An Enhanced Key Schedule Algorithm of PRESENT-128 Block Cipher for Random and Non-Random Secret Keys

: The key schedule algorithm (KSA) is a crucial element of symmetric block ciphers with a direct security impact. Despite its undeniable signiﬁcance, the KSA is still a less focused area in the design of an encryption algorithm. PRESENT is a symmetric lightweight block cipher that provides the optimal balance between security, performance, and minimal cost in IoT. However, the linear functions in KSA lead to a slow and predictable bit transition, indicating the relationship between round keys. A robust KSA should produce random and independent round keys irrespective of the secret key. Therefore, this research aims to improve the KSA PRESENT-128 block cipher with enhanced randomness, round key bit difference, and the avalanche effect. The experiments on round keys and ciphertext with random, low density and high-density secret key datasets endorse the expected improvements. Moreover, the results show that the improved KSA produces random round keys that successfully pass the NIST randomness test. The bit transition from one round key to another is increased from 20% to 40%, where a greater inclination of the avalanche effect has an increased effect with 50% bit change. On the other hand, the improved KSA PRESENT requires an additional 0.001871 s to generate round keys, as a security cost trade-off.


Introduction
The security of a symmetric block cipher depends on the strength of the encryption algorithm and the secret key.As encryption algorithms are publicly available, the security of a cipher resides in the strength and length of the secret key [1].According to NIST [2][3][4], a minimum key length to resist brute force attacks is 112 bits.In symmetric block ciphers, the mathematical functions in encryption and the key schedule algorithm (KSA) directly influence the security of the encrypted data [5,6].Therefore, these functions are carefully selected and combined to produce a strong ciphertext [7,8].
The secret key uses the KSA to generate the round keys for the encryption/decryption process in the symmetric block cipher.These round keys are directly XOR'ed with the cipher state (the encrypted data from the previous round) to conceal a particular round's input and output.So, to produce random round data, the round keys should be random and independent of each other.Keyspace for a 128-bit key is quite extensive, and it is practically impossible to test all secret key combinations during the algorithm design and testing.Still, there is a fair chance that the researcher's intentional investigation [9] or accidental discovery may lead to identifying such secret keys, making the cipher behave unexpectedly [10].These secret keys are weak, semi-weak, and equivalent keys.Hence the security design of a KSA is equally important as the encryption [7] so that there are no weak or equivalent keys.
An algorithm with a hardware-oriented design incurring minimum possible delay is considered ideal in an IoT environment [11,12].In the past few years, many lightweight encryption algorithms have been proposed for resource-constrained devices to provide optimum security and good speed; these algorithms include SKINNY [13], Loong [14], SFN [15], TEA [16], SIT [17], RECTANGLE [18] and PRESENT [19].Many encryption algorithms outperform high-end devices, but their performance degrades when used in resource-constrained IoT devices [20][21][22][23][24][25], and a similar case was observed for AES [26].The lightweight encryption solutions are designed with minimal gates in hardware, and out of the total 1000-10,000 GE on the radio frequency identification (RFID) tag [27,28], only 250-4000 GEs are dedicated for encryption algorithms.The PRESENT block cipher has a good balance between security, cost, and performance triangle for lightweight encryption algorithms, compared to other competitive solutions [29].Consequently, PRESENT is one of the most widely used symmetric block ciphers aimed at resource-constrained devices, such as sensors and RFID tags [19,23], acquiring only 1570 and 1886 GEs for 80-bit and 128-bit versions, respectively [19].
Although PRESENT [19] performs very well in IoT, its limited focus on security is worth examining.One of the significant issues in PRESENT is its KSA, as highlighted by different researchers [20][21][22].The KSA uses a combination of linear and nonlinear functions.A recent study [4] highlighted that PRESENT KSA fails the National Institute of Standards and Technology (NIST) statistical test on round keys for non-random secret keys.This is primarily because these non-linear functions in the "substitution box" (S-box) are applied to 8 bits, followed by XOR on only 5 bits, for each round key's generation, leading to a prolonged transition in round keys.Moreover, they also proved that the round keys pass the frequency test when the secret key is random because the shift operation changes the bit position, resulting in a new binary string as a round key.A similar shift operation results in no bit change for a non-random key with all zeros.Such keys result in a slow and predictable transition among round keys and thus reveal information about other round keys and secret keys to the attacker.
PRESENT was improved by many researchers [24,25].Still, there is no clear evidence about improving its KSA and analyzing its effect on encrypted data, and this simple KSA is not specific to PRESENT only.The KSA of International Data Encryption Algorithm (IDEA) [30] has only one function of the circular shift, which makes it ideal for random keys but not ideal for non-random keys.Even the advanced encryption standard (AES) is vulnerable to cryptanalytic attacks because of KSA [31].These KSA vulnerabilities have led to a new research area to overcome KSA's limitations to generate random and independent round keys.
A considerable amount of literature has been published on improving KSA for different encryption algorithms.The work in [32] improved the KSA of AES to optimize the number of active s-boxes; later, HM Hussain [31] enhanced the KSA to tolerate cryptanalytic attacks.Recently, the work in [33] has highlighted the concept of slow diffusion in the AES key schedule in the initial round.The proposed improvement has additional key permutations for better diffusion, validated using the avalanche effect and frequency test.The KSA of AES was also improved by Shivani [34] by introducing three secret keys instead of one to increase the keyspace and overall system security.In addition, a highly efficient and independent KSA has been introduced, which uses chaos to generate round keys [35].This research indicates that randomness, avalanche effect, the difference between round keys, and linear cryptanalysis are important security measures.This independent KSA demonstrated better performance when compared with existing state-of-the-art solutions.In [36], an enhanced KSA was introduced using the triple transposition key process for the GOST encryption algorithm.Elbert M. Galas in [37] enhanced the KSA of XXTEA by using a random value called seed to enhance the confusion and diffusion among the round keys.Later, the KSA of the RECTANGLE algorithm was enhanced by authors in [38] to increase the randomness among the round keys.Moreover, they managed to keep the design simple to constrain the algorithmic complexity and KSA time.
The above-mentioned recent studies endorse the fact that security advancements are generating more attention in KSA, as the improvements have significantly elevated the security of the overall algorithm.This study focuses on the design of the KSA PRESENT.It improves the design to enhance the security of the overall cryptosystem while retaining the lightweight structure by keeping the 3000 GEs limit in consideration.Moreover, a fair comparison between the KSA PRESENT and improved KSA is performed for round keys, ciphertext and cost to compare the security improvements introduced.Keeping the security, cost and performance triangle in mind, the improved KSA is also compared against time.
The rest of this paper is organized as follows: Section 2 contains a theoretical explanation of the PRESENT encryption, and the KSA PRESENT in detail.Section 3 gives a detailed insight into the design and rationale for the improvements in the KSA PRESENT.Section 4 summarizes the data generation to compare the KSA PRESENT and the improved KSA, followed by a detailed discussion and results analysis in Section 5. Section 6 concludes this study and provides some future directions for interested researchers.

