Research Article  Open Access
Je Sen Teh, Azman Samsudin, "A ChaosBased Authenticated Cipher with Associated Data", Security and Communication Networks, vol. 2017, Article ID 9040518, 15 pages, 2017. https://doi.org/10.1155/2017/9040518
A ChaosBased Authenticated Cipher with Associated Data
Abstract
In recent years, there has been a rising interest in authenticated encryption with associated data (AEAD) which combines encryption and authentication into a unified scheme. AEAD schemes provide authentication for a message that is divided into two parts: associated data which is not encrypted and the plaintext which is encrypted. However, there is a lack of chaosbased AEAD schemes in recent literature. This paper introduces a new 128bit chaosbased AEAD scheme based on the singlekey EvenMansour and TypeII generalized Feistel structure. The proposed scheme provides both privacy and authentication in a singlepass using only one 128bit secret key. The chaotic tent map is used to generate whitening keys for the EvenMansour construction, round keys, and random sboxes for the Feistel round function. In addition, the proposed AEAD scheme can be implemented with true random number generators to map a message to multiple possible ciphertexts in a nondeterministic manner. Security and statistical evaluation indicate that the proposed scheme is highly secure for both the ciphertext and the authentication tag. Furthermore, it has multiple advantages over AESGCM which is the current standard for authenticated encryption.
1. Introduction
Encryption and authentication of data are traditionally performed by two separate algorithms under the influence of different secret keys. This is known as generic composition which has three variations: EncryptandMAC, MACthenEncrypt, and EncryptthenMAC [1]. Recently, there has been a rising interest in the field of authenticated encryption with associated data (AEAD) which combines encryption and authentication into a unified scheme. It deals with the cryptographic problem of sending a message that has to be entirely authenticated but divided into two parts: associated data (additional information such as packet headers) that must be sent in the clear and the actual plaintext that must be encrypted [2]. AEAD schemes are also more efficient and less prone to implementation errors, unlike generic composition [3]. This is because an AEAD scheme can be implemented without extensive cryptographic knowledge and is easy for interoperability [4]. As it only requires one key for both privacy and integrity, it saves on key bits and key setup time and reduces the risk of users selecting insecure parameters.
The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) [5] was introduced in 2014 to identify authenticated ciphers that offer advantages over AESGCM, which has weak key problems and is susceptible to a cyclic attack [6]. CAESAR is currently in its second round of evaluation, with 30 candidate ciphers remaining. AEAD proposals for CAESAR need to have higher level of security and be as fast as AESGCM or faster than AESGCM with similar security level. The design of AEAD schemes is based on various constructs such as block ciphers, stream ciphers, and sponge constructions.
The aim of this paper is to construct an AEAD scheme based on chaos theory that is secure and efficient and fulfils the requirements set by CAESAR. For additional security, the AEAD scheme is designed to be able to take advantage of true random number generators (TRNG) to resist statisticalbased cryptanalysis. Due to the existence of efficient and uniformly distributed softwarebased TRNGs, it is feasible to utilize true random numbers in cryptographic algorithms. These TRNGs take advantage of physical phenomena that occur within computing hardware such as multicore processors [7], graphics processing units [8], or hard disks [9] and quantifies them to generate nondeterministic numbers. As the inputs of AEAD schemes include secret and public message numbers, TRNGs can be implemented to generate secret message numbers to provide immunity to statisticalbased cryptanalysis.
In this paper, a new AEAD scheme based on the chaotic tent map is proposed. It is designed based on the singlekey EvenMansour construction [10] and utilizes keydependent random sboxes. Both the whitening keys for the EvenMansour scheme and sboxes are generated based on chaos. The proposed AEAD scheme requires only a singlepass to produce both the authentication tag (MAC) and ciphertext. The cipher is evaluated for resistance against cryptanalytic attacks and its security is also analysed based on thorough statistical testing. Although not compulsory, the AEAD scheme can be implemented alongside a TRNG to provide immunity to statisticalbased cryptanalysis.
The rest of this paper is structured as follows: Section 2 provides an introduction to AEAD schemes and chaotic maps that are vital to understanding the rest of the paper. Section 3 describes the proposed AEAD algorithm in detail, followed by Section 4 that analysed its security. The paper is concluded in Section 5 with some closing remarks.
2. Preliminaries
2.1. Authenticated Encryption with Associated Data
The following are inputs to an authenticated encryption algorithm along with their corresponding security requirements (, ):(i)Variablelength plaintext (ip)(ii)Variablelength associated data (i)(iii)bit secret message number (ip)(iv)bit public message number/nonce (i)(v)bit secret key
The output of an AEAD scheme consists of a ciphertext with the same length as the plaintext (except for schemes with secret message numbers which have extra blocks of ciphertext depending on the size of ) and an authentication tag or MAC of bits. AEAD schemes need not support secret message numbers () but require unique nonces for semantic security. The inputs to an authenticated decryption algorithm include the ciphertext, associated data, nonce, and secret key. The secret message number will be extracted from ciphertext. It outputs the plaintext if verification is successful; otherwise the algorithm outputs an error message.
