A Chaos-Based Authenticated Cipher with Associated Data

In recent years, there has been a rising interest in authenticated encryptionwith associated data (AEAD)which combines encryption and authentication into a unified scheme. AEAD schemes provide authentication for a message that is divided into two parts: associated data which is not encrypted and the plaintext which is encrypted. However, there is a lack of chaos-based AEAD schemes in recent literature.This paper introduces a new 128-bit chaos-basedAEAD scheme based on the single-key Even-Mansour and Type-II generalized Feistel structure. The proposed scheme provides both privacy and authentication in a single-pass using only one 128-bit secret key. The chaotic tent map is used to generate whitening keys for the Even-Mansour construction, round keys, and random s-boxes for the Feistel round function. In addition, the proposed AEAD scheme can be implemented with true randomnumber generators tomap amessage tomultiple possible ciphertexts in a nondeterministicmanner. Security and statistical evaluation indicate that the proposed scheme is highly secure for both the ciphertext and the authentication tag. Furthermore, it has multiple advantages over AES-GCM which is the current standard for authenticated encryption.


Introduction
Encryption and authentication of data are traditionally performed by two separate algorithms under the influence of different secret keys.This is known as generic composition which has three variations: Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC [1].Recently, there has been a rising interest in the field of authenticated encryption with associated data (AEAD) which combines encryption and authentication into a unified scheme.It deals with the cryptographic problem of sending a message that has to be entirely authenticated but divided into two parts: associated data (additional information such as packet headers) that must be sent in the clear and the actual plaintext that must be encrypted [2].AEAD schemes are also more efficient and less prone to implementation errors, unlike generic composition [3].This is because an AEAD scheme can be implemented without extensive cryptographic knowledge and is easy for interoperability [4].As it only requires one key for both privacy and integrity, it saves on key bits and key setup time and reduces the risk of users selecting insecure parameters.
The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) [5] was introduced in 2014 to identify authenticated ciphers that offer advantages over AES-GCM, which has weak key problems and is susceptible to a cyclic attack [6].CAESAR is currently in its second round of evaluation, with 30 candidate ciphers remaining.AEAD proposals for CAESAR need to have higher level of security and be as fast as AES-GCM or faster than AES-GCM with similar security level.The design of AEAD schemes is based on various constructs such as block ciphers, stream ciphers, and sponge constructions.
The aim of this paper is to construct an AEAD scheme based on chaos theory that is secure and efficient and fulfils the requirements set by CAESAR.For additional security, the AEAD scheme is designed to be able to take advantage of true random number generators (TRNG) to resist statistical-based cryptanalysis.Due to the existence of efficient and uniformly distributed software-based TRNGs, it is feasible to utilize true random numbers in cryptographic algorithms.These TRNGs take advantage of physical phenomena that occur within computing hardware such as multicore processors [7], graphics processing units [8], or hard disks [9] and quantifies them to generate nondeterministic numbers.As the inputs of AEAD schemes include secret and public message numbers, TRNGs can be implemented to generate secret message numbers to provide immunity to statisticalbased cryptanalysis.
In this paper, a new AEAD scheme based on the chaotic tent map is proposed.It is designed based on the single-key Even-Mansour construction [10] and utilizes key-dependent random s-boxes.Both the whitening keys for the Even-Mansour scheme and s-boxes are generated based on chaos.The proposed AEAD scheme requires only a single-pass to produce both the authentication tag (MAC) and ciphertext.The cipher is evaluated for resistance against cryptanalytic attacks and its security is also analysed based on thorough statistical testing.Although not compulsory, the AEAD scheme can be implemented alongside a TRNG to provide immunity to statistical-based cryptanalysis.
The rest of this paper is structured as follows: Section 2 provides an introduction to AEAD schemes and chaotic maps that are vital to understanding the rest of the paper.Section 3 describes the proposed AEAD algorithm in detail, followed by Section 4 that analysed its security.The paper is concluded in Section 5 with some closing remarks.The output of an AEAD scheme consists of a ciphertext with the same length as the plaintext (except for schemes with secret message numbers which have extra blocks of ciphertext depending on the size of ) and an authentication tag or MAC of  bits.AEAD schemes need not support secret message numbers ( = 0) but require unique nonces for semantic security.The inputs to an authenticated decryption algorithm include the ciphertext, associated data, nonce, and secret key.The secret message number will be extracted from ciphertext.It outputs the plaintext if verification is successful; otherwise the algorithm outputs an error message.

