Research Article | Open Access
Je Sen Teh, Azman Samsudin, "A Chaos-Based Authenticated Cipher with Associated Data", Security and Communication Networks, vol. 2017, Article ID 9040518, 15 pages, 2017. https://doi.org/10.1155/2017/9040518
A Chaos-Based Authenticated Cipher with Associated Data
In recent years, there has been a rising interest in authenticated encryption with associated data (AEAD) which combines encryption and authentication into a unified scheme. AEAD schemes provide authentication for a message that is divided into two parts: associated data which is not encrypted and the plaintext which is encrypted. However, there is a lack of chaos-based AEAD schemes in recent literature. This paper introduces a new 128-bit chaos-based AEAD scheme based on the single-key Even-Mansour and Type-II generalized Feistel structure. The proposed scheme provides both privacy and authentication in a single-pass using only one 128-bit secret key. The chaotic tent map is used to generate whitening keys for the Even-Mansour construction, round keys, and random s-boxes for the Feistel round function. In addition, the proposed AEAD scheme can be implemented with true random number generators to map a message to multiple possible ciphertexts in a nondeterministic manner. Security and statistical evaluation indicate that the proposed scheme is highly secure for both the ciphertext and the authentication tag. Furthermore, it has multiple advantages over AES-GCM which is the current standard for authenticated encryption.
Encryption and authentication of data are traditionally performed by two separate algorithms under the influence of different secret keys. This is known as generic composition which has three variations: Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC . Recently, there has been a rising interest in the field of authenticated encryption with associated data (AEAD) which combines encryption and authentication into a unified scheme. It deals with the cryptographic problem of sending a message that has to be entirely authenticated but divided into two parts: associated data (additional information such as packet headers) that must be sent in the clear and the actual plaintext that must be encrypted . AEAD schemes are also more efficient and less prone to implementation errors, unlike generic composition . This is because an AEAD scheme can be implemented without extensive cryptographic knowledge and is easy for interoperability . As it only requires one key for both privacy and integrity, it saves on key bits and key setup time and reduces the risk of users selecting insecure parameters.
The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR)  was introduced in 2014 to identify authenticated ciphers that offer advantages over AES-GCM, which has weak key problems and is susceptible to a cyclic attack . CAESAR is currently in its second round of evaluation, with 30 candidate ciphers remaining. AEAD proposals for CAESAR need to have higher level of security and be as fast as AES-GCM or faster than AES-GCM with similar security level. The design of AEAD schemes is based on various constructs such as block ciphers, stream ciphers, and sponge constructions.
The aim of this paper is to construct an AEAD scheme based on chaos theory that is secure and efficient and fulfils the requirements set by CAESAR. For additional security, the AEAD scheme is designed to be able to take advantage of true random number generators (TRNG) to resist statistical-based cryptanalysis. Due to the existence of efficient and uniformly distributed software-based TRNGs, it is feasible to utilize true random numbers in cryptographic algorithms. These TRNGs take advantage of physical phenomena that occur within computing hardware such as multicore processors , graphics processing units , or hard disks  and quantifies them to generate nondeterministic numbers. As the inputs of AEAD schemes include secret and public message numbers, TRNGs can be implemented to generate secret message numbers to provide immunity to statistical-based cryptanalysis.
In this paper, a new AEAD scheme based on the chaotic tent map is proposed. It is designed based on the single-key Even-Mansour construction  and utilizes key-dependent random s-boxes. Both the whitening keys for the Even-Mansour scheme and s-boxes are generated based on chaos. The proposed AEAD scheme requires only a single-pass to produce both the authentication tag (MAC) and ciphertext. The cipher is evaluated for resistance against cryptanalytic attacks and its security is also analysed based on thorough statistical testing. Although not compulsory, the AEAD scheme can be implemented alongside a TRNG to provide immunity to statistical-based cryptanalysis.
The rest of this paper is structured as follows: Section 2 provides an introduction to AEAD schemes and chaotic maps that are vital to understanding the rest of the paper. Section 3 describes the proposed AEAD algorithm in detail, followed by Section 4 that analysed its security. The paper is concluded in Section 5 with some closing remarks.
2.1. Authenticated Encryption with Associated Data
The following are inputs to an authenticated encryption algorithm along with their corresponding security requirements (, ):(i)Variable-length plaintext (ip)(ii)Variable-length associated data (i)(iii)-bit secret message number (ip)(iv)-bit public message number/nonce (i)(v)-bit secret key
The output of an AEAD scheme consists of a ciphertext with the same length as the plaintext (except for schemes with secret message numbers which have extra blocks of ciphertext depending on the size of ) and an authentication tag or MAC of bits. AEAD schemes need not support secret message numbers () but require unique nonces for semantic security. The inputs to an authenticated decryption algorithm include the ciphertext, associated data, nonce, and secret key. The secret message number will be extracted from ciphertext. It outputs the plaintext if verification is successful; otherwise the algorithm outputs an error message.
