Modified Generalized Feistel Network Block Cipher for the Internet of Things

Abstract

With the advent of the Internet-of-Things (IoT) technologies, millions of low-resource devices are constantly used at the network’s edge. As a result, the large amount of private and sensitive data generated by these devices must be securely transported, stored, and processed, posing a challenge because these resource-constrained IoT devices cannot meet the criteria of conventional encryption ciphers. Due to this limitation on IoT-enabled devices, lightweight cryptography has emerged as a new area of study. Lightweight block ciphers, a subfield of lightweight cryptography, include the substitution–permutation network (SPN) and Feistel-based networks. Feistel networks are further divided into two types: classical Feistel networks and generalized Feistel networks (GFN). While classical Feistel ciphers divide a message into two sub-blocks, GFN divides a message into k sub-blocks for some k > 2 called the partition number. One popular form of GFN is the so-called Type-II. Unfortunately, this type of Feistel structure needs a large number of rounds to obtain a full diffusion property. A full diffusion means all output sub-blocks are affected by all input sub-blocks. Therefore, this paper proposed a new lightweight block cipher by modifying the GFN structure, focusing on providing optimal security to the cipher with a small number of rounds. The algorithm was subjected to a series of statistical and cryptographic randomization analyses in order to investigate the avalanche effect on the ciphertext and the algorithm’s random properties, such as confusion, diffusion, and independence. The avalanche criterion and output randomness results show that this algorithm meets the fundamental security requirement for a lightweight block cipher.

1. Introduction

The Internet of Things (IoT) is a re-evolution and improvement of the currently Internet-connected computer components [1]. In recent years, there has been a rise in the use of low-powered IoT devices. According to IoT Analytics, the Internet-of-Things market is expected to grow by 18% to 14.4 billion active connections in 2022 [2]. By 2025, more than 30 billion connected Internet-of-Things devices will be connected. These devices are not only ubiquitous, but they also form the backbone of a network that provides users with stealthy benefits. Connected devices, such as automobiles and household appliances, comprise electronic circuitry, software, actuators, and networks. IoT devices can collect vast amounts of data, analyze the data, make intelligent decisions, and distribute the results back to the devices so they can act intelligently.

With the widespread adoption of high-speed wireless technology and the proliferation of “smart” devices, the Internet of Things (IoT) has grown exponentially, with IoT devices producing vast quantities of data. According to a recent report by DataProt, the amount of data generated by IoT devices will reach 73.1 zettabytes (ZB) by 2025 [3]. However, the increased connectivity of these devices has made it easier for cybercriminals to gain unauthorized access to private information on the networks, as certain devices may be susceptible to attacks. Therefore, cryptography, a branch of mathematics related to creating secure communication protocols for data transmission, is used as a crucial component of information security to protect communication systems.

In today’s digital age, cryptography plays a critical role, particularly in the Internet of Things (IoT), where connected devices are vulnerable to numerous security threats, such as hacking and eavesdropping. As the number of connected devices in the IoT continues to increase, the need for secure communication protocols has become more pressing, making cryptography an indispensable tool for ensuring the confidentiality, integrity, and authenticity of data transmitted over IoT networks. However, conventional cryptography algorithms are unsuitable for use in resource-constrained IoT devices due to their high resource demands. Consequently, lightweight cryptography is employed for smart objects in the IoT environment as a replacement for traditional cryptography techniques. For IoT security, a number of lightweight cryptography techniques are available, including lightweight block ciphers, lightweight hash functions, lightweight message authentication codes, and lightweight stream ciphers, with lightweight block ciphers being the most frequently used.

Over the years, several lightweight block ciphers, such as PRESENT [4], LED [5], RECTANGLE [6], SKINNY [7], and SPECK [8], have been developed with simple structures and a high throughput for efficient implementation. While several new lightweight block ciphers have recently been proposed, they have yet to undergo extensive cryptanalysis to be considered as state-of-the-art. Additionally, in low-power and lossy networks, security remains a significant concern, necessitating the need for more innovation in developing lightweight algorithms.

A lightweight block cipher must possess confusion and diffusion properties in its design components to provide sufficient security to the algorithm [9]. Confusion uses a substitution function to obscure the relationship between plaintext and ciphertext, whereas diffusion uses a permutation function to distribute the plaintext statistics throughout the ciphertext. To achieve these objectives, there are two main fundamental structures of lightweight block ciphers: the Feistel network and the substitution–permutation network (SPN). While different techniques can be used to develop algorithms, they are based on either one of these foundational structures. The encryption and decryption operations in the SPN lightweight block cipher are non-identical, requiring additional cycles and codes for execution. In contrast, the encryption and decryption processes in the Feistel lightweight block cipher are similar [10]. Feistel ciphers do not require additional cycles and codes for execution, resulting in a low memory usage and the ability to be implemented in hardware with a low average power consumption.