Chaotic Maps.
Chaotic maps are deterministic dynamical systems that have random-like behavior, sensitivity to slight changes in initial parameters, ergodicity, diffusion, and confusion characteristics.These qualities are analogous to requirements in cryptographic algorithms; thus chaotic maps have been used to design hash functions [11], encryption algorithms [12], key exchange protocols [13], and digital signature schemes [14].Authenticated image encryption schemes based on chaos have been introduced by Bakhshandeh and Eslami [15] as well as Yang et al. [16].However, they are both generic composition schemes with a distinct hash function The chaotic tent map is used to design the proposed AEAD scheme as shown in (1), where  is the control parameter that falls within the range of [0, 2].In addition to being a fast and simple map, the tent map is selected because it has been widely studied and applied in the field of chaotic cryptography.The behavior of the chaotic map evolves from periodic to aperiodic as  increases from 0 to 2 as shown in the tent map's bifurcation diagram in Figure 1.The proposed AEAD sets  = 1.99999 for all tent map iterations.

𝑐 (𝑥
Recent literature has shown that unimodal chaotic maps such as the tent map are susceptible to initial condition/parameter estimation techniques using statistical tools [17,18].Another problem of digital chaotic systems is dynamical degradation that occurs due to finite precision, which leads to short cycle lengths [19].These problems can be addressed by using chaotic perturbation which changes the trajectory of the chaotic map's orbit by modifying its initial condition using external values.The proposed AEAD scheme takes advantage of chaotic perturbation in its design as discussed in Section 3. In software, chaotic map iterations involve real numbers that are usually represented by floating point variables.However, floating point operations are slower than binary operations.For faster speed and reproducibility, fixed point (FxP) representation [20] is used in the proposed AEAD scheme.A 32-bit FxP variable consists of the two most significant bits (MSB) that represent integers before the radix point and the 30 least significant bits (LSB) that represent fractional bits.The initialization process equally divides the secret key bits  =  1 ‖  0 into four registers and two rotation variables such that all key bits are used only once.During the initialization, round constants are used to ensure that values of  that initialize all registers to zero will result in nonzero starting values for the RNG.A total of 200 iterations for each tent map are performed for transient elimination, although 48 iterations have been deemed sufficient [22].

Design Specifications
(1) Input: 32 for 0 ≤  < 256 for each   .Each s-box is then permuted as follows: To

Key Schedule Algorithm.
The key scheduling algorithm generates 20 round keys from the secret key .As they do not depend on  or , the keys can also be precomputed.The algorithm is based on the Feistel network, whereby the secret key is first divided into two halves,  =  1 ‖  0 . 0 and  1 are then XOR-ed into two registers that have initial values of reg 0 = 4924216470 and reg 1 = 683003817.
The tent map's initial condition is set to  = 0.One round of the key scheduling function is shown in Figure 2, where  is the round number.
The -function is described in Algorithm 3. The network is executed 16 times for transient elimination without producing any keys.Starting from round number  = 0, 20 round keys are then produced from 20 rounds of the network.Excluding transient elimination rounds, each round key is generated from a total 640 iterations of the chaotic tent map.The value of  is modified 64 times, where, each time, it is subjected to a four-bit rotation to ensure that all 64 bits are modified by  in 16 passes.reg 1 is rotated by 15 bits each time to ensure that its upper and lower bits are all used in the chaotic iterations.