2.2. Chaotic Maps
Chaotic maps are deterministic dynamical systems that have random-like behavior, sensitivity to slight changes in initial parameters, ergodicity, diffusion, and confusion characteristics. These qualities are analogous to requirements in cryptographic algorithms; thus chaotic maps have been used to design hash functions , encryption algorithms , key exchange protocols , and digital signature schemes . Authenticated image encryption schemes based on chaos have been introduced by Bakhshandeh and Eslami  as well as Yang et al. . However, they are both generic composition schemes with a distinct hash function and encryption algorithm. No chaos-based, unified AEAD schemes have been introduced in recent literature.
The chaotic tent map is used to design the proposed AEAD scheme as shown in (1), where is the control parameter that falls within the range of . In addition to being a fast and simple map, the tent map is selected because it has been widely studied and applied in the field of chaotic cryptography. The behavior of the chaotic map evolves from periodic to aperiodic as increases from 0 to 2 as shown in the tent map’s bifurcation diagram in Figure 1. The proposed AEAD sets for all tent map iterations.
Recent literature has shown that unimodal chaotic maps such as the tent map are susceptible to initial condition/parameter estimation techniques using statistical tools [17, 18]. Another problem of digital chaotic systems is dynamical degradation that occurs due to finite precision, which leads to short cycle lengths . These problems can be addressed by using chaotic perturbation which changes the trajectory of the chaotic map’s orbit by modifying its initial condition using external values. The proposed AEAD scheme takes advantage of chaotic perturbation in its design as discussed in Section 3.
In software, chaotic map iterations involve real numbers that are usually represented by floating point variables. However, floating point operations are slower than binary operations. For faster speed and reproducibility, fixed point (FxP) representation  is used in the proposed AEAD scheme. A 32-bit FxP variable consists of the two most significant bits (MSB) that represent integers before the radix point and the 30 least significant bits (LSB) that represent fractional bits.
3. Design Specifications
3.1. Parameters and Notations
All integers stated in the following algorithms are in hexadecimal format. Prior to modification by the nonce or secret keys, the initial values for all registers are arbitrarily chosen random numbers. The proposed 128-bit AEAD scheme has the following parameters:(i)128-bit secret key, (ii)64-bit nonce, (iii)128-bit secret message number, (iv)Associated data, (v)Message, (vi)128-bit tag,
The following are notations used in this paper:(i)Length of a string, , denoted by (ii): Bitwise XOR(iii): Bitwise AND(iv): Bitwise concatenation of and (v): -bit modular addition(vi): Bitwise left rotation by positions on a -bit variable, where (vii): Bitwise right shift of by bits(viii): substitution function using an 8-bit s-box, (ix): performing -iterations of the chaotic map with an initial value (x): floor function to map a real number to the previous largest integer(xi): converting the FxP representation to real number(xii): mask for the FxP fractional bits
Because the AEAD design involves chaotic map iterations, round constants are used in several parts of the algorithms to prevent weak key problems. Weak keys can initialize the chaotic map’s initial condition to zero, which makes the system nonrandom and insecure. These round constants are taken from the list of prime numbers: , 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, , where is the index/round. The proposed AEAD scheme also uses a block shuffle and its inverse as shown in Table 1.
3.2. Random -Box Generation
The composition method  is used to generate chaos-based s-boxes for the AEAD scheme. The composition of two 8-bit permutations, and , is denoted by , where is the set of all 8-bit integers. First, a set consisting of four chaos-based s-boxes is generated by permuting the AES s-box. To obtain the final s-box, a composition of four s-boxes from is used, where the s-boxes are selected based on randomly generated indices (repetitions are allowed). To generate the numbers used to permute AES and also as indices for the s-box composition, a chaos-based RNG is used. The initialization process and the RNG algorithm are as shown in Algorithms 1 and 2, respectively, where and are chaotic map initial conditions that are constantly modified by perturbation values, and .
The initialization process equally divides the secret key bits into four registers and two rotation variables such that all key bits are used only once. During the initialization, round constants are used to ensure that values of that initialize all registers to zero will result in nonzero starting values for the RNG. A total of 200 iterations for each tent map are performed for transient elimination, although 48 iterations have been deemed sufficient .
Each 8-bit s-box, for , is first initialized as the AES s-box. Next, Algorithm 2 is used to generate for for each . Each s-box is then permuted as follows:To obtain the final s-box, , four additional values are generated by Algorithm 2. A four-modulo operation is applied on these values which are then used as s-box indices, for . The final s-box is a composition of the four s-boxes indexed by : . As depends only on , it can be precomputed by both parties. is later modified by in the actual encryption process.
3.3. Key Schedule Algorithm
The key scheduling algorithm generates 20 round keys from the secret key . As they do not depend on or , the keys can also be precomputed. The algorithm is based on the Feistel network, whereby the secret key is first divided into two halves, . and are then XOR-ed into two registers that have initial values of and . The tent map’s initial condition is set to . One round of the key scheduling function is shown in Figure 2, where is the round number.