Feistel networks are a popular choice for implementing lightweight block ciphers, with classical Feistel networks and generalized Feistel networks (GFN) being the two main types. While classical Feistel networks divide messages into two sub-blocks, the GFN divides them into k sub-blocks, where k is greater than 2. The GFN of Type-II, in particular, is a popular form where the Feistel transformation is applied to two consecutive sub-blocks, followed by a cyclic shift of sub-blocks. This type of Feistel structure is easy to implement and has been used in ciphers such as RC6 [11], HIGHT [12], and CLEFIA [13]. However, it is important to note that the Type-II GFS has low diffusion properties and requires a larger number of rounds to achieve full diffusion [14,15], meaning all output sub-blocks are affected by all input sub-blocks.

In this research paper, we propose a secure modified GFN lightweight block cipher that provides optimal security for IoT devices while utilizing a minimal number of rounds. To the author’s knowledge, there have been no previous studies on the proposal of GFN lightweight block ciphers with fewer than 25 rounds and sufficient security levels. Existing Feistel-based lightweight block cipher algorithms, such as ANU [16], FeW [17], Granule [18], LiCi [19], MANTRA [20], NUCLEAR [21], NUX [22], Piccolo [23], TEA [24], TED [25], T-TWINE [26], and VAYU [27], all use more than 25 rounds.

Aligned with Malaysia’s National Cryptography Policy (NCP) [28] and National Cyber Security Policy (NCSP) [29], we proposed a modified GFN algorithm. This algorithm will be rigorously tested through various statistical and cryptographic analyses to assess its ability to meet fundamental security requirements, such as confusion, diffusion, and independence, while maintaining a high performance level within the resource constraints of IoT devices. Specifically, we will analyze the algorithm’s avalanche effect on the ciphertext and its random properties. The results of these analyses will demonstrate the algorithm’s effectiveness as a lightweight block cipher for IoT devices.

The paper is structured as follows: The existing Feistel-based lightweight block cipher, its design structure, and its weaknesses are discussed in Section 2. Section 3 describes the proposed modified generalized Feistel network lightweight block cipher’s basic structure design. Section 4 then discusses the statistical and cryptographic analyses conducted on the proposed cipher. Section 5 presents the results and analyses’ discussions. Finally, Section 6 provides a summary of our research findings.

2. Related Work

Block ciphers are cryptographic algorithms that work on fixed block sizes and key sizes. In block ciphers, two important operations are employed for encryption: confusion and diffusion. Confusion makes the relationship between the encryption key and ciphertext complex. Specifically, it is designed to ensure that each bit of the key influences every bit of the ciphertext. On the other hand, diffusion propagates the influence of each bit in the plaintext block over a number of bits in the ciphertext block to ensure that the resulting ciphertext is oversensitive to statistical attacks.

There are two types of block ciphers: the Feistel-based network and substitution–permutation network (SPN). The Feistel structure’s round function is applied to only half of the state. It simplifies the construction of a circuit that can be utilized for encryption and decryption with minimum overhead. Hence, the fundamental benefit of the Feistel structure is that both the encryption and decryption operations utilize the same programme code [30]. This study will therefore concentrate on the Feistel-based lightweight block cipher structure.

As explained, the Feistel network is categorized into the classical Feistel and generalized Feistel network (GFN). The Type-II GFN is the most popular type of GFN due to its security and simplicity. Figure 1a,b show the difference between the classical Feistel and Type-II GFN structures. The illustrations show a single round. Feistel [n] is the classical balanced Feistel scheme, while Feistel2 [k, n] is a Type-II Feistel network. Variable k refers to the number of n-bit input blocks X₁…, X_k. The illustration is for $k=4$.

As mentioned in [30], the basic factors for assessing the performance of a lightweight block cipher are its key size, block size, structure type, and the number of rounds. According to the authors of [31], a lightweight cipher must overcome three key obstacles: the small silicon area or memory footprint, low power consumption, and an appropriate level of security. Cazorla et al. [32] emphasize the algorithm’s block size, key size, and key scheduling aspects. They claim that a lightweight algorithm must have a block size between 32 and 64 bits rather than the conventional 64 and 128 bits.