PRESENT Block Cipher
This section emphasizes the lightweight structure of the PRESENT block cipher [19].The block size is 64 bits, whereas the key size has two variants with 80 and 128 bits referred to as PRESENT-80 and PRESENT-128, respectively.It has a traditional substitution permutation network (SPN) structure, making it suitable for a resource-constrained environment [12,23,[39][40][41].This research aims to extend the key schedule of PRESENT-128 only, because the minimum key length to resist a brute force attack is 112 bits [4].

PRESENT Encryption
PRESENT runs 31 rounds of encryption to convert the plaintext into ciphertext.Each round comprises three basic operations, given in Algorithm 1 as pseudocode (C language), starting with AddRoundKey; the first 64 bits of the round key are XOR'ed with the plaintext block.The second operation is sBoxLayer, where the 64-bit output from the previous operation undergoes non-linear transformations based on the substitution box, as presented in Table 1.This substitution box has a non-linear bijective mapping, where S : F 4  2 →F 4 2 is followed by a permutation operation (pLayer) with a bit-by-bit permutation with P : F 64 2 →F 64 2 .The substitution and permutation layers were inspired by SERPENT [42] and DES [38], at the design stage.There are 31 rounds of SPN with an extra layer as round 32, having only addRoundKey using the 31st round key to complete the encryption process.The basic encryption of PRESENT is depicted in Figure 1 below.

The KSA PRESENT
The key schedule algorithm for PRESENT can operate on 80 and 128 bits, but for illustration purposes, this research focuses on PRESENT-128.Moreover, the minimum string requirement or input size recommended for performing the desired NIST statistical tests is also 100 bits (n ≥ 100 bits), which is convenient for PRESENT-128 [43].At the beginning of the process, a 128-bits secret key is stored in the key register, K = k 127 k 126 . . .k 0 .At the 1st round, the 64-bits round key k 1 comprises the leftmost 64-bit of the secret key in key register K.The steps of the KSA PRESENT are given below and repeated 31 times to generate 31 different round keys as depicted in Figure 2.  The following round key, k i , consists of the leftmost 64-bits of the updated key register, K.The steps are repeated until 31 round keys are produced for the addRoundKey operation in the PRESENT encryption.The KSA PRESENT is primarily designed to have a left shift, 8-bits substitution, and an XOR operation with the least significant bit of the round counter.This simple design is exceptionally considered for the security of low-power devices so that any extra computations are not needed, but this simple design has certain limitations, as given below: 1.
No robust transition is observed in round keys starting from round 1.This is primarily because the left shift (linear function) is applied on 47% bits and only changes bit position.The nonlinear functions s-box and XOR modify 13 bits in each round; this difference is equivalent to 10% of all the bits.2.
If one bit is toggled in a secret key, the bit difference is not visible to all generated round keys.In a worst-case scenario [41], the one-bit difference between two secret keys contributes to only a 16-bit difference among 31 round keys.This is not the required avalanche effect among round keys.Therefore, an attacker can calculate the statistical dependence between round keys.

