Cryptographic Strength Evaluation of Key Schedule Algorithms

Key schedule algorithms play an important role in modern encryption algorithms, and their security is as crucial as the security of the encryption algorithms themselves. Many studies have been performed on the cryptographic strength evaluation of the encryption algorithms; however, strength evaluation of the key schedule algorithms often receives less attention, which can leave a loophole in the overall encryption process. In this paper, a criterion is proposed to evaluate the cryptographic strength of the key schedule algorithms. This criterion includes different methods of data generation from subkeys and a suitable set of statistical tests. The statistical tests are used to explore the cryptographic properties such as diffusion, confusion, independence, and randomness in the subkeys generated by the key schedule algorithm. The proposed criterion has been applied to some of the key schedule algorithms of different block ciphers. The results confirm that the proposed criterion can effectively differentiate between strong and weak key schedule algorithms.


Introduction
The security of a block cipher mainly depends on the strength of the encryption algorithm and the secrecy of the secret key. The security of an encryption algorithm is achieved through the nonlinear and linear functions/components [1]. Substitution box(es) or some multiplication functions are used to introduce the nonlinearity in the encryption algorithm. Linear functions such as permutation, circular shifts, and MDS matrix diffuse the nonlinearity over the whole input block [2]. These functions enable the encryption algorithm to hide the relationship between plaintext and ciphertext. The security of an encryption algorithm is directly affected by the strength of the Key Schedule Algorithm (KSA). The KSA derives the subkeys from the secret key, which are used in each round of an encryption algorithm. It is required that the subkeys generated by the KSA have no linear relationship with each other or with the secret key. The KSA needs to be strong enough that an attacker who learns some bits of the subkeys, or even a whole subkey, cannot calculate the whole secret key [3]. Cipher designers follow Shannon's principles during the design stage of an encryption algorithm to achieve confusion and diffusion properties. These properties should also be taken care of in a KSA in order to have independence among subkeys.
A simple and weak KSA generates subkeys that have a linear relationship with each other and the secret key. Related-key attacks and slide attacks take advantage of this simple relationship between the subkeys and the secret key. Such a relationship also makes the cipher vulnerable to linear and differential attacks [4]. A strong KSA helps to make the overall cipher more resistant to linear and differential attacks.
In comparison to the requirements of the strong encryption algorithm, there has been less focus on the requirements of a strong key schedule algorithm in the literature. Knudsen [5] pointed out that a key schedule is strong if all subkeys are equally secure. According to Blumenthal et al. [3], several attacks can take advantage of the linear relation between subkey bits. To achieve maximum avalanche effect in the subkeys, they proposed that a KSA must possess the property that all input key bits must equally affect the output subkeys of the KSA. In [6], the authors recommended that related key and differential attacks can be thwarted by maximizing the avalanche in the subkeys and avoiding the linearity in KSAs.
May et al. [7] proposed three desirable properties for the KSA, that is, a collision-resistant one-way function, independence between subkeys and secret-key bits, and implementation efficiency. Two statistical tests, namely, the frequency test and the Strict Avalanche Criteria (SAC) of the CryptX test suite, were used to measure the strength of the KSA of AES. In [8], evaluation of the independence between the subkeys generated by the KSA is presented. The authors have shown that independence among the subkeys ensures the KSA's strength against the key-dependent attack. The avalanche effect is a desirable cryptographic property in cryptographically secure algorithms. If a KSA shows a good avalanche value, then it indicates more security. A low avalanche value shows poor randomization in the algorithm, which can help the cryptanalyst to partially and completely break the algorithm [9]. The strength of a KSA depends on the functions used to generate the subkeys. In the literature, many KSAs are proposed which use different techniques to generate the subkeys. For example, the IDEA block cipher uses a linear function (circular shift) to generate the subkeys [10]. Similarly, the KSA of the PRESENT block cipher [11] uses a linear permutation as a major component to generate the subkeys. However, the nonlinear function (s-box) is used only on a limited number of bits. Twofish uses a complicated key schedule algorithm. It utilizes a combination of confusion and diffusion in its KSA to generate the subkeys [12]. The KSA of AES uses linear and nonlinear functions to generate the subkeys [13]. Huang and Xuejia modified the KSA of AES [14] by taking the transpose of the subkey matrix. The authors claimed that this modification will make the new KSAs immune against the SQUARE, meet-in-the-middle, and related-key attacks. The authors in [15] are of the view that a strong key schedule can be designed by using only those functions which are part of the encryption algorithm.
The KSA of the Serpent block cipher falls in this category [16]. May et al. [6] proposed a new KSA of AES based on all functions taken from the encryption algorithm. The proposed KSA passed the frequency and SAC tests from the CryptX test suite. The authors also claimed to reduce the code size of the overall block cipher. The authors in [17] identified the weaknesses in the key schedule algorithm of RC4. In [18], the authors described the benefits of using chaos in the key schedule algorithm, and in [19], the authors presented a multidimensional key algorithm for RC6. However, in all of these studies, no criteria were discussed for evaluating the cryptographic strength of the key schedule algorithms. The above studies reflect that the evaluation of the KSA during its design stage has been a less focused area in the literature. Unfortunately, there is no known testing tool kit to evaluate the cryptographic strength of a KSA. Bit confusion, bit diffusion, independence, and randomness are desirable cryptographic properties of subkeys generated by any KSA. Therefore, it is proposed that a KSA should at least be tested against these properties.
This research work aims to propose testing criteria to evaluate the cryptographic strength of any key schedule algorithm. It includes methods of data generation from subkeys and a suitable set of statistical tests that explore the cryptographic properties of a key schedule algorithm. Studies show that although statistical tests are not a sufficient criterion for claiming the cryptographic strength of cryptographic algorithms, they provide a necessary criterion for a strong cryptographic algorithm. If an algorithm passes the statistical tests, it does not mean that the algorithm will withstand all the possible attacks; however, if an algorithm fails the necessary statistical tests, then it surely will not withstand even the basic attacks on the algorithm [20][21][22][23]. Therefore, along with the cryptographic properties, namely, confusion, diffusion, independence, correlation, and time complexity, the statistical tests of frequency, bit independence, bit correlation, and high/low-density key are considered in the proposed strength evaluation criterion of the KSA. The remainder of the paper is organized as follows: Section 2 briefly describes the criteria to evaluate the cryptographic strength of any KSA. For analysis, four KSAs are selected from the literature and are listed in Section 3. The data generation process for the strength evaluation of the KSA is presented in Section 4 and results are discussed in Section 5. The concluding remarks are given in the last section of this paper.

Key Schedule Evaluation Criterion
In the current era of modern block ciphers, breaking the cipher is relatively hard and requires considerable resources and time, so attackers are more interested in finding the secret key by other means, for example, brute force attacks, dictionary attacks, and deriving key bits of subkeys. Thus a secure KSA is necessary for any block cipher and it directly affects the security of the block cipher [8,24]. A KSA must possess strong confusion and diffusion properties and all generated subkeys must be independent of each other so that any compromised subkey does not reveal any information about other subkeys or secret keys. A weak key schedule algorithm makes a strong cipher vulnerable to many statistical and other cryptanalysis attacks. If the KSA generates subkeys that have a simple relationship, it degrades the security of the overall cipher and its resistance against related-key attacks, slide attacks, linear and differential attacks [4], boomerang and rectangle attacks [25], and SQUARE and meet-in-the-middle attacks [14]. Therefore, a key schedule algorithm should be well designed and complex.
In this paper, we define a Key Schedule Evaluation Criterion (KSEC) that can evaluate the cryptographic properties such as confusion, diffusion, randomness, and independence among subkeys. In this regard, four sets of statistical tests, namely, frequency, bit independence, bitwise uncorrelation, and high/low-density keys, are selected to evaluate the abovementioned cryptographic properties. Moreover, as a complex KSA can affect the time efficiency of a block cipher, the time efficiency of the KSA is also calculated. The description of the selected cryptographic sets of tests is given in the following sections. Before explaining the tests, it is necessary to express a key schedule algorithm in the 4-element model [8]. This model can be defined as Here, SK is a subkey set, F is the key schedule algorithm function, K is the secret key of length n bits, m is the length of subkeys, and r is the number of subkeys.

Frequency Test.
In random data, the proportion of zero and one should be close to 50%. The purpose of this test is to determine whether the numbers of 1's and 0's are equal in the subkeys [15] generated by a KSA. If the subkeys fail to pass the frequency test, it implies that the subkeys do not fulfill the basic requirement of randomness. Therefore, that KSA will be considered weak and there is no need to apply the remaining tests to explore other weaknesses. A brief description of the frequency test is given as follows.
Let a_0 and a_1 denote the number of 0's and 1's in an n-bit sequence and the statistic used is [16,26,27] Here, Z approximately follows a χ² (chi-square) distribution with 1 degree of freedom if n ≥ 10.

Bit-Independence Tests (BITs).
The second test in the KSEC is the bit-independence tests (BITs), which are used to check the bit confusion and diffusion properties of a KSA. Confusion and diffusion properties in a KSA ensure that the relationship between the secret key and the subkeys is complex and that a bit change in the secret key (K) propagates to all subkey bits. The aim of these properties in the KSA is to protect the cipher from statistical attacks and cryptanalysis attacks like related-key attacks, slide attacks, and so on. BITs depend on the degree of completeness (d_c), avalanche effect (d_a), and strict avalanche effect (d_sa) [28]. To calculate these values, avalanche vectors are produced by XORing the subkeys generated by K and K^(i) (for i = 1, 2, ..., n), where K^(i) is obtained by complementing the i-th bit of K. A brief description of BITs is given in the following sections. A function f: (GF(2))^n ⟶ (GF(2))^m that maps n input bits into m output bits is said to be complete if each output bit depends upon all input bits [28]; that is,

Avalanche Effect (AE).
A function f: (GF(2))^n ⟶ (GF(2))^m has the avalanche effect if an average of 1/2 of the output bits changes with the change in a single bit of the input [28]; that is,

Strict Avalanche Criteria (SAC).
A function f: (GF(2))^n ⟶ (GF(2))^m satisfies the strict avalanche criterion if each output bit changes with a probability (Pr) of 1/2 whenever a single input bit is complemented [28,29]; that is, A KSA is said to have a good degree of completeness, avalanche effect, and strict avalanche criterion if the following equalities are satisfied: If a KSA fails to satisfy these limits, then the KSA does not exhibit good confusion and diffusion properties.
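The three BIT measures can be computed directly from avalanche vectors. The following is an added example, not code from the paper: it assumes the usual dependence-matrix and distance-matrix definitions of d_c, d_a and d_sa, and `rot_subkey` and `hash_subkey` are hypothetical stand-ins (a rotation-only schedule built on a 25-bit circular shift, and a SHA-256 based derivation), not the key schedule of IDEA or any other real cipher. The sample count and seed are also assumptions.

```python
import hashlib
import random

N = M = 128  # secret-key length n and subkey length m in bits, as used on the page


def rot_subkey(key: int, rnd: int = 1) -> int:
    """Hypothetical rotation-only schedule: key rotated left by 25*rnd bits."""
    s = (25 * rnd) % N
    return ((key << s) | (key >> (N - s))) & ((1 << N) - 1)


def hash_subkey(key: int, rnd: int = 1) -> int:
    """Stand-in for a nonlinear schedule: SHA-256(key || round), first 128 bits."""
    digest = hashlib.sha256(key.to_bytes(16, "big") + bytes([rnd])).digest()
    return int.from_bytes(digest[:16], "big")


def bit_degrees(ksa, samples: int = 64, seed: int = 1):
    """Return (d_c, d_a, d_sa) for one subkey function ksa(key) -> m-bit int."""
    rng = random.Random(seed)              # fixed seed: constructed, repeatable keys
    a = [[0] * M for _ in range(N)]        # a[i][j]: flips of output bit j when key bit i flips
    b = [[0] * (M + 1) for _ in range(N)]  # b[i][w]: avalanche vectors of weight w for key bit i
    for _ in range(samples):
        k = rng.getrandbits(N)
        base = ksa(k)
        for i in range(N):
            v = base ^ ksa(k ^ (1 << i))   # avalanche vector for K and K^(i)
            b[i][bin(v).count("1")] += 1
            row, j = a[i], 0
            while v:
                if v & 1:
                    row[j] += 1
                v >>= 1
                j += 1
    cells = N * M
    # Completeness: fraction of (input bit, output bit) pairs that ever interact.
    d_c = 1 - sum(1 for row in a for x in row if x == 0) / cells
    # Avalanche: mean avalanche-vector weight per input bit should be m/2.
    d_a = 1 - sum(
        abs(sum(2 * w * c for w, c in enumerate(bi)) / samples - M) for bi in b
    ) / cells
    # Strict avalanche: every output bit should flip with probability 1/2.
    d_sa = 1 - sum(abs(2 * x / samples - 1) for row in a for x in row) / cells
    return d_c, d_a, d_sa


if __name__ == "__main__":
    for name, f in (("rotation-only", rot_subkey), ("hash stand-in", hash_subkey)):
        print(name, ["%.4f" % d for d in bit_degrees(f)])
```

On the rotation-only model each key bit reaches exactly one subkey bit, so all three degrees collapse towards 0, while the hash stand-in gives d_c = 1 and d_a close to 1; d_sa approaches 1 only as the number of sampled keys grows.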

Bitwise-Uncorrelation Tests (BUCT).
The third test in the KSEC is BUCT, which checks the correlation among the bits of subkeys [8]. A KSA is said to pass BUCT if all subkeys are bitwise uncorrelated with each other. Subkeys which hold this property exhibit immunity against linear and differential attacks and key-dependent attacks. To express the relationship between every bit of K_i and K_j, XOR all possible combinations of bits of K_i and K_j. Bit strings resulting from the XOR operation are concatenated to get the required sequence, which is explained in the following: where Here, i ≠ j, i = 1, 2, ..., r, j = 1, 2, ..., r, and (K_i[L] ⊕ K_j) is the XOR between the L-th byte of K_i with all bits of K_j. The binary sequence generated by (7) is then tested for randomness by using four statistical tests including frequency, runs, poker, and autocorrelation, which are described below. All subkeys are said to be bitwise uncorrelated if the data generated by (7) passes all these four statistical tests.

Frequency Test.
The definition of this test has been described above in Section 2.1. However, here the frequency test is applied to the data generated by (7).

Runs Test.
Let O_i denote the number of runs of 0 of length i and 1_i denote the number of runs of 1 of length i in an n-bit sequence [27,30]. The length of expected contin- The following statistic is used to evaluate the length of runs in a sequence: Here, Z follows a χ² (chi-square) distribution with (2L − 2) degrees of freedom.

Poker Test.
The poker test checks the number of times the P-bit block appears in an n-bit sequence [27]. Divide the sequence into B nonoverlapping blocks, each of length P. Suppose b_i is the i-th bit of a P-bit sequence. The following statistic is used to test the uniformity of the distribution of P-bit blocks: where 4 ≤ P ≤ 8 and Z approximately follows a χ² (chi-square) distribution with 2^P − 1 degrees of freedom.

Autocorrelation Test.
The autocorrelation test checks the degree of dependence between a sequence (S_i) and its shifted sequence (S_{i+d}) [27]. Let d be a fixed integer, 1 ≤ d ≤ (n/2); then the following test statistic is used to check the dependency among (S_i) and (S_{i+d}): where n − d ≥ 10 and then Z(d) follows a N(0, 1) distribution.

High/Low-Density Key Test.
The purpose of this set of tests is to evaluate the strength of the KSA when the secret key is nonrandom. A secure KSA is needed to generate random subkeys even when the input secret key is nonrandom. The low- and high-density bit vectors are used as nonrandom secret keys. The low-density keys are the set of secret keys in which one and two bits of the secret keys are 1, whereas other bits are zero. For high-density keys, the secret key has one or two zero bits, while the remaining bits are 1. The generated subkeys from nonrandom secret keys are tested against the randomness property. Four statistical tests, namely, frequency, runs, block frequency, and cusum [26], are selected for testing the randomness of subkeys. The said tests are taken from the NIST test suite since they can be applied on small sequences of subkeys (128 bits long) [26]. The other tests of the NIST suite are not applied here due to the requirement of larger sequence length. The frequency and runs tests have been described in Sections 2.1 and 2.3, respectively; therefore only the block frequency and cusum tests are described in the following sections.

Block Frequency Test.
The n-bit input sequence is divided into B = n/M nonoverlapping blocks to perform this test. This test determines whether the frequency of "ones" is approximately equal to M/2 in each M-bit block. The following test statistic [26,30] is used to calculate the frequency of one or zero in B: where π_i is the proportion of 1 in each M-bit block. The test statistic follows a χ² (chi-square) distribution with B degrees of freedom.

Cumulative Sum (Cusum) Test.
In this test, 0's and 1's of the n-bit sequence are converted to values −1 and +1 using X_i, where X_i = (2ε_i − 1). Then calculate the cumulative sum S_i of partial subsequences, each starting with X_1 for forward (0) mode or X_n for backward (1) mode [26]; that is, The test statistic Z is given in the following equation: where Z follows a normal distribution N(0, 1).

Time Complexity.
Time complexity is another parameter to compare the computational efficiency of different KSAs [7]. A block cipher with good security and lesser execution time is preferred in real-time applications. Since the KSA is an important part of a block cipher, its execution time also contributes to the time complexity of the entire block cipher. A good key schedule is one that exhibits good confusion, diffusion, and independence properties as well as less execution time. The execution time of the KSAs is also estimated and is given in the results and discussion section.
Each test described above needs some parameter values for the calculation of the results. Table 1 presents the values of the different parameters and the minimum number of secret keys needed to perform these tests. Since the frequency, bitwise-uncorrelation, and weak key tests involve hypothesis testing, their threshold level is determined by the level of significance α. The value of α can be changed according to the requirement.

Key Schedule Algorithms
As the minimum recommended key size for block cipher is 128, for testing the security strength of KSAs, the proposed evaluation criteria are applied to the popular published algorithms that have a secret key length of 128 bits or 256 bits. The KSAs of AES, Serpent, PRESENT, IDEA, and Twofish are selected and analyzed through the proposed criterion. The standard implementation of these algorithms with a key size of 128/256 bits is considered. The subkey length used in the round function differs between these algorithms, but for comparison purposes we took all the key lengths equal to 128 bits.
Triple DES is not selected for the evaluation process, as it has not been considered secure by NIST since 2017 and by Microsoft since 2018 [31,32]. Similarly, we did not select Blowfish (1993); instead we selected its superior version, Twofish (1998), for the evaluation purpose [33]. Table 2 describes the secret key length and subkey length for these KSAs. In this work, 11 subkeys are generated against each secret key by all KSAs, since this number of subkeys is found to be sufficient to depict the statistical characteristics of a KSA.

Data Generation
The data generation methodology for each test is described in the following sections.

Frequency Test.
To test the balance property of subkeys, a set of ten thousand random secret keys {K1, K2, ..., K10, K10000} is taken and the subkeys are generated from each selected KSA. The SK set for KSAs can be presented as given in the following: where n is the length of the secret key and i = 1, 2, ..., 10000. The frequency test is performed on 11 sets of 10,000 subkeys generated for each round. The chosen level of significance α is 0.03, which indicates that 97% of sequences of subkeys should pass this test.

Bit Independence Tests.
In BITs, a set of ten thousand random secret keys {K1, K2, K3, ..., K10,000} is taken and the subkeys are generated from all KSAs. The complement set of each secret key is also produced by changing the j-th bit of K_i, that is, {K_i^j} for all i = 1, 2, ..., 10000 and j = 1, 2, ..., n. The SK set for KSAs can be represented as where n is the length of the secret key and the SK set for the complement values is For each type of KSA, the avalanche vectors are generated to calculate the values of d_c, d_a, and d_sa as described in Section 2.2.

Bitwise-Uncorrelation Tests (BUCT).
BUCT evaluates the dependency among the bits of subkeys. In BUCT, a set of 500 random secret keys is taken. The SK set for KSAs is given as follows: where n is the secret key length and i = 1, 2, ..., 500. The 500 sequences are generated by the method described in Section 2.3. The length of each sequence is given as follows: (19) where (m = 128 and r = 11). The generated binary sequence will be tested against randomness by using four basic statistical tests, namely, frequency, runs, poker (P = 4), and autocorrelation (d = 2) [8,30]. The threshold level α is set at 0.10; that is, 10 (90%) out of 100 sequences are expected to be rejected (accepted).

High/Low-Density Key Tests.
In the previous tests, all KSAs are tested by taking random input secret keys. A cryptographically strong KSA should also generate random subkeys when the input secret key is weak/nonrandom. For this purpose, high- and low-density keys are selected and used as secret keys in the KSAs. Four tests are selected from the NIST test suite, namely, frequency, block frequency, runs, and cusum tests. In the NIST test suite, the block frequency test is a parameterized test and the value of the block length is selected as 20. The number of nonrandom secret keys in high and low density is 8257. The SK set of KSAs for high and low density is given as follows: where n is the secret key length and i = 1, 2, ..., 8257. The total number of sequences in high- and low-density tests is 8257 × 11 = 90827. The passing percentage for this number of sequences is 98% with the level of significance equal to 0.01 [26]. All parametric values required to generate data for different statistical tests have been summarized in Table 1.
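The high/low-density procedure of Section 2.4 and of this section, restricted to the frequency test, as an added example that is not code from the paper. It assumes the standard monobit statistic Z = (a_0 − a_1)²/n with one degree of freedom, and it assumes the weight-0 key (weight-128 for high density) is part of the set, which reproduces the page's count of 8257; `rot_ksa` and `hash_ksa` are hypothetical stand-ins for a rotation-only and a nonlinear schedule, not the schedules of the ciphers evaluated here.

```python
import hashlib
import math
from itertools import combinations

N = 128          # secret-key and subkey length in bits
ROUNDS = 11      # subkeys generated per secret key, as on the page
MASK = (1 << N) - 1


def low_density_keys():
    """Keys with at most two 1 bits: 1 + 128 + C(128, 2) = 8257 keys."""
    yield 0      # assumption: the all-zero key completes the count of 8257
    for i in range(N):
        yield 1 << i
    for i, j in combinations(range(N), 2):
        yield (1 << i) | (1 << j)


def high_density_keys():
    """Bitwise complements of the low-density keys (at most two 0 bits)."""
    return (k ^ MASK for k in low_density_keys())


def rot_ksa(key: int):
    """Hypothetical rotation-only schedule: round r is the key rotated by 25*r."""
    out = []
    for r in range(ROUNDS):
        s = (25 * r) % N
        out.append(((key << s) | (key >> (N - s))) & MASK)
    return out


def hash_ksa(key: int):
    """Stand-in for a nonlinear schedule: SHA-256(key || r), first 128 bits."""
    kb = key.to_bytes(16, "big")
    return [
        int.from_bytes(hashlib.sha256(kb + bytes([r])).digest()[:16], "big")
        for r in range(ROUNDS)
    ]


def frequency_p_value(subkey: int) -> float:
    """Monobit test on one 128-bit subkey; Z is chi-square with 1 d.o.f."""
    a1 = bin(subkey).count("1")
    a0 = N - a1
    z = (a0 - a1) ** 2 / N
    return math.erfc(math.sqrt(z / 2))   # upper tail of chi-square(1) at z


def pass_rate(ksa, keys, alpha: float = 0.01):
    """Fraction of subkey sequences with p-value >= alpha, and their count."""
    total = passed = 0
    for k in keys:
        for sk in ksa(k):
            total += 1
            passed += frequency_p_value(sk) >= alpha
    return passed / total, total


if __name__ == "__main__":
    for name, ksa in (("rotation-only", rot_ksa), ("hash stand-in", hash_ksa)):
        low, n_seq = pass_rate(ksa, low_density_keys())
        high, _ = pass_rate(ksa, high_density_keys())
        print(f"{name}: {n_seq} sequences, low {low:.2%}, high {high:.2%}")
```

A rotation preserves Hamming weight, so every subkey of the rotation-only model inherits the key's extreme weight and no sequence passes, whereas the stand-in stays above the 98% passing threshold.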

Results and Discussion
In the following sections, the results of the statistical tests for the KSAs are discussed.

Frequency Test.
The frequency test is related to the confusion property of the KSA. A balanced and uniformly distributed sequence makes statistical attacks more complex. The results of the frequency test for the KSAs of AES, Serpent, PRESENT, IDEA, and Twofish are shown in Figure 1. For each round, the subkeys of the KSA of AES pass the frequency test with a value greater than 98%. The results show a good balance of zero and one in each subkey for the random input secret key. The KSA of Serpent also shows a good balance between the distribution of zero and one for the random input secret key. For each round subkey, the passing percentage is approximately equal to 99% (Figure 1).
Since KSA of PRESENT uses the rotation function, therefore, generated subkeys will also be random when the input secret key is random. Figure 1 shows that the passing percentage is approximately equal to 99% for each round subkey.
The KSA of IDEA passed the frequency test with a high percentage for the subkey of each round. Since the KSA of IDEA uses the 25-bit circular shift to generate subkeys, this rotation does not affect the distribution of zero and one in the subkeys. Thus the passing percentage is 99.02. The KSA of Twofish passed the frequency test, which shows a good balance of the distribution of zeros and ones for the random input secret key. The KSAs of IDEA and PRESENT pass the frequency test (for random input secret key) even though they are known to be vulnerable to many attacks [34][35][36][37]; it can be inferred that the frequency test is necessary but not sufficient for strength evaluation of a KSA in the case of random input secret keys. Therefore, other tests are also required for the evaluation of KSAs.

Bit Independence Tests.
The KSA of AES does not fulfill the BIT criteria since the calculated values for d_c and d_a are far away from 1 for each round. Also, the value of SAC (d_sa) is 0.77 even after the 11th round subkey (Table 3). The results of SAC show that the key schedule algorithm of AES lacks the confusion and diffusion property. The main problem in the KSA of AES is the relationship between the original key and the generated words. If the value of one word is known, then the other words and the secret key can be deduced by different methods. Also, the KSA of AES has few nonlinear elements and a slower diffusion structure to generate the subkeys. Most of the cryptanalysis attacks on AES take advantage of this weakness in its KSA, for example, related-key attacks, linear and differential attacks, and combined attacks [5,38]. After a little modification, the SAC value of the KSA can be improved, which can make the AES cipher more secure [6,9,13]. The KSA of Serpent passes the BIT criteria, as the values are d_c = 1, d_a = 0.9999, and d_sa = 0.991989 after the first round. From Table 3, it can be observed that the SAC value of the KSA of Serpent is approximately equal to 1 for each round subkey. The high SAC value indicates that the KSA of Serpent gives the cipher strong immunity against statistical attacks, related-key attacks, and slide attacks. The KSA of PRESENT fails the BIT, as the value of d_c is 1 and the values of d_a are found to be far away from 1 for each round subkey. The KSA also does not pass the SAC property (d_sa ≈ 0.50) even for the 11th round, which can also be seen from Table 3. The failure of the SAC test indicates that the KSA of PRESENT generates nonrandom subkeys and the algorithm does not hide the relationship between subkeys and secret key completely. The weaknesses in the KSA might help the attacker to launch cryptanalysis attacks, like related-key attacks, slide attacks, and so on, to partially break the cipher [36].
The calculated values of d_c and d_a are 0 for each round subkey of the KSA of IDEA. From Table 3, it can be seen that the SAC values of the KSA lie on the x-axis. Hence, the KSA of IDEA fails all tests of BIT (d_c = 0, d_a ≈ 0, and d_sa = 0) for each round subkey, which indicates that the KSA does not provide good confusion and diffusion properties to subkeys. The KSA of IDEA is a weak KSA and has a linear relationship between the subkeys and the secret key. This simple structure degrades the security of the overall cipher. This weakness in the KSA can make the IDEA cipher more vulnerable to related-key attacks, chosen-key differential attacks, and linear and differential attacks [39,40]. The KSA of Twofish passed the BIT criteria after four rounds. The KSA of Twofish uses strong linear components and nonlinear components to hide the relationship between the subkeys and the secret key.
This complex relationship makes the cipher strong against many cryptanalysis attacks which utilize the avalanche weakness in a KSA.

Bitwise-Uncorrelation Test (BUCT).
The results of the four basic tests are presented by the line graph in Figure 2, which shows that AES-KSA has a percentage value greater than or equal to 88% for all tests. In the case of Serpent-KSA, the value of the percentage for all tests is greater than or equal to 90%. It can be noticed from the graph that the percentage value of PRESENT-KSA is less than 55% for each test, which is far away from the passing threshold (90%). However, the IDEA-KSA shows a 0% value for all tests, which indicates that all 500 sequences do not pass this test. The zero percentage result predicts the unbalanced distribution of zero and one. KSAs of Twofish have a good percentage (91%) for all the BUCT tests.
It can be concluded from the results that the KSAs of AES and Serpent have good independence among the subkeys, whereas the KSA of PRESENT has a correlation among the subkeys. On the other hand, the KSA of IDEA has a strong correlation among the subkeys. The KSAs of Serpent and Twofish have good independence among the subkeys, which can make ciphers more immune against the cryptanalysis attacks related to the KSA. The KSAs of AES also have good results but are a little bit lower than 90%. These results strengthen the result concluded from the BIT test. On the other hand, the BUCT results show that the KSAs of PRESENT and IDEA generate subkeys that are statistically correlated.
This correlation can aid an attacker to launch cryptanalysis attacks like key-dependent attacks and related-key attacks on reduced rounds of the PRESENT and IDEA ciphers [5,40,41].

Table 4, the results of the KSAs of PRESENT show that the passing percentage value is zero for both high- and low-density keys in the case of PRESENT; that is, no sequence passes the statistical tests.

High/Low-Density Key
The KSA of IDEA involves only the circular shift. Circular shifts do not convert nonrandom behavior into random behavior. It can be seen from Table 4 that the KSA fails all the tests for low- and high-density input secret keys. The results show that the KSAs of PRESENT and IDEA generate nonrandom subkeys when the input secret key is nonrandom.

Time Complexity.
The time of one execution of a KSA can be used for comparison between KSAs. One execution of a KSA implies the time taken by the KSA to generate the 11 subkeys. Each KSA is implemented in C language and the CPU speed is 3.00 GHz. Table 5 presents the comparison of execution time between the KSAs.
It can be seen from Table 5 that the KSAs of Serpent and Twofish take more time to generate the subkeys than all other KSAs. The KSAs of both algorithms passed all the tests but their computational overhead is high. On the other hand, AES takes 8 seconds to generate the 11 subkeys. The execution time for the KSA of PRESENT is 0.0001 seconds to generate 11 subkeys, whereas IDEA-KSA takes 0 seconds to generate the same number of subkeys.

Data Availability
All relevant data are available in the submitted Excel file.

Conflicts of Interest
The authors declare that they have no conflicts of interest.