Table 1. Comparisons of Feistel-based lightweight block ciphers.

Lightweight Block Cipher	Rounds	Key Size	Block Size	Weaknesses
RC5	0–255	128	64	Differential-key attacks.
TEA	variable	128	64	Related-key attacks.
XTEA	variable	128	64	Related-key rectangle attacks on 36 rounds.
DESL	16	56	64	Size of the key.
ITUBEE	-	80	80	Self-similarity cryptanalysis.
SIMON	32, 36, 42, 44, 52, 54, 68, 69, 72	64, 72, 96, 128, 144, 192, 256	32, 48, 64, 96, 128	Attacks on reduced versions—differential fault analysis.
ANU	25	80/128	64	Related-key boomerang attacks.
PICCOLO	25, 31	80, 128	64	Biclique cryptanalysis.
SLIM	32	80	32	Size of the key.

compares various Feistel-based lightweight block ciphers with respect to their structure, key size, block size, necessary rounds, and principal attack flaws.

RC5 is a type of Feistel network that relies on data-dependent rotations, as described in [33]. Despite being developed prior to the popularity of lightweight ciphers, RC5 is still considered a viable option for devices with limited resources, such as wireless sensor nodes, as demonstrated in [34]. However, RC5-32/12/16 is vulnerable to differential cryptanalysis (refer [35]). While this attack can be extended to 18 rounds, it would necessitate nearly the entire codebook, requiring 264 ciphertexts.

The TEA, also known as the tiny encryption algorithm, is a cipher that employs 128-bit keys, 64-bit blocks, and 64 rounds, as described in [24]. The advantage of this algorithm is its key design. Additionally, TEA is power-, energy-, and memory-efficient, simple, and easy to implement. The TEA requires only 7408 encryption cycles and does not utilize S-boxes. However, Refs. [36,37] stated that the TEA is susceptible to equivalent-key attacks and performs poorly when used as a hash function. The XTEA, also referred to as the eXtended TEA or block TEA, was created to solve the shortcomings of its predecessor, TEA, as described in [38]. Among other enhancements, the XTEA can operate on blocks of arbitrary size and implements a more complicated key-scheduling mechanism. Nonetheless, [39] describes a 36-round related-key rectangle attack against the XTEA. The corrected block TEA, or XXTEA, was proposed [40] in an effort to fix these vulnerabilities. Nevertheless, [41] provides a chosen plaintext attack that employs a differential analysis against the full-round cipher.

George Leander et al. [42] proposed a novel approach to enhance the security and efficiency of the data encryption standard (DES) with their lightweight variant, the DESL, utilizing a serial hardware architecture and a single S-Box in place of the original eight S-Boxes. The S-Box was meticulously optimized to decrease the gate complexity, resulting in a resistance to common attacks, such as linear and differential cryptanalysis and the Davies–Murphy attack. The DESL achieves a security level suitable for many applications and is more resistant to linear cryptanalysis than the DES, as a result of the improved non-linearity of the S-Box. However, the DESL’s key size is no longer practical and is now vulnerable to brute-force attacks.

ITUbee [43] is a recently proposed lightweight encryption that has been created exclusively for 8-bit software-based devices. It employs a Feistel structure and consists of 80-bit keys and 80-bit blocks. ITUbee utilizes round-dependent constants rather than a strong key schedule. Although this strategy is meant to improve ITUbee’s efficacy, a self-similarity cryptanalysis performed in [44] reveals that it is ineffective. The cryptanalysis proves that the reduced round form of the encryption can be distinguished from a perfect random permutation. In addition, a deterministic related-key differential distinguisher for the 8-round version of the single-key model is described, decreasing the cipher’s security by one bit.

The NSA invented the SIMON [45] cipher, which is efficient in both software and hardware. It supports multiple key and block sizes, including 64-, 72-, 96-, 128-, 144-, 192-, and 256-bit key sizes, and 32-, 48-, 64-, 96-, and 128-bit block sizes. In addition, it supports a variety of round numbers, including 32, 36, 42, 44, 52, 54, 68, 69, and 72. Several separate cryptanalysis attempts on SIMON have yielded insights into the cipher’s design and attacks on its reduced-round variants [46]. However, differential fault attacks on SIMON are outlined in [47]. Moreover, [48] demonstrates that cube and dynamic cube attacks on SIMON with a 64-bit key and 32-bit block can recover the complete key in a feasible amount of time.