Masking Algorithm.
The proposed AEAD scheme is based on the single-key Even-Mansour construction that has been proven to have the same level of security as the original two-key construction [10].16 eight-bit mask registers are first initialized based on the secret key and nonce and then modified by a chaotic function.The values of these registers are used as the prewhitening and postwhitening masking keys for each block of data.The initialization of the mask registers and variables for the chaotic function are summarized in Figure 3, where  =  1 ‖  0 .
After the mask and chaotic variables are initialized, the masking algorithm is iterated eight times for transient elimination and to diffuse the key bits into all registers.The masking algorithm is as shown in Algorithm 4 where registers (, , , ) are involved in chaotic perturbation.These registers are then used to modify the mask registers, .Round constants are only used in the transient elimination rounds to generate nonzero initial mask values.The mask registers are later modified by  in the encryption process.

Algorithm Description.
The overall design of the AEAD is based on the single-key Even-Mansour scheme [10] and a Type-II generalized Feistel structure (GFS) [23].There are two main functions,   and d .  encrypts  and  and also generates a tag, , to verify , , and .  decrypts  to obtain  and  and then generates  to verify the authenticity of , , and .If verification fails, the decrypted message is not released to the recipient.The   algorithm is shown in Figure 4, where  is the number of  blocks,  is the number of  blocks,  represents intermediate tags, ∑  (1) Input: 8-bit mask registers   for 0 ≤  < 16, 32-bit initial values  and , 32-bit perturbation values  and , round/block number .
(2) Output: Modified 8-bit mask registers   for 0 ≤  < 16 32 bits 30 bits 32 bits 30 bits  Security and Communication Networks where  and  are byte indexes of the data block and round key, respectively.

Modification of
The modification of  registers is performed by XOR-ing each byte of  to each byte of .

AEAD Mode.
The encryption and tag generation process is as follows: (1) Using , generate   for 0 ≤  < 20 and   .
(5) If || and || are not 128-bit multiples, pad  and  with a single bit of "1," followed by all "0" until the required length.The decryption and tag verification process is as follows: (1) Using , generate   for 0 ≤  < 20 and   .
(5) If || is not a 128-bit multiple, pad  with a single bit of "1" followed by all "0" until the required length.9) Compare  verif y with .If they do not match, the plaintext is not released to the recipient and an error symbol, Γ, is output.

MAC-Only Mode.
The proposed AEAD scheme can also be used solely as a MAC.In the MAC-only mode, the algorithm is the same except that ciphertext blocks need not be computed.In addition, the secret message number is unused and is set to  = 0.
3.6.Features.Chaos-based algorithms require real number computation which is usually performed using floating point representation.FxP representation is used to ensure that the proposed AEAD scheme is not platform-specific.In addition, it contributes to better performance as basic binary operations can be used on FxP variables which require fewer clock cycles than floating point operations.
The proposed cipher has several features that are advantageous for AEAD designs.Firstly, each block of data can be processed in parallel.The only overhead is the iteration of the masking algorithm which has to be performed based on the block number.It is an online, one-pass cipher whereby the encryption of one block does not depend on other blocks.The verification algorithm is highly nonce-misuse resistant due to the randomly generated .The proposed AEAD scheme also has out-of-order verification; whereby if any blocks are permuted or out of order, it will result in a different MAC.
To achieve high security against cryptanalytic attacks, users have the option of using a TRNG to generate .A TRNG depends on physical phenomena; therefore  becomes nondeterministic in nature.Each plaintext is then randomly mapped to different ciphertexts.However, anyone with the correct secret key is able to extract  to decrypt and verify the message successfully regardless of how  was generated.Although the randomization of  contributes to strong security characteristics as described in Section 4.5.4,the proposed AEAD scheme becomes nonincremental in nature.The entire associated data or message needs to be recomputed if one block is changed because  changes upon each encryption.

Security Analysis
This section examines the security of all components of the proposed AEAD scheme.For all tests, inputs are set to zero ( = 0,  = 0,  = 0) unless stated otherwise.As it is difficult to provide mathematical proof for real number-based cryptographic algorithms, the AEAD scheme is evaluated mainly using statistical means.