2.2. Chaotic Maps
Chaotic maps are deterministic dynamical systems that have randomlike behavior, sensitivity to slight changes in initial parameters, ergodicity, diffusion, and confusion characteristics. These qualities are analogous to requirements in cryptographic algorithms; thus chaotic maps have been used to design hash functions [11], encryption algorithms [12], key exchange protocols [13], and digital signature schemes [14]. Authenticated image encryption schemes based on chaos have been introduced by Bakhshandeh and Eslami [15] as well as Yang et al. [16]. However, they are both generic composition schemes with a distinct hash function and encryption algorithm. No chaosbased, unified AEAD schemes have been introduced in recent literature.
The chaotic tent map is used to design the proposed AEAD scheme as shown in (1), where is the control parameter that falls within the range of . In addition to being a fast and simple map, the tent map is selected because it has been widely studied and applied in the field of chaotic cryptography. The behavior of the chaotic map evolves from periodic to aperiodic as increases from 0 to 2 as shown in the tent map’s bifurcation diagram in Figure 1. The proposed AEAD sets for all tent map iterations.
Recent literature has shown that unimodal chaotic maps such as the tent map are susceptible to initial condition/parameter estimation techniques using statistical tools [17, 18]. Another problem of digital chaotic systems is dynamical degradation that occurs due to finite precision, which leads to short cycle lengths [19]. These problems can be addressed by using chaotic perturbation which changes the trajectory of the chaotic map’s orbit by modifying its initial condition using external values. The proposed AEAD scheme takes advantage of chaotic perturbation in its design as discussed in Section 3.
In software, chaotic map iterations involve real numbers that are usually represented by floating point variables. However, floating point operations are slower than binary operations. For faster speed and reproducibility, fixed point (FxP) representation [20] is used in the proposed AEAD scheme. A 32bit FxP variable consists of the two most significant bits (MSB) that represent integers before the radix point and the 30 least significant bits (LSB) that represent fractional bits.
3. Design Specifications
3.1. Parameters and Notations
All integers stated in the following algorithms are in hexadecimal format. Prior to modification by the nonce or secret keys, the initial values for all registers are arbitrarily chosen random numbers. The proposed 128bit AEAD scheme has the following parameters:(i)128bit secret key, (ii)64bit nonce, (iii)128bit secret message number, (iv)Associated data, (v)Message, (vi)128bit tag,
The following are notations used in this paper:(i)Length of a string, , denoted by (ii): Bitwise XOR(iii): Bitwise AND(iv): Bitwise concatenation of and (v): bit modular addition(vi): Bitwise left rotation by positions on a bit variable, where (vii): Bitwise right shift of by bits(viii): substitution function using an 8bit sbox, (ix): performing iterations of the chaotic map with an initial value (x): floor function to map a real number to the previous largest integer(xi): converting the FxP representation to real number(xii): mask for the FxP fractional bits
Because the AEAD design involves chaotic map iterations, round constants are used in several parts of the algorithms to prevent weak key problems. Weak keys can initialize the chaotic map’s initial condition to zero, which makes the system nonrandom and insecure. These round constants are taken from the list of prime numbers: , 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, , where is the index/round. The proposed AEAD scheme also uses a block shuffle and its inverse as shown in Table 1.

3.2. Random Box Generation
The composition method [21] is used to generate chaosbased sboxes for the AEAD scheme. The composition of two 8bit permutations, and , is denoted by , where is the set of all 8bit integers. First, a set consisting of four chaosbased sboxes is generated by permuting the AES sbox. To obtain the final sbox, a composition of four sboxes from is used, where the sboxes are selected based on randomly generated indices (repetitions are allowed). To generate the numbers used to permute AES and also as indices for the sbox composition, a chaosbased RNG is used. The initialization process and the RNG algorithm are as shown in Algorithms 1 and 2, respectively, where and are chaotic map initial conditions that are constantly modified by perturbation values, and .


The initialization process equally divides the secret key bits into four registers and two rotation variables such that all key bits are used only once. During the initialization, round constants are used to ensure that values of that initialize all registers to zero will result in nonzero starting values for the RNG. A total of 200 iterations for each tent map are performed for transient elimination, although 48 iterations have been deemed sufficient [22].
Each 8bit sbox, for , is first initialized as the AES sbox. Next, Algorithm 2 is used to generate for for each . Each sbox is then permuted as follows:To obtain the final sbox, , four additional values are generated by Algorithm 2. A fourmodulo operation is applied on these values which are then used as sbox indices, for . The final sbox is a composition of the four sboxes indexed by : . As depends only on , it can be precomputed by both parties. is later modified by in the actual encryption process.
3.3. Key Schedule Algorithm
The key scheduling algorithm generates 20 round keys from the secret key . As they do not depend on or , the keys can also be precomputed. The algorithm is based on the Feistel network, whereby the secret key is first divided into two halves, . and are then XORed into two registers that have initial values of and . The tent map’s initial condition is set to . One round of the key scheduling function is shown in Figure 2, where is the round number.