ANU [16] is a block cipher with a small memory footprint and low power consumption. It supports 128-bit or 80-bit key lengths with a remarkably small chip area of only 1015 GE for 128-bit keys. ANU demonstrates a high level of resistance to linear and differential attacks, biclique cryptanalysis, and zero-correlation attacks, making it an attractive option for a variety of cryptographic applications. Recent research [49] demonstrates that ANU is vulnerable to related-key boomerang attacks.

PICCOLO [23] is a novel variation of the generalized Feistel network (GFN) block cipher introduced by Kyoji Shibutani et al. PICCOLO is intended to handle a 64-bit block cipher, with key sizes of 80 or 128 bits, and can run for 25 or 31 cycles. The F-function of PICCOLO consists of two S-box layers separated by a diffusion matrix, with the key applied only before the second S-box layer. PICCOLO employs 8-bit word-based permutations, as opposed to the standard GFN’s 16-bit word-based cyclic shifts. The key schedule is based on permutation for greater hardware efficiency. PICCOLO takes fewer rounds, consumes less power, and has a greater throughput than other GFNs. PICCOLO is, however, susceptible to biclique cryptanalysis [50].

SLIM [51] is a symmetric 32-bit block cipher based on the Feistel structure. Controlling SLIM is an 80-bit key. Like with other symmetric block ciphers, encryption and decryption use the same key. SLIM contains four 44 S-boxes that execute a non-linear operation on a 16-bit word and serve as a non-linear component of the cipher. The creators of SLIM assert that it is immune to differential cryptanalysis because they were only able to find a trail of up to seven rounds using a heuristic method. On this cipher, no other cryptanalysis attacks have been attempted. Nonetheless, SLIM’s key size is deemed insufficient to provide appropriate security in actual contexts [52].

IoT lightweight cipher designs are required to have robust encryption standards, robust architecture, low complexity, rapid execution time, minimal power consumption, low resource utilization, and great resilience to potential assaults. Despite this, a considerable number of attacks against ciphers that are thought to be resistant have been uncovered. As a result, the construction of lightweight block ciphers has attracted the attention of various academics, particularly in the last five years. An exhaustive literature assessment on lightweight block ciphers demonstrates that the currently available ciphers are not fully optimized, allowing room for future research. Therefore, the hunt for a lightweight cipher that fits the requirements of a good cipher continues.

3. The Modified GFN Lightweight Block Cipher

This section outlines the fundamental design principles of the modified GFN lightweight block cipher (MGFN) by introducing a unique set of operations and transformations that deviate from the conventional Feistel cipher.

The MGFN utilizes a Type-II Feistel structure that has been modified for its architecture. Unlike conventional Type-II GFN ciphers, as shown in Figure 1a,b, the MGFN’s round and block permutation functions have unique designs and operations. To further illustrate the MGFN lightweight block cipher, please refer to Figure 2.

3.1. Encryption Process

Initially, the 64-bit plaintext P is segmented into 16-bit word sequences. The cipher state comprises 24 rounds for processing 64-bit input and output data, with encryption operations leveraging the 128-bit key. This 128-bit key serves as a master key that generates 56 subkeys with a length of 64 bits each, which are employed in the encryption pre-whitening, round function, and post-whitening process. Section 3.2 provides a comprehensive explanation of how these subkeys are generated.

To encrypt a 64-bit plaintext, the MGFN algorithm first divides it into four 16-bit blocks, $P_0$, $P_1$, $P_2$, and $P_3$, where $P$ is the least significant 16 bits. The algorithm then applies pre-whitening on $P_0$, $P_1$, $P_2$, and $P_3$ before entering the round function.

Next, in the round function, the F-Function is applied to $P_0$ and $P_1$, which comprises four layers: the AddKey layer, the RShift layer, the SBox layer, and the PBox layer. Each layer’s procedure is described as follows:

• addKey layer: In this layer, the two input words are XORed with subkeys.
• RShift layer: This layer allows the two input words to undergo rotation shifts of 3 and 8 bits, respectively.
• SBox layer: In this layer, a 4-bit input, denoted by x, is transformed into a 4-bit output, denoted by S[x]. It should be noted that S[x] may not necessarily be equal to s. The values of x and S[x] used in this layer are provided in

  Table 2. The S-box used in MGFN.

