Authenticated Encryption Based on Chaotic Neural Networks and Duplex Construction

In this paper, we propose, implement and analyze an Authenticated Encryption with Associated Data Scheme (AEADS) based on the Modified Duplex Construction (MDC) that contains a chaotic compression function (CCF) based on our chaotic neural network revised (CNNR). Unlike the standard duplex construction (SDC), in the MDC there are two phases: the initialization phase and the duplexing phase, each contain a CNNR formed by a neural network with single layer, and followed by a set of non-linear functions. The MDC is implemented with two variants of width, i.e., 512 and 1024 bits. We tested our proposed scheme against the different cryptanalytic attacks. In fact, we evaluated the key and the message sensitivity, the collision resistance analysis and the diffusion effect. Additionally, we tested our proposed AEADS using the different statistical tests such as NIST, Histogram, chi-square, entropy, and correlation analysis. The experimental results obtained on the security performance of the proposed AEADS system are notable and the proposed system can then be used to protect data and authenticate their sources.


Research Background
Authenticated encryption (AE) is a term used to describe encryption systems that simultaneously protect the confidentiality, integrity, and authenticity of the data transmitted over insecure channels. Many applications and protocols require these forms of security. However, so far, these properties have been designed separately [1][2][3].
The AE schemes are classified into three groups. The first group is a straightforward class called Encrypt-Then-MAC (ETM), which is designed and implemented by using both a hash function and a block cipher, e.g., the CBC-HMAC scheme [4] that is widespread used in IP security protocol suite IPSec and other applications [5]. The second group is composed of AE schemes based on block cipher, e.g., CCM, GCM, EAX, and OCB [6], and some of these schemes are even standardized or recommended by National Institute of Standards and Technology (NIST). The third group is the AE schemes based permutation [7], which were proposed and implemented with the appearance of Sponge functions, e.g., ASCON [8], PHOTON-Beetle [9], Oribatida [10], etc. The last type is a new research topic, and these three types of schemes exhibit some useful properties in terms of key agility, software efficiency and hardware implementation [11].
In 2011, Bertoni et al. [12] proposed an AE scheme called SpongeWrap which is based on the Duplex construction [13]. A Duplex construction is a Sponge function that allows the extraction of certain bits from the intermediate chaining variables for each block under processing (see Figure 1). It is claimed that the security level of the Duplex is equivalent to the Sponge's security [12]. With such a construction, many applications can be built, such as reseedable Pseudo Random bit sequence Generator (PRG) and efficient AE schemes, requiring only one call to the permutation function f per input block [14]. In fact, the Duplex construction is composed of two phases: the first one is the Initialization phase while the second one is the Duplexing phase. In the first phase, the Initial Value IV, set to 0, is composed of an outer part with the size equal to the bitrate r and an inner part with the size equal to the capacity c. The input message M of arbitrary length L is divided into blocks M i , (i ≥ 1), of maximum length equal to the maximum duplex rate ρ max [15]. The value of ρ max is given by: where |M i | is the length of the block message M i , (i ≥ 1), Pad is a function that pads each block message M i to obtain |M i | equal to r, and Pad[r](|M i |) = (r − |M i |)-bit padded to the message block M i . The padding scheme should be injective, reversible, and must ensure that the last block is non-zero [16]. Normally, the simplest padding sequence is equal to multiples of 10 or 10*. In case ρ max (Pad, r) is equal to r − 1, the |Pad[r](|M i |)| is equal to 1 [17,18].
In the second phase, each M i is padded using the function Pad and called one time. This ensures that every padded block is non-zero. Unlike the Sponge function, the Duplex construction takes an input string for each call, and returns an output string Z i of length u i that depends on all previous inputs [7].
Similar to the Sponge function, the Duplex construction can be converted to a cryptographic keyed hash algorithm by using one of the three methods shown in [19,20]

Research Significance
The specificity of our proposed AEADS system is in the use of a chaotic compression function instead of a permutation function. It is well known that non-linear dynamic discrete time systems (chaotic maps) can generate chaos and the attractor (signature) of each chaotic map is characterized by the presence of symmetrical patterns [21]. Two chaotic maps, namely the Skew-tent (ST) map and PWLCM map used in the proposed chaotic compression function, have symmetrical mapping related to their parameters. This paper is organized into the following sections: Section 2 provides a short description of mostly related works; in Section 3, we describe in details the proposed AEADS based on the MDS-CNNR structure that comes up to solve existing issues in most of the works completed in the literature. Section 4 presents and discusses the results with different security metrics. Section 5 analyzes the features of the AEAD schemes covered in this work and compares the performance with our proposed AEADS. Finally, Section 6 concludes this work and suggests future research directions.