The function is described in Algorithm 3. The network is executed 16 times for transient elimination without producing any keys. Starting from round number round keys are then produced from 20 rounds of the network. Excluding transient elimination rounds, each round key is generated from a total 640 iterations of the chaotic tent map. The value of is modified 64 times, where, each time, it is subjected to a fourbit rotation to ensure that all 64 bits are modified by in 16 passes. is rotated by 15 bits each time to ensure that its upper and lower bits are all used in the chaotic iterations.

3.4. Masking Algorithm
The proposed AEAD scheme is based on the singlekey EvenMansour construction that has been proven to have the same level of security as the original twokey construction [10]. 16 eightbit mask registers are first initialized based on the secret key and nonce and then modified by a chaotic function. The values of these registers are used as the prewhitening and postwhitening masking keys for each block of data. The initialization of the mask registers and variables for the chaotic function are summarized in Figure 3, where .
After the mask and chaotic variables are initialized, the masking algorithm is iterated eight times for transient elimination and to diffuse the key bits into all registers. The masking algorithm is as shown in Algorithm 4 where registers are involved in chaotic perturbation. These registers are then used to modify the mask registers, . Round constants are only used in the transient elimination rounds to generate nonzero initial mask values. The mask registers are later modified by in the encryption process.

3.5. Algorithm Description
The overall design of the AEAD is based on the singlekey EvenMansour scheme [10] and a TypeII generalized Feistel structure (GFS) [23]. There are two main functions, and . encrypts and and also generates a tag, , to verify , , and . decrypts to obtain and and then generates to verify the authenticity of , , and . If verification fails, the decrypted message is not released to the recipient. The algorithm is shown in Figure 4, where is the number of blocks, is the number of blocks, represents intermediate tags, is the checksum, and is the set of mask registers for block of data. The algorithm has the same structure as . However the inverse block shuffle and reversed round keys are used to decrypt and to generate the intermediate tags, .
3.5.1. Round Function
The round function, , is executed 20 times for all data blocks where denotes the number of rounds. The same 20 round keys generated by the key scheduling algorithm are used for all blocks. When processing message blocks (), is divided into two halves, where the output of the first 10 rounds is used as the intermediate tag . The round function is based on the TypeII GFS as shown in Figure 5. The 64bit round key is divided into 8 bytes, where its most significant byte is fed into the left most function. The function consists of two operations, XOR of the round key and substitution:where and are byte indexes of the data block and round key, respectively.
3.5.2. Modification of Box and Mask
For further security, is used to modify both and prior to processing the first block of data. To modify , two more indexes for sbox composition are obtained from , , and . is obtained by XORing each of the eight most significant bytes of whereas is obtained by XORing each of the eight least significant bytes. The final sbox is computed by composing two additional sboxes: . The modification of registers is performed by XORing each byte of to each byte of .
3.5.3. AEAD Mode
The encryption and tag generation process is as follows:(1)Using , generate for and .(2)Initialize based on and .(3)Encrypt to obtain and .(4)Generate and modify using (Section 3.5.2).(5)If and are not 128bit multiples, pad and with a single bit of “1,” followed by all “0” until the required length.(6)Encrypt for and XOR results to obtain .(7)Encrypt to obtain and , where .(8)Compute . Encrypt and XOR the result with , , and . Perform one final encryption to obtain .
The decryption and tag verification process is as follows:(1)Using , generate for and .(2)Initialize based on and .(3)Decrypt to obtain and .(4)Generate and modify using (Section 3.5.2).(5)If is not a 128bit multiple, pad with a single bit of “1" followed by all “0" until the required length.(6)Encrypt for and XOR results to obtain .(7)Decrypt to obtain and , where .(8)Compute . Encrypt and XOR the result with , , and . Perform one final encryption to obtain .(9)Compare with . If they do not match, the plaintext is not released to the recipient and an error symbol, , is output.
3.5.4. MACOnly Mode
The proposed AEAD scheme can also be used solely as a MAC. In the MAConly mode, the algorithm is the same except that ciphertext blocks need not be computed. In addition, the secret message number is unused and is set to .
3.6. Features
Chaosbased algorithms require real number computation which is usually performed using floating point representation. FxP representation is used to ensure that the proposed AEAD scheme is not platformspecific. In addition, it contributes to better performance as basic binary operations can be used on FxP variables which require fewer clock cycles than floating point operations.
The proposed cipher has several features that are advantageous for AEAD designs. Firstly, each block of data can be processed in parallel. The only overhead is the iteration of the masking algorithm which has to be performed based on the block number. It is an online, onepass cipher whereby the encryption of one block does not depend on other blocks. The verification algorithm is highly noncemisuse resistant due to the randomly generated . The proposed AEAD scheme also has outoforder verification; whereby if any blocks are permuted or out of order, it will result in a different MAC.