3.
For a non-random secret key, the KSA PRESENT takes 16 rounds (on average) to reach a perfect random round key.

The Improved KSA PRESENT
This section discusses the proposed design of KSA PRESENT, as this design aims to overcome the weaknesses mentioned in Section 2.2.The main idea while designing the improved KSA is to maintain the lightweight structure of the PRESENT without weighing down the KSA with computationally expensive operations.Thus, the proposed KSA can work in coherence with the existing encryption algorithm without increasing complexity.The improved KSA design aims to improve the randomness between the round keys as well as the ciphertext.

The Proposed KSA
The improved KSA PRESENT has an initial step similar to the original KSA PRESENT.A complete diagram of the improvements is presented in Figure 3.A key register, K stores the 128-bit secret key, and the leftmost 64-bit in the current key register are extracted as the round key k 1 .Later, the steps are followed to generate 31 round keys as given below: Step 1: Store the secret key to a key register, K = k 127 k 126 . ..k 0 Step 2: Split the key K into four blocks with 32 bits each: Step 3: Step 4: Apply 61 bits shift to the left of

Update the key register
Step 5: XOR five bits of K with the least significant bit of round counter After all these steps, extract the leftmost 64-bits round key, k i from K and use it in the AddRoundKey function, followed by an increment in the round counter i.

Key Schedule Evaluation
Breaking the encryption algorithm by launching a dictionary attack is time consuming and requires a lot of resources.Thus, attackers are trying a different way by gaining access to round keys or secret keys.Therefore, it is desirable to strengthen the KSA and the encryption algorithm to ensure security [41].A strong KSA must generate random and independent round keys because the dependent round keys lead to different attacks, such as slide attacks, related key/round keys attack, meet-in-the-middle (MITM) attacks, and linear and differential cryptanalyses [20,44,45].
This section provides insight into the evaluation metrics, designed to validate the expected enhancements in the improved KSA and the original version.The KSA is evaluated from three perspectives-round keys, the ciphertext, and cost as depicted in Figure 4-to evaluate the security improvements introduced from the improved KSA.Three binary datasets that are in common for most of these tests are referred to as HD (high density), LD (low density), and R (random) [6,46].An HD has all ones and only two zeros at most, and LD is the exact reverse of HD with all zeros and at most two ones.HD and LD are considered non-random datasets or biased datasets.The random dataset is created, using the "rand" function in Matlab.The secret key and the round key length is 128 bits, so these datasets will be 128 bits long and referred to as HDK, LDK and RK.The length of the plaintext is 64 bits, so each value from the datasets is 64 bits long and referred to as HDP, LDP and RP.The round keys and ciphertext will evaluate the algorithm from software security perspectives, whereas the cost is the exact gate requirement in the hardware environment.Each test is briefly described in this section, followed by the results and findings in the subsequent section.

Round Key Evaluation
A secret key is a key used to generate the round keys for subsequent rounds.In this section, four tests are conducted to evaluate the randomness between round keys.The details of each test, subtests, the property to be evaluated, the number of secret keys, and the significance level are summarized in Table 2.

Frequency Test
For a given random and non-random dataset of keys, there must be an equal proportion of ones and zeros in the round keys being produced [47].Thus, this test is a basic NIST test to prove randomness in round keys [43].If any KSA fails to produce random round keys, there is no need to apply any further tests, as the requirements become stricter in the upcoming tests, and the algorithm will not pass them.The evaluation can be expressed using ( 1)- (3). where, Here, n represents the length of the input bit string.S n is the absolute value of the sequence being observed, and S obs is the absolute value divided by the square root of the length of the string.Moreover, er f c(.) is a complementary error function explained extensively in [39] based on the above equations.For evaluation purposes, both KSAs are subjected to 10,000 random secret keys.This frequency test observes the computed p-value from the input sequence of bits.As per the decision rule, if p-value ≥ 0.01, then the sequence is concluded as being random with a confidence of 99%; otherwise, it is non-random.