Related Works
Many methods exist to construct different kinds of AE schemes [22]. The simple method is to immediately use the AE modes already existed, recommended and standardized by NIST. A more complicated way that forms a challenging way is to design a completely new AE mode. Note that in the third round of the CAESAR competition, most candidates proposed, designed, and implemented new AE modes. In fact, Berton et al. designed in 2016 a new AE mode adopted by the Ketje scheme, an authenticated encryption scheme based on Keccak-p, called MonkeyWrap [23]. Actually, it is very similar to the SpongeWrap method proposed by Bertoni et al. in 2011 [7]. The major difference between these two schemes is that MonkeyWrap adopts, during its whole process lifecycle, MonkeyDuplex permutations. In fact, MonkeyWrap uses two mixing layers to obtain the ciphertexts; the first one is applied on the input data, while the second one is applied on the output data. Additionally, between these two mixing layers, MonkeyWrap XORs the message number with the internal data processed by the system. On the other hand, MonkeyWrap iterates the obtained message blocks several times in order to calculate the authenticated tag. Furthermore, Bertoni et al. [24] designed in 2015 another AE scheme based on a Sponge function, called Motorist, that was adopted by the Keyak scheme. First, it encrypts the message blocks and its number with a unique private vector in order to obtain the authenticated tag and the corresponding cipher blocks. Motorist applies the same procedure to all message blocks in parallel, and that is performed by supporting more than one duplex operation at the same time. In 2016, Jean et al. designed an AE scheme, called Deoxys, based on Deoxys-BC [25]. Deoxys is an efficient scheme for small messages (few dozen bytes), which is essentially important for various lightweight applications [26]. In this proposed scheme, Jean et al. combines the inputs of authenticated ciphers to obtain the authenticated tags and ciphertexts. Additionally, with the same techniques as the Advanced Encryption Standard algorithm, it can resist side-channel attacks [27].
Moreover, Dobraunig et al. [8] proposed in 2016 an AE scheme, intuitively defined on words with 64-bit length, called Ascon. The words used in this scheme are only composed from the bitwise Boolean functions like OR, AND, XOR, ROT, and NOT [28]. The permutation of Ascon scheme is similar to this used in MonkeyDuplex construction. The authenticated tag and ciphertexts are produced after processing input data including the nonce, secret key, AD, and message blocks. For both software and hardware implementation, Ascon provides, in terms of speed and size, lightweight characteristics and has also good performance on both implementation. Hence, it is highly recommended in the Internet of Things (IoT) use case, where various lightweight computing devices communicate with a back-end server using different protocols. In 2019, Bao et al. [9] designed an authenticated encryption and hash family called PHOTON-Beetle, that adopts the Sponge-based construction mode Beetle with permutation value equal to P 256 (it is also used for the PHOTON hash [29]). In fact, PHOTON-Beetle can be categorized into two classes based on its functionalities: PHOTON-Beetle-AEAD which is a family of authenticated encryption, and PHOTON-Beetle-Hash which is a family of hash functions. These two families are parameterized by the rate of message absorption r. The main innovation behind Beetle Sponge mode is the combination of two values, i.e., the ciphertext block and the feedback of the permutation output, to generate the next permutation input. Bhattacharjee et al. proposed Oribatida, a family of lightweight AE schemes, where its design is based on the known duplex construction mode [10]. At its core, Oribatida, a variant of the MonkeyWrap AE mode, extended by a ciphertext masking that boosts the security, inherits the minimal security guarantees of the well-known duplex construction mode. Moreover, all members of this proposed family are expected to provide 128-bit security for hashing and encryption.

Description of the Proposed AEADS Based on the Keyed MDS-CNNR Structure
The architecture of the proposed AEADS based on the Keyed MDS-CNNR structure is composed of two phases: Initialization phase and Duplexing phase (see Figure 2).  The initialization phase uses the Initial Value IV of b-bit length to set the value of h 0 . Additionally, the secret key of 160-bit length is used to supply the Chaotic System (CS), KM 0 = K, formed by a recursive cell of order one which contains a discrete Skew tent map [30].

Message
Then, the Chaotic compression function C f 0 , composed CS and Chaotic Neural Network (CNN), takes KM 0 and h 0 to produce the first chaining variable HM 0 of b-bit length.
For this phase, we define the function CNND.initialize() for our proposed CNN-Duplex construction. This function is explained by Algorithm 1.

