A Lightweight block cipher based on quasigroups

The extensive deployment of tiny computing devices, such as sensors, tablets and smart phones, presents a requirement for encryption systems fit for low-resource equipment. Despite implementation advances, the Advanced Encryption Standard (AES) is not suitable for extremely constrained environments such as sensor networks and smart phones. In this paper, we give a new lightweight block cipher based on quasigroups. A quasigroup can be viewed as a series of S-boxes. All the S-boxes of the quasigroup used in this new cipher are optimal in linearity and differential uniformity, and all the components of these S-boxes have the highest algebraic degree. We compare the performance of this new cipher with AES by using the NIST-STS; the randomness of the new cipher is better than that of AES.


Introduction
The extensive deployment of low powered systems, such as sensors, tablets and smart phones, will be part of the IT landscape of this century. This provides a challenging area in the design of cryptosystems because of tiny computing devices' constraints of low power, low memory and limited communication range. Most cryptosystems, such as AES and RSA, were designed for desktop environments, and the algorithms become a drain on the battery life of low powered devices. Further, with the increase of cloud services, data being transmitted to and by these devices is growing at an exponential rate [1].
A quasigroup $(Q, *)$ is a groupoid where $Q$ is a set and $*$ is a binary operation on $Q$ such that the equations $a * x = b$ and $y * a = b$ are uniquely solvable for each pair of elements $a, b \in Q$. $|Q|$ is called the order of the quasigroup $(Q, *)$. A quasigroup of order $v$ can be viewed as a series of $v$ S-boxes. The theory of quasigroup applications in cryptology is now going through a period of rapid growth. Quasigroup theory is widely used in the design of hash functions [2,3], secret sharing systems [4], authentication of a message [5,6], zero knowledge protocols [7], stream ciphers [8,9], and block ciphers [10,11], etc.
Battey and Parakh designed a quasigroup block cipher with a randomly chosen quasigroup of order 256 [10]. A quasigroup of order 256 may be too big for low memory devices, and a randomly chosen quasigroup may not be optimal in linearity and differential uniformity. In this paper, we will present a new lightweight block cipher based on a carefully chosen quasigroup of order 16. The new cipher is named Quasigroup Lightweight block cipher (QLW for short). The paper is organized as follows: in Section 2 we will define two kinds of string transformations based on quasigroups, e-transformation and d-transformation. In Section 3 we present the algorithm of QLW. In Section 4 we analyse the security of QLW, including the linearity, differential uniformity, algebraic degree and randomness. Section 5 contains concluding remarks.

String Transformations based on Quasigroups
Let $Q$ be a finite set and $(Q, *)$ be a quasigroup. Let $Q^+$ be the set of all nonempty words (i.e. finite strings) formed by the elements of $Q$. The elements of $Q^+$ will be denoted by The mapping $E_{a,*}$ is called an e-transformation of $Q^+$ based on $(Q, *)$ with leader $a$, and the graphical representation of $E_{a,*}$ is shown in Figure 1. We define another mapping $D_{a,*}$: The mapping $D_{a,*}$ is called a d-transformation of $Q^+$ based on $(Q, *)$ with leader $a$, and the graphical representation is shown in Figure 2. Let $(Q, *)$ be a quasigroup, define another binary operation "\" on $Q$ as follows: It is easy to see that $(Q, \backslash)$ is also a quasigroup and $(Q, \backslash)$ is called the 132-conjugate of $(Q, *)$.
Theorem 1 [12] Let $Q$ be a finite set, $(Q, *)$ be a quasigroup and $(Q, \backslash)$ be the 132-conjugate of $(Q, *)$. Then $\forall a \in Q$ and i.e. $D_{a,\backslash}$ is the inverse bijection of $E_{a,*}$. Table 1 is the multiplication table of a quasigroup $(Q, *)$, where $Q$ is the finite field $F_{16}$. It is easy to check that
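The following Python sketch is an added example, not code from the paper. It implements the e- and d-transformations using the standard definitions from the quasigroup string-processing literature (assumed here to match the paper's), builds the 132-conjugate, and checks the inverse property stated in Theorem 1. The quasigroup `mul` is a constructed stand-in for Table 1 and is affine, so it is easy to verify by hand but not cryptographically suitable.

```python
# Added example: e-/d-transformations over a constructed quasigroup of order 16.
N = 16

def mul(a, b):
    """Constructed operation a * b (an assumption, NOT the paper's Table 1)."""
    return (5 * a + 3 * b + 7) % N

def is_quasigroup(op, n=N):
    """Latin-square check: every row and every column is a permutation of Q."""
    full = set(range(n))
    return all({op(a, x) for x in range(n)} == full and
               {op(y, a) for y in range(n)} == full for a in range(n))

# 132-conjugate: a \ b is the unique x with a * x = b.
LDIV = [[0] * N for _ in range(N)]
for a in range(N):
    for x in range(N):
        LDIV[a][mul(a, x)] = x

def ldiv(a, b):
    return LDIV[a][b]

def e_transform(leader, word, op=mul):
    """y_1 = a * x_1, y_{i+1} = y_i * x_{i+1}: each output feeds the next step."""
    out, prev = [], leader
    for x in word:
        prev = op(prev, x)
        out.append(prev)
    return out

def d_transform(leader, word, op=ldiv):
    r"""z_1 = a \ x_1, z_{i+1} = x_i \ x_{i+1}: uses the previous input symbol."""
    out, prev = [], leader
    for x in word:
        out.append(op(prev, x))
        prev = x
    return out

def nibbles(block64):
    """Split a 64-bit block into 16 elements of Q, most significant first."""
    return [(block64 >> (60 - 4 * i)) & 0xF for i in range(16)]

if __name__ == "__main__":
    pt = nibbles(0x0000000000000000)      # constructed all-zero block
    ct = e_transform(0x1, pt)
    print(ct, d_transform(0x1, ct) == pt)
```

Because the e-transformation chains each output symbol into the next step, even an all-zero block produces a non-constant output, while the d-transformation needs only the leader and the previous ciphertext symbol to undo it.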

Description of Quasigroup Lightweight Block Cipher
Our quasigroup lightweight block cipher (QLW for short) consists of 32 rounds. The block length is 64 bits. The key lengths of 80 and 128 bits are supported. The encryption algorithm has three parts: 1. generating round keys; 2. e-transformation layer; 3. e-xor layer. The decryption algorithm has three parts: 1. generating round keys; 2. d-xor layer; 3. d-transformation layer.
Let $Q = F_{16}$, $(Q, *)$ be the quasigroup of order 16 shown in Table 1 and $(Q, \backslash)$ be the 132-conjugate of $(Q, *)$. Let $R = F_2$ and $(R, \oplus)$ be the quasigroup with the XOR operation $\oplus$ in $F_2$. It is easy to check that the 132-conjugate of $(R, \oplus)$ is itself.

The encryption algorithm is shown in Table 3  is the block of plain text. The graphical description of the decryption of round i is shown in Figure 5.

Security Analysis
In this section, we analyse the algebraic properties of the quasigroup shown in Table 1 and the randomness of the cipher text.

Linearity, Differential Uniformity and Algebraic Degree
S-boxes are widely used in block ciphers and hash functions. Usually, S-boxes are the only nonlinear part in a Feistel network and therefore they have to be carefully chosen so that the cipher resists all kinds of attacks. An $n \times n$-bit S-box can be viewed as a mapping on the finite field $F_{2^n}$. An invertible $n \times n$-bit S-box can be viewed as a permutation on $F_{2^n}$. Let $Q = F_{2^n}$ and $(Q, *)$ be a quasigroup. As we know, each row of the multiplication table is a permutation on $Q$. $\forall i \in Q$, define a permutation on $Q$ as follows: Then $S_i(x)$ is an $n \times n$-bit S-box. For example, the quasigroup shown in Table 1 has 16 $4 \times 4$-bit S-boxes. We denote these S-boxes by $Q_0, Q_1, \ldots, Q_{15}$. : The linearity of f is defined as The linearity of S is defined as 2 2 , The linearity of an S-box gives a measure for the resistance against linear cryptanalysis. The smaller the linearity is, the more secure the S-box is against linear attack. The smallest known linearity of a $4 \times 4$-bit S-box is 4, see [13]. Let Define the differential uniformity of S-box S as 0, The differential uniformity gives a measure for the resistance of S against differential cryptanalysis. Similarly, the smaller the differential uniformity is, the more secure the S-box is against differential cryptanalysis. It has been shown that Diff(S) is always even and that there is no S-box with Diff(S) = 2, see [13]. Therefore we have Diff(S) $\geq$ 4. A bijective S-box is said to be optimal if Lin(S) and Diff(S) reach the minimum.
Definition 1 [13] Let S be a $4 \times 4$-bit S-box. S is said to be optimal if it fulfills the following conditions: (1) S is a bijection; (2) Lin(S) = 8; The algebraic degree of f is the maximal weight of $v$ such that $c_v \neq 0$. Each $n \times n$-bit S-box S has $2^n - 1$ components 2 ( ) , ( ) , \{0}.
The algebraic degree of S is defined as the maximal degree of its components:  Table 1 is carefully chosen by computer searches. It can be checked that all the 16 S-boxes of $(Q, *)$, $Q_0, Q_1, \ldots, Q_{15}$, are optimal, and all the $16 \times 15 = 240$ components of these S-boxes have the highest degree, degree of 3.
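The checks described in this section can be run mechanically on any 4×4-bit S-box. The Python sketch below is an added example, not the authors' search code; it assumes the usual Walsh-coefficient and difference-table definitions (under which Definition 1's Lin(S) = 8 holds) and uses the PRESENT S-box as a stand-in input, since Table 1 is not reproduced here. Each row Q_0, ..., Q_15 of a quasigroup table would be passed through the same functions.

```python
# Added example: linearity, differential uniformity and component degrees
# of a 4x4-bit S-box given as a list of 16 values.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # stand-in, not Table 1

def dot(a, b):
    """Inner product of two bit vectors over F_2."""
    return bin(a & b).count("1") & 1

def linearity(s):
    """Largest absolute Walsh coefficient over all a and all nonzero b."""
    n = len(s)
    return max(abs(sum((-1) ** (dot(b, s[x]) ^ dot(a, x)) for x in range(n)))
               for a in range(n) for b in range(1, n))

def differential_uniformity(s):
    """Largest count of x with S(x) ^ S(x ^ a) = b, over a != 0 and all b."""
    n, best = len(s), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def component_degrees(s):
    """Algebraic degree of each component x -> b.S(x), b != 0 (Moebius transform)."""
    n, degrees = len(s), []
    for b in range(1, n):
        anf = [dot(b, s[x]) for x in range(n)]
        step = 1
        while step < n:
            for x in range(n):
                if x & step:
                    anf[x] ^= anf[x ^ step]
            step <<= 1
        degrees.append(max((bin(v).count("1") for v in range(n) if anf[v]),
                           default=0))
    return degrees

def is_optimal(s):
    """Bijective, Lin(S) = 8 and Diff(S) = 4."""
    return (sorted(s) == list(range(len(s)))
            and linearity(s) == 8 and differential_uniformity(s) == 4)

if __name__ == "__main__":
    print(linearity(PRESENT), differential_uniformity(PRESENT),
          component_degrees(PRESENT))
```

An optimal S-box does not automatically meet the paper's stronger claim: that requires `min(component_degrees(s)) == 3` as well, for every row of the table.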

Randomness
The National Institute of Technology-Statistical Test Suite (NIST-STS) is used to evaluate the randomness of QLW with 80 bits key. The NIST-STS package gives a P-value and Success/Fail status for various standardized tests. Each P-value is the probability that a perfect random sequence generator would have produced a sequence less random than the one being tested [14]. Each test was given a P-value threshold (i.e. a significance level $\alpha$). If the P-value resulting from a test exceeds the value of $\alpha$, the sequence is considered to be random, otherwise, non-random. Typically, $\alpha$ is chosen in the range [0.001, 0.01].
We compared the performance of QLW with Advanced Encryption Standard-256 (AES256) using the NIST-STS. Table 4 shows the average P-values (over 20 runs) for the various tests. The second and the fourth columns show the average P-values for all zero (0x0) and all 0xF inputs, respectively, in QLW. The third and fifth columns show the tests for AES256. The sixth column is the average P-value for all two inputs of QLW and the seventh column is the average P-value for all two inputs of AES256. The last column is the ratio of the P-values of QLW and AES256. We can notice that the P-values of these tests all exceed 0.01, so we can conclude that the cipher text sequence is random. In addition, the proposed new block cipher, QLW, performs better than AES256.

Conclusions
In this paper we have presented a lightweight block cipher based on a quasigroup of order 8. All the corresponding S-boxes are optimal in linearity and differential uniformity, and all the $8 \times 15 = 120$ components of these S-boxes have the highest degree, degree of 3. By using NIST-STS, we tested the randomness of the new block cipher with all zero (0x0) and 0xF inputs over 20 runs and compared the results with those of AES256 with all zero (0x00) and 0xFF inputs; the new algorithm performs better than AES256.
For future work, we intend to give a more detailed analysis of the security of the new block cipher against algebraic attacks and give detailed performance.