High-Density and Low-Density Key
A well-designed KSA needs to generate a random bit string of the round key, even if the secret key is HDK or LDK [6,46].Two datasets of LDK and HDK are created, each with 5000 keys.
This subsection discusses the NIST tests used to test the round key's randomness using the above mentioned non-random secret key datasets (HDK, LDK) as the input sequences.There are four tests: frequency, block frequency, cumulative sums (cusum), and runs, as depicted in Table 2.The frequency test is described in Section 4.1.1,whereas the other three tests are explained here.

•
Block Frequency Test: This test computes the proportion of zeros and ones in the M-bit block and determines whether the proportion of ones is approximately M/2.The p-value ≤ 0.01 indicates a significant deviation from the proportion of zeros and ones in at least one of the blocks and indicates a non-random sequence.The evaluation can be expressed using ( 4)- (7). where, Here, M is the length of each block, which can be any value greater than 19, n is the length of the binary string, and igmac(.) is the incomplete gamma function [43].The π i value is used in the calculation of χ 2 for 1 ≤ i ≤ N.

•
Cusum test: The cusum test is a random walk test where the maximum excursion (from zero) is defined by the cumulative sum of the adjusted (−1, +1) digits in the sequence.The test is performed in two modes, 0 (forward) and 1 (reverse).For a random sequence, the p-value for both modes must be more than or equal to 0.01 for 99% confidence.Equation ( 8) calculates the p-value for modes 0 and 1, where n is the binary string length, and φ is the standard normal cumulative probability distribution function.Meanwhile, z is the largest excursion of the cumulative sum in the (−1, +1) • Runs test: The runs test is performed to identify the total number of runs in sequence, and these runs are the uninterrupted sequence of identical bits.Ideally, there should be diverse sequences of zeros and ones of variable length for a string to be finally declared as random.As with previous tests, if the p-value ≤ 0.01, it is random; otherwise it is non-random.Under this test, p-value is computed using (9), where n is the length of the bit string, V n(obs) is the total number of runs, and π is the proportion of ones in the sequence.

Bit Differences between Round Keys
This test is inspired by [6] and is aimed to observe the complex relationship between round keys.This complexity will lead to the evaluation of confusion in round keys.Two consecutive round keys will be XOR'ed and the total number of ones will be counted for comparison purposes.The improved KSA expects the bit difference of 50% and more to have a good confusion followed by a complex relationship between secret key and round keys.

Hamming Weight Test
Julio Cesar Hernandez-Castro [41] performed a probabilistic meta-heuristic search to identify the set of round keys with very low Hamming weights.These keys are ideal to launch a differential cryptanalysis attack on an encryption algorithm.Round keys are directly XOR'ed with round data, and to bring significant changes in this round data, round keys should have enough randomness.Moreover, a higher number of zeros or ones in round keys makes subsequent keys predictable by bringing minor changes in the round data.Hence, the Hamming weight test ensures that a perfect balance of zeros and ones is achieved between round keys for maximum randomness in the ciphertext.
Consequently, an ideally balanced binary string with n bits should have a Hamming weight of n/2 [41].
In the PRESENT block cipher, 64 leftmost bits are used for each round's encryption process, and the rest of the bits are ignored.Thus, the calculation for the Hamming weight is applied only to these 64 bits, as these directly participate in the encryption process.As the value of n is 64, each string's ideal Hamming weight value is n/2 = 32.Researchers in [41] presented a specific PRESENT-128 secret key, 0x484a04d32c22f3ae28200190103481f3, yielding a cumulative Hamming weight of 433 in 31 round keys.We have 31 round keys and 1 secret key, with a total of 32 keys in the KSA PRESENT.Therefore, the Hamming weight value should be 32 rounds × 32 bits = 1024 bits, rightly equivalent to 50% of the total bits.The same key is used as a secret key for both the original and improved KSAs, and the Hamming weight of each of the round keys is calculated using (10).

Hamming Weight =
Number of non-zero bits Total bits (10)

Ciphertext Evaluation
This section gives a detailed insight into the methods to evaluate the ciphertext produced from the KSA and improved KSA PRESENT.These are used to evaluate the strength of the improved KSA PRESENT so that it can be considered a replacement for the existing KSA.Four experiments are performed on ciphertext to evaluate it in terms of the avalanche effect, the correlation coefficient, semi-equivalent key, and time complexity.Table 3 shows the tests, their respective sub-tests on key and plaintext, and the total number of datasets for the secret key, plaintext, and ciphertext bits.This test helps us evaluate the impact of KSA's improvements on the ciphertext.The avalanche effect (AE) measures the effect of change in the ciphertext by changing one bit in the associated plaintext or the key.The total number of ciphertext bits affected by the modification in plaintext is called the avalanche effect.This test measures the non-linear characteristics of the proposed algorithm.The value for a good avalanche effect should be 50% of the bits, ensuring that each ciphertext bit is affected by the plaintext or the key bit [48][49][50].
The formula used to calculate AE is adopted from [51] and is defined in (11).Here, x is the length of the plaintext/ciphertext, which is 64 bits in this algorithm, and c i and p i are the ith ciphertext and plaintext bits, respectively.The calculated value is further categorized as a percentage to have a fair comparison using (12).For evaluation purposes, two different approaches are used, from the secret key and the plaintext perspectives.First, the secret key is kept constant while the plaintext is subjected to bit change.Secondly, the plaintext is kept constant for the key evaluation, and the secret key is subjected to bit flip.Table 3 shows the dataset specifications for this test.