The -function is described in Algorithm 3. The network is executed 16 times for transient elimination without producing any keys. Starting from round number round keys are then produced from 20 rounds of the network. Excluding transient elimination rounds, each round key is generated from a total 640 iterations of the chaotic tent map. The value of is modified 64 times, where, each time, it is subjected to a four-bit rotation to ensure that all 64 bits are modified by in 16 passes. is rotated by 15 bits each time to ensure that its upper and lower bits are all used in the chaotic iterations.
3.4. Masking Algorithm
The proposed AEAD scheme is based on the single-key Even-Mansour construction that has been proven to have the same level of security as the original two-key construction . 16 eight-bit mask registers are first initialized based on the secret key and nonce and then modified by a chaotic function. The values of these registers are used as the prewhitening and postwhitening masking keys for each block of data. The initialization of the mask registers and variables for the chaotic function are summarized in Figure 3, where .
After the mask and chaotic variables are initialized, the masking algorithm is iterated eight times for transient elimination and to diffuse the key bits into all registers. The masking algorithm is as shown in Algorithm 4 where registers are involved in chaotic perturbation. These registers are then used to modify the mask registers, . Round constants are only used in the transient elimination rounds to generate nonzero initial mask values. The mask registers are later modified by in the encryption process.
3.5. Algorithm Description
The overall design of the AEAD is based on the single-key Even-Mansour scheme  and a Type-II generalized Feistel structure (GFS) . There are two main functions, and . encrypts and and also generates a tag, , to verify , , and . decrypts to obtain and and then generates to verify the authenticity of , , and . If verification fails, the decrypted message is not released to the recipient. The algorithm is shown in Figure 4, where is the number of blocks, is the number of blocks, represents intermediate tags, is the checksum, and is the set of mask registers for block- of data. The algorithm has the same structure as . However the inverse block shuffle and reversed round keys are used to decrypt and to generate the intermediate tags, .
3.5.1. Round Function
The round function, , is executed 20 times for all data blocks where denotes the number of rounds. The same 20 round keys generated by the key scheduling algorithm are used for all blocks. When processing message blocks (), is divided into two halves, where the output of the first 10 rounds is used as the intermediate tag . The round function is based on the Type-II GFS as shown in Figure 5. The 64-bit round key is divided into 8 bytes, where its most significant byte is fed into the left most -function. The -function consists of two operations, XOR of the round key and substitution:where and are byte indexes of the data block and round key, respectively.
3.5.2. Modification of -Box and Mask
For further security, is used to modify both and prior to processing the first block of data. To modify , two more indexes for s-box composition are obtained from , , and . is obtained by XOR-ing each of the eight most significant bytes of whereas is obtained by XOR-ing each of the eight least significant bytes. The final s-box is computed by composing two additional s-boxes: . The modification of registers is performed by XOR-ing each byte of to each byte of .
3.5.3. AEAD Mode
The encryption and tag generation process is as follows:(1)Using , generate for and .(2)Initialize based on and .(3)Encrypt to obtain and .(4)Generate and modify using (Section 3.5.2).(5)If and are not 128-bit multiples, pad and with a single bit of “1,” followed by all “0” until the required length.(6)Encrypt for and XOR results to obtain .(7)Encrypt to obtain and , where .(8)Compute . Encrypt and XOR the result with , , and . Perform one final encryption to obtain .
The decryption and tag verification process is as follows:(1)Using , generate for and .(2)Initialize based on and .(3)Decrypt to obtain and .(4)Generate and modify using (Section 3.5.2).(5)If is not a 128-bit multiple, pad with a single bit of “1" followed by all “0" until the required length.(6)Encrypt for and XOR results to obtain .(7)Decrypt to obtain and , where .(8)Compute . Encrypt and XOR the result with , , and . Perform one final encryption to obtain .(9)Compare with . If they do not match, the plaintext is not released to the recipient and an error symbol, , is output.
3.5.4. MAC-Only Mode
The proposed AEAD scheme can also be used solely as a MAC. In the MAC-only mode, the algorithm is the same except that ciphertext blocks need not be computed. In addition, the secret message number is unused and is set to .
Chaos-based algorithms require real number computation which is usually performed using floating point representation. FxP representation is used to ensure that the proposed AEAD scheme is not platform-specific. In addition, it contributes to better performance as basic binary operations can be used on FxP variables which require fewer clock cycles than floating point operations.
The proposed cipher has several features that are advantageous for AEAD designs. Firstly, each block of data can be processed in parallel. The only overhead is the iteration of the masking algorithm which has to be performed based on the block number. It is an online, one-pass cipher whereby the encryption of one block does not depend on other blocks. The verification algorithm is highly nonce-misuse resistant due to the randomly generated . The proposed AEAD scheme also has out-of-order verification; whereby if any blocks are permuted or out of order, it will result in a different MAC.