To achieve high security against cryptanalytic attacks, users have the option of using a TRNG to generate . A TRNG depends on physical phenomena; therefore becomes nondeterministic in nature. Each plaintext is then randomly mapped to different ciphertexts. However, anyone with the correct secret key is able to extract to decrypt and verify the message successfully regardless of how was generated. Although the randomization of contributes to strong security characteristics as described in Section 4.5.4, the proposed AEAD scheme becomes nonincremental in nature. The entire associated data or message needs to be recomputed if one block is changed because changes upon each encryption.
4. Security Analysis
This section examines the security of all components of the proposed AEAD scheme. For all tests, inputs are set to zero (, , ) unless stated otherwise. As it is difficult to provide mathematical proof for real numberbased cryptographic algorithms, the AEAD scheme is evaluated mainly using statistical means.
4.1. Preliminary Statistical Testing
Before other evaluation methods are used, statistical test suites such as NIST SP 80022 [24], DIEHARD [25], and ENT [26] are used as preliminary tests for majority of the AEAD components. The minimum/maximum passing ratio () for NIST and DIEHARD for a significance level of 0.01 is calculated based on (4), where is the number of samples, as follows:The summary of inputs required for each test suite is listed below. (i)NIST: 1000Mbit file generated with , , , divided into 1000 samples(ii)DIEHARD: 50 87.5Mbit files generated with , , ; each DIEHARD suite has 18 tests with multiple values that are each taken as individual samples(iii)ENT: 87.5Mbit file generated with , , .The minimum value to indicate uniformity for each NIST test is 0.0001 whereas the DIEHARD tests require values in the range of . The min/max for the NIST and DIEHARD test suites are listed in Table 6 of the Appendix. As for the ENT test suite, a number sequence fails if its results stray too far from the ideal values listed in Table 7 of the Appendix. Passing all three test suites indicates that the number sequence is pseudorandom with no obvious statistical defects.
4.2. Box Evaluation
Random sboxes are generated based on a chaotic number sequence which is tested using the NIST, DIEHARD, and ENT test suites. It passes all three as shown in Tables 8, 12, and 16 of the Appendix. In the following experiments, sboxes are produced for , , where their characteristics such as the avalanche effect, strict avalanche criterion (SAC), linear and differential probability, nonlinearity, and keyspace are examined.
4.2.1. Avalanche and Strict Avalanche Criterion
To exhibit the avalanche effect, onehalf of the output bits should change on average whenever a single input bit is toggled. To determine if an 8bit sbox fulfils this requirement, the possible inputs are first divided into pairs, , which differ only in bit . The 8bit avalanche vectors, , are then calculated for all () as follows:For 10000 random sboxes all possible input pairs are tested. Results indicate that 50.1899% of each bits are equal to one when an input differs in only bit .
To satisfy the SAC, each individual output bit should change with a probability of 50% when a single input bit is toggled. Similar to the previous test, possible inputs are first divided into pairs, , which differ only in bit . The 8bit avalanche vectors, are then calculated for all (). For 10000 random sboxes and all possible input pairs, the average probability that a bit location in is equal to one when an input differs in only bit is 50.1993%.
Both results show that the sboxes generated by the proposed AEAD scheme have strong avalanche effect and fulfil the SAC. Satisfying the SAC also implies that the sbox is a complete function, whereby each output bit is dependent on all input bits [27].
4.2.2. Differential Distribution and Linear Approximation
For 10000 randomly generated sboxes, the differential distribution [28] and linear approximation [29] tables are computed. These tables consist of the probabilities of differential and linear characteristics for various input/output combinations that can be used in differential and linear attacks. The worst case differential and linear probabilities are and , respectively. These probabilities are sufficient to resist cryptanalytic attacks which are described in Section 4.5.
4.2.3. Nonlinearity and Key Sensitivity
Let be the dimensional vector space over the field . The nonlinearity of a function is defined byA perfectly nonlinear function has a nonlinearity of , which is 120 for an 8bit sbox. Out of 10000 randomly generated sboxes, the average nonlinearity is 92.6646, which is 77.22% nonlinear. The generated sboxes have lower nonlinearity than the AES sbox (). However, unlike a static sbox, attackers cannot linearly approximate a randomized sbox without knowledge of the keys used to generate it. Therefore, slight changes to the secret key should generate different sboxes. For all 128bit secret keys with hamming weight of one, the proposed AEAD scheme generates unique sboxes. In addition, for 2000 incrementally generated sboxes ( to ), all sboxes are also unique. This shows that the random sbox algorithm is highly sensitive to slight changes to .
4.3. Mask Evaluation
The output of the masking algorithm is first tested using the NIST, DIEHARD, and ENT test suites. The 128bit mask values generated by the AEAD scheme successfully pass all three as shown in Tables 9, 13, and 17 of the Appendix.
4.3.1. Mask Cycle Length
The cycle length of the masking algorithm must be sufficiently large to avoid attacks that can take advantage of any mask value cycles. Theoretically, the cycle length is limited by the precision of the fixed point representation used in chaotic iterations. This amounts to , as 30 bits are used to represent the fractional bits. This is a conservative bound, as chaotic perturbation and chaotic coupling further extend the cycle length. Because there are two chaotic maps used to modify the mask registers, the total cycle length is the least common multiple of their cycle lengths. Based on this lower bound, the proposed AEAD scheme will be able to support messages of approximately blocks before a mask cycle occurs.
