A 1600-bit Table-Free ARX Sponge with MILP-Proven 1,052 Active Components and 2^(-26,712) Differential Trail Bound
The first cryptographic primitive where the algebraic structure of the permutation itself changes with every invocation.
One permutation. Zero borrowed components. Complete cryptographic suite from scratch.
KK(S) = S XOR E : state XOR universal entropy at the precise instant of creation
Warning
KK is a novel, un-audited cryptographic primitive. It has not been reviewed by third-party cryptographers. Do not use for production security until formal peer review is complete.
- What is KK?
- Quick Start
- The Primitive
- What Ships in the Box
- Performance
- Architecture
- Security Model
- Building
- Testing
- Fuzzing
- no_std Support
- Documentation
- License
KK (Keeney Kode) is a 1600-bit cryptographic sponge permutation built entirely from arithmetic, rotation, and XOR operations (the ARX paradigm) without lookup tables, S-boxes, or borrowed components. It introduces two novel primitives that no published cipher uses:
- Multiply-Fold-Rotate (MFR): Widening 64-bit multiply, XOR fold, and rotation. Bijective, non-linear, full-word mixing. Per-bit scaling of maximum differential probability: 2^(-63) at full 64-bit width.
- Data-Dependent Rotation (DDR): The rotation distance is derived from all 64 bits of the input word, forcing exponential path explosion in differential and linear trail analysis. Constant-time branchless implementation on all platforms.
These are composed into a quintet round, a 5-word mixing structure applied in row, column, and diagonal phases across 32 rounds of 15 quintets each (480 quintet-rounds total).
Every cipher ever published has a fixed algebraic structure. The key changes what the cipher does to your data, but the cipher itself is the same mathematical object on every invocation.
KK is fundamentally different. The rotation schedule governing MFR operations is derived from a runtime entropy snapshot captured at the moment of encryption. The algebraic structure of the permutation itself changes with every invocation. Each ciphertext is produced by a permutation with a distinct internal geometry.
This makes multi-query differential and linear attacks structurally inapplicable: the attacker cannot accumulate observations under a fixed permutation because no fixed permutation exists. It also enables built-in temporal commitment proofs that bind ciphertexts to their creation timestamps with cryptographic strength, directly applicable to regulatory compliance, audit trails, supply-chain integrity, and tamper-evident logging.
Modern symmetric cryptography relies on a small number of standard primitives (AES, SHA-2/SHA-3, ChaCha20-Poly1305). While these have withstood decades of cryptanalysis, the resulting monoculture concentrates systemic risk: a structural break in any single widely deployed primitive would cascade across protocols, implementations, and infrastructure simultaneously.
KK occupies a previously empty point in the design space:
| Property | KK | Keccak/SHA-3 | ChaCha20 | Ascon | RC5/RC6 |
|---|---|---|---|---|---|
| Table-free ARX | Yes | No (chi S-box) | Yes | No (S-box) | Yes |
| Wide sponge (1600-bit) | Yes | Yes | No (512-bit CTR) | No (320-bit) | No (block cipher) |
| Data-dependent rotations | Yes (DDR) | No | No | No | Yes |
| Per-invocation algebraic variance | Yes | No | No | No | No |
| Complete crypto suite from single permutation | Yes | Partial | No | Partial | No |
KK is positioned as a diversity candidate: not as a replacement for established standards, but as an independently designed construction for systems requiring algorithmic heterogeneity, table-free constant-time execution, built-in temporal binding, or a sponge-based suite with a non-S-box algebraic lineage.
