489	465,713
15	22,787	131,561	493,961
16	24,247	139,633	522,209
17	25,707	147,705	550,457
18	27,167	155,777	578,705
19	28,627	163,849	606,953
20	30,087	171,921	635,201

presents numerical characteristics of the Boolean model of the studied hash function depending on the number of transformation rounds, including the number of variables, literals, and logical expressions.

As previously noted, the algorithm under consideration is a modified version of the HBC-256 hash function, adapted for use in IoT systems. The results of its cryptanalysis using SAT solvers were presented in [31]. In this study, the following solvers were used to assess resistance to SAT-based attacks: Lingeling (version sc2022), CaDiCaL 1.6.0, Kissat 1.0.3, and the multithreaded versions Plingeling (sc2022), Treengeling (sc2022), and Parkissat 1.0.3. All of these solvers are participants in the annual international SAT Competition and demonstrate strong performance in various categories.

Based on the analysis of Table 2 in source [31], it was found that, among the tested solvers, Parkissat demonstrated the highest efficiency. The solvers CaDiCaL and Lingeling showed satisfactory results for small-size problems; however, their performance significantly decreased as the parameters increased. The solver Kissat, despite promising results at the initial stages, proved to be highly inefficient as the problem’s complexity grew. The parallel solvers Plingeling and Treengeling exhibited greater resilience to increasing input complexity; however, their computational performance was still affected by the exponential growth in execution time. At the same time, Parkissat showed comparatively higher stability and produced more reliable results at larger parameter values compared to the other solvers. Accordingly, further experiments on preimage finding for the modified hash algorithm were conducted using this solver.

The research was initially conducted depending on the number of rounds in the hash function. In this phase, only the hash value was assumed to be known, and the number of known bits of the preimage required for full recovery was studied for each round configuration. The collected results are summarized in

Table 4. Number of preimage bits recovered using the Parkissat SAT solver.

Number of Rounds	Number of Unknown Bits n
1	72
2	72
3	72
4	72
5	32
6	14
7–20	13

.

As seen from Table 4, for hash functions with 1 to 4 rounds, it is possible to fully recover the preimage even when all of its bits are unknown. For example, in the case of the 5-round algorithm, preimage recovery is possible only when at most 32 bits are unknown (i.e., when 40 bits are known). For the 7–20 round configurations, only 13 bits may remain unknown, while the remaining 59 bits must be known. The next phase of the study focused on the time required for recovering the preimage for the 5-round configuration. These results are presented in

Table 5. Time indicators for solution search using the Parkissat SAT solver (5 rounds).

Unknown Bits n	Time, s	Unknown Bits n	Time, s
1	0.07	18	4208
2	1.242	19	6928
3	1.258	20	7623
4	1.261	21	8504
5	1.269	22	10,457
6	1.27	23	10,837
7	1.24	24	11,309
8	2.3	25	14,050
9	14	26	16,864
10	16	27	18,469
11	32	28	18,593
12	569	29	24,490
13	789	30	38,443
14	1337	31	49,381
15	1646	32	87,226
16	2661	33	<345,600
17	3825	34	Not computable

.

As shown in Table 5, the recovery time of the preimage was measured for different numbers of unknown bits. For instance, when 32 bits were unknown, recovery took 87,226 s. However, with 33 unknown bits, the time required became practically unbounded, and a solution could not be obtained. These results demonstrate that increasing the number of unknown variables significantly increases computational complexity and solution time. This highlights the efficiency of the Parkissat SAT solver and its practical applicability for solving complex cryptographic problems.

Subsequently, the study was extended to the full (20-round) algorithm.

Table 6. Time to find a solution using the Parkissat SAT solver for 20 rounds (in seconds).

Number of Unknown Bits (n)	Solving Time, s	Number of Unknown Bits (n)	Solving Time, s
1	0.747	8	2.477
2	0.755	9	2.507
3	2.199	10	3.725
4	2.220	11	4.948
5	2.329	12	59.712
6	2.398	13	965.21
7	2.429	14	<345,600

presents experimental results reflecting the time required for solving the full-round configuration using the Parkissat SAT solver.

