The One-Sentence Version
In every cipher ever published, symbol A has a fixed value. Encryption hides what A means. In KK, symbol A has no fixed value. Its value is a function of the universe at the instant it was born.
KK(S) = S XOR E : state XOR universal entropy at the precise instant of creation
Encode the same byte twice, one nanosecond apart, and you get two cryptographically unrelated outputs. Not different ciphertext from the same algorithm. A structurally different cipher at each moment.
Why I Built This
I wanted to answer a question nobody was asking: What if the cipher itself changed shape every time you used it?
Every mainstream cipher (AES, ChaCha20, Keccak) treats its algebraic structure as fixed. The key selects a path through that structure, but the structure itself is a constant. KK flips this. The permutation's rotation schedule is derived from real-world entropy (CPU counters, thread jitter, OS randomness), so the algebraic structure of the cipher is different on every single invocation.
The result is a 1600-bit sponge construction with:
- 32 rounds, each with 15 quintet operations = 480 quintet-rounds total
- Two novel operations no published cipher uses (MFR and Data-Dependent Rotation)
- 5-word quintet mixing (no published cipher uses 5-word rounds)
- Entropy-derived rotation schedules per invocation
- Computed differential trail bound of 2^-26,712 and linear trail bound of 2^-2,544
And every cryptographic primitive ships from this single permutation. No external dependencies.
What Ships in the Box
Everything below is built from the KK permutation alone:
| Primitive | What It Does |
|---|---|
| KK-Hash | 256-bit collision-resistant hash |
| KK-KDF | Key derivation with per-derivation rotation schedule |
| KK-MAC | Message authentication, constant-time verify |
| KK-AEAD | Authenticated encryption with associated data |
| Rope Ratchet | 4-strand forward-secret session protocol |
| KK-EKA | 3-message key agreement, zero external primitives |
| KK-RNG | Forward-secret DRBG, ratchets on every call |
| Temporal Commitment | Binds ciphertext to the exact entropic instant |
| Streaming | Chunk-based large message support |
| AVX-512 Batch | 8 sponge states in lockstep across 512-bit registers |
| GPU | wgpu + CUDA acceleration, byte-identical to CPU |
| no_std | Bare core for embedded / WASM |
Zero external cryptographic dependencies. Not "we wrap AES for the heavy lifting." Zero.
Show Me the Code
use kk_crypto::{encode, decode};
let key = b"our-shared-secret";
// Encode: symbol values become functions of this cosmic instant
let packet = encode(key, b"Hello KK!").unwrap();
// Decode: same secret, same moment reference, same message
let plaintext = decode(key, &packet).unwrap();
assert_eq!(plaintext, b"Hello KK!");
AEAD:
use kk_crypto::{encode_aead, decode_aead};
let key = b"our-shared-secret";
let aad = b"metadata-not-encrypted-but-authenticated";
let packet = encode_aead(key, aad, b"secret payload").unwrap();
let plaintext = decode_aead(key, aad, &packet).unwrap();
Forward-secret sessions with the Rope Ratchet:
use kk_crypto::{encode_session, decode_session, RopeRatchet};
let key = b"session-key";
let mut alice = RopeRatchet::new(key);
let mut bob = RopeRatchet::new(key);
let (packet, step) = encode_session(&mut alice, b"message 1").unwrap();
let plaintext = decode_session(&mut bob, &step, &packet).unwrap();
// Old keys are gone. Backward computation is impossible.
Performance
All numbers on a single AMD Ryzen 9 9950X3D. Criterion framework, 100 samples per benchmark.
Batch AEAD
| Workload | Throughput |
|---|---|
| 1,000 x 64 KB | 5.22 GiB/s |
| 1,000 x 16 KB | 2.40 GiB/s |
| 1,000 x 4 KB | 1.53 GiB/s |
Core Primitives
| Primitive | Speed |
|---|---|
| KK permutation (32 rounds) | 1.14 us |
| KK-Hash | 186 MiB/s |
| KK-MAC | 127 MiB/s |
| KK-KDF | 145 MiB/s |
| KK-RNG (forward-secret per call) | 186 MiB/s |
| KK-EKA handshake | 44.6 us (22,400/sec) |
Scaling
| Config | Throughput |
|---|---|
| Single core (AVX-512) | 497 MiB/s |
| 16 threads | 4.09 GiB/s |
| 32 threads (SMT) | 5.22 GiB/s |
| GPU (CUDA, RTX 5080) | 2.08 GiB/s |
For context: single-core throughput matches SHA-3/Keccak while doing significantly more work per byte (entropy capture, temporal binding, per-chunk key derivation).
The Novel Operations
MFR (Multiply-Fold-Rotate)
Widening 64-bit multiply, fold XOR, fixed rotation. Non-linear, bijective, full-word mixing. Every bit of input affects every bit of output within a single application.
DDR (Data-Dependent Rotation)
The rotation distance is derived from all 64 bits of the input word. This is implemented as constant-time branchless code, so no timing side-channels. The critical property: no published linear or differential analysis framework efficiently handles data-dependent rotations. The best an attacker can do is assume uniform rotation distribution, which gives a provable per-quintet linear probability ceiling of LP <= 2^-12.
Together, these operations interact to create what I call complementary duality: the MSB differential weakness of MFR and the LSB linear weakness sit at opposite ends of the word. No single bit position is exploitable in both attack dimensions simultaneously.
Formal Analysis Highlights
I didn't just build it and hope. The repository includes formal differential and linear analysis:
- Full Difference Distribution Table (DDT) computed for a reduced sponge
- Full Linear Approximation Table (LAT) computed
- Bit-0 independence proof: Bit 0 never reaches the DDR rotation distance, proving its differential trail bound is exact (not a statistical artifact)
- 4-round full diffusion confirmed when DDR floor is included
- Differential bound 33,390x beyond 2^-800 target
- Linear bound 3.18x beyond 2^-800 target
All analysis code ships in /examples/ so you can reproduce every number.
The Honest Parts
Let me be upfront about what KK is and isn't:
KK has not been peer-reviewed. It's submitted to IACR ePrint (2026/108500), but no third-party cryptographer has audited it yet. Don't use it for production security until that happens.
The base codec has no replay protection. You need sequence numbers or timestamps at the protocol layer. (The Rope Ratchet sessions do provide forward secrecy.)
This is novel cryptography. The entire cryptographic community's default position on novel ciphers is skepticism, and rightly so. I welcome that scrutiny.
The Numbers That Matter
| Metric | Value |
|---|---|
| Tests passing | 251 (zero failures) |
| Fuzz targets | 8 |
| Lines of Rust | ~8,000 |
| External crypto deps | 0 |
| Differential trail bound | 2^-26,712 |
| Linear trail bound | 2^-2,544 |
| Batch AEAD throughput | 5.22 GiB/s |
| Forward-secret handshakes | 22,400/sec |
Try It
[dependencies]
kk-crypto = "0.1"
cargo test # 251 tests
cargo bench # 56 criterion benchmarks
cargo clippy # zero warnings
no_std for embedded/WASM:
[dependencies]
kk-crypto = { version = "0.1", default-features = false }
Links
- GitHub: github.com/Entrouter/KK-Keeney-Kode
- crates.io: crates.io/crates/kk-crypto
- ePrint: eprint.iacr.org/2026/108500
- Contact: hello@entrouter.com
KK is Apache 2.0 with Additional Terms (non-commercial). See the LICENSE for details.
I'd love feedback, especially from anyone who works in cryptanalysis. If you can break it, I want to know. That's the whole point of publishing.
Top comments (0)