For the full design rationale, analysis, and formal specification, see the Combined Paper
use kk_crypto::{encode, decode};
let key = b"our-shared-secret";
// Encode: symbol values become functions of this cosmic instant
let packet = encode(key, b"Hello KK!").unwrap();
// Decode: same secret, same moment reference, same message
let plaintext = decode(key, &packet).unwrap();
assert_eq!(plaintext, b"Hello KK!");AEAD (Authenticated Encryption with Associated Data)
use kk_crypto::{encode_aead, decode_aead};
let key = b"our-shared-secret";
let aad = b"metadata-not-encrypted-but-authenticated";
let packet = encode_aead(key, aad, b"secret payload").unwrap();
let plaintext = decode_aead(key, aad, &packet).unwrap();
assert_eq!(plaintext, b"secret payload");Forward-Secret Sessions (Rope Ratchet)
use kk_crypto::{encode_session, decode_session, RopeRatchet};
let key = b"session-key";
let mut alice = RopeRatchet::new(key);
let mut bob = RopeRatchet::new(key);
// Each message ratchets the cipher's algebraic structure forward
let (packet, step) = encode_session(&mut alice, b"message 1").unwrap();
let plaintext = decode_session(&mut bob, &step, &packet).unwrap();
assert_eq!(plaintext, b"message 1");
// Old keys are gone. Backward computation is impossible.Key Agreement (KK-EKA)
use kk_crypto::{EkaInitiator, EkaResponder};
let psk = b"pre-shared-key";
let (mut alice, msg1) = EkaInitiator::begin(psk).unwrap();
let (mut bob, msg2) = EkaResponder::respond(psk, &msg1).unwrap();
let alice_key = alice.finalize(&msg2).unwrap();
let bob_key = bob.finalize(&alice.msg3(&msg2).unwrap()).unwrap();
// alice_key == bob_key, derived from mutual entropy contributionStreaming (Large Messages)
use kk_crypto::{StreamEncoder, StreamDecoder};
let key = b"stream-key";
let mut encoder = StreamEncoder::new(key).unwrap();
encoder.update(b"chunk 1").unwrap();
encoder.update(b"chunk 2").unwrap();
let packet = encoder.finalize().unwrap();
let mut decoder = StreamDecoder::new(key, &packet).unwrap();
let mut buf = Vec::new();
decoder.read_to_end(&mut buf).unwrap();Batch Encoding (High Throughput)
use kk_crypto::{encode_aead_batch, decode_aead_batch};
let key = b"batch-key";
let aad = b"batch-aad";
let messages: Vec<&[u8]> = vec![b"msg1", b"msg2", b"msg3"];
let packets = encode_aead_batch(key, aad, &messages).unwrap();
let decoded = decode_aead_batch(key, aad, &packets).unwrap();A 1600-bit sponge construction built entirely from first principles. No borrowed components.
State: 25 x 64-bit words = 200 bytes = 1600 bits
Rate: 19 words (152 bytes, 1216 bits)
Capacity: 6 words ( 48 bytes, 384 bits) ~ 192-bit security
Rounds: 32, each with 15 quintet operations = 480 quintet-rounds
| Operation | What it does |
|---|---|
| MFR (Multiply-Fold-Rotate) | Widening 64-bit multiply, fold XOR with ^b re-injection, rotation. Non-linear, bijective, full-word mixing. Extrapolated single-operation max differential: 2^(-63). |
| DDR (Data-Dependent Rotation) | Rotation distance derived from all 64 bits of input via multiplicative selector (0xB5C0FBCFEC4D3B2F = ⌊frac(∛5) × 2⁶⁴⌋). Constant-time branchless implementation. Forces exponential path explosion in trail analysis. |
- 5-word quintet mixing: Row, column, and diagonal phases ensure full diffusion in 4 rounds
- Entropy-derived rotation schedules: The algebraic structure of the permutation changes per invocation
- Nothing-up-my-sleeve constants: 25 values from fractional parts of square roots of the first 25 primes
- Intra-round re-keying: Capacity words mixed back into rate every 8 rounds with round-dependent rotation
- No lookup tables: Inherent cache-timing side-channel resistance on all platforms, verified by dudect (|t| = 2.28, threshold 4.5)
- Complementary duality: MSB differential weakness and LSB linear weakness sit at opposite ends of the word. No single bit position is exploitable in both dimensions simultaneously.
| Property | Bound | Margin over 2^(-800) target |
|---|---|---|
| MILP-proven active components (32R, general) | 1,052 minimum | Proven optimal (CBC solver) |
| MILP-proven active components (32R, sponge) | 1,067 minimum | Proven optimal (CBC solver) |
| Differential trail (32 rounds, 424+ active MFR) | 2^(-26,712) | 25,912 bits |
| MILP structural bound (conservative MDP) | 2^(-1,489) | 689 bits |
| Linear trail (32 rounds) | 2^(-2,544) | 1,744 bits |
| DDR universal floor per active quintet | LP ≤ 2^(-12) | Regardless of MFR behavior |
| Strict avalanche criterion | Mean |
Ideal |
| Bit independence | Max correlation |
Near-zero |
| Hash collisions | Zero in |
N/A |
A word-level truncated differential MILP model solved to proven optimality by the CBC solver establishes structural lower bounds on the number of active non-linear components in any differential trail through the KK permutation.
| Rounds | General | Sponge | Trail Bound (General) | Trail Bound (Sponge) |
|---|---|---|---|---|
| 1 | 6 | 6 | 2^(-8.5) | 2^(-8.5) |
| 2 | 41 | 41 | 2^(-58.0) | 2^(-58.0) |
| 3 | 73 | 75 | 2^(-103.3) | 2^(-106.1) |
| 4 | 110 | 111 | 2^(-155.7) | 2^(-157.1) |
| 8 | 254 | 254 | 2^(-359.4) | 2^(-359.4) |
| 16 | 519 | 519 | 2^(-734.4) | 2^(-734.4) |
| 32 | 1,052 | 1,067 | 2^(-1,488.6) | 2^(-1,509.8) |
All 14 models (7 round counts x 2 scenarios) solved to proven optimality with zero gap.
