Designing Two Secure Keyed Hash Functions Based on Sponge Construction and the Chaotic Neural Network

In this paper, we propose, implement, and analyze the structures of two keyed hash functions using the Chaotic Neural Network (CNN). These structures are based on Sponge construction, and they produce two variants of hash value lengths, i.e., 256 and 512 bits. The first structure is composed of two-layered CNN, while the second one is formed by one-layered CNN and a combination of nonlinear functions. Indeed, the proposed structures employ two strong nonlinear systems, precisely a chaotic system and a neural network system. In addition, the proposed study is a new methodology of combining chaotic neural networks and Sponge construction that is proved secure against known attacks. The performance of the two proposed structures is analyzed in terms of security and speed. For the security measures, the number of hits of the two proposed structures doesn’t exceed 2 for 256-bit hash values and does not exceed 3 for 512-bit hash values. In terms of speed, the average number of cycles to hash one data byte (NCpB) is equal to 50.30 for Structure 1, and 21.21 and 24.56 for Structure 2 with 8 and 24 rounds, respectively. In addition, the performance of the two proposed structures is compared with that of the standard hash functions SHA-3, SHA-2, and with other classical chaos-based hash functions in the literature. The results of cryptanalytic analysis and the statistical tests highlight the robustness of the proposed keyed hash functions. It also shows the suitability of the proposed hash functions for the application such as Message Authentication, Data Integrity, Digital Signature, and Authenticated Encryption with Associated Data.


Introduction
Hash functions can be used in various applications such as Message Authentication, Digital Signature, Data Integrity, and Authenticated Encryption [1]. As a definition, a hash function H takes an input message M, and produces an output value h, named hash code, digital fingerprint, message digest, or simply hash. Precisely, the hash function H takes a bit sequence M (e.g., data, image, video, and file) with an arbitrary finite length, and produces a fixed length digest h of u bits. The digest acts as a kind of signature for the input data. Moreover, when the same hash function H is run for the same input message M, the same hash value h is obtained [2].
A cryptographic hash function employs an encryption algorithm in producing the output value h. The advantage of cryptographic hash functions is to meet some security requirements and to be immune against different attacks such as statistical, brute-force, and cryptanalytic attacks, etc. Recently, CNN based hash functions [3,4] attract the interest of research community because of the important properties of chaotic systems and neural networks related to the nonlinear security [5,6].
In general, chaos is a kind of deterministic random-like process generated by nonlinear dynamical systems. Chaos was given by Edward Lorenz [7], and its main properties have been investigated by a large community of research [8]. Chaotic systems are appropriate to be used in cryptographic hash algorithms due to their pertinent properties such as random-like behavior, sensitivity to tiny changes in initial conditions, and unstable periodic orbits. In addition, neural networks are powerful computational models, designed to simulate the human brain and adopted to solve many problems in different fields. Neural networks exhibit, by construction, many convenient properties to be used in cryptographic hash algorithms such as parallel implementation, flexibility, nonlinearity, one-way, data diffusion, and compression functions.
At first, some designers combine both these systems (chaos and neural network) in the Merkle-Dåmgard structure to build robust CNN hash functions [9,10]. In our previous work [2], Abdoun et al. designed, implemented, and analyzed the performance, in terms of security and speed, of two proposed keyed CNN hash functions based on the Merkle-Dåmgard (MD) construction with three output schemes, i.e., CNN-Matyas-Meyer-Oseas, Modified CNN-Matyas-Meyer-Oseas, and CNN-Miyaguchi-Preneel. However, the Merkle-Dåmgard construction has several vulnerabilities to some attacks such as Second preimage, Multicollisions, Herding, and Length extension attacks [11,12]. To resist these attacks, a new Secure Hash Algorithm called SHA-3 [13] based on an instance of the KECCAK algorithm was selected as a winner of the National Institute of Standards and Technology (NIST) hash function competition in 2015 [13][14][15][16][17][18]. Indeed, the SHA-3 family consists of four cryptographic hash functions such as, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 and two Extendable-Output Functions (XOFs) such as SHAKE128 and SHAKE256 [13]. For the XOFs, the length of the output can be chosen to meet the requirements of user applications. There are different structures being used to build various hash functions such as Wide Pipe [19], Merkle-Dåmgard [20,21], Haifa [22], Fast Wide Pipe [23], Sponge [24], etc. Indeed, a number of these existing structures are employed in the design of many popular hash functions. The Merkle-Dåmgard construction is used in the design of MD5 [25] family like SHA-1 [26], and SHA-2 [27] standards, while the Sponge construction is used to design a new secured standard hash algorithm SHA-3 [13], which will be used when the current standard SHA-2 will be inevitably compromised. In our previous work [28], Abdoun et al. proposed, implemented, and analyzed the performance of a new structure for keyed hash function based on chaotic maps, neural network, and Sponge construction.
In this paper, two robust keyed hash functions that contain a chaotic system (CS) and a CNN-based Sponge construction are proposed. In these two proposed structures, the input message M is hashed to a hash value h with a fixed length of bits equal to 256 or 512 bits. The combination of Sponge construction and CNN results the increase in the robustness of the proposed hash function. The proposed structures are based on the efficient CS [36]. The efficient CS in [36] produces pseudo-chaotic samples and those are used as the parameter values of the neural network. In addition, the proposed activation function of neural network is formed of two chaotic maps that are connected in parallel. The proposed CNN and CS ensure that our hash functions are more secure against different attacks in comparison with other hash functions that are based on Sponge construction. Indeed, the various experimental results and theoretical analysis demonstrate the effectiveness and prove that the proposed hash functions have very good statistical properties, high message sensitivity, high key sensitivity, strong collision resistance, and are immune against collision, preimage, and second preimage attacks [37].
The rest of the paper is organized as follows: Section 2 introduces a brief reminder of cryptographic hash function properties. Then, the general models of Sponge and keyed-Sponge constructions are presented. Section 3 describes in detail the proposed structures of the two keyed CNN hash functions based on Sponge construction with their important constitutive elements. Section 4 shows the results and analysis in terms of security and computational performance for the proposed hash functions, and comparison with the two standards SHA-2 and SHA-3. Finally, in Section 5, conclusions for the contribution and the future work are given.