Algorithm 1 The initialization function
Where CNND is a CNN-Duplex object of the CNNDuplex[Cf, Pad, r] function. Notice that for the input data of the other cells, we choose two values of the bitrate r and the capacity c: the first choice is r = 256 bits and c = 256 bits (b = 512 bits = 64 bytes), and the second choice is r = 512 bits and c = 512 bits (b = 1024 bits = 128 bytes).
The duplexing phase takes an input string S and returns an output of b bits. In Algorithm 2, we define the CNND.duplexing() function for our proposed CNN-Duplex construction.

Algorithm 2 The duplexing function
Where, l is the length of input string S; bf is the bit-frame equal to 0 or 1; and the input string S of (r-2)-bit length can be AD, M, or 0. Notice that the length of the last block can be arbitrary. Additionally, the calls where S is an empty string are referred to as blank calls, while the calls with b = 0 are referred to as mute calls.
In this phase, the sub-keys of the CS of size |KM| = 128 bits are extracted from the intermediate chaining variable HM of size |HM| = b bits (KM = LSB(HM)). These HM are XORed with (S||b f ||Pad[r](|S||b f |)||0 b−r ) to produce the input h of b-bit length used by the CNN function. The output of CS supplies the parameters of CNN.
The authenticated encryption with associated data function CNNDuplex-AEAD takes the following elements as inputs: 1. An Initial Value IV, and a secret key K; 2. An Associated Data (AD) that will be authenticated but not encrypted; 3. A message M that will be both authenticated and encrypted.
In general, the Associated Data AD and the message M, when they are available, are divided into multiple blocks AD i , (i = 1, . . . , I) and M j , (j = 1, . . . , J), respectively. It must be noted that the blocks of AD (AD i ; i = 1, . . . , I) are concatenated by a bf equal to 1, except for the last block, wherein its bf is equal to 0. Moreover, the blocks of M (M j ; j = 1, . . . , J) are concatenated by a bf equal to 0, except for the last block, wherein its bf is equal to 1. The bit-frame bf is used for two goals: first, to ensure that both the generated key stream and the obtained authentication tag blocks are in two separate domains; second, to assure that the AD and M input blocks can be recovered later from the input sequence of the duplex construction [12]. After the absorption of AD||b f , the scheme absorbs M||b f and, then generates the ciphertext C, block by block: C j = M j ⊕ HM |M j | of length |C j | = |M j |; and HM is the response of the CNND to the previous CNND.duplexing() call. If the needed authentication tag T's length (Tlen) is greater than r-2, then the duplexing phase enters in the tag generation phase, where all input strings are equal to 0. The obtained ciphertext C and the authentication tag T will be sent to the receiver.
For each CNNDAEAD.encrypt(AD, M, b) request, the latter transmits the blocks of the AD and the message M to the CNND.duplexing(S, b). A formal definition and description of CNNDuplex-AEAD encryption function is provided in Algorithm 3.

Algorithm 3 The Authenticated Encryption function
This algorithm treats AD, M, C instances equal to the empty string as a single (empty) block Where, CNNDAEAD is an instance of the authenticated encryption function CNNDuplex- The structure of the decryption process is shown in Figure 3. It takes the following elements as inputs: 1. The same Initial Value IV and the same secret key K taken from the encryption process; 2. The same Associated Data AD used in the encryption process; 3. The ciphertext C to be decrypted; 4. The authentication tag T used to check the integrity of the Associated Data AD and the authenticity of the message M.
As observed from Figure 3, the decryption process is similar to the encryption process by exchanging message M j , (j = 1, . . . , J) and ciphertext C j , (j = 1, . . . , J) blocks. This means that M j = C j ⊕ HM |C j | , where HM is the response of CNND to the previous CNND.duplexing() call. If the calculated tag T is equal to the received authentication tag T, then the original message M is delivered. Otherwise, an Error message is delivered.
For each CNNDAEAD.decrypt(AD, C, T) request, the latter transmits the blocks of the AD and the retrieved message M from C to CNND.duplexing(S, b). A formal definition and description of the CNNDuplex-AEAD decryption process is provided in Algorithm 4.