  $\mathit{x}$	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
  $\mathit{S}\left[\mathit{x}\right]$	7	E	F	0	D	B	8	1	9	3	4	C	2	5	A	6

  . The resulting outputs from this layer are then combined to form a 32-bit word.
• PBox layer: In this layer, each of the 32 bits in the input word is mapped to its corresponding output position, with the specific mapping specified in

  Table 3. The permutation bit in MGFN.

  i	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
  $\mathit{P}\left[\mathit{i}\right]$	4	11	18	7	23	19	2	25	14	26	1	28	20	8	29	0
  i	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
  $\mathit{P}\left[\mathit{i}\right]$	31	5	15	21	9	13	24	6	17	12	22	3	16	30	10	27

  . It is worth noting that the values in Table 3 are sourced from the ultra-lightweight PICO [53] algorithm, which is known for its exceptional performance in customized hardware.

The output from the F-Function is then XORed with $P_2^r$ and $P_3^r$, where $r$ denotes the round number from 0 to 24. After 24 rounds, the algorithm applies post-whitening on $P_0^{24},P_1^{24}, P_2^{24}$, and $P_3^{24}$, and the 64-bit ciphertext is obtained by concatenating these blocks.

3.2. Key Schedule Process

The key schedule of the MGFN lightweight block cipher was developed by modifying the PRESENT [4] algorithm. The key provided by the user consists of 128 bits and is represented as $k_{127}{k}_{126}\dots k_0$, and is stored in the K key register. In round i, the 64-bit-register round key $K_i$ are rotated 61 bits to the right, and the 64 leftmost bits of the resulting value are used as the new round key. After extracting $K_i$, the key register $K=k_{127}{k}_{126}\dots k_0$ is updated and mathematically defined as follows:

(1)

$k_{127}{k}_{126}\dots k_1{k}_0\leftarrow k_{66}{k}_{65}\dots k_{68}{k}_{67}$

(2)

$k_{127}{k}_{126}{k}_{125}{k}_{124}\leftarrow S\left[k_{127}{k}_{126}{k}_{125}{k}_{124}\right]$

(3)

$k_{123}{k}_{122}{k}_{121}{k}_{120}\leftarrow S\left[k_{123}{k}_{122}{k}_{121}{k}_{120}\right]$

(4)

$k_{66}{k}_{65}{k}_{64}{k}_{63}{k}_{62}\leftarrow k_{66}{k}_{65}{k}_{64}{k}_{63}{k}_{62}\oplus rc$

The $rc=i$ is the round counter where $i=1, 2,\dots , 14$.

4. Statistical and Cryptographic Analyses

This section outlines the statistical and cryptographic analytical approach that was used to analyze all 24 rounds of the proposed MGFN lightweight block cipher. This examination is essential for evaluating the strength of the lightweight block cipher algorithms and can also be used to investigate other cryptographic primitives.

According to [54], a good encryption procedure must develop a perplexing relationship between its plaintext, key, and ciphertext (referred to as confusion) and disseminate the modifications made to the plaintext across the ciphertext (known as diffusion). Confusion is often attained by substitution operations, whereas diffusion is attained via permutations [52]. By adding confusion and diffusion, a cryptographic algorithm can introduce enough randomness that no ciphertext pattern is discernible.

In order to evaluate the efficacy of the proposed MGFN lightweight block cipher, we applied two crucial security analysis criteria for block ciphers. Firstly, we performed an avalanche effect test to evaluate the confusion and diffusion properties of the cipher. Secondly, we performed a randomness analysis to assess the randomness features of the cipher output. The outcomes of these tests provide vital information on the robustness and strength of the proposed MGFN lightweight block cipher.

4.1. Avalanche Effect Test

The avalanche effect is a useful measure for analyzing the confusion and diffusion properties of a lightweight block cipher. This test evaluates the robustness of a cryptographic algorithm by monitoring changes to the output caused by modifications in the input. The avalanche effect test was performed by generating 64-bit plaintext and ciphertext inputs using a pseudorandom bit generator. The permutation methods then processed these inputs to obtain the corresponding outputs. The avalanche effect was subsequently determined using Equation (1), as described in [55]. The ideal value for the avalanche effect should be 50% of the total number of cipher bits [56]:

$$Bit Error Rate=\frac{cd}{TC}$$

(1)

where $cd$ is the number of ciphertext bit differences and $TC$ is the total number of ciphertext bits.