Properties and Classification of Cryptographic Hash Functions
The cryptographic hash function H (noticed also as hash functions in the rest of paper) must verify the two implementation properties, i.e., ease of computation and compression, in addition to the three main security properties, i.e., preimage resistance (called one-way), second preimage resistance (called weak collision resistance), and collision resistance (called strong collision resistance).

Structures of Cryptographic Keyed Hash Functions Based on Sponge Construction
In this section, we describe the three phases of the Sponge construction, and then how to build keyed-Sponge hash functions from unkeyed Sponge construction.

The Sponge Construction: Initialization, Absorbing and Squeezing Phases
In Figure 1, the general structure of the unkeyed Sponge construction is shown and it has three phases: Initialization, Absorbing, and Squeezing. The unkeyed Sponge construction, which operates on a state HM i (i ≥ 0) of size b bits, builds a new hash function. These states are split into an outer part of r-bit size named bitrate, which is accessible externally, and an inner part C of c-bit size named capacity, which is hidden. The size called width b-bit is given by b = r + c. In the initialization phase, the initial value IV = HM 0 of b-bit size is set to 0. The input message M is padded and then split into q blocks of r-bit size. Next, in the absorbing phase, the q blocks of the entire message are absorbed on the basis of message block M i by message block M i , (i = 1, . . . , q). In the squeezing phase, the hash value h is obtained by squeezing out r-bit block by r-bit block.
Note that the security depends partially on the capacity c, while the speed of the construction relies partially on the bitrate r. In the absorption process, HM i , (i = 0, . . . , q − 1), with r-bit size is xored with each message block M i , (i = 1, . . . , q), to become the input of the function f. If we increase the bitrate r, then more bits are absorbed at once and the process runs faster. However, the increase of the bitrate r implies the decrease in the capacity c, or the security is reduced. Thus, there is a trade-off between security and speed.
As mentioned before, the KECCAK-p family of permutations is the specialization of the KECCAK-f family: where n r is the number of rounds and b is the width. Therefore, the KECCAK family is denoted by where N is the concatenation of the initial message M with the suffix 01, or (N = M 01); pad10 * 1 is the used padding rule explained below; d is the hash value length (u = d); and Sponge[.] is the sponge function. As we can see, for a given input message M, this equation is restricted to the case n r = 24 rounds and b = 1600 bits. In particular, the four variants of SHA-3 standard hash functions are defined from the KECCAK[c](N, d) function as follows: In each case, the suffix 01 supports the domain separation; it distinguishes the SHA-3 hash functions from the XOFs, where its suffix is 1111 (N = M 1111), and the capacity c is double the hash value length u, i.e., c = 2u.
Thus, to ensure that the obtained message (M 01) of arbitrary length is padded to become a bit string with the length of multiple of r bits, and a padding rule is necessary. Indeed, a simple padding rule with 0 is insufficient because the produced hash value will be vulnerable to various attacks due to the collision between all-zero latest message blocks.