4.4. Key Schedule Evaluation
The key schedule algorithm generates only 20 round keys for a secret key. Therefore, data for the statistical test suites are generated using incremental secret keys (incremented from ) except for the DIEHARD test which still uses randomly generated secret keys. Results in Tables 10, 14, and 18 of the Appendix indicate that the key schedule algorithm passes all test suites.
4.4.1. Avalanche and Strict Avalanche Criterion
The key schedule algorithm is analysed for avalanche effect and SAC similar to the sbox evaluation in Section 4.2.1. The avalanche vectors are calculated using (5), where 10000 randomly generated pairs of , are used as inputs. To depict the avalanche effect, onehalf of each round key should change on average whenever a single input key bit is toggled. The percentages of bits that are equal to one when the input key differs in only bit are 50.0403%, 49.99%, 50.0719%, 49.9422%, 49.9228%, 49.9047%, 50.0417%, 49.92%, 49.9942%, 49.9925%, 49.8973%, 50.0503%, 50.1373%, 50.0075%, 49.9709%, 49.9975%, 50.0342%, 50.0542%, 49.9628%, and 49.9153% for each of the 20 rounds, respectively. This has an overall average of 49.9924% per round.
To fulfil the SAC, each round key bit should change with a probability of 50% when a single input key bit is toggled. For each of the 20 rounds, the average probabilities that a bit location in is equal to one when the input key differs in only bit are 49.9998%, 49.9891%, 50.0914%, 49.8953%, 49.9978%, 49.9583%, 49.9866%, 50.0108%, 49.9941%, 49.9044%, 49.9095%, 49.9452%, 50.0287%, 50.0473%, 50.0302%, 50.0439%, 50.0852%, 50.017%, 50.0633%, and 49.9419%. This has an overall average of 49.997% per round.
Results show that the key schedule algorithm has strong avalanche effect and fulfils the SAC. This implies that the key schedule algorithm is a complete function, where all round key bits are dependent on all input secret key bits.
4.5. Encryption Algorithm Security
This section analyses the security of the AEAD scheme against various cryptanalytic attacks. A lower bound of security against these attacks is first determined with . Then, additional security provided by using a TRNG to generate is discussed. Prior to other security analyses, the ciphertext of the AEAD scheme is tested using statistical suites with results in Tables 11, 15, and 19.
4.5.1. Differential and Linear Cryptanalysis
The security bound for differential and linear cryptanalysis can be determined based on the minimum number of active sboxes for a differential characteristic () and linear characteristic (), where is the number of rounds. The number of is dependent on the type of block shuffle used in the round function. In an early design, the number 10 block shuffle from [30] was used in the proposed AEAD scheme, supposedly with . However, a branch and bound algorithm was used and found that . Instead, an isomorphic shuffle to the number 10 shuffle was used, adopted from [31] with and for shown in Table 2.

The maximum differential and linear probabilities for the AEAD scheme’s sboxes are and , respectively as mentioned in Section 4.2.2. The probability for differential and linear distinguishers are calculated usingFor and , and , where is the linear bias, denoted by . The number of plaintexts required for a differential and linear distinguishing attack is then and , respectively, which are both more than the available . Therefore, the full 20 rounds have a safe security margin against differential and linear cryptanalysis.
4.5.2. Algebraic Attack
In an algebraic attack, sboxes are described by an overdefined system of algebraic equations that hold true with a probability of one [32]. The use of random sboxes increases the resistance of a cipher against this attack [33]. The proposed AEAD scheme uses keydependent sboxes which are further randomized by ; therefore it is difficult to obtain a system of equations for these sboxes. Without these equations, an algebraic attack is not feasible. The proposed cipher is thus resistant to algebraic attacks.
4.5.3. Timing Attack
Timing attacks exploit operations with datadependent execution time to reveal the secret key [34, 35]. In the proposed AEAD scheme, the secret key is used to generate sboxes and round keys and also to initialize the mask register. The remaining operations consist of Bitwise operations that have constant execution time. Therefore, the proposed cipher is resistant to timing attacks because its encryption speed is independent of the key value.
4.5.4. Security with True Random Secret Message Number
If is generated by a nondeterministic TRNG, the cipher is able to resist a wide range of statisticalbased cryptanalytic attacks. A nondeterministic ensures that multiple encryptions of even the same pair will involve different sboxes and masking values. This leads to different outputs. However, a legitimate recipient can easily decrypt and verify these ciphertextMAC pairs as long as the secret key is correct.
Randomized sboxes prevent any cryptanalytic attacks that rely on approximating the behavior of the sbox, such as differential, linear, and algebraic attacks. Even if an approximation of the sbox is obtained for a particular plaintextciphertext pair, it is only applicable to that specific pair. The cipher is also immune to attacks that rely on selecting input differences that cancel out the effect of encryption keys such as the differential attack, truncated differential attack, and impossible differential attack. This is because the masking keys are modified by the truly random , making them nondeterministic for each plaintext encryption. For a differential characteristic to hold, values for a plaintext pair have to match, which occurs with a probability of for a uniform TRNG.