To achieve high security against cryptanalytic attacks, users have the option of using a TRNG to generate . A TRNG depends on physical phenomena; therefore becomes nondeterministic in nature. Each plaintext is then randomly mapped to different ciphertexts. However, anyone with the correct secret key is able to extract to decrypt and verify the message successfully regardless of how was generated. Although the randomization of contributes to strong security characteristics as described in Section 4.5.4, the proposed AEAD scheme becomes nonincremental in nature. The entire associated data or message needs to be recomputed if one block is changed because changes upon each encryption.
4. Security Analysis
This section examines the security of all components of the proposed AEAD scheme. For all tests, inputs are set to zero (, , ) unless stated otherwise. As it is difficult to provide mathematical proof for real number-based cryptographic algorithms, the AEAD scheme is evaluated mainly using statistical means.
4.1. Preliminary Statistical Testing
Before other evaluation methods are used, statistical test suites such as NIST SP 800-22 , DIEHARD , and ENT  are used as preliminary tests for majority of the AEAD components. The minimum/maximum passing ratio () for NIST and DIEHARD for a significance level of 0.01 is calculated based on (4), where is the number of samples, as follows:The summary of inputs required for each test suite is listed below. (i)NIST: 1000-Mbit file generated with , , , divided into 1000 samples(ii)DIEHARD: 50 87.5-Mbit files generated with , , ; each DIEHARD suite has 18 tests with multiple values that are each taken as individual samples(iii)ENT: 87.5-Mbit file generated with , , .The minimum value to indicate uniformity for each NIST test is 0.0001 whereas the DIEHARD tests require values in the range of . The min/max for the NIST and DIEHARD test suites are listed in Table 6 of the Appendix. As for the ENT test suite, a number sequence fails if its results stray too far from the ideal values listed in Table 7 of the Appendix. Passing all three test suites indicates that the number sequence is pseudorandom with no obvious statistical defects.
4.2. -Box Evaluation
Random s-boxes are generated based on a chaotic number sequence which is tested using the NIST, DIEHARD, and ENT test suites. It passes all three as shown in Tables 8, 12, and 16 of the Appendix. In the following experiments, s-boxes are produced for , , where their characteristics such as the avalanche effect, strict avalanche criterion (SAC), linear and differential probability, nonlinearity, and keyspace are examined.
4.2.1. Avalanche and Strict Avalanche Criterion
To exhibit the avalanche effect, one-half of the output bits should change on average whenever a single input bit is toggled. To determine if an 8-bit s-box fulfils this requirement, the possible inputs are first divided into pairs, , which differ only in bit . The 8-bit avalanche vectors, , are then calculated for all () as follows:For 10000 random s-boxes all possible input pairs are tested. Results indicate that 50.1899% of each bits are equal to one when an input differs in only bit .
To satisfy the SAC, each individual output bit should change with a probability of 50% when a single input bit is toggled. Similar to the previous test, possible inputs are first divided into pairs, , which differ only in bit . The 8-bit avalanche vectors, are then calculated for all (). For 10000 random s-boxes and all possible input pairs, the average probability that a bit location in is equal to one when an input differs in only bit is 50.1993%.
Both results show that the s-boxes generated by the proposed AEAD scheme have strong avalanche effect and fulfil the SAC. Satisfying the SAC also implies that the s-box is a complete function, whereby each output bit is dependent on all input bits .
4.2.2. Differential Distribution and Linear Approximation
For 10000 randomly generated s-boxes, the differential distribution  and linear approximation  tables are computed. These tables consist of the probabilities of differential and linear characteristics for various input/output combinations that can be used in differential and linear attacks. The worst case differential and linear probabilities are and , respectively. These probabilities are sufficient to resist cryptanalytic attacks which are described in Section 4.5.
4.2.3. Nonlinearity and Key Sensitivity
Let be the -dimensional vector space over the field . The nonlinearity of a function is defined byA perfectly nonlinear function has a nonlinearity of , which is 120 for an 8-bit s-box. Out of 10000 randomly generated s-boxes, the average nonlinearity is 92.6646, which is 77.22% nonlinear. The generated s-boxes have lower nonlinearity than the AES s-box (). However, unlike a static s-box, attackers cannot linearly approximate a randomized s-box without knowledge of the keys used to generate it. Therefore, slight changes to the secret key should generate different s-boxes. For all 128-bit secret keys with hamming weight of one, the proposed AEAD scheme generates unique s-boxes. In addition, for 2000 incrementally generated s-boxes ( to ), all s-boxes are also unique. This shows that the random s-box algorithm is highly sensitive to slight changes to .
4.3. Mask Evaluation
The output of the masking algorithm is first tested using the NIST, DIEHARD, and ENT test suites. The 128-bit mask values generated by the AEAD scheme successfully pass all three as shown in Tables 9, 13, and 17 of the Appendix.