Preliminary Statistical Testing.
Before other evaluation methods are used, statistical test suites such as NIST SP 800-22 [24], DIEHARD [25], and ENT [26] are used as preliminary tests for majority of the AEAD components.The minimum/maximum passing ratio (PR) for NIST and DIEHARD for a significance level of 0.01 is calculated based on (4), where  is the number of samples, as follows: The summary of inputs required for each test suite is listed below., and 16 of the Appendix.In the following experiments, s-boxes are produced for  = rand ( ),  = 0,  = 0 where their characteristics such as the avalanche effect, strict avalanche criterion (SAC), linear and differential probability, nonlinearity, and keyspace are examined.

Avalanche and Strict Avalanche Criterion.
To exhibit the avalanche effect, one-half of the output bits should change on average whenever a single input bit is toggled.To determine if an 8-bit s-box fulfils this requirement, the 2 8 possible inputs are first divided into 2 7 pairs, (,   ), which differ only in bit .The 8-bit avalanche vectors,   , are then calculated for all (0 ≤  < 8) as follows: For 10000 random s-boxes all possible input pairs are tested.
Results indicate that 50.1899% of each   bits are equal to one when an input differs in only bit .
To satisfy the SAC, each individual output bit should change with a probability of 50% when a single input bit is toggled.Similar to the previous test, 2 8 possible inputs are first divided into 2 7 pairs, (,   ), which differ only in bit .The 8-bit avalanche vectors,   are then calculated for all (0 ≤  < 8).For 10000 random s-boxes and all possible input pairs, the average probability that a bit location in   is equal to one when an input differs in only bit  is 50.1993%.
Both results show that the s-boxes generated by the proposed AEAD scheme have strong avalanche effect and fulfil the SAC.Satisfying the SAC also implies that the s-box is a complete function, whereby each output bit is dependent on all input bits [27].

Differential Distribution and Linear Approximation.
For 10000 randomly generated s-boxes, the differential distribution [28] and linear approximation [29] tables are computed.These tables consist of the probabilities of differential and linear characteristics for various input/output combinations that can be used in differential and linear attacks.The worst case differential and linear probabilities are 2 −4.67807 and 2 −2.91254 , respectively.These probabilities are sufficient to resist cryptanalytic attacks which are described in Section 4.5.

Nonlinearity and Key Sensitivity. Let F 𝑛
2 be the dimensional vector space over the field F 2 .The nonlinearity of a function  : A perfectly nonlinear function has a nonlinearity of NL() = 2 −1 − 2 /2−1 , which is 120 for an 8-bit s-box.Out of 10000 randomly generated s-boxes, the average nonlinearity is 92.6646, which is 77.22% nonlinear.The generated s-boxes have lower nonlinearity than the AES s-box (NL( AES ) = 112).However, unlike a static s-box, attackers cannot linearly approximate a randomized s-box without knowledge of the keys used to generate it.Therefore, slight changes to the secret key should generate different s-boxes.For all 128bit secret keys with hamming weight of one, the proposed AEAD scheme generates unique s-boxes.In addition, for 2000 incrementally generated s-boxes ( = 0 to  = 70), all s-boxes are also unique.This shows that the random s-box algorithm is highly sensitive to slight changes to .

Mask Evaluation.
The output of the masking algorithm is first tested using the NIST, DIEHARD, and ENT test suites.The 128-bit mask values generated by the AEAD scheme successfully pass all three as shown in Tables 9, 13, and 17 of the Appendix.

Mask Cycle Length.
The cycle length of the masking algorithm must be sufficiently large to avoid attacks that can take advantage of any mask value cycles.Theoretically, the cycle length is limited by the precision of the fixed point representation used in chaotic iterations.This amounts to 2 30 − 1, as 30 bits are used to represent the fractional bits.This is a conservative bound, as chaotic perturbation and chaotic coupling further extend the cycle length.Because there are two chaotic maps used to modify the mask registers, the total cycle length is the least common multiple of their cycle lengths.Based on this lower bound, the proposed AEAD scheme will be able to support messages of approximately 2 60 − 1 blocks before a mask cycle occurs.To fulfil the SAC, each round key bit should change with a probability of 50% when a single input key bit is toggled.For each of the 20 rounds, the average probabilities that a bit location in   is equal to one when the input key differs in only bit  are 49.9998%,49.9891%, 50.0914%, 49.8953%, 49.9978%, 49.9583%, 49.9866%, 50.0108%, 49.9941%, 49.9044%, 49.9095%, 49.9452%, 50.0287%, 50.0473%, 50.0302%, 50.0439%, 50.0852%, 50.017%, 50.0633%, and 49.9419%.This has an overall average of 49.997% per round.