Unkeyed Sponge Construction to Keyed-Sponge Construction
The unkeyed Sponge hash functions, which use an initial value IV, are transformed to keyed-Sponge hash functions, without any structural modification, by adding a secret key K as an additional entry to the structure. In the literature, three types of keyed-Sponge functions were reported as displayed in Figure 2: 1. The Outer keyed-Sponge (OKS) [38]: The input message is obtained by prepending the secret key K to the message M, i.e., K M as in Figure 2a. 2. The Inner keyed-Sponge (IKS) [39]: The inner part of the initial value IV contains the secret key K as in Figure 2b. 3. The Full-State Keyed Sponge (FKS) [40]: The inner part of the initial value IV contains the secret key K as IKS, but the input message M is absorbed over the entire b-bit state instead of absorbing it in the r-bit outer part only as in Figure 2c.
In the literature, the OKS and IKS hash functions were analyzed by Andreeva et al. [41], and Naito and Yasuda [42]. The donkeySponge construction employed the idea of the third type as in [43], and an analysis for only one output block was given by Gaži et al. [44]. A complete security analysis of the FKS was given by Daemen et al. [45] and Mennink et al. [40].
Under the security perspective, the same security level of c bits is achieved by the three modes, and there is no reason to take a key K of size |K| bits greater than the capacity c (|K| > c) [46]. However, in terms of the number of permutation evaluations, OKS and IKS are less efficient than FKS, that is, the absorption of b-bit input data at a time rather than r bits (r < b). Thus, we restrict our focus to FKS hash functions. There are several applications of the keyed-Sponge hash functions such as the MAC generation and the Bitstream encryption. For the first application, the MAC function is given by where Z 2 is a binary sequence; IV is the initial value; K is the secret key; and |K|, b, L, and u are the lengths of the secret key K, the initial value IV, the message M, and the desired hash value h, respectively. For the second application, the STREAM function is given by: In the next section, we introduce our proposed keyed-Sponge CNN hash functions.

Proposed Keyed-Sponge Chaotic Neural Network Hash Functions
The proposed keyed-Sponge hash functions are the chaotic functions C f i , (i ≥ 1) that contain a CS and a CNN [47]. These chaotic functions use a padded message block M i 0 c , (i = 1, . . . , q) of size b-bit, subkeys KM i , (i ≥ 1) of length 128 bits and a secret key KM 0 of length |K| = 160 bits and produce hash values with two variant lengths, 256 bits and 512 bits, depending on the value of r and c as shown in Figure 3.
The first CNN hash function is made up of a two-layered Neural Network called Structure 1, whereas the second hash function is made up of a one-layered Neural Network followed by a combination of Nonlinear (NL) functions called Structure 2 [28].
In the following subsection, the architecture of the two proposed keyed-Sponge CNN hash functions is described.

Description of the General Structure of the Two Proposed Keyed-Sponge CNN Hash Functions
The general structure of the proposed keyed-Sponge CNN hash functions (KSCNN[c](M 01, u)) is composed of three phases, i.e., Initialization, Absorbing, and Squeezing phases (see Figure 3).

Phase 1: Initialization
This phase initializes the secret key K = KM 0 and the initial value IV = HM 0 to 0, and determines the values of r and c according to Table 1. In addition, the input message M is appended by the suffix 01, in this phase. Then, the appended message M||01 is padded using the function Pad (explained below), and divided into q blocks of the r-bit size, M i with (i = 1, . . . , q).
For Structures 1 and 2, we adopt the same value of c like the standard SHA-3, i.e., c equal to 512 bits (like SHA3-256) for the 256-bit hash value, and c equal to 1024 bits (like SHA3-512) for the 512-bit hash value.
We use the multi-rate padding Pad in our proposed hash functions, which appends a bit sequence 10 * 1 of length v + 2 bits (a bit 1 followed by the minimum number v of bits 0, and lastly a bit 1), as shown in Equation (5): where mod is the modulo function and L = |M|. In general, we have three cases of padding as shown in Figure 4: Case 2 : mod(|M + 2|, r) = 0; Now, let's take a look at the three cases of padding, where r = 1088 bits as follows: Then, we divide the padded message into q blocks, and the obtained message is processed as a sequence of blocks:

Phase 2: Absorbing
In the second phase, the q blocks of the message, M i , (i = 1, . . . , q), are absorbed, and each block is of r bits. Each message block M i , (i = 1, . . . , q), is padded by the sequence 0 c . Then, the obtained blocks M i 0 c , (i = 1, . . . , q) with the length of b bits are xored with the intermediate hash values HM i−1 , (i = 1, . . . , q). It is noted that HM 0 is defined in the initialization phase (HM 0 = IV). The obtained values from the xor operation h i−1 , (i = 1, . . . , q), with the length of 1600 bits form the inputs of chaotic functions C f i , (i = 1, . . . , q), in addition to the subkeys KM i , (i = 1, . . . , q − 1), of 128 bits. For every r-bit input message block M i , (i = 1, . . . , q), the chaining variables HM i , (i = 1, . . . , q), of b bits (e.g., b = 1600 bits) are filled from the outputs of C f i , (i = 1, . . . , q). KM 0 = K is the secret key of 160 bits for the first chaotic function C f 1 [48]. For the other chaotic functions C f i , (i ≥ 2), the subkeys KM i , (i = 1, . . . , q − 1) are obtained from the Least Significant Bit (LSB) of HM i , (i = 1, . . . , q − 1), or KM i = LSB(HM i ), (i = 1, . . . , q − 1). These subkeys KM i (i = 1, . . . , q − 1) are used by the CS to generate initial conditions and the necessary parameters for the CNN. For the final chaotic function C f q , HM q forms the final hash value h q with the length equal to b bits as the output of the absorbing phase of the message M. The pseudo-code of the absorbing phase Algorithm 1 is presented below: The absorbing phase.

Phase 3: Squeezing
Squeezing phase is only used when the length of the hash value u is greater than the width b, i.e., u > b. In this case, the hash value h q of b bits generated by the absorbing phase is the input to the squeezing phase, and the obtained hash values HM i , (i ≥ q), are sequentially forwarded to C f i , (i ≥ q + 1). For each HM i , (i ≥ q), we extract the r most significant bits to form Z j , (j ≥ 1), and the 128 least significant bits to produce the key KM i , (i ≥ q), for the CS of each C f i , (i ≥ q + 1). Finally, the r-bit size of all obtained values Z j , (j ≥ 1), are concatenated to constitute the final hash value h of the desired length of u bits as follows: The obtained hash value h can be used as a Message Authentication Code (MAC) for Digital Signature (DS) and Authenticated Encryption (AE) applications [49,50]. The pseudo-code of the squeezing phase Algorithm 2 is given below: The squeezing phase.
In the next paragraph, the proposed CS will be used in the chaotic functions C f i , (i ≥ 1), to generate the necessary parameters and initial conditions for CNN as described above.

Detailed Description of the Proposed Chaotic System
As shown in Figure 5, the proposed CS is a simple version of that given by S. El Assad and H. Noura [36]. It is based on the Discrete Skew Tent map (DSTmap) in Equation (8) as where N is the finite precision equal to 32 bits; and Q1 is the control parameter of DSTmap. KSs(n − 1) and KSs(n) are the outputs of DSTmap at the (n − 1)th and nth iterations, respectively. The value range of Q1, KSs(n − 1), and KSs(n) is from 1 to 2 N − 1. The secret key K of the first input block message, M 1 , is represented by the following equation: where KSs1(−1), Ks1, KSs1(0), Q1, and Us are parts of the secret key K. Us is only used for generation of the first sample. The components of the secret key K are samples of 32 bits, and its size is:

Keyed-Sponge Hash Functions Based on Two-Layered CNN Structure (Structure 1)
The structure of the chaotic function C f i for KSCNN[512] and KSCNN[1024] is shown in Figure 6. It contains two layers of neurons, i.e., a CNN input layer of five neurons and a CNN output layer of eight neurons. The necessary samples, Key Stream KS, are generated by the CS to supply the both layers. The KS is composed as follows: The size of KS must be: Indeed, all neurons of the two CNN layers use the same activation function with different number of inputs. For the input layer, each neuron has 10 inputs receiving data from h i , (i = 0, . . . , q − 1) as displayed in Figures 6 and 7. In addition, for (k = 0, . . . , 4), the first five inputs P j , (j = 10k, . . . , 10k + 4), of each neuron are weighted by the W I j , (j = 10k, . . . , 10k + 4), and then added together with the bias BI k (weighted by 1), to form the input of the chaotic map DSTmap. The last five inputs P j , are weighted by W I j , (j = 10k + 5, . . . , 10k + 9), and then combined together with the same bias BI k to form the input of the chaotic map DPWLCmap. All inputs P j , biases BI k and weights W I j are samples (integer values) of 32 bits. QI k,1 and QI k,2 are the control parameters of DSTmap and DPWLCmap, respectively. The biases BI k , (k = 0, . . . , 4), are necessary in case the input message is null as seen in Figure 7. The chaotic map DPWLCmap is realized as follows: where KSp(n − 1) and KSp(n) are the outputs of DPWLCmap at the (n − 1)th and nth iterations, respectively; N is the number of bits defining the finite precision, N = 32 bits; Q2 is the control parameter; KSp(n − 1), KSp(n) and Q2 range between 1 to 2 N−1 .
After computation, the two outputs of DSTmap and DPWLCmap are xored together to produce the output of neurons represented by C k , (k = 0, . . . , 4), which is presented by the following equation: At the output layer, each neuron has five inputs, WO k,j × C j , (k = 0, . . . , 7; j = 0, . . . , 4), where k represents the index of output neurons, j represents the index of input neurons; WO k,j , (k = 0, . . . , 7; j = 0, . . . , 4), are the weights associated with the connections between output and input layers, and C j , (j = 0, . . . , 4) are the outputs of neurons at the input layer; WO k,j , (k = 0, . . . , 7; j = 0, . . . , 4), and C j , (j = 0, . . . , 4), both are samples of 32-bit length. As presented in Figure 8 for the inputs of each neuron at the output layer, the outputs of the first three neurons at the input layer, C 0 , C 1 and C 2 , are fed to the chaotic map DSTmap, and the last two outputs C 3 and C 4 from the input layer are sent to the chaotic map DPWLCmap. After computation, the outputs of chaotic maps DSTmap and DPWLCmap are xored together to generate the output of the neuron, given by the following equation: Here, the control parameters QO k,1 , QO k,2 , (k = 0, . . . , 7), and the biases BO k , (k = 0, . . . , 7), used by the two chaotic maps, are also samples of 32 bits in length.
Finally, the output layer of the proposed structure is iterated seven times to produce the intermediate hash values with the length b = 7 × 8 × 32 bits.