This study conducted two types of avalanche tests: the bit error test and the key sensitivity test. The bit error test is utilized to evaluate the sensitivity of the MGFN lightweight block cipher to changes in the plaintext. It involves modifying one bit of the plaintext and observing its resulting ciphertext changes. The key sensitivity test is a means of observing how modifications to a key affect a ciphertext [57]. Even a minor change to the key can result in significant changes to the ciphertext. A single bit of the key is replaced to perform this test, starting from the first-bit position, and ending at the last.

The test outcome from both avalanche tests are determined using the bit error rate equation. Ideally, a sound block cipher should have a test result falling within the range of 0.5, or 50%, for modifications to the ciphertext bits, as calculated by the bit error rate formula.

Using the bit error rate equation, the outcome of both avalanche tests is calculated. A sound block cipher should have a test result within the range of 0.5, or 50%, as computed by the bit error rate formula, for modifications to the ciphertext bits.

4.2. Randomness Test

According to research by Ariffin and Yusof [58], a block cipher must meet the minimum security requirement of randomness. Therefore, a randomness test using the NIST Statistical Test Suite is conducted on the proposed MGFN lightweight block cipher algorithm to access the cipher randomness characteristics. Several algorithms have been assessed using the NIST Statistical Test Suite including SIMON [59,60], PRESENT [61], RECTANGLE [62], and 3D-RECTANGLE [57]. The method for randomness testing consists of several stages, which include selecting sample sequences from the algorithm, conducting statistical tests using the NIST Statistical Test Suite, and assessing the outcomes of these tests to evaluate the level of statistical randomness achieved.

Nine data categories of the block cipher were implemented to generate the keys and plaintexts i.e., strict key avalanche (SKAva), strict plaintext avalanche (SPAva), plaintext/ciphertext correlation (PtCtCorr), cipher block chaining (CBChain), random plaintext/random key (RandPtRandK), low-density key (LowDKey), high-density key (HighDKey), low-density plaintext (LowDPt), and high-density plaintext (HighDPt). Due to its specific function, each data set was selected.

Table 4. Input of data categories.

Data Category	Key	Plaintext	Derived Blocks	Length of Output (Bits) per Sample
SPAva	123 blocks of random	All zeroes	15,744	1,007,616
SPAva	All zeroes	245 blocks of random	15,680	1,003,520
PtCtCorr	One block of random	15,625 blocks of random	15,625	1,000,000
CBChain	One block of random	All zeroes	15,625	1,000,000
RandPtRandK	One block of random	15,625 blocks of random	15,625	1,000,000
LowDKey	8257 blocks of specific	One block of random	8257	528,448
HighDKey	8257 blocks of specific	One block of random	8257	528,448
LowDPt	One block of random	2081 blocks of specific	2081	133,184
HighDPt	One block of random	2081 blocks of specific	2081	133,184

summarizes the sequence of the output generated in each category of data based on the input data. Each data category created 100 unique samples, with each sample containing 2081 to 15,744 ciphertexts, or 133,184 to 1,007,624 bits of data. The lengths of the block and key determine the total number of blocks in each sample. The blocks were derived by adding the ciphertexts in order to generate lengthy bit sequences.

Fourteen (14) different statistical analysis tests as listed in

Table 5. Breakdown of the 140 p-values of each sample.

	Statistical Test	Total p-Value
Parameterized Test Selections	Block Frequency	1
	Linear Complexity
	Maurer’s Universal
	Approximate Entropy
	Overlapping Templates
	Serial	2
Non-Parameterized Test Selections	Runs	1
	Frequency
	Spectral DFT
	Binary Matrix Rank
	Longest Runs of Ones
	Cumulative Sums	2
	Random Excursion	8
	Random Excursion Variant	18

were conducted on the complete 24 encryption rounds of the MGFN lightweight block cipher. These tests were categorized into two: eight were non-parameterized test selections, which do not require any user input, while the remaining six were parameterized test selections, which require an input of parameter values.

In order to conduct the randomness tests, a significance level, α, must be established. For this particular experiment, the significance level was set at 1% (0.01). Therefore, the necessary number of samples for the experiments was calculated as 1/0.01 = 100 samples. According to Simion and Burciu [63], if the p-value obtained from a test is greater than or equal to α, then the sample is considered to be random with a confidence level of 99.9%. Conversely, if the p-value is less than α, then the sample is deemed to be non-random. Therefore, Table 5 also provides the corresponding p-values produced by each statistical test.