Key Schedule
Results show that the key schedule algorithm has strong avalanche effect and fulfils the SAC.This implies that the key schedule algorithm is a complete function, where all round key bits are dependent on all input secret key bits.

Encryption Algorithm Security.
This section analyses the security of the AEAD scheme against various cryptanalytic attacks.A lower bound of security against these attacks is first determined with  = 0.Then, additional security provided by using a TRNG to generate  is discussed.Prior to other security analyses, the ciphertext of the AEAD scheme is tested using statistical suites with results in Tables 11,15, and 19.

Differential and Linear Cryptanalysis.
The security bound for differential and linear cryptanalysis can be determined based on the minimum number of active s-boxes for a differential characteristic (AS   ) and linear characteristic (AS   ), where  is the number of rounds.The number of AS is dependent on the type of block shuffle used in the round function.In an early design, the number 10 block shuffle from [30] was used in the proposed AEAD scheme, supposedly with AS 20   /AS 20  = 44.However, a branch and bound algorithm was used and found that AS 20   /AS 20  = 37.Instead, an isomorphic shuffle to the number 10 shuffle was used, adopted from [31] with AS   and AS   for 1 ≤  ≤ 20 shown in Table 2.
The maximum differential and linear probabilities for the AEAD scheme's s-boxes are   = 2 −4.67807 and   = 2 −2.91254 , respectively as mentioned in Section 4.2.2.The probability for differential and linear distinguishers are calculated using For  = 14 and  = 16,  14 diff-dist = 2 −140.3421 and  16 lin-dist = 1/2 + 2 −67.9389 , where 2 −67.9389 is the linear bias, denoted by  lin .The number of plaintexts required for a differential and linear distinguishing attack is then 1/ 14 diff-dist = 2 140.3421 and 1/( lin ) 2 = 2 135.8778 , respectively, which are both more than the available 2 128 .Therefore, the full 20 rounds have a safe security margin against differential and linear cryptanalysis.

Algebraic Attack.
In an algebraic attack, s-boxes are described by an overdefined system of algebraic equations that hold true with a probability of one [32].The use of random s-boxes increases the resistance of a cipher against this attack [33].The proposed AEAD scheme uses keydependent s-boxes which are further randomized by ; therefore it is difficult to obtain a system of equations for these s-boxes.Without these equations, an algebraic attack is not feasible.The proposed cipher is thus resistant to algebraic attacks.

Timing Attack.
Timing attacks exploit operations with data-dependent execution time to reveal the secret key [34,35].In the proposed AEAD scheme, the secret key is used to generate s-boxes and round keys and also to initialize the mask register.The remaining operations consist of Bitwise operations that have constant execution time.Therefore, the proposed cipher is resistant to timing attacks because its encryption speed is independent of the key value.