Keyed-Sponge Hash Functions Based on One-Layered CNN and One NL Output Layer (Structure 2)
The architecture of the second proposed KSCNN hash function uses the same input CNN layer as that in Structure 1, and the second layer is replaced by NL functions. The NL functions are similarly used in SHA-2 as displayed in Figure 9. The CS generates the necessary samples to supply the CNN of and its size is Here, |WO| = 5 samples instead of 40 samples as used in Structure 1.

Performance Analysis
In order to evaluate the performance of KSCNN[512] and KSCNN[1024], the performance analysis focuses on the security and the number of needed cycles per byte (NCpB). In addition, we compare the obtained performance with the standard hash algorithm SHA-3. First, we analyze the preimage resistance (one-way property) of the proposed structures. Then, we evaluate the statistical tests such as the collision resistance, the distribution of hash value, the sensitivity of hash value h to the message M and the sensitivity of hash value h to the secret key K, and the diffusion effect. In addition, we study the immunity of the proposed structures against the brute-force and cryptanalytic attacks. The detailed description of these tests is presented in our previous work [47]. For that, we just resume in this section the necessary test description to interpret the obtained results.

One-Way Property
According to Equations (14) and (15), for a hash value h, it is highly difficult to retrieve the secret key K and the message M. For a given secret key K, the attacker tries to find the message M using the brute force attack (as explained in the Section 4.3.1), such that its hash is equal to a given hash value. On average, an attacker tries 2 u−1 values of the message, to find the hash value h of length u (u is equal to 256 or 512 bits). Nowadays, with such lengths, this attack is infeasible [51,52].

Statistical Tests
In this sub-section, we implement and analyze the different statistical tests.

Collision Resistance Analysis
This statistical test quantitatively evaluates the collision resistance [51]. For that, given a hash value h of a random message M in the ASCII format h = {c 1 , c 2 , . . . , c s }, and its corresponding h = {c 1 , c 2 , . . . , c s } obtained with one bit flipping of the same message M, we calculate the number of hits ω as follows: where the function The value s = u 8 , and T(.) is the function that converts the entries to their equivalent decimal values.
In theory, the relation between a number of tests and a number of hits ω = 0, 1, 2, . . . , s as mentioned in [53] that where J represents the number of independent experiments. These theoretical values of W J (ω) according to Equation (22) are given in Tables 2 and 3 for hash values with the lengths of 256 and 512 bits, respectively.  For the two lengths of hash values, the obtained results in Table 4 indicate that the number of rounds n r = 8 and n r = 24 give the best results. Indeed, for 256-bit hash value length with n r = 8, there are two hits for 17 tests, one hit for 244 tests, and zero hits for 1787 tests. For n r = 24, there are two hits for 11 tests, one hit for 213 tests, and zero hits for 1824 tests. Similar behavior is obtained for the 512-bit hash value with a slight increase in the number of hits.
In Table 5, we summarize the obtained number of hits ω = 0, 1, 2, 3, 4 for the two proposed structures. As expected, we obtain comparable results. The absolute difference d of two hash values is calculated as The mean, mean/character, minimum, and maximum of d are presented in Table 6. It is clear that the values of mean/character are close to the expected ones as observed from the obtained results, evaluated by Equation (24) that are equal to 85.33 for 256-bit hash value length (L = 256) and equal to 170.66 for 512-bit hash value length [54]:

Hash Value Distribution
Theoretically, the hash value h, produced by a hash function H, should be uniformly distributed in the entire output range. For this purpose, we execute the following test for a given message M as: "With the wide application of Internet and computer technique, information security becomes more and more important. As we know, hash function is one of the cores of cryptography and plays an important role in information security. Hash function takes a message as input and produces an output referred to as a hash value. A hash value serves as a compact representative image (sometimes called digital fingerprint) of input string and can be used for data integrity in conjunction with digital signature schemes." The hash value h is computed using Structures 1 and 2 with the 256-bit and 512-bit hash value lengths. In Figure 11, we exhibit the ASCII values of the message M (Figure 11a), and its hexadecimal hash value h (Figure 11b) according to their index of positions.
As predicted, the distribution of the original message is located around a small area, while the distribution of hexadecimal hash value looks like a mess. The distribution of the hash value h (Figure 11d) is also verified, even under the worst case of zero input message (Figure 11c). Similar results are obtained for the two proposed structures with their two variant hash output lengths.

Sensitivity of Hash Value h to the Input Message M
A hash function H is very sensitive to an input message M. It means that a small change in its input will generate a totally different hash value h i . To this end, for a given secret key K, the hash value h i in hexadecimal, the number of changed bits B i (h, h i ), and the sensitivity of the hash value h to the original message M are measured by Hamming Distance HD i (h, h i )(%) for the two proposed structures with their two variants of hash value lengths of 256 and 512 bits as and The different message variants are obtained under the following six conditions:

Condition 1:
The input message M is the one given in Section 4.2.2. Condition 2: The first character W in the input message is changed to X. Condition 3: The word With in the input message is changed to Without. Condition 4: The dot at the end of the input message is changed to the comma. Condition 5: A blank space at the end of the input message is added. Condition 6: We exchange the first block M 1 "With the wide application of Internet and computer technique, information security becomes more and more important. As we know, hash function is one of the cores of cryptography and plays an important role in information security. Hash function takes a mes," with the second block M 2 "sage as input and produces an output referred to as a hash value. A hash value serves as a compact representative image (sometimes called digital fingerprint) of input string and can be used for data integrity in conjunction with digital signature schemes." With each condition, Table 7 shows the obtained results of h i , B i , and HD i (%) for the 256-bit hash value. Similar results are obtained for |h| = 512 bits. In Table 8, the obtained results for the two structures with their two lengths of 256 and 512 bits are compared. All the results are close to the expected values (B i = 128 bits for the 256-bit hash value length, B i = 256 for the 512-bit hash value length, and HD i = 50% for all proposed structures), demonstrating the high sensitivity to the input message M for the two proposed structures.

Sensitivity of Hash Value h to the Secret Key K
A hash function H is highly sensitive to the secret key K when a slight change in K produces a completely different hash value h i . Here, for the previous message M with each of the five following conditions and for the two proposed structures with their two variants of hash value length 256 and 512 bits, we calculate the hash value h i (hexadecimal), the number of changed bits B i (h, h i ) (bits), and the sensitivity of the hash value h to the secret key K measured by Hamming Distance HD i (h, h i )(%): Condition 1: The original secret key K is used. In each of these conditions, we flip the LSB in the aforementioned parameters and initial conditions. Condition 2: The initial condition KSs(0) in the secret key is changed. Condition 3: The parameter Ks in the secret key is changed. Condition 4: The initial condition KSs(−1) in the secret key is changed. Condition 5: The control parameter Q1 in the secret key is changed. Table 9 presents the obtained results of h i , B i , and HD i (%) for 256-bit hash value length. Comparable results are obtained for |h| = 512 bits. We compare the results of the two proposed structures for two lengths of 256 and 512 bits in Table 10. All results obtained are close to the expected values (B i = 128 bits for the 256-bit hash value length, B i = 256 for the 512-bit hash value length, and HD i = 50% for all proposed structures), demonstrating the high sensitivity to the secret key K of the two proposed structures.