The confidence interval formula is used to calculate the range of acceptable proportions for the ciphertext in this analysis, as described by [64]. The formula for the confidence interval is shown in Equation (2).

$$\left[p_a^{\prime },p_b^{\prime }\right]=p^{\prime }\pm 3\sqrt{\frac{p^{\prime }\left(1-p^{\prime }\right)}{s}}$$

(2)

In this analysis, $p\prime$ is the significance level ($1-\alpha$), which is equal to 0.01, and $s$ is the sample size of the ciphertext, which is 100. If the proportion falls outside of the interval $\left[p_a^{\prime },p_b^{\prime }\right]$, the sample is considered to be non-random, as noted by [65].

The acceptable rejection range for a statistical test with a single p-value is between zero and four samples. With tests such as serial and cumulative sums, however, there are two p-values that are independently examined. Random excursion and random excursion variant tests may not use all 100 ciphertext samples because some samples may not have the appropriate number of cycles (500 cycles). Hence, the acceptable rejection limits for these tests may differ based on the samples being tested.

5. Result and Discussion

This section presents the statistical and cryptographic analysis findings to assess the security of the proposed MGFN lightweight block cipher’s complete 24 rounds. Furthermore, we compare its results with those of other existing lightweight block ciphers.

5.1. The Avalanche Effect Test

The avalanche effect refers to measuring and analyzing an algorithm’s non-linearity characteristics. Therefore, the bit error and key sensitivity tests were performed to observe the avalanche effect of the proposed MGFN lightweight block cipher.

As previously explained, the bit error test measures the relationship between the plaintext and ciphertext. The results of testing random key and random plaintext samples on the MGFN lightweight block cipher are illustrated in Figure 3. The MGFN recorded 32 distinct bits out of 64 bits of plaintext, which corresponds to a bit error rate of 50%.

In addition, comparative research has been undertaken to analyze the avalanche effect and evaluate the efficacy of the MGFN to other leading lightweight block cipher algorithms, as shown in

Table 6. Comparison of avalanche effect on plaintext modifications.

Algorithm	Average Avalanche Effect	Reference
MGFN	50.00%	This paper
LED	52.83%	[66]
LRBC	58.00%	[66]
PRINCE	51.18%	[66]

. In terms of the avalanche effect, the comparison analysis reveals that the MGFN surpasses the other algorithms.

The key sensitivity test assessed the link between the key and the encrypted message. The test was conducted by subjecting a random set of keys and plaintext samples to the MGFN lightweight block cipher; the results are depicted in Figure 4’s scatter plots.

According to our analysis, the MGFN lightweight block cipher created 31 distinct bits on average and had a 50% error rate when the key bits were changed. Importantly, despite fluctuations in the key bits, the bit rate (BR) of the MGFN lightweight block cipher remained near to 0.5, showing a high degree of key sensitivity to the ciphertext. The findings show that the MGFN lightweight block cipher is highly sensitive to key changes.

Table 7. Comparison of avalanche effect on key modifications.

Algorithm	Average Avalanche Effect	Reference
MGFN	48.44%	This paper
PRINT	46.42%	[66]
TEA	47.12%	[66]
LRBC	55.75%	[66]

compares the MGFN and existing algorithms in terms of key modification while keeping the plaintext fixed. The results show that the MGFN lightweight block cipher outperformed all other algorithms regarding the avalanche effect on key sensitivity.

In summary, the avalanche effect results of the proposed modified Feistel-based lightweight block cipher demonstrate its ability to provide a diffusion property to the cipher output. While some results slightly deviated from the threshold value of 32 bits, our findings suggest that the permutation methods used can maintain the optimal output changes with minor or major input modifications.

5.2. The Randomness Test

To execute the randomness analysis at a significance level of 1%, a total of 24 encryption rounds of the MGFN lightweight block cipher were executed. Using Microsoft Visual Studio 2022’s random function, nine random input data were generated. According to the description, the data categories include SKAva, SPAva, PtCtCorr, CBChain, RandPtRandK, LowDKey, HighDKey, LowDPt, and HighDPt.

The NIST recommended a minimum number of input bits for the statistical tests conducted on the MGFN lightweight block cipher using the NIST Statistical Test Suite, as shown in

Table 8. The required input bits for each statistical test.