Algorithm 4 The Authenticated Encryption function
This algorithm treats AD, M, C instances equal to the empty string as a single (empty) block Note that the AD plays the same role as the header of the message in all network applications [31]. The role of the IV is similar to that used in the stream cipher.
The structure of the proposed Chaotic function Cf is shown in Figure 4. It contains a CS and a single layer CNN, followed by a set of non-linear (NL) functions. The input layer of CNN is composed of four neurons. The activation function of each neuron is composed of the Discrete Skew Tent map (DSTmap) and the Discrete Piecewise Linear Chaotic map (DPWLCmap). The CS produces a Key Stream KS (all necessary samples) in order to supply the two layers, as represented in Equation (2): The size of KS is represented in the following equation: For the first choice (r = 256 bits, c = 256 bits), each input neuron has four input data and three 32-bit parameters BI k QI k,1 , and QI k,2 (see Figure 5). BI k is the bias of the neurons at the input layer while QI k,1 and QI k,2 are the control parameters for the activation function of DSTmap and DPWLCmap, respectively. Indeed, for this case, the necessary sizes of 32-bit parameters are calculated as follows: |QI| = 8 samples, |BI| = 4 samples, |W I| = 16 samples, |WO| = 4 samples, and so the total size of |KS| is equal to 32 samples. For the second choice (r = 512 bits, c = 512 bits), each input neuron has eight input data and three 32-bit parameters BI k , QI k,1 , and QI k,2 (see Figure 6). Indeed, for this case, the necessary sizes of 32-bit parameters are calculated as follow: |QI| = 8 samples, |BI| = 4 samples, |W I| = 32 samples, |WO| = 4 samples, and so the total size of |KS| is equal to 48 samples.

KM0
Secret key For the first choice, each h S , (S = AD, M, T) at the input layer is formed by P j , (j = 4k, . . . , 4k + 3). The first two input blocks P j , (j = 4k, 4k + 1), weighted by the appropriate input weights W I j , (j = 4k, 4k + 1), are both added with the input bias BI k (weighted by 1) to construct the input of the first DSTmap function. The second two input blocks P j , (j = 4k + 2, 4k + 3), weighted by the appropriate input weights W I j , (j = 4k + 2, 4k + 3), are both added with the same input bias BI k to construct the input of the second DPWLCmap function.
For the second choice, each h S , (S = AD, M, T) at the input layer is formed by P j , (j = 8k, . . . , 8k + 7). The first four input blocks P j , (j = 8k, . . . , 8k + 3), weighted by the appropriate input weights W I j , (j = 8k, . . . , 8k + 3), are all added with the input bias BI k (weighted by 1) to construct the input of the first DSTmap function. The second four input blocks P j , (j = 8k + 4, . . . , 8k + 7), weighted by the appropriate input weights W I j , (j = 8k + 4, . . . , 8k + 7), are all added with the same input bias BI k to construct the input of the second DPWLCmap function. All inputs P j are 32-bit samples (integer values), and the all input biases BI k are necessary in case having a null input message. The DSTmap and the DPWLCmap are represented by Equations (4) and (5), respectively.
where, N is the finite precision equal to 32 bits length; and Q1 represents the control parameter of the DSTmap. KSs(n) and KSs(n-1) are the outputs of DSTmap at the nth and (n − 1)th iterations, respectively. Q1, KSs(n), and KSs(n-1) range between 1 and 2 N − 1.
where Q2 represents the control parameter of the DPWLCmap. KSp(n) and KSp(n − 1) are the outputs of DPWLCmap at the nth and (n − 1)th iterations, respectively. Q2, KSp(n), and KSp(n − 1), and range between 1 to 2 N−1 . After computing, both outputs of the chosen chaotic maps DSTmap and DPWLCmap are combined together using XOR operation to calculate the outputs of neurons denoted by the parameter C k , (k = 0, . . . , 3), which is given by Equation (6) for the first choice, and by Equation (7) for the second choice.
In the proposed AEADS, and in order to calculate the b-bit intermediate hash values, we first iterate the output layer n r times, with n r = 1, 8, 24, according to the required security level and speed. Then, with the chosen value of n r , we iterate again the output layer twice for the first choice (r = 256 bits, c = 256 bits) and four times for the second choice (r = 512 bits, c = 512 bits) to obtain the intended b-bit intermediate hash values.

Performance Analysis of the Proposed AEADS
In this section, we will first assess the security of the proposed AEADS against known cryptanalytic attacks. After that, we calculate some statistical tests [32].

Cryptanalytic Analysis
This section examines the security of all components of the proposed AEADS. Indeed, we calculate the key space and we test the key sensitivity, the message sensitivity, the collision resistance, the diffusion effect in order to confirm the resilience of the proposed AEADS against most cryptanalytic attacks.

Key Space
The length of secret key K, composed by all parameters of the system and by all initial conditions, is equal to 160 bits. It means that the brute force attack of the proposed AEADS is impracticable.

Key Security and Sensitivity
An AEADS must be very sensitive to one bit change on the used key K. This property is important in order to test the resistance of the proposed algorithm against many different attacks [33]. Consequently, it is necessary to test the sensitivity of generated ciphertexts and obtained hash values when a slight change in the secret K occurred. Indeed, it is impossible from the generated sequences to calculate the secret key K due to the structure of the chaotic generator [34]. Therefore, to check the key sensitivity of ciphertexts, we calculate the following three parameters: Number of Pixel