Statistical Analysis of the Diffusion Effect
We obtain the optimal value of diffusion effect when flipping any bit in the input message M that causes a change of each output bit (binary format) in the hash value h with a probability of 50% [55]. This is often mentioned as the Strict Avalanche Criterion (SAC) in literature [56].
To quantify the performance of Structures 1 and 2 with their variants of hash output lengths of 256 and 512 bits, we execute the following diffusion test.
First, the hash value h for the previous message M is generated. Next, a new hash value h' for the same message M with one randomly changed bit is produced. Then, the number of bits changed B i between the two obtained hash values h and h' is calculated. This experiment is repeated J times, with J = 512, 1024, and 2048. Finally, we compute the six following statistical tests as below: 1. Minimum number of bits changed: . . ,J ) bits 2. Maximum number of bits changed: . . ,J ) bits 3. Mean number of bits changed: Mean changed probability (mean of HD i (%)): P = (B u ) × 100 % 5. Standard variance of the changed bit number: 2 6. Standard variance of the changed probability: The obtained results given in Table 11 with 2048 tests demonstrate that the diffusion effect is close to the expected results (B = 128 bits for the 256-bit hash value length,B = 256 for the 512-bit hash value length, and P = 50% for all proposed structures). In addition, it is noted that the diffusion is extremely stable for whatever the hash value length |h| in both Structure 1 and 2 because both the mean of number of changed bitsB and the mean of changed probability P are very close to the ideal values, while ∆B and ∆P are very small. For different number of tests (J = 512, 1024, and so on), similar results are obtained for the two proposed structures with their different hash value lengths (256 and 512 bits).
In addition, the histograms of B i as seen in Figures 12 and 13 of Structure 1 illustrate that the values of B i are centered on the ideal values 128 and 256 bits for u = 256 and 512 bits, respectively. We obtain similar results for Structure 2.

Cryptanalysis
In the literature, there exist known attacks, which can be applied to the two categories of hash functions, unkeyed or keyed. In [24], Bertoni et al. demonstrate the dependency of these known attacks on the hash value length u for the unkeyed hash function with the secret key length |K| and for the keyed hash function with the hash value length u. Normally, if an attacker comprises the secret key K, then the system is completely compromised during the key life time [57]. In the following, the robustness of the proposed two structures, Structures 1 and 2, against these known attacks is demonstrated.

Brute Force Attacks
The brute force attacks can be carried out on the secret key K (namely, exhaustive key search attack) and on the hash value h. We order the attacks on the hash value h from the easiest one to the hardest one: With this kind of attack, the attacker needs 2 |K|−1 = 2 159 tries for the two proposed hash functions. Thus, this attack is ineffective.
Collision Resistance Attack (Birthday Attack) [59]: With this kind of attack, the attacker tries to find two different messages (M, M ), which the proposed hash functions produce the same hash value h. To break the collision resistance property, the smaller workload expected by the attacker is approximately equal to 2 u/2 .

Preimage and Second Preimage Attacks [60]:
With the Preimage attack, the attacker tries to find the original message M for a known value h such that H(M) = h. In the Second preimage attack, knowing the hash value h for a given input message M, the attacker tries to find another message M that produces the same hash value h. With these two types of attacks, the smaller expected workload required by the attacker to break the collision resistance property is approximately 2 u .
In conclusion, to realize the attack on the hash value h for the two proposed structures with the minimum length (u = 256 bits), the minimum workload required by the attacker is 2 128 attempts, which is infeasible.

Cryptanalytic Attacks
With these kinds of attacks, the attacker tries to find specific weaknesses in the structure of a hash function, and performs on it some attacks, and it is expected that the amount of effort less than that with the brute force attack. In the next paragraphs, the two most common cryptanalytic attacks in the literature against the proposed hash functions are considered such that: In the two proposed hash functions, the secret key K is used as an input for the CS to produce the necessary supplies to the CNN, and is not prepended to the message M. Then, this type of attack cannot be conducted.

Meet-in-the-Middle Preimage Attack [62]:
The Meet-in-the-middle (MITM) attack is a generic cryptanalytic approach that is originally applied to the cryptographic systems based on block ciphers (chosen-plaintext attack). In 2008, Aoki and Sasaki [62] noticed that the MITM attack could be applied to hash functions, to find collision, preimage, or second preimage for intermediate hash chaining values instead of the final hash value h. This attack has successfully broken several hash function designs. As our hash functions are preimage resistant, the minimum effort (with u = 256 bits) to succeed the MITM attack with probability 0.632 is 2 u/2 = 2 128 tries.