Key findings:
- The 192-bit security threshold (capacity/2) is crossed between rounds 5 and 6 using conservative per-component MDP of 2^(-1.415) from the exhaustive 8-bit DDT
- At full 32 rounds: security margin of ~7.7x the 192-bit target in the exponent
- The sponge scenario (rate-only input differences) yields equal or higher active counts, confirming that capacity isolation strengthens resistance
- These bounds are complementary to the existing 2^(-26,712) DDT extrapolation bound, which uses per-operation MDP at the full 64-bit scaling
The MILP model and solver scripts are in analysis/.
Everything below is built from the KK permutation alone. Zero external cryptographic dependencies.
| Primitive | Description |
|---|---|
| KK-Hash | 256-bit collision-resistant hash |
| KK-KDF | Key derivation with entropy-derived rotation schedule per derivation |
| KK-MAC | Message authentication, constant-time verification |
| KK Stream Cipher | Per-chunk independent keystream derivation |
| KK-AEAD | Authenticated encryption with associated data |
| Temporal Commitment | Binds ciphertext to the exact entropic moment of creation |
| Bound Commitment | Challenge-response with nonce chaining for replay prevention |
| Split-Channel Mode | Entropy snapshot transmitted on a separate channel |
| Rope Ratchet | 4-strand forward-secret session protocol, ~192-bit forward secrecy |
| KK-EKA | 3-message entropy key agreement, zero external primitives |
| KK-RNG | Forward-secret DRBG, ratchets on every call |
| AVX-512 Batch | 8 independent sponge states in lockstep across 512-bit registers |
| GPU Acceleration | wgpu compute shader + CUDA, RTX 5080 verified, byte-identical to CPU |
| no_std Core | Bare permutation + hash + KDF + MAC + RNG for embedded / WASM |
All numbers measured on a single AMD Ryzen 9 9950X3D ($699 consumer CPU). 16 cores / 32 threads, Zen 5, AVX-512, 5.35 GHz boost. Criterion framework, 100 samples per benchmark point, 251 tests passing.
| Workload | Throughput | Messages/sec |
|---|---|---|
| 1,000 x 64 KB | 5.22 GiB/s | 85,000+ |
| 1,000 x 16 KB | 2.40 GiB/s | 153,000+ |
| 1,000 x 4 KB | 1.53 GiB/s | 430,000+ |
| 10,000 x 4 KB | 1.67 GiB/s | 430,000+ |
| Primitive | Speed |
|---|---|
| KK permutation (32 rounds, 1600-bit) | 1.14 us |
| KK-Hash | 186 MiB/s |
| KK-MAC | 127 MiB/s |
| KK-KDF | 145 MiB/s |
| KK-RNG (forward-secret per call) | 186 MiB/s |
| Entropy rotation derivation | 11.4 ns |
| Config | Throughput | Notes |
|---|---|---|
| Single core (AVX-512 batch) | 497 MiB/s | Matches SHA-3/Keccak per-core while doing 4x the work per byte |
| 16 threads | 4.09 GiB/s | Physical cores only |
| 32 threads (SMT) | 5.22 GiB/s | +27% from hyperthreads (unusual for AVX-512) |
| GPU (wgpu WGSL) | 1.01 GiB/s | Raw permutation |
| GPU (CUDA native) | 2.08 GiB/s | Raw permutation, RTX 5080 |
| KK-EKA handshake | 44.6 us | 22,400 authenticated key agreements/sec |
| KK-RNG pool (32 threads) | 2.80 GiB/s | Forward-secret random bytes |
Entropy Sources > KK-Mix > Per-Symbol Derivation > Temporal Binding > Encoding
(entropy.rs) (kk_mix.rs) (kdf.rs) (temporal.rs) (codec.rs)
| Module | Role |
|---|---|
kk_mix.rs |
KK permutation, sponge, KK-Hash, KK-KDF, KK-MAC |
kk_mix_avx512.rs |
AVX-512 vectorized permutation (8 states simultaneously) |
entropy.rs |
Non-deterministic entropy (RDTSC, thread jitter, OS CSPRNG) |
kdf.rs |
Per-chunk keystream derivation (scalar + batched AVX-512) |
temporal.rs |
Temporal commitment binding |
codec.rs |
Public API, packet serialization, streaming, batch encoding |
session.rs |
Rope Ratchet forward-secret session protocol |
eka.rs |
KK-EKA three-message entropy key agreement |
rng.rs |
KK-RNG forward-secret DRBG |
qkd.rs |
BB84 quantum key distribution simulation |
Threat Model
KK assumes a pre-shared secret between sender and receiver. An attacker may observe, replay, or modify ciphertext in transit but does not know the shared secret.