Correlation Coefficient Test
This test aims at analyzing the non-linear association between plaintext and ciphertext [51][52][53][54].The confusion effect of an algorithm is calculated using (13).In this equation, the value of AE directly comes from (11), where c i and p i are the ith ciphertext and plaintext bits, respectively.This test is applied using three different types of keys and 1500 plain texts in total, shown in Table 3.This test aims to identify the relationship between the plaintext and its corresponding ciphertext.This test is performed from an attacker's perspective, who has access to the ciphertext and is establishing a connection with the plaintext.In the given scenario, the obtained values of R range from 0, +1 to −1 (both positive and negative directions).

Semi-Equivalent Key Test
The invertible mappings in the KSA PRESENT ensure that there are no equivalent keys in any rounds [41].As in [7], equivalent keys encrypt any plaintext to the same ciphertext, primarily because they have similar key expansion.The research was later extended to search for semi-equivalent keys, which produce nearly similar key expansion, providing very low Hamming weight [9], leading to small bit differences in the ciphertext.One such key pair is listed as 0x2a1145cfce0db6e38eaff175d39c90dc and 0x2a1145cfcf0db6e38eaff175d39c90dc, which only differ in one bit (bold and underlined).These keys are subjected to the Hamming weight test using (10) to validate the expected improvement.

Time Complexity
Time complexity is considered one of the essential factors in the encryption process [46].As KSA directly affects the performance of the cryptosystem, there must be a time comparison between techniques.The KSA is kept simple to control the time complexity of the overall encryption process.If the time complexity of the key generation increases, it will directly affect the whole encryption's performance by increasing its time.A highly efficient KSA with computationally expensive functions is not ideal for resource-constrained devices because speed with optimal security is the ultimate requirement.Therefore, it is necessary to compare the KSA PRESENT's time with the improved variant.The average time of 100 KSA's is calculated for the time complexity analysis.

Cost
The design of an algorithm is directly affected by the implementation complexity.A lightweight cryptographic solution is only considered implementable if its hardware implementation is inexpensive.The algorithm's applicability is directly associated with the area required for its hardware implementation, as these algorithms are designed to secure systems and perform well on low power devices.The area for hardware implementation is measured in gate equivalence (GE).It measures computational complexity and the chip area required (cost) for implementation.For a lightweight cryptographic solution, this value should not exceed the 3000 GE limit.This GE is calculated for the original and improved KSA, using the fundamentals of the base algorithm [19] and is compared for the cost analysis.

Results and Discussion
It is well known that statistical tests are not enough to withstand attacks, yet an algorithm that does not pass this test is more vulnerable to attacks [55,56].In this section, a detailed comparison of the KSA PRESENT and the improved version is performed.For a fair comparison of these algorithms, the parameter values, the inputs, and the implementation environment are kept the same.The comparison is divided into three major subsections as round keys evaluation, ciphertext evaluation and cost evaluation.

Round Key Evaluation
KSA evaluation can be better considered if the tests are performed on the generated round keys.The tests evaluate the generated round keys from five different perspectives, and the results are discussed in the following sections.

Frequency Test
The sequence is only considered random if all the round keys pass the frequency test because if this test is failed, then there is no need to perform other statistical tests [57].For this purpose, a dataset of 10,000 random secret keys is used as input for both KSAs using Equations ( 1)-(3).Both algorithms pass the frequency test, as the secret keys are random, and thus, the generated round keys are also random.Figure 5 exhibits the passing proportion of 11 round keys produced from random secret keys using the KSA and the improved KSA PRESENT.Both KSAs pass the frequency test, achieving an approximately equal proportion.These results highlight that good frequency can be achieved in round keys, provided that the secret key is random.