4.3.1. Mask Cycle Length
The cycle length of the masking algorithm must be sufficiently large to avoid attacks that can take advantage of any mask value cycles. Theoretically, the cycle length is limited by the precision of the fixed point representation used in chaotic iterations. This amounts to , as 30 bits are used to represent the fractional bits. This is a conservative bound, as chaotic perturbation and chaotic coupling further extend the cycle length. Because there are two chaotic maps used to modify the mask registers, the total cycle length is the least common multiple of their cycle lengths. Based on this lower bound, the proposed AEAD scheme will be able to support messages of approximately blocks before a mask cycle occurs.
4.4. Key Schedule Evaluation
The key schedule algorithm generates only 20 round keys for a secret key. Therefore, data for the statistical test suites are generated using incremental secret keys (incremented from ) except for the DIEHARD test which still uses randomly generated secret keys. Results in Tables 10, 14, and 18 of the Appendix indicate that the key schedule algorithm passes all test suites.
4.4.1. Avalanche and Strict Avalanche Criterion
The key schedule algorithm is analysed for avalanche effect and SAC similar to the s-box evaluation in Section 4.2.1. The avalanche vectors are calculated using (5), where 10000 randomly generated pairs of , are used as inputs. To depict the avalanche effect, one-half of each round key should change on average whenever a single input key bit is toggled. The percentages of bits that are equal to one when the input key differs in only bit are 50.0403%, 49.99%, 50.0719%, 49.9422%, 49.9228%, 49.9047%, 50.0417%, 49.92%, 49.9942%, 49.9925%, 49.8973%, 50.0503%, 50.1373%, 50.0075%, 49.9709%, 49.9975%, 50.0342%, 50.0542%, 49.9628%, and 49.9153% for each of the 20 rounds, respectively. This has an overall average of 49.9924% per round.
To fulfil the SAC, each round key bit should change with a probability of 50% when a single input key bit is toggled. For each of the 20 rounds, the average probabilities that a bit location in is equal to one when the input key differs in only bit are 49.9998%, 49.9891%, 50.0914%, 49.8953%, 49.9978%, 49.9583%, 49.9866%, 50.0108%, 49.9941%, 49.9044%, 49.9095%, 49.9452%, 50.0287%, 50.0473%, 50.0302%, 50.0439%, 50.0852%, 50.017%, 50.0633%, and 49.9419%. This has an overall average of 49.997% per round.
Results show that the key schedule algorithm has strong avalanche effect and fulfils the SAC. This implies that the key schedule algorithm is a complete function, where all round key bits are dependent on all input secret key bits.
4.5. Encryption Algorithm Security
This section analyses the security of the AEAD scheme against various cryptanalytic attacks. A lower bound of security against these attacks is first determined with . Then, additional security provided by using a TRNG to generate is discussed. Prior to other security analyses, the ciphertext of the AEAD scheme is tested using statistical suites with results in Tables 11, 15, and 19.
4.5.1. Differential and Linear Cryptanalysis
The security bound for differential and linear cryptanalysis can be determined based on the minimum number of active s-boxes for a differential characteristic () and linear characteristic (), where is the number of rounds. The number of is dependent on the type of block shuffle used in the round function. In an early design, the number 10 block shuffle from  was used in the proposed AEAD scheme, supposedly with . However, a branch and bound algorithm was used and found that . Instead, an isomorphic shuffle to the number 10 shuffle was used, adopted from  with and for shown in Table 2.
The maximum differential and linear probabilities for the AEAD scheme’s s-boxes are and , respectively as mentioned in Section 4.2.2. The probability for differential and linear distinguishers are calculated usingFor and , and , where is the linear bias, denoted by . The number of plaintexts required for a differential and linear distinguishing attack is then and , respectively, which are both more than the available . Therefore, the full 20 rounds have a safe security margin against differential and linear cryptanalysis.
4.5.2. Algebraic Attack
In an algebraic attack, s-boxes are described by an overdefined system of algebraic equations that hold true with a probability of one . The use of random s-boxes increases the resistance of a cipher against this attack . The proposed AEAD scheme uses key-dependent s-boxes which are further randomized by ; therefore it is difficult to obtain a system of equations for these s-boxes. Without these equations, an algebraic attack is not feasible. The proposed cipher is thus resistant to algebraic attacks.
4.5.3. Timing Attack
Timing attacks exploit operations with data-dependent execution time to reveal the secret key [34, 35]. In the proposed AEAD scheme, the secret key is used to generate s-boxes and round keys and also to initialize the mask register. The remaining operations consist of Bitwise operations that have constant execution time. Therefore, the proposed cipher is resistant to timing attacks because its encryption speed is independent of the key value.