Computing and Complexity Analysis
Here, the computing performance and the computational complexity of the two proposed structures are analyzed. Firstly, the computing performance of the two proposed structures with their hash value lengths of 256 and 512 bits for different message lengths is estimated. Then, the average hashing throughput HTH [MBytes/second] and the needed number of cycles to hash one Byte NCpB [cycles/byte] are calculated by Equations (27) and (28) where HT [second] is the average hashing time. The calculation is done in C code, running an Ubuntu Linux 14.04.1 (64-bit) operating system and using a computer with a 2.9 GHZ Intel core i7-4910MQ CPU and with 4 GB of RAM. In Tables 12 and 13, the average HT, the average HTH, and the average NCpB for the two proposed structures with their two hash value lengths of 256 and 512 bits are given. When the overhead related to the structures becomes negligible (from 10,000 data bytes and more), we observe that for any length of the hash values (256 or 512 bits), the hash throughput HTH of Structure 2 is just over twice that compared to Structure 1. In addition, we observe that, with any proposed structure, the hash throughput HTH with |h| equal to 256 bits (r = 1088 bits and c = 512 bits) is approximately twice the value with |h| equal to 512 bits (r = 576 bits and c = 1024 bits). Indeed, when r is increased, the hash time HT of the absorbing phase is decreased. Additionally, the HTH for the two proposed structures with their different hash value lengths are shown in Figure 14.
In addition, the computational complexity of the proposed functions varies with the number of required instructions and the latency of executions of these instructions. The computational complexity can be estimated by the big-O notation, which excludes constants, coefficients, and lower order terms. Indeed, the complexity is represented as a function O(f (n)) that depends on the input size n. It should be noted that the complexity of a series of sentences is in the same order of the sum of the individual complexities. In addition, some practical rules are considered to calculate the complexity [63]  1. The hashing process starts by taking a block message with fixed length as input. 2. The message block is padded using a cryptographically secure padding scheme. 3. The padded message block is entered for a combination of operations with a key obtained from the output of the previous block. 4. The final hash block outputs a fixed length hash value having the same size as the input block.
In our proposed hash functions, the equations of the key generator, neural network layers, and nonlinear functions are realized by multiplication/division and addition/subtraction operations. In addition, for double nested operations are used. This means that the computational complexity of the two proposed hash functions is on the order of O(n 2 ) [64,65].

Performance Comparison with the Standards SHA3, SHA2, and with Other Chaos-Based Hash Functions
This section presents the comparison of the computing performance for our proposed hash functions with the standard hash functions SHA-3, SHA-2 and some chaos-based hash functions in the literature in terms of robustness and speed. To the best of our knowledge, there has not been any chaos-based hash function using Sponge construction in the literature.
In Tables 14-18, we compare the obtained statistical results (collision resistance, diffusion, and message sensitivity) of our proposed chaos-based hash functions with the standard SHA-3 for |h| with the lengths of 256 and 512 bits, and with the standard SHA-2 and some other chaos-based hash functions in the literature for |h| equal to 256 bits. We can conclude that, after carefully analyzing the values in these tables, all of our obtained statistical results are close to those of the standard SHA-3 and of the other hash functions.
A comparison in terms of the needed number of cycles to hash one byte (NCpB) of the proposed chaos-based hash functions with the standard SHA-3 for 2048 tests and different data sizes is given in Table 19. We observe that globally the performance of the standard hash algorithm SHA-3 in terms of NCpB is better than that obtained by the proposed our hash functions. For example, for the long messages with length equal to 1 MB, the NCpB obtained by SHA-3 for both the hash length value, is seven times less than the NCpB of Structure 1, but it is only less than three times of the NCpB obtained by Structure 2 with n r = 8. However, we do our simulations in the sequential implementation without optimization. Thus, with a parallel implementation (with 50 output neurons at the input layer) using optimized calculation, the performance computing will be at least similar to that obtained on SHA-3 [66]. It can be even better than that of SHA-3 when using our proposed Structure 2 with n r = 8.
Finally, we give a comparison of NCpB of the proposed structures with 256-bit and 512-bit hash values with some chaos-based hash functions and with the standards SHA-2 and SHA-3 for one Mbits data size in Table 20. We observe that the obtained NCpB is better than the NCpB of the other cited works, except for that obtained in our previous work [47]. It is because the the structure of the Sponge construction is more complex than that of the Merkle-Dåmgard construction.

Conclusions and Future Work
In this paper, we have designed and realized the two proposed keyed CNN hash functions, conducted analysis of the computing performance, and performed security. These two structures are based on the Sponge construction and have two hash output lengths, i.e., 256 and 512 bits. The results of analysis in terms of cryptanalytical attacks and statistical analyses are similar to those obtained by the standard hash algorithm SHA-3. For the computing performance term, the results of our two proposed structures are less than the standard hash algorithm SHA-3 due to the sequential implementation. For a parallel implementation using 50 output neurons [66], the computing performance of Structure 2 with n r = 8 will be better than SHA-3. Then, the proposed keyed-Sponge CNN hash functions can be used in Digital Signature, Message Authentication, and Data Integrity applications.
Our future work will focus on the Extendable-Output Functions (XOFs), based on the keyed- Sponge CNN (CNN-SHAKE), where the proposed structures can produce hash outputs with variable length (as per user request). In addition, we will design and realize a new CNN structure based on the Duplex construction (CNN-DUPLEX) that will be useful for Authenticated Encryption with Associated Data (AEAD) applications.