High and Low-Density Key Tests
The comparative results of NIST statistical tests are presented in Table 4 for HDK and LDK.Similar results on AES are also performed in the base paper [6] because it is a standard, and its KSA produces round keys with high randomness based on those four tests.From Table 4, proportions of KSA AES pass all statistical tests, representing the high randomness of round keys generated from nonrandom secret keys.Meanwhile, the KSA PRESENT does not pass any test for non-random keys.This transition is slowly propagative, and this is one of the leading reasons for successful attacks on the reduced round PRESENT [20,45].The improved KSA PRESENT successfully passes these statistical tests because of the new design considerations which produce random round keys from non-random secret keys.AES has a complex KSA with mostly non-linear functions, but for PRESENT, the KSAs are required to be less complicated owing to their application environment of primarily low-power devices.

Bit Differences between Round Keys
The PRESENT encryption algorithm is designed so that the round keys are directly XOR'ed with round data.Random round keys should be XOR'ed with round data to make it less predictable and more random.The KSA PRESENT has the left-shift function applied to 61 bits in each round key; this operation directly affects the maximum bits in each iteration.Tables 5 and 6 show the percentage of the bit difference among two consecutive round keys generated by the KSA and the improved KSA PRESENT, respectively.This difference is due to the one-bit change in different positions of each secret key.The test evaluates the average of the bit difference for 33 HDK, 33 LDK, and 34 random secret keys as input to both the KSA PRESENT and the improved KSA PRESENT.The result shows that the KSA PRESENT generates 6% to 43% of the bit difference among round keys when the secret key is HDK, while the improved KSA PRESENT generates 42% to 54% of the bit difference for the same keys.Using the LDK secret keys datasets, the percentage of the bit difference ranges from 4.8% to 41% for the KSA PRESENT and 44% to 60% for the improved KSA PRESENT.In comparison, the improved KSA PRESENT generates sturdy bit differences among round keys, but the KSA PRESENT generates low bit differences in the early rounds, and then improves later.As depicted in Figure 6, the improved KSA PRESENT outperforms the KSA PRESENT in each round.Using a random secret key dataset, the percentage of the bit change by the KSA PRESENT ranges between 48% and 51%, and the improved KSA PRESENT ranges between 49% and 58.3%.The average percentage of change for KSA PRESENT is between 20% and 45%, and the improved KSA PRESENT is between 52% and 58.4%.Ideally, the transition of bits between round keys should be at least 50%.The slow bit transition in early rounds of the KSA PRESENT can help the attackers predict the earlier round keys and access the secret key.

Hamming Weight Test
Low Hamming weight round keys can act as a helping hand for differential cryptanalysis attacks as discussed earlier.The KSA PRESENT produces low Hamming round keys if subjected to a special key [41].The obtained results are summarized in Table 7, with the round key's Hamming weight and round number calculated using (10).The KSA PRESENT produces round keys with Hamming weights ranging from 4 to 47.On the other hand, the improved algorithm produces round keys with Hamming weights ranging from 25 to 40, and the ideal value in each round is 32.The average Hamming weight for KSA PRESENT is 13.53, followed by 31.5 for the improved KSA PRESENT, indicating that the improved KSA produces round keys that can significantly resist differential cryptanalysis attacks [41].The ideal Hamming weight value for any secret key, along with its round keys, should be 1024 bits.The values presented in Table 7 show that the Hamming weight value for KSA PRESENT is 433/1024 × 100 = 42.28%,whereas when the same key is applied to the improved KSA, the obtained value is 1009/1024 × 100 = 98.5%.These findings indicate that the improved KSA achieves a significantly better Hamming weight and can be a better alternative to the existing KSA.

Ciphertext Evaluation
Ciphertext evaluation is an integral part of assessing the strength of the improved KSA.It is practically impossible to rule out the encryption algorithm that produces the ciphertext for the final evaluation.Thus, this section evaluates the impact of KSA on the encryption algorithm from four different perspectives, including the avalanche effect, correlation coefficient test, and time complexity.This gives a detailed insight into the effect of the improved KSA on the overall security system.