Key recovery attacks based on an round statistical distinguisher involve the encryption of multiple plaintexts for rounds to obtain their corresponding round ciphertexts. Attackers then guess subkey bits, decrypt the ciphertext for rounds, and verify their guess based on the round statistical distinguisher. If is nondeterministic, attackers will not be able to obtain the correct subkey using this method as each plaintext is encrypted based on different sboxes and masking keys. In practice, the statistical distinguisher only holds if two plaintexts are encrypted with same , which again occurs with a probability of for a uniform TRNG.
As previously mentioned, generating using a TRNG makes the cipher misuse resistant. If the same nonce is used twice, the resulting MAC and ciphertext are still secure as long as is not repeated for the same 3tuple. In short, implementing the proposed AEAD scheme with a TRNG or even a hybrid RNG will strengthen its immunity against statisticalbased cryptanalysis as well as user misuse.
4.6. MAC Security
This section analyses the statistical quality of the authentication tag produced by the proposed AEAD scheme. In the following experiments, the input parameters are set to , , , whereby only and vary.
4.6.1. Statistical Analysis of Diffusion and Confusion
In this test, an () pair is randomly generated and its corresponding tag, , is computed. Next, a random bit within the () pair is toggled and its corresponding tag, , is computed. and values are compared and the number of changes at each bit location is stored as . The following equations are then computed:
Mean Changed Bit Number
Mean Changed Probability
Standard Variance of the Changed Bit Number
Standard Variancewhere is the number of trials. The test is performed for and the results are tabulated in Table 3. The distribution plot and histogram of for are shown in Figures 7 and 6. Results show that the MAC values have a mean changed bit number, , and mean changed probability, , that are nearideal (64 bits and 50%). Low standard variance values depict strong diffusion and confusion capabilities. In Figures 7 and 6, is shown to be evenly and normally distributed centering on 64 bits. These nearideal statistical results indicate that the slightest change to the or will produce a different authentication tag.

4.6.2. Analysis of Collision Resistance
Similar to Section 4.6.1, MACs for an () pair and a slightly modified pair are produced and stored in ASCII format. The two MACs are compared and the number of hits (equal ASCII characters in the same position) are counted. Next, the absolute difference, , between the two MACs is calculated as follows:where and are the th entry of the original and modified MAC, while the function converts the entry to its equivalent decimal value. The test results for 10000 trials are compared against theoretical values (see [36] for calculation of theoretical values) in Tables 4 and 5. Results indicate that the proposed AEAD scheme has strong collision resistance as the experimental results are nearideal.
















4.6.3. MAC Distribution
To resist statistical attacks, a MAC has to be evenly distributed at each bit position. Analysis of the MAC distribution starts with generating a random () pair and its modified version with one toggled bit, . The MAC of both messages is compared, and the number of changes at each bit location is counted. For , the minimum, maximum, and mean changed bit number are 4877, 5150, and 5002.3, respectively, with the distribution plot shown in Figure 8. The mean changed bit number is close to the theoretical value of 5000, where the maximum distance from ideal for each changed bit value is 150. This indicates that proposed AEAD scheme produces evenly distributed MAC values as depicted in Figure 8.
4.7. Advantage over AESGCM
The proposed scheme has several advantages over AESGCM which is currently the official standard for authenticated encryption [37]. Firstly, the proposed AEAD scheme does not have any identified weak keys unlike AESGCM [6]. It is also resistant to noncemisuse, providing full privacy and integrity even if nonce is repeated, unlike AESGCM which requires unique nonce values for security [37]. Most softwarebased AES implementations are susceptible to cache timing attacks [35], whereas the proposed cipher has a constant time implementation due to simple binary operations. AESGCM’s security bound for integrity is equal to half the tag length [6] whereas the proposed AEAD scheme is able to provide full 128bit security for integrity. Furthermore, the proposed AEAD scheme also has the flexibility to be implemented with a TRNG for immunity to statisticalbased attacks.
In terms of performance, the speed of AESGCM was compared against the proposed cipher on a computer with an Intel i74700MQ processor and 8 GB of RAM. The implementation of AESGCM was taken from the Crypto++ Library 5.6.2 [38]. The proposed AEAD scheme has a speed of 2401.73 Megabits/second compared to 1601.4 Megabits/second of AESGCM, approximately 1.5 times faster. The algorithm can still be further optimized for improved performance.