Security with True Random Secret Message Number. If
is generated by a nondeterministic TRNG, the cipher is able to resist a wide range of statistical-based cryptanalytic attacks.A nondeterministic  ensures that multiple encryptions of even the same (, ) pair will involve different s-boxes and masking values.This leads to different (, ) outputs.However, a legitimate recipient can easily decrypt and verify these ciphertext-MAC pairs as long as the secret key is correct.
Randomized s-boxes prevent any cryptanalytic attacks that rely on approximating the behavior of the s-box, such as differential, linear, and algebraic attacks.Even if an approximation of the s-box is obtained for a particular plaintextciphertext pair, it is only applicable to that specific pair.The cipher is also immune to attacks that rely on selecting input differences that cancel out the effect of encryption keys such as the differential attack, truncated differential attack, and impossible differential attack.This is because the masking keys are modified by the truly random , making them nondeterministic for each plaintext encryption.For a differential characteristic to hold,  values for a plaintext pair have to match, which occurs with a probability of 2 −128 for a uniform TRNG.
Key recovery attacks based on an -round statistical distinguisher involve the encryption of multiple plaintexts for  +  rounds to obtain their corresponding ( + )round ciphertexts.Attackers then guess subkey bits, decrypt the ciphertext for  rounds, and verify their guess based on the -round statistical distinguisher.If  is nondeterministic, attackers will not be able to obtain the correct subkey using this method as each plaintext is encrypted based on different s-boxes and masking keys.In practice, the statistical distinguisher only holds if two plaintexts are encrypted with same , which again occurs with a probability of 2 −128 for a uniform TRNG.
As previously mentioned, generating  using a TRNG makes the cipher misuse resistant.If the same nonce is used twice, the resulting MAC and ciphertext are still secure as long as  is not repeated for the same (, , ) 3-tuple.In short, implementing the proposed AEAD scheme with a TRNG or even a hybrid RNG will strengthen its immunity against statistical-based cryptanalysis as well as user misuse.
4.6.MAC Security.This section analyses the statistical quality of the authentication tag produced by the proposed AEAD scheme.In the following experiments, the input parameters are set to  = 0,  = 0,  = 0, whereby only  and  vary.

Statistical Analysis of Diffusion and Confusion.
In this test, an (, ) pair is randomly generated and its corresponding tag, , is computed.Next, a random bit within the (, ) pair is toggled and its corresponding tag,   , is computed. and   values are compared and the number of changes at each bit location is stored as   .The following equations are then computed: Mean Changed Probability Standard Variance of the Changed Bit Number where  is the number of trials.The test is performed for  = 1024/2048/10000 and the results are tabulated in where   and    are the th entry of the original and modified MAC, while the function ( * ) converts the entry to its equivalent decimal value.The test results for 10000 trials are compared against theoretical values (see [36] for calculation of theoretical values) in Tables 4 and 5. Results indicate that the proposed AEAD scheme has strong collision resistance as the experimental results are near-ideal.

MAC Distribution.
To resist statistical attacks, a MAC has to be evenly distributed at each bit position.Analysis of the MAC distribution starts with generating a random (, ) pair and its modified version with one toggled bit, (, )  .The MAC of both messages is compared, and the number of changes at each bit location is counted.For  = 10000, the minimum, maximum, and mean changed bit number are 4877, 5150, and 5002.3,respectively, with the distribution plot shown in Figure 8.The mean changed bit number is close to the theoretical value of 5000, where the maximum distance from ideal for each changed bit value is 150.This indicates that proposed AEAD scheme produces evenly distributed MAC values as depicted in Figure 8.

Advantage over AES-GCM.
The proposed scheme has several advantages over AES-GCM which is currently the official standard for authenticated encryption [37].Firstly, the proposed AEAD scheme does not have any identified weak keys unlike AES-GCM [6].It is also resistant to noncemisuse, providing full privacy and integrity even if nonce is repeated, unlike AES-GCM which requires unique nonce values for security [37].Most software-based AES implementations are susceptible to cache timing attacks [35], whereas the proposed cipher has a constant time implementation due to simple binary operations.AES-GCM's security bound for integrity is equal to half the tag length [6] whereas the proposed AEAD scheme is able to provide full 128-bit security for integrity.Furthermore, the proposed AEAD scheme also has the flexibility to be implemented with a TRNG for immunity to statistical-based attacks.In terms of performance, the speed of AES-GCM was compared against the proposed cipher on a computer with an Intel i7-4700MQ processor and 8 GB of RAM.The implementation of AES-GCM was taken from the Crypto++ Library 5.6.2[38].The proposed AEAD scheme has a speed of 2401.73Megabits/second compared to 1601.4 Megabits/second of AES-GCM, approximately 1.5 times faster.The algorithm can still be further optimized for improved performance.