Avalanche Effect (AE)
The security of the cryptosystem is directly dependent on the plaintext, and the key as the encryption algorithm is publicly available, based on Kerckhoffs's principle.In this section, the effect of the key and the plaintext change is explored in detail.The findings are summarized in Tables 8 and 9 for key and plaintext, respectively.The study gives a deep insight into how many ciphertext bits will change if only one bit of key or plaintext is changed.Ideally, this value should be 32 bits (for PRESENT), exactly 50% or more of the bits.These values are calculated using (11), followed by a percentage conversion from (12) for fair comparison and easy table categorization.Subsequently, the obtained values are categorized into four categories based on the avalanche effect percentage, with 30% to 40%, 40% to 50%, equal to 50% (ideal), and greater than 50% (perfect).Similar datasets are applied to both the KSA PRESENT and its improved version.
The average values in Tables 8 and 9 indicate that the avalanche effect is significantly increased using the improved KSA PRESENT.The observations in Table 8 for the 30% to 40% category are 7.031% for the KSA PRESENT, reduced to 4.427% using the improved KSA PRESENT, indicating few values with smaller AE.Similarly, the observations for 50% AE are 5.73% for the KSA PRESENT, increased to 9.375% using the improved KSA PRESENT.For all other observations, the values are close for both the KSA PRESENT and its improved variant.The AE value for plaintext in Table 9 for category 30% to 40%, is 2.08% for the KSA PRESENT and is reduced to 0.52% for the improved KSA PRESENT, showing fewer observations with small AE.Following a similar pattern, the observations for the KSA PRESENT are 42.19% and 36.98% for the improved KSA PRESENT, for the 40% to 50% category.For the exactly 50% category, the observation for the KSA PRESENT is only 12.5% and is increased to 18.75% for the improved KSA PRESENT.For all other categories, the observations are very similar for both KSAs. Figure 7 summarizes all the values obtained for AE in a graphical format.Figure 7a-c shows random, HDK, and LDK key datasets observations, respectively.Figure 7d-f shows random HDP and LDP datasets' observations, respectively.These comprehensive results prove that the curve of the avalanche effect is more inclined toward a higher percentage of change using the improved KSA PRESENT.(e) (f)

Correlation Coefficient
The correlation coefficient is the ultimate test to find the relationship between plaintext and its corresponding ciphertext.Equation ( 13) is used to calculate the correlation value for 1500 different inputs for the KSA PRESENT and its improved version.The obtained value, R, depicts this relationship, as its values include 0, +1 and −1.Here, the positive and negative values of the correlation depict the direction of the relationship [51].Value zero indicates a perfect value; the ciphertext is entirely independent of plaintext, and the attacker cannot establish any connection between the plaintext and ciphertext by looking at any one of them [58].Values from 0 to 0.3 indicate a very weak relationship between plaintext and ciphertext, whereas those from 0.3 to 0.7 indicate a moderate relationship both in the positive and negative directions.A very strong relationship is observed if the R-value is from 0.7 to 1, followed by a perfect relationship if R = +1 or R = −1.
The output values from the three datasets are categorized according to their relationships and summarized in Table 10.The KSA PRESENT and improved KSA PRESENT are subjected to five different RK, LDK, and HDK, each.Each key is applied to a total of 100 plaintexts, and the obtained R-value is categorized according to the correlation between plaintext and ciphertext.Furthermore, an average of each dataset is also calculated for a fair comparison of both schemes.Comparing the results for KSA, the improved KSA PRESENT significantly outperforms the existing scheme for R = 0 for all three datasets.There is an increase in the weak plaintext and ciphertext relationships for all other observations and a decrease in strong relationships.Hence, it can be established that the improved KSA PRESENT can be a good alternative for situations where an attacker tries to access the plaintext by using ciphertext to establish a connection between them through the correlation properties.Moreover, it can also be seen that there are no observations of moderate, strong, or perfect relations between the plaintext and ciphertext.This test uses a semi-equivalent secret key as input to both the KSA PRESENT and its improved variant.Table 11 summarizes the findings from both KSA for round keys as well as for ciphertext.These two keys differ with only one bit, and that bit is bold in the first column of Table 11.The difference between the 32 keys (31 round keys and 1 secret key) is listed in the second column indicating an increase from 16 to 779 bits using the improved KSA.Two keys differ by only one bit, so their values are compared for ciphertext too, using the consistent HD plaintext.By keeping the plaintext constant and observing the change in the ciphertext, the bit difference is increased from 43.75% to 53.13%.These findings prove that even when the improved KSA is subjected to semi-equivalent keys, it increases the round keys difference and bit difference in the ciphertext.

Time Complexity
A complex KSA may provide better security, yet it takes more time to generate round keys.In a resource-constrained environment, the proposed security model should consider an optimal time complexity to improve the performance of the cryptosystem.The time complexity comparison is performed in Matlab 2019, with CPU speed 3 GHz.The proposed KSA is compared against KSA of AES and the original PRESENT presented in Table 12.In comparison, the KSA for AES-128 takes approximately 8 s to generate 11 round keys for the encryption, while the same number of keys is generated in 0.002122 s by PRESENT.The improved KSA takes 0.005358 s to generate 11 round keys.This significant time difference between the KSAs indicates that the KSA for the AES algorithm has more complex functions than the KSA PRESENT and improved KSA PRESENT.The KSA is carefully designed with a combination of linear and non-linear functions, which result in better security, yet the time complexity is not increased much.Meanwhile, the KSA PRESENT takes 0.00580 s to generate 31 round keys, and the improved KSA PRESENT takes 0.007671 s to generate the same number of round keys.These values are obtained by taking the average of 100 different keys in KSA.This time difference of 0.001871 s is negligible as a trade-off for the security improvement demonstrated by the proposed KSA for the avalanche effect, randomness, and correlation coefficient.

