Author: Denis Avetisyan
Researchers have developed a novel block cipher, ExpanderGraph-128, that harnesses the power of graph theory for enhanced security and streamlined hardware implementation.

This paper details the design and formal security analysis of ExpanderGraph-128, a lightweight cryptographic primitive based on expander graphs and a Feistel network.
Conventional lightweight cryptographic designs typically rely on complex component-level optimizations for security, yet struggle to balance efficiency with provable guarantees. This paper introduces ‘ExpanderGraph-128: A Novel Graph-Theoretic Block Cipher with Formal Security Analysis and Hardware Implementation’, presenting a 128-bit block cipher, ExpanderGraph-128 (EGC128), that leverages the structural properties of sparse expander graphs to achieve strong diffusion and security. Formal analysis, including MILP bounds demonstrating $\geq 2^{147.3}$-bit differential and $\geq 2^{145}$-bit linear security, combined with a resource-efficient hardware implementation (achieving 261 Mbps with only 380 LUTs on an FPGA), suggests a promising new direction for cryptographic design; could graph-theoretic constructions offer a pathway to more secure and efficient lightweight ciphers?
Another Cipher? We’ve Been Down This Road Before.
Conventional block cipher construction has historically faced a trilemma: bolstering security often necessitates increased computational complexity, thereby hindering speed and inflating the resources required for practical implementation. Existing designs frequently rely on iterative rounds of substitution and permutation, which, while providing robust diffusion and confusion, can become bottlenecks in both software and hardware. Furthermore, achieving a sufficient level of security against modern cryptanalytic attacks, such as differential and linear cryptanalysis, often demands larger key and block sizes, contributing to increased memory footprint and slower processing times. This inherent tension between these three crucial characteristics (security, speed, and efficiency) has driven the search for alternative cryptographic primitives and design methodologies, prompting exploration into approaches that can break free from these traditional limitations.
EGC128 distinguishes itself through the innovative application of expander graph networks within its cipher design. These networks facilitate rapid and thorough diffusion of information – ensuring that each plaintext bit influences multiple ciphertext bits after only a few rounds – thereby bolstering resistance against differential and linear cryptanalysis. This approach yields a cipher with a notably compact hardware footprint, crucial for resource-constrained environments, while simultaneously achieving competitive throughput rates comparable to established block ciphers. The structural properties of expander graphs enable a highly parallelizable design, optimizing performance without sacrificing security, and presenting a compelling alternative for applications demanding both efficiency and robust cryptographic protection.

Expander Graphs: The Theoretical Foundation
EGC128 employs a 3-regular expander graph as the core of its diffusion layer, enabling rapid propagation of changes to all ciphertext bits. A 3-regular graph signifies that each vertex is connected to exactly three other vertices, ensuring a balanced and efficient network for diffusion. This specific graph structure allows any single bit change to influence a substantial portion of the ciphertext after a limited number of diffusion rounds. The high degree of connectivity inherent in the expander graph facilitates this quick spreading effect, exceeding the performance of many traditional diffusion methods like simple substitution-permutation networks. This efficient diffusion is critical for the cipher’s security, preventing attackers from exploiting localized changes to the ciphertext.
The spectral gap of a graph, defined as the difference between the largest and second-largest eigenvalues of its adjacency matrix, directly quantifies the rate at which information propagates across the graph. In the context of EGC128, a larger spectral gap indicates faster diffusion – meaning a single ciphertext bit change will rapidly influence many other bits. Mathematically, if $\lambda_{max}$ and $\lambda_{second}$ represent the largest and second-largest eigenvalues respectively, the spectral gap is $\lambda_{max} - \lambda_{second}$. A wider gap signifies improved resistance to cryptanalytic attacks, particularly those exploiting limited diffusion, as the cipher’s resistance is directly proportional to the speed with which changes disseminate throughout the ciphertext.
The diffusion layer in EGC128 employs an expander graph where each vertex represents a bit of the ciphertext and is subject to a local Boolean function application. This design choice moves beyond simple bit permutations, introducing non-linearity directly into the diffusion process. Applying these functions at each vertex ensures that a change in any single bit rapidly influences multiple other bits throughout the ciphertext. The specific Boolean functions used are designed to maximize the avalanche effect – a small input change resulting in significant output variation – and to resist known linear and differential cryptanalytic attacks. This vertex-based, non-linear diffusion is a core element of the cipher’s security and efficiency.
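The following added example (not code from the paper or from this article) computes the spectral gap $\lambda_{max} - \lambda_{second}$ defined above, together with the worst-case number of graph steps before one bit can reach every vertex, for two 3-regular graphs. The page does not give EGC128's actual graph: the 64-vertex size (one vertex per bit of a Feistel half), the Möbius ladder and the generalized Petersen graph GP(32,5) are stand-ins assumed here for comparison.

```python
import math
import random
from collections import deque

N = 64  # assumption: one vertex per bit of a 64-bit Feistel half

def mobius_ladder(n=N):
    """Cycle plus antipodal chords: 3-regular, but a weak expander."""
    return [[(i - 1) % n, (i + 1) % n, (i + n // 2) % n] for i in range(n)]

def generalized_petersen(m=N // 2, k=5):
    """GP(m, k): outer cycle 0..m-1, inner vertices m..2m-1 linked with stride k."""
    outer = [[(i - 1) % m, (i + 1) % m, m + i] for i in range(m)]
    inner = [[i, m + (i - k) % m, m + (i + k) % m] for i in range(m)]
    return outer + inner

def is_3_regular(adj):
    # Simple and undirected, with exactly three distinct neighbours per vertex.
    return all(len(set(nb)) == 3 and v not in nb and all(v in adj[u] for u in nb)
               for v, nb in enumerate(adj))

def spectral_gap(adj, d=3, iters=4000, seed=1):
    """lambda_max - lambda_second of a connected d-regular graph (power iteration)."""
    # lambda_max = d with the all-ones eigenvector; iterating A + d*I while staying
    # orthogonal to all-ones converges to lambda_second + d.
    n = len(adj)
    rng = random.Random(seed)
    x = [rng.random() for _ in range(n)]
    for _ in range(iters):
        mean = sum(x) / n
        x = [v - mean for v in x]  # project out the all-ones direction
        y = [d * x[v] + sum(x[u] for u in adj[v]) for v in range(n)]
        norm = math.sqrt(sum(c * c for c in y))
        x = [c / norm for c in y]
    ax = [sum(x[u] for u in adj[v]) for v in range(n)]
    return d - sum(a * b for a, b in zip(ax, x))  # Rayleigh quotient, |x| = 1

def rounds_to_full_reach(adj):
    """Worst-case graph steps before one flipped bit can influence every vertex."""
    worst = 0
    for start in range(len(adj)):
        dist, queue = {start: 0}, deque([start])
        while queue:
            v = queue.popleft()
            for u in adj[v]:
                if u not in dist:
                    dist[u] = dist[v] + 1
                    queue.append(u)
        worst = max(worst, max(dist.values()))
    return worst
```

On these inputs the Möbius ladder has a gap of about 0.038 and needs 16 steps for full reach, while GP(32,5) has a gap of about 0.377 and needs fewer steps. Reach is only a necessary condition for diffusion and says nothing by itself about differential or linear bounds.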

Formal Verification: Because Hope Isn’t a Strategy
A formal security analysis of EGC128 utilized Mixed-Integer Linear Programming (MILP) to establish concrete bounds on its resistance to differential and linear cryptanalysis. This approach involved modeling the cipher’s operations as a set of linear constraints and an objective function, allowing for automated search of optimal attack characteristics. The MILP formulation enabled the derivation of lower bounds on the number of S-box trails in differential attacks and the determination of the minimum number of linear approximations with a given bias. By systematically exploring the solution space, the analysis provides quantifiable security margins against these two prevalent cryptanalytic techniques, offering a rigorous assessment beyond traditional heuristic evaluations.
Pseudorandomness testing of EGC128’s output was performed using the NIST Statistical Test Suite (STS), specifically adhering to guidelines outlined in NIST Special Publication 800-22. This suite comprises fifteen statistical tests designed to detect deviations from truly random behavior in cryptographic random number generators and cipher output. Successful completion of these tests, with acceptable p-values exceeding a predefined significance level, indicates that EGC128’s output exhibits statistical properties consistent with a pseudorandom sequence, thereby validating its appropriateness for use in security-sensitive cryptographic applications. The tests evaluate characteristics such as frequency, serial correlation, and the distribution of patterns within the generated bitstream.
Differential cryptanalysis assesses a cipher’s resistance to attacks exploiting differences in ciphertext resulting from small changes in plaintext. Analysis of EGC128 demonstrates a minimum differential weight of 147.3 bits after 10 rounds of encryption. This metric quantifies the probability of a successful differential attack; higher values indicate greater resistance. Extrapolation of these results indicates an expected differential weight of at least 413 bits following 20 rounds, suggesting a substantial margin of security against known differential attack techniques. These values were calculated through rigorous analysis of the cipher’s S-box layer and diffusion properties, indicating a strong defense against attacks attempting to exploit differential characteristics.

Implementation and Practicality: The Moment of Truth
The core of EGC128’s design rests upon a balanced Feistel network, a structure celebrated for its robust diffusion and confusion properties in cryptographic algorithms. This network operates through a series of iterative rounds, dividing the input data into two equal halves and repeatedly applying a round function to one half, combined with the other via XOR. The ‘balanced’ aspect ensures each data bit influences a substantial number of other bits in subsequent rounds, dramatically increasing the algorithm’s resistance to differential and linear cryptanalysis. This approach efficiently mixes and obscures the relationship between the plaintext and ciphertext, making it exceptionally difficult for an attacker to deduce the original data from its encrypted form. The carefully constructed round function, combined with the iterative nature of the Feistel network, provides a strong foundation for EGC128’s security profile.
The efficiency of EGC128 is significantly bolstered by its linear-feedback shift register (LFSR)-based key schedule. This design choice allows for the dynamic generation of round keys through a simple iterative process, eliminating the need to store a large number of pre-computed keys. Consequently, memory requirements are substantially reduced, making EGC128 particularly suitable for resource-constrained environments. The LFSR’s inherent speed further contributes to enhanced performance, as round keys can be generated on-the-fly with minimal computational overhead, contributing to the cipher’s overall throughput and responsiveness.
Practical realization of EGC128 was successfully demonstrated through implementation on an Artix-7 Field-Programmable Gate Array. This hardware instantiation achieved a throughput of 261 Megabits per second while operating at a clock frequency of 100 MHz, showcasing its potential for real-time applications. Remarkably, the implementation exhibited exceptionally low resource utilization, consuming only 380 Look-Up Tables (LUTs), representing a mere 1.8% of the available resources, and 1.6% of the available slices. These results confirm EGC128’s feasibility as a lightweight and efficient cryptographic solution suitable for resource-constrained environments and high-performance systems alike.

The elegance of ExpanderGraph-128, with its reliance on spectral graph theory, initially suggests a fortress against attack. Yet, history whispers warnings. The paper details a mathematically rigorous design, a formal security analysis attempting to preempt the inevitable entropy of production environments. One anticipates the first deployed instance will reveal unforeseen vulnerabilities, quirks in implementation, or simply, clever exploitation of assumptions. As Blaise Pascal observed, “All of humanity’s problems stem from man’s inability to sit quietly in a room alone.” Similarly, any cryptographic construction, however beautifully theorized, will eventually face the relentless pressure of real-world usage and the ingenuity of those seeking to break it. The pursuit of perfect security is, after all, a beautiful, prolonged suffering.
What’s Next?
The appeal of ExpanderGraph-128, like all constructions rooted in spectral graph theory, lies in the promise of security derived from mathematical structure. This is, predictably, where the future problems reside. Formal analysis, while presented here, is a snapshot. The real test will be the inevitable attempts to map the graph’s properties onto differential and linear cryptanalysis – to find the edges where the elegant theory yields to brute force production. The simplicity of the Feistel network is a virtue, but simplicity is often just a smaller attack surface.
The field will likely see a proliferation of ‘graph-inspired’ ciphers, each touting a novel expansion property or spectral characteristic. This is, historically, how ‘innovation’ occurs: rediscovering old constraints with new marketing. The true progress will not be in finding more graphs, but in a more rigorous understanding of why these structures offer (or fail to offer) lasting security. The emphasis should shift from proving security to quantifying the cost of breaking it.
Ultimately, the question isn’t whether ExpanderGraph-128 is secure – it’s how long it remains so. The relentless pressure of attackers will reveal its limitations, as it does with all constructions. The goal, therefore, shouldn’t be to create the ‘unbreakable’ cipher, but to build systems that degrade gracefully when, inevitably, they are broken. The field does not need more microservices; it needs fewer illusions.
Original article: https://arxiv.org/pdf/2603.12637.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-03-16 17:19