	Statistical Test	Required No. of Bits
Parameterized Test Selection	Block Frequency	$n\ge 100$
	Linear Complexity	$n\ge \mathrm{1,000,000}$
	Maurer’s Universal	$n\ge \mathrm{387,480}$
	Approximate Entropy	Not specified
	Overlapping Templates	$n\ge \mathrm{1,000,000}$
	Serial	Not specified
Non-Parameterized Test Selection	Runs	$n\ge 100$
	Frequency	$n\ge 100$
	Spectral DFT	$n\ge 1000$
	Binary Matrix Rank	$n\ge \mathrm{38,912}$
	Longest Runs of Ones	$n\ge 128$
	Cumulative Sums	$n\ge 100$
	Random Excursion	$n\ge \mathrm{1,000,000}$
	Random Excursion Variant	$n\ge \mathrm{1,000,000}$

. Consequently, a number of data categories generated by the MGFN lightweight block cipher are unable to pass all the tests due to the limitations imposed by the requirements. Referring to Table 4 and Table 8, only the SKAva, SPAva, PtCtCorr, CBChain, and RandPtRandK data categories could be analyzed using all fourteen statistical tests. LowDKey and HighDKey, meanwhile, can only execute ten tests. LowDPt and HighDPt, on the other hand, can be executed with ten MGFN lightweight block cipher tests.

The acceptable rejection range determines whether or not a statistical sample passed or failed a test. If the rejected sequences fell within the acceptable range, a sample passed a test. The test fails if the rejected sequences fall outside of the range. Except for the random excursion and random excursion variant tests, the acceptable rejection range for all other statistical tests is [0, 4]. Due to insufficient cycles, the evaluated sample size for the random excursion and random excursion variant tests is less than 100.

Table 9. The number of rejected p-values.

	SKAva	SPAva	PtCtCorr	CBChain	RandPtRandK	LowDKey	HighDKey	LowDPt	HighDPt
Block Frequency	0	0	0	0	0	0	0	0	0
Linear Complexity	0	0	0	0	0	N/A	N/A	N/A	N/A
Maurer’s Universal	0	0	0	0	0	0	0	N/A	N/A
Approximate Entropy	0	0	0	0	0	0	0	0	0
Overlapping Templates	0	0	0	0	0	0	0	0	0
Serial	0	0	0	0	0	0	0	0	0
Runs	0	0	0	0	0	0	0	0	0
Frequency	0	0	0	0	0	0	0	0	0
Spectral DFT	0	0	0	0	0	0	0	0	0
Binary Matrix Rank	0	0	0	0	0	0	0	0	0
Longest Runs of Ones	0	0	0	0	0	0	0	0	0
Cumulative Sums	0	0	0	0	0	0	0	0	0
Random Excursion	0	0	0	0	0	N/A	N/A	N/A	N/A
Random Excursion Variant	0	0	0	0	0	N/A	N/A	N/A	N/A

outlined the number of rejected p-values for all statistical tests conducted across the nine data categories. The modified Feistel-based lightweight block cipher passed all statistical tests (one hundred percent).

A comparative analysis of randomness test results with other existing lightweight block ciphers was performed, and the results are shown in

Table 10. Comparison of randomness test.

Algorithm	Percentage Passed	Reference
MGFN	100%	This paper
RECTANGLE	67%	[62]
3D-RECTANGLE	89%	[57]
SPECK-128/128	78%	[67]
SPECK-128/192	56%	[67]
SPECK-128/256	44%	[67]

. The result indicates that the MGFN randomity properties are better than the other existing algorithms’. The comparison is indicated by calculating the percentage for the ‘passed’ category of data.

6. Conclusions

In this paper, a modified GFN lightweight block cipher with a 64-bit block length and a 128-bit key that operates in 24 rounds was presented. It is meant to provide high-security margins with a short number of rounds for devices with limited memory. A variation of the Type-II GFN is utilized as the design basis for the encryption with a four-layer round function: AddKey, RShift, Sbox, and Pbox.

On the basis of the security evaluation and preliminary cryptanalytic results of the MGFN, it is demonstrated that the cipher obtained an adequate security margin against well-known statistical and cryptographic analytics: the avalanche effect test and the randomness test. The avalanche effect test consisted of two tests: bit error rate and key sensitivity. The results reveal that the MGFN can impart a dispersion property to the cipher output. A secure cryptographic algorithm must pass all conditions for randomness. This is evidenced by the fact that the MGFN passed all fourteen statistical tests conducted on its algorithm’s output across nine data categories. However, passing all randomness tests does not ensure a cryptographic algorithm’s security strength [68]. Thus, an additional security analysis, such as linear and differential cryptanalysis, must be performed on the MGFN to confirm the security of the proposed encryption algorithm. Additionally, it is essential to assess the performance of the MGFN in terms of speed and memory usage in the future.