Confidentiality
Each encoding captures a unique EntropySnapshot (CPU counters, thread jitter, OS randomness). The snapshot feeds KK-KDF to derive per-chunk keystream. The same plaintext never produces the same ciphertext twice.
Integrity
Every packet carries a KK-MAC tag over (ciphertext + entropy snapshot). decode rejects any packet whose tag does not verify.
Temporal Binding
The TemporalCommitment in each packet commits to the entropy used during encoding. The receiver re-derives the commitment and rejects packets if it does not match.
Key Hygiene
All intermediate keys (commit keys, chunk keystream) are zeroized via the zeroize crate immediately after use. Output buffers are zeroized on error paths to prevent partial plaintext leaks.
Formal Bounds
| Property | Bound | Margin over 2^-800 target |
|---|---|---|
| MILP-proven active components (32R) | 1,052 minimum (general), 1,067 (sponge) | Proven optimal |
| Differential trail | 2^-26,712 | 25,912 bits |
| MILP structural bound (conservative MDP) | 2^-1,489 | 689 bits |
| Linear trail | 2^-2,544 | 1,744 bits |
| DDR universal floor | LP <= 2^-12 per active quintet | Regardless of MFR behavior |
| Full diffusion | 4 rounds | Confirmed |
Complementary duality proven: MSB differential weakness and LSB linear weakness sit at opposite ends of the word. No single bit position is exploitable in both dimensions simultaneously.
MILP structural lower bound (word-level truncated differential model) solved to proven optimality by CBC for all round counts 1 through 32. See analysis/ for the complete model and solver.
- Un-audited. Novel primitive, not reviewed by third-party cryptographers.
- No replay protection. Callers must add sequence numbers or timestamps at the protocol layer.
- Forward secrecy requires Rope Ratchet. The base codec does not provide forward secrecy on its own.
cargo build # standard build
cargo build --no-default-features # no_std (core primitives only)
cargo build --features gpu # wgpu GPU acceleration
cargo build --features cuda # CUDA GPU accelerationcargo test # 251 tests
cargo clippy # lint
cargo bench # 56 criterion benchmarks (100 samples each)| Category | Count |
|---|---|
| Unit tests | 94 |
| Integration tests | 63 |
| Property tests (proptest) | 18 |
| Deterministic test vectors | 44 |
| Documentation tests | 8 |
| GPU correctness tests | 10 |
| Criterion benchmark points | 56 |
| Total | 251 tests, zero failures |
8 fuzz targets under fuzz/. Requires cargo-fuzz:
cargo fuzz run hash_fuzz # KK-Hash
cargo fuzz run kdf_fuzz # KK-KDF
cargo fuzz run mac_fuzz # KK-MAC
cargo fuzz run roundtrip_fuzz # encode/decode roundtrip
cargo fuzz run aead_fuzz # AEAD mode
cargo fuzz run session_fuzz # Rope Ratchet sessions
cargo fuzz run temporal_fuzz # temporal commitment
cargo fuzz run eka_fuzz # key agreementWith --no-default-features, KK exposes the core permutation, KK-Hash, KK-KDF, KK-MAC, and KK-RNG for no_std + alloc environments (embedded, WASM).
[dependencies]
kk-crypto = { version = "0.1", default-features = false }| Document | Description |
|---|---|
| Combined Paper | Primary reference. Full design, analysis, specification, and performance in one document. Also available as PDF |
| Test Vectors | Deterministic reference vectors for cross-language implementation |
| Integration Guide | Examples for all codec modes, streaming, sessions, EKA |
| Technical Flex | Full technical breakdown and competitive analysis |
| Security Policy | Responsible disclosure process |
| Changelog | Version history |
J.A. Keeney, Australia, 2026
Apache 2.0 with Additional Terms. No commercial use without prior written authorization from John A Keeney / Entrouter. See LICENSE for full terms. Contact: hello@entrouter.com