5. Conclusion
This paper introduced a new chaosbased authenticated encryption with associated data (AEAD) scheme. It is based on the singlekey EvenMansour construction and TypeII generalized Feistel with random sboxes. The chaotic tent map was used to generate EvenMansour whitening keys, round keys, and sboxes used in the Feistel round functions. Chaotic perturbations were included in the proposed design to overcome weaknesses of unimodal chaotic maps. For improved performance, the fixed point representation was used for all real number operations. Results of rigorous statistical testing have shown that the proposed AEAD scheme has no observable statistical defects. In addition, it is resistant to cryptanalytic attacks such as the differential, linear, algebraic, and timing attacks. To increase its immunity against all statisticalbased attacks, the AEAD can be implemented alongside a true random number generator to map messages to various ciphertexts in an unpredictable manner. It also has better performance than AESGCM which is the current standard in authenticated encryption, with a throughput of approximately 2401.73 Megabits/second. In short, the proposed chaosbased AEAD scheme is a viable alternative to AESGCM in terms of providing both privacy and integrity in a unified scheme.
Appendix
Competing Interests
The authors declare that there are no competing interests regarding the publication of this paper.
Acknowledgments
This work has been supported by Fundamental Research Grant Scheme (FRGS, 203/PKOMP/6711427) funded by the Ministry of Higher Education of Malaysia (MOHE). A special thanks to WeiJian Teng for his help in proofreading this paper.
References
 M. Bellare and C. Namprempre, “Authenticated encryption: relations among notions and analysis of the generic composition paradigm,” in Advances in Cryptology—ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3–7, 2000 Proceedings, T. Okamoto, Ed., vol. 1976, pp. 531–545, Springer, Berlin, Germany, 2000. View at: Publisher Site  Google Scholar
 P. Rogaway, “Authenticatedencryption with associateddata,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 98–107, November 2002. View at: Publisher Site  Google Scholar
 N. Ferguson and B. Schneier, “A cryptographic evaluation of IPSec,” Tech. Rep., Counterpane Internet Security, 2000. View at: Google Scholar
 M. Bellare, P. Rogaway, and D. Wagner, “The EAX mode of operation,” in Fast Software Encryption: 11th International Workshop (FSE 2004), B. Roy and W. Meier, Eds., pp. 389–407, Springer, Berlin, Germany, 2004. View at: Publisher Site  Google Scholar
 Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), https://competitions.cr.yp.to/caesarcall.html.
 M. J. O. Saarinen, “Cycling attacks on GCM, GHASH and other polynomial MACs and hashes,” in Fast Software Encryption: 19th International Workshop, FSE 2012, A. Canteaut, Ed., pp. 216–225, Springer, Berlin, Germany, 2012. View at: Publisher Site  Google Scholar
 S. Muller, “CPU time jitter based nonphysical true random number generator,” 2014. View at: Google Scholar
 J. S. Teh, A. Samsudin, M. AlMazrooie, and A. Akhavan, “GPUs and chaos: a new true random number generator,” Nonlinear Dynamics, vol. 82, no. 4, pp. 1913–1922, 2015. View at: Publisher Site  Google Scholar  MathSciNet
 D. Davis, R. Ihaka, and P. Fenstermacher, “Cryptographic randomness from air turbulence in disk drives,” in Advances in Cryptology—CRYPTO '94, Y. Desmedt, Ed., vol. 839 of Lecture Notes in Computer Science, pp. 114–120, Springer, Berlin, Germany, 1994. View at: Publisher Site  Google Scholar
 O. Dunkelman, N. Keller, and A. Shamir, “Minimalism in cryptography: the evenmansour scheme revisited,” in Advances in Cryptology—EUROCRYPT 2012: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15–19, 2012. Proceedings, vol. 7237 of Lecture Notes in Computer Science, pp. 336–354, Springer, Berlin, Germany, 2012. View at: Publisher Site  Google Scholar
 J. S. Teh, A. Samsudin, and A. Akhavan, “Parallel chaotic hash function based on the shuffleexchange network,” Nonlinear Dynamics, vol. 81, no. 3, pp. 1067–1079, 2015. View at: Publisher Site  Google Scholar
 M. K. Mandal, M. Kar, S. K. Singh, and V. K. Barnwal, “Symmetric key image encryption using chaotic Rossler system,” Security and Communication Networks, vol. 7, no. 11, pp. 2145–2152, 2014. View at: Publisher Site  Google Scholar
 H.Y. Lin, “Chaotic mapbased threeparty authenticated key agreement,” Security and Communication Networks, vol. 7, no. 12, pp. 2469–2474, 2014. View at: Publisher Site  Google Scholar
 P. Muthukumar, P. Balasubramaniam, and K. Ratnavelu, “Synchronization of a novel fractional order stretchtwistfold (STF) flow chaotic system and its application to a new authenticated encryption scheme (AES),” Nonlinear Dynamics, vol. 77, no. 4, pp. 1547–1559, 2014. View at: Publisher Site  Google Scholar  MathSciNet
 A. Bakhshandeh and Z. Eslami, “An authenticated image encryption scheme based on chaotic maps and memory cellular automata,” Optics and Lasers in Engineering, vol. 51, no. 6, pp. 665–673, 2013. View at: Publisher Site  Google Scholar
 H. Yang, K.W. Wong, X. Liao, W. Zhang, and P. Wei, “A fast image encryption and authentication scheme based on chaotic maps,” Communications in Nonlinear Science and Numerical Simulation, vol. 15, no. 11, pp. 3507–3517, 2010. View at: Publisher Site  Google Scholar
 X. Wu, H. Hu, and B. Zhang, “Parameter estimation only from the symbolic sequences generated by chaos system,” Chaos, Solitons & Fractals, vol. 22, no. 2, pp. 359–366, 2004. View at: Publisher Site  Google Scholar
 D. Arroyo, G. Alvarez, J. Amigó, and S. Li, “Cryptanalysis of a family of selfsynchronizing chaotic stream ciphers,” Communications in Nonlinear Science and Numerical Simulation, vol. 16, no. 2, pp. 805–813, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 S. Li, X. Mou, Y. Cai, Z. Ji, and J. Zhang, “On the security of a chaotic encryption scheme: problems with computerized chaos in finite computing precision,” Computer Physics Communications, vol. 153, no. 1, pp. 52–58, 2003. View at: Publisher Site  Google Scholar  MathSciNet