Conclusion
This paper introduced a new chaos-based authenticated encryption with associated data (AEAD) scheme.It is based on the single-key Even-Mansour construction and Type-II generalized Feistel with random s-boxes.The chaotic tent map was used to generate Even-Mansour whitening keys, round keys, and s-boxes used in the Feistel round functions.Chaotic perturbations were included in the proposed design to overcome weaknesses of unimodal chaotic maps.For improved performance, the fixed point representation was used for all real number operations.Results of rigorous statistical testing have shown that the proposed AEAD scheme has no observable statistical defects.In addition, it is resistant to cryptanalytic attacks such as the differential, linear, algebraic, and timing attacks.To increase its immunity against all

2. 1 .
Authenticated Encryption with Associated Data.The following are inputs to an authenticated encryption algorithm along with their corresponding security requirements ( = Integrity,  = Privacy): (i) Variable-length plaintext (ip) (ii) Variable-length associated data (i) (iii) -bit secret message number (ip) (iv) -bit public message number/nonce (i) (v) -bit secret key

3. 1 .
Parameters and Notations.All integers stated in the following algorithms are in hexadecimal format.Prior to modification by the nonce or secret keys, the initial values for
obtain the final s-box,   , four additional values are generated by Algorithm 2. A four-modulo operation is applied on these values which are then used as s-box indices,   for 0 ≤  < 4. The final s-box is a composition of the four s-boxes indexed by :   () =   3 (  2 (  1 (  0 ()))).As   depends only on , it can be precomputed by both parties.  is later modified by  in the actual encryption process.
6) Encrypt [] for 0 ≤  <  and XOR results to obtain   .(7) Decrypt [ + 1] to obtain  [] and [], where 0 ≤  < .(8) Compute ∑  .Encrypt ∑  and XOR the result with   ,   , and  [ * ] .Perform one final encryption to obtain  verif y .( The minimum  value to indicate uniformity for each NIST test is 0.0001 whereas the DIEHARD tests require  values in the range of [0.01, 0.99].The min/max PR for the NIST and DIEHARD test suites are listed in Table 6 of the Appendix.As for the ENT test suite, a number sequence fails if its results stray too far from the ideal values listed in Table 7 of the Appendix.Passing all three test suites indicates that the number sequence is pseudorandom with no obvious statistical defects.
4.2.-BoxEvaluation.Random s-boxes are generated based on a chaotic number sequence which is tested using the NIST, DIEHARD, and ENT test suites.It passes all three as shown in Tables8, 12 (5)luation.The key schedule algorithm generates only 20 round keys for a secret key.Therefore, data for the statistical test suites are generated using incremental secret keys (incremented from  = 0) except for the DIEHARD test which still uses randomly generated secret keys.Results in Tables10, 14, and 18 of the Appendix indicate that the key schedule algorithm passes all test suites.4.4.1.Avalanche and Strict Avalanche Criterion.The key schedule algorithm is analysed for avalanche effect and SAC similar to the s-box evaluation in Section 4.2.1.The avalanche vectors   are calculated using(5), where 10000 randomly generated pairs of ,   are used as inputs.To depict the avalanche effect, one-half of each round key should change on average whenever a single input key bit is toggled.The percentages of   bits that are equal to one when the input key differs in only bit  are 50.0403%,49.

Table 2 :
List of active S-boxes.

Table 3 :
Statistical results for 128-bit hash values of the proposed hash function.

Table 4 :
Number of hits.

Table 3 .
The distribution plot and histogram of   for  = 10000 are shown in Figures7 and 6. Results show that the MAC values have a mean changed bit number, , and mean changed probability, , that are near-ideal (64 bits and 50%).Low standard variance values depict strong diffusion and confusion capabilities.In Figures7 and 6,   is shown to be evenly and normally distributed centering on 64 bits.These near-ideal statistical results indicate that the slightest change to the  or  will produce a different authentication tag.

Table 6 :
Passing Ratios for NIST and DIEHARD.

Table 7 :
Ideal values for ENT test suite.
statistical-based attacks, the AEAD can be implemented alongside a true random number generator to map messages to various ciphertexts in an unpredictable manner.It also has better performance than AES-GCM which is the current standard in authenticated encryption, with a throughput of approximately 2401.73 Megabits/second.In short, the