Cost
Area requirements for PRESENT (128) are 1886 GE and are presented in Table 13, along with the cost calculation for the improved KSA.The cost of implementation is increased from 1886 to 2502.85 GEs (an additional 633 GEs).Firstly, it is still below 3000, which is the cost limit for lightweight cryptographic solutions [39].Secondly, there is always a trade-off between achieving better security and cost.

Conclusions
This research aims to investigate the security impact on the improvements of the KSA of the symmetric block cipher, PRESENT.An improved KSA with the golden ratio, XOR, and reverse operations overcomes the slow transition and predictable linear behavior in round keys of the existing KSA.The results accentuate that the improved KSA enhances the overall security of the PRESENT block cipher.The original KSA only provides random round keys when the secret key is random, but the improved KSA provides round key randomness for low-density, high-density, and random secret keys.Bit change in the round keys increases from 20% to 54% on average, with increased Hamming weight from 42.8% to 98.5%, and the round key difference for a semi-equivalent key is increased from 0.78% to 38% using the improved KSA.Moreover, the ciphertext analysis proved that the avalanche effect has increased using the improved KSA, and more values are observed with 50% or more avalanche effect.The correlation coefficient of plaintext and ciphertext has a higher number of zeros for the improved KSA, and this pattern is consistent in all random, low-, and high-density keys.As a trade-off to these improvements, the round key generation time is also increased by 0.001871 s on average, and there is a 32.6% increase in the required number of gates for hardware implementation, which is minimal considering the garnered security improvements.
This research has two significant findings that can be considered for future directions.To start, KSA plays a very critical role in the security strength of cryptographic algorithms.The random round keys directly influence the randomness of the algorithm.Secondly, it is not necessary to introduce complex mathematical operations in KSA to achieve better security, but a simple KSA with carefully selected linear and nonlinear operations can also enhance both round keys and ciphertexts.

Step 1 : 2 : 3 : 4 :
Store the secret key to the key register, K = k 127 k 126 . . .k 0 Step Apply 61 bits shift to the left of K, where K = [k 66 k 65 . ..k 127 , k 126 . ..k 67 ] Step Substitute the leftmost four bits of K using S-box, where K[k 127 k 126 k 125 k 124 ] = S − box[k 127 k 126 k 125 k 124 ] Step Substitute the next leftmost four bits of K using S-box, where: K[k 123 k 122 k 121 k 120 ] = S − box[k 123 k 122 k 121 k 120 ] Step 5: XOR five bits of with the least significant bit of round counter i, where K[k 66 k 65 k 64 k 63 k 62 ] = [k 66 k 65 k 64 k 63 k 62 ]⊕i

Figure 2 .
Figure 2. Detailed key schedule of PRESENT block cipher.

Figure 3 .
Figure 3. Detailed design of improved KSA PRESENT.

Figure 4 .
Figure 4. Key schedule algorithm (KSA) evaluation from round key, ciphertext and cost perspectives.

Figure 5 .
Figure 5. Frequency test on 11 round keys KSA PRESENT and improved KSA PRESENT.

Figure 6 .
Figure 6.The average percentage of bit difference between generated round keys by the KSA PRESENT and the improved version.

Figure 7 .
Figure 7. Key (a-c), plaintext (d-f) bits flipped, and the percentage of bits changed in ciphertext.

Algorithm 1
Pseudocode of PRESENT block cipher.

Table 2 .
Test, sub-tests, property to be tested, secret keys as input, output bits, and significance level of each test.

Table 3 .
Test, sub-tests, number of secret keys as input, number of plaintexts, and output bits.

Table 4 .
p-Value observations for high-and low-density key tests.

Table 5 .
Bit difference between round keys using KSA PRESENT.

Table 6 .
Bit difference between round keys using improved KSA PRESENT.

Table 7 .
The Hamming weight of round keys using the special secret key.

Table 8 .
Avalanche effect using flipped key bits on KSA PRESENT and improved KSA PRESENT.

Table 9 .
Avalanche effect using flipped plaintext bits on KSA PRESENT and improved KSA PRESENT.

Table 10 .
Correlation analysis between plaintext and ciphertext.

Table 11 .
Semi-equivalent keys, round keys and ciphertext difference.

Table 12 .
Time complexity of KSA, AES, PRESENT and improved KSA PRESENT.

Table 13 .
Cost comparison of KSA PRESENT and improved KSA PRESENT.