 R. Yates, FixedPoint Arithmetic: An Introduction, Digital Signal Labs, 2013, http://www.digitalsignallabs.com/fp.pdf.
 D. Lambić and M. Živković, “Comparison of random sbox generation methods,” Publications de l'Institut Mathématique, vol. 93(107), no. 113, pp. 109–115, 2013. View at: Google Scholar
 J. A. Oteo and J. Ros, “Double precision errors in the logistic map: statistical study and dynamical interpretation,” Physical Review E, vol. 76, no. 3, Article ID 036214, 2007. View at: Publisher Site  Google Scholar
 Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block ciphers provably secure and not relying on any unproved hypotheses,” in Advances in Cryptology—CRYPTO' 89 Proceedings, G. Brassard, Ed., pp. 461–480, Springer, New York, NY, USA, 1990. View at: Publisher Site  Google Scholar
 A. Rukhin, J. Soto, and J. Nechvatal, “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” NIST Special Publication 80022, National Institute of Standards and Technology, 2010. View at: Google Scholar
 G. Marsaglia, DIEHARD: A battery of tests of Randomness, 1996, http://stat.fsu.edu/pub/diehard/.
 J. Walker, ENT Program, 2008, http://www.fourmilab.ch/random.
 A. F. Webster and S. E. Tavares, “On the design of sboxes,” in Advances in Cryptology—CRYPTO '85 Proceedings, vol. 218 of Lecture Notes in Computer Science, pp. 523–534, Springer, Berlin, Germany, 2000. View at: Publisher Site  Google Scholar
 E. Biham and A. Shamir, “Differential cryptanalysis of DESlike cryptosystems,” in Advances in Cryptology—CRYPT0 '90, A. J. Menezes and S. A. Vanstone, Eds., vol. 537 of Lecture Notes in Computer Science, pp. 2–21, Springer, Berlin, Germany, 1991. View at: Publisher Site  Google Scholar
 M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology—EUROCRYPT '93, pp. 386–397, Springer, Berlin, Germany, 1994. View at: Publisher Site  Google Scholar
 T. Suzaki and K. Minematsu, “Improving the generalized feistel,” in Fast Software Encryption: 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers, vol. 6147 of Lecture Notes in Computer Science, pp. 19–39, Springer, Berlin, Germany, 2010. View at: Publisher Site  Google Scholar
 T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, “TWINE: a lightweight block cipher for multiple platforms,” in Selected Areas in Cryptography: 19th International Conference, SAC 2012, L. R. Knudsen and H. Wu, Eds., pp. 339–354, Springer, Berlin, Germany, 2013. View at: Publisher Site  Google Scholar
 N. T. Courtois and J. Pieprzyk, “Cryptanalysis of block ciphers with overdefined systems of equations,” in Advances in Cryptology—ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security Queenstown, New Zealand, December 1–5, 2002 Proceedings, Y. Zheng, Ed., vol. 2501 of Lecture Notes in Computer Science, pp. 267–287, Springer, Berlin, Germany, 2002. View at: Publisher Site  Google Scholar
 N. T. Courtois, General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers, vol. 3373 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 2005.
 P. C. Kocher, “Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems,” in Advances in Cryptology—CRYPTO '96, N. Koblitz, Ed., vol. 1109 of Lecture Notes in Computer Science, pp. 104–113, Springer, Berlin, Germany, 1996. View at: Publisher Site  Google Scholar
 D. Bernstein, “Cachetiming attacks on AES,” 2005, http://cr.yp.to/papers.html#cachetiming. View at: Google Scholar
 A. Akhavan, A. Samsudin, and A. Akhshani, “A novel parallel hash function based on 3D chaotic map,” EURASIP Journal on Advances in Signal Processing, vol. 2013, article 126, 2013. View at: Publisher Site  Google Scholar
 M. Dworkin, “Recommendation for block cipher modes of operation: galois/counter mode (gcm) and gmac,” Tech. Rep., National Institute of Standards and Technology (NIST), 2007. View at: Google Scholar
 Crypto++ library, http://www.cryptopp.com/.
Copyright
Copyright © 2017 Je Sen Teh and Azman Samsudin. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.