Figure 3 provides a graphical interpretation of the dependence of solving time on the number of variables, clearly showing the growth of computational costs with increasing problem size.

All computational experiments were conducted on a high-performance computing node. The test platform was equipped with two AMD EPYC 7663 server processors, each containing 56 physical cores, totaling 112 cores. The clock frequency of the processors was 2.0 GHz. The system had 128 GB of RAM. The operating system used was Ubuntu Linux version 22.04.3 LTS.

As noted in [31], when the same experiment is run multiple times with identical input parameters, the solving time may vary. This is because SAT solvers rely on stochastic methods—in particular, the selection of variables to assign logical values (TRUE or FALSE) is made using a random number generator.

If the solver randomly selects a variable and value corresponding to a solution, the search process is accelerated. Otherwise, backtracking and reassignment of values are required, leading to additional computations. Therefore, to obtain an objective evaluation of the algorithm’s timing characteristics, it is advisable to perform repeated runs (e.g., 10 times) and average the results to minimize the impact of randomness and obtain a more representative assessment.

6. Conclusions

As a result of the conducted research, a lightweight hash algorithm named LWH-128 was developed. It is based on a cryptographic sponge construction and is optimized for environments with limited computational resources. Through structural modifications of the classical architecture, the algorithm introduces a lightweight diffusion transformation of input data via the G function and employs the Davis–Meyer construction during hash extraction to ensure irreversibility, enhance one-wayness, and improve overall cryptographic strength. The two-level processing scheme, relying on simple operations (XOR, rotations, and S-boxes) and a compact internal state, makes LWH-128 a reliable hash algorithm with low hardware complexity and a high level of security.

A comparative analysis (see Table 2) demonstrated that LWH-128 offers balanced characteristics for use in resource-constrained and energy-efficient environments, typical of (IoT) devices. In terms of key parameters—hardware complexity, memory footprint, and performance—the proposed algorithm shows efficiency comparable to existing lightweight solutions, confirming its practical applicability for embedded systems and IoT platforms.

As part of the study, a cryptanalytic experiment was also carried out using SAT solvers. The compression function was formalized as a Boolean satisfiability problem and expressed in CNF. The resulting Boolean formula included 171,921 disjunctive clauses, a total of 30,087 Boolean variables, representing the logical structure of the algorithm, and 635,201 logical literals.

The SAT solver Parkissat was used to search for solutions. As shown in Table 6 and Figure 3, the solution time increases rapidly—presumably exponentially—as the number of unknown input bits grows beyond 14. A particularly illustrative case involved 14 unknown bits out of a 72-bit input block: computing a single preimage took over 96 h on a high-performance computing system equipped with two 56-core AMD EPYC 7663 processors. The amount of RAM utilized during the process was 1.6 GB.

These findings lead to an important conclusion: even with a relatively small number of unknown bits (14 out of 72), finding a preimage becomes extremely computationally intensive. This demonstrates the high resistance of the LWH-128 hash function to SAT-based preimage attacks and confirms its cryptographic robustness against the considered class of threats.

7. Future Work

In this work, the lightweight hash algorithm LWH-128 was proposed, and its efficiency and resistance to SAT-solver-based attacks were analyzed. Nevertheless, several important directions remain for further research and development.

First, since a new construction has been introduced, it is necessary to explore possibilities for its improvement and extension. Possible steps include refining the substitution and permutation components to achieve better diffusion with minimal resource consumption, as well as investigating parameter settings for different classes of IoT devices. In addition, an implementation of LWH-128 on real embedded platforms is required, with measurements of power consumption, memory usage, and execution time, in order to confirm the practical applicability of the proposed solution.

Second, although the article mainly focuses on SAT-oriented cryptanalysis, it is also necessary to evaluate resistance to other types of attacks. Future studies are expected to consider differential cryptanalysis, linear attacks, and side-channel attacks, as these target different structural properties of the algorithm. This will significantly strengthen the stated security assurances and provide a more comprehensive evaluation of the LWH-128 algorithm.