4.5.4. Security with True Random Secret Message Number
If is generated by a nondeterministic TRNG, the cipher is able to resist a wide range of statistical-based cryptanalytic attacks. A nondeterministic ensures that multiple encryptions of even the same pair will involve different s-boxes and masking values. This leads to different outputs. However, a legitimate recipient can easily decrypt and verify these ciphertext-MAC pairs as long as the secret key is correct.
Randomized s-boxes prevent any cryptanalytic attacks that rely on approximating the behavior of the s-box, such as differential, linear, and algebraic attacks. Even if an approximation of the s-box is obtained for a particular plaintext-ciphertext pair, it is only applicable to that specific pair. The cipher is also immune to attacks that rely on selecting input differences that cancel out the effect of encryption keys such as the differential attack, truncated differential attack, and impossible differential attack. This is because the masking keys are modified by the truly random , making them nondeterministic for each plaintext encryption. For a differential characteristic to hold, values for a plaintext pair have to match, which occurs with a probability of for a uniform TRNG.
Key recovery attacks based on an -round statistical distinguisher involve the encryption of multiple plaintexts for rounds to obtain their corresponding -round ciphertexts. Attackers then guess subkey bits, decrypt the ciphertext for rounds, and verify their guess based on the -round statistical distinguisher. If is nondeterministic, attackers will not be able to obtain the correct subkey using this method as each plaintext is encrypted based on different s-boxes and masking keys. In practice, the statistical distinguisher only holds if two plaintexts are encrypted with same , which again occurs with a probability of for a uniform TRNG.
As previously mentioned, generating using a TRNG makes the cipher misuse resistant. If the same nonce is used twice, the resulting MAC and ciphertext are still secure as long as is not repeated for the same 3-tuple. In short, implementing the proposed AEAD scheme with a TRNG or even a hybrid RNG will strengthen its immunity against statistical-based cryptanalysis as well as user misuse.
4.6. MAC Security
This section analyses the statistical quality of the authentication tag produced by the proposed AEAD scheme. In the following experiments, the input parameters are set to , , , whereby only and vary.
4.6.1. Statistical Analysis of Diffusion and Confusion
In this test, an () pair is randomly generated and its corresponding tag, , is computed. Next, a random bit within the () pair is toggled and its corresponding tag, , is computed. and values are compared and the number of changes at each bit location is stored as . The following equations are then computed:
Mean Changed Bit Number
Mean Changed Probability
Standard Variance of the Changed Bit Number
Standard Variancewhere is the number of trials. The test is performed for and the results are tabulated in Table 3. The distribution plot and histogram of for are shown in Figures 7 and 6. Results show that the MAC values have a mean changed bit number, , and mean changed probability, , that are near-ideal (64 bits and 50%). Low standard variance values depict strong diffusion and confusion capabilities. In Figures 7 and 6, is shown to be evenly and normally distributed centering on 64 bits. These near-ideal statistical results indicate that the slightest change to the or will produce a different authentication tag.
4.6.2. Analysis of Collision Resistance
Similar to Section 4.6.1, MACs for an () pair and a slightly modified pair are produced and stored in ASCII format. The two MACs are compared and the number of hits (equal ASCII characters in the same position) are counted. Next, the absolute difference, , between the two MACs is calculated as follows:where and are the th entry of the original and modified MAC, while the function converts the entry to its equivalent decimal value. The test results for 10000 trials are compared against theoretical values (see  for calculation of theoretical values) in Tables 4 and 5. Results indicate that the proposed AEAD scheme has strong collision resistance as the experimental results are near-ideal.
4.6.3. MAC Distribution
To resist statistical attacks, a MAC has to be evenly distributed at each bit position. Analysis of the MAC distribution starts with generating a random () pair and its modified version with one toggled bit, . The MAC of both messages is compared, and the number of changes at each bit location is counted. For , the minimum, maximum, and mean changed bit number are 4877, 5150, and 5002.3, respectively, with the distribution plot shown in Figure 8. The mean changed bit number is close to the theoretical value of 5000, where the maximum distance from ideal for each changed bit value is 150. This indicates that proposed AEAD scheme produces evenly distributed MAC values as depicted in Figure 8.
4.7. Advantage over AES-GCM
The proposed scheme has several advantages over AES-GCM which is currently the official standard for authenticated encryption . Firstly, the proposed AEAD scheme does not have any identified weak keys unlike AES-GCM . It is also resistant to nonce-misuse, providing full privacy and integrity even if nonce is repeated, unlike AES-GCM which requires unique nonce values for security . Most software-based AES implementations are susceptible to cache timing attacks , whereas the proposed cipher has a constant time implementation due to simple binary operations. AES-GCM’s security bound for integrity is equal to half the tag length  whereas the proposed AEAD scheme is able to provide full 128-bit security for integrity. Furthermore, the proposed AEAD scheme also has the flexibility to be implemented with a TRNG for immunity to statistical-based attacks.
In terms of performance, the speed of AES-GCM was compared against the proposed cipher on a computer with an Intel i7-4700MQ processor and 8 GB of RAM. The implementation of AES-GCM was taken from the Crypto++ Library 5.6.2 . The proposed AEAD scheme has a speed of 2401.73 Megabits/second compared to 1601.4 Megabits/second of AES-GCM, approximately 1.5 times faster. The algorithm can still be further optimized for improved performance.
This paper introduced a new chaos-based authenticated encryption with associated data (AEAD) scheme. It is based on the single-key Even-Mansour construction and Type-II generalized Feistel with random s-boxes. The chaotic tent map was used to generate Even-Mansour whitening keys, round keys, and s-boxes used in the Feistel round functions. Chaotic perturbations were included in the proposed design to overcome weaknesses of unimodal chaotic maps. For improved performance, the fixed point representation was used for all real number operations. Results of rigorous statistical testing have shown that the proposed AEAD scheme has no observable statistical defects. In addition, it is resistant to cryptanalytic attacks such as the differential, linear, algebraic, and timing attacks. To increase its immunity against all statistical-based attacks, the AEAD can be implemented alongside a true random number generator to map messages to various ciphertexts in an unpredictable manner. It also has better performance than AES-GCM which is the current standard in authenticated encryption, with a throughput of approximately 2401.73 Megabits/second. In short, the proposed chaos-based AEAD scheme is a viable alternative to AES-GCM in terms of providing both privacy and integrity in a unified scheme.
The authors declare that there are no competing interests regarding the publication of this paper.
This work has been supported by Fundamental Research Grant Scheme (FRGS, 203/PKOMP/6711427) funded by the Ministry of Higher Education of Malaysia (MOHE). A special thanks to WeiJian Teng for his help in proofreading this paper.
- M. Bellare and C. Namprempre, “Authenticated encryption: relations among notions and analysis of the generic composition paradigm,” in Advances in Cryptology—ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3–7, 2000 Proceedings, T. Okamoto, Ed., vol. 1976, pp. 531–545, Springer, Berlin, Germany, 2000.
- P. Rogaway, “Authenticated-encryption with associated-data,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 98–107, November 2002.
- N. Ferguson and B. Schneier, “A cryptographic evaluation of IPSec,” Tech. Rep., Counterpane Internet Security, 2000.
- M. Bellare, P. Rogaway, and D. Wagner, “The EAX mode of operation,” in Fast Software Encryption: 11th International Workshop (FSE 2004), B. Roy and W. Meier, Eds., pp. 389–407, Springer, Berlin, Germany, 2004.
- Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), https://competitions.cr.yp.to/caesar-call.html.
- M. J. O. Saarinen, “Cycling attacks on GCM, GHASH and other polynomial MACs and hashes,” in Fast Software Encryption: 19th International Workshop, FSE 2012, A. Canteaut, Ed., pp. 216–225, Springer, Berlin, Germany, 2012.
- S. Muller, “CPU time jitter based non-physical true random number generator,” 2014.
- J. S. Teh, A. Samsudin, M. Al-Mazrooie, and A. Akhavan, “GPUs and chaos: a new true random number generator,” Nonlinear Dynamics, vol. 82, no. 4, pp. 1913–1922, 2015.
- D. Davis, R. Ihaka, and P. Fenstermacher, “Cryptographic randomness from air turbulence in disk drives,” in Advances in Cryptology—CRYPTO '94, Y. Desmedt, Ed., vol. 839 of Lecture Notes in Computer Science, pp. 114–120, Springer, Berlin, Germany, 1994.
- O. Dunkelman, N. Keller, and A. Shamir, “Minimalism in cryptography: the even-mansour scheme revisited,” in Advances in Cryptology—EUROCRYPT 2012: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15–19, 2012. Proceedings, vol. 7237 of Lecture Notes in Computer Science, pp. 336–354, Springer, Berlin, Germany, 2012.
- J. S. Teh, A. Samsudin, and A. Akhavan, “Parallel chaotic hash function based on the shuffle-exchange network,” Nonlinear Dynamics, vol. 81, no. 3, pp. 1067–1079, 2015.
- M. K. Mandal, M. Kar, S. K. Singh, and V. K. Barnwal, “Symmetric key image encryption using chaotic Rossler system,” Security and Communication Networks, vol. 7, no. 11, pp. 2145–2152, 2014.
- H.-Y. Lin, “Chaotic map-based three-party authenticated key agreement,” Security and Communication Networks, vol. 7, no. 12, pp. 2469–2474, 2014.
- P. Muthukumar, P. Balasubramaniam, and K. Ratnavelu, “Synchronization of a novel fractional order stretch-twist-fold (STF) flow chaotic system and its application to a new authenticated encryption scheme (AES),” Nonlinear Dynamics, vol. 77, no. 4, pp. 1547–1559, 2014.
- A. Bakhshandeh and Z. Eslami, “An authenticated image encryption scheme based on chaotic maps and memory cellular automata,” Optics and Lasers in Engineering, vol. 51, no. 6, pp. 665–673, 2013.
- H. Yang, K.-W. Wong, X. Liao, W. Zhang, and P. Wei, “A fast image encryption and authentication scheme based on chaotic maps,” Communications in Nonlinear Science and Numerical Simulation, vol. 15, no. 11, pp. 3507–3517, 2010.
- X. Wu, H. Hu, and B. Zhang, “Parameter estimation only from the symbolic sequences generated by chaos system,” Chaos, Solitons & Fractals, vol. 22, no. 2, pp. 359–366, 2004.
- D. Arroyo, G. Alvarez, J. Amigó, and S. Li, “Cryptanalysis of a family of self-synchronizing chaotic stream ciphers,” Communications in Nonlinear Science and Numerical Simulation, vol. 16, no. 2, pp. 805–813, 2011.
- S. Li, X. Mou, Y. Cai, Z. Ji, and J. Zhang, “On the security of a chaotic encryption scheme: problems with computerized chaos in finite computing precision,” Computer Physics Communications, vol. 153, no. 1, pp. 52–58, 2003.
- R. Yates, Fixed-Point Arithmetic: An Introduction, Digital Signal Labs, 2013, http://www.digitalsignallabs.com/fp.pdf.
- D. Lambić and M. Živković, “Comparison of random s-box generation methods,” Publications de l'Institut Mathématique, vol. 93(107), no. 113, pp. 109–115, 2013.
- J. A. Oteo and J. Ros, “Double precision errors in the logistic map: statistical study and dynamical interpretation,” Physical Review E, vol. 76, no. 3, Article ID 036214, 2007.
- Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block ciphers provably secure and not relying on any unproved hypotheses,” in Advances in Cryptology—CRYPTO' 89 Proceedings, G. Brassard, Ed., pp. 461–480, Springer, New York, NY, USA, 1990.
- A. Rukhin, J. Soto, and J. Nechvatal, “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” NIST Special Publication 800-22, National Institute of Standards and Technology, 2010.
- G. Marsaglia, DIEHARD: A battery of tests of Randomness, 1996, http://stat.fsu.edu/pub/diehard/.
- J. Walker, ENT Program, 2008, http://www.fourmilab.ch/random.
- A. F. Webster and S. E. Tavares, “On the design of s-boxes,” in Advances in Cryptology—CRYPTO '85 Proceedings, vol. 218 of Lecture Notes in Computer Science, pp. 523–534, Springer, Berlin, Germany, 2000.
- E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” in Advances in Cryptology—CRYPT0 '90, A. J. Menezes and S. A. Vanstone, Eds., vol. 537 of Lecture Notes in Computer Science, pp. 2–21, Springer, Berlin, Germany, 1991.
- M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology—EUROCRYPT '93, pp. 386–397, Springer, Berlin, Germany, 1994.
- T. Suzaki and K. Minematsu, “Improving the generalized feistel,” in Fast Software Encryption: 17th International Workshop, FSE 2010, Seoul, Korea, February 7–10, 2010, Revised Selected Papers, vol. 6147 of Lecture Notes in Computer Science, pp. 19–39, Springer, Berlin, Germany, 2010.
- T. Suzaki, K. Minematsu, S. Morioka, and E. Kobayashi, “TWINE: a lightweight block cipher for multiple platforms,” in Selected Areas in Cryptography: 19th International Conference, SAC 2012, L. R. Knudsen and H. Wu, Eds., pp. 339–354, Springer, Berlin, Germany, 2013.
- N. T. Courtois and J. Pieprzyk, “Cryptanalysis of block ciphers with overdefined systems of equations,” in Advances in Cryptology—ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security Queenstown, New Zealand, December 1–5, 2002 Proceedings, Y. Zheng, Ed., vol. 2501 of Lecture Notes in Computer Science, pp. 267–287, Springer, Berlin, Germany, 2002.
- N. T. Courtois, General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers, vol. 3373 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 2005.
- P. C. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems,” in Advances in Cryptology—CRYPTO '96, N. Koblitz, Ed., vol. 1109 of Lecture Notes in Computer Science, pp. 104–113, Springer, Berlin, Germany, 1996.
- D. Bernstein, “Cache-timing attacks on AES,” 2005, http://cr.yp.to/papers.html#cachetiming.
- A. Akhavan, A. Samsudin, and A. Akhshani, “A novel parallel hash function based on 3D chaotic map,” EURASIP Journal on Advances in Signal Processing, vol. 2013, article 126, 2013.
- M. Dworkin, “Recommendation for block cipher modes of operation: galois/counter mode (gcm) and gmac,” Tech. Rep., National Institute of Standards and Technology (NIST), 2007.
- Crypto++ library, http://www.cryptopp.com/.
Copyright © 2017 Je Sen Teh and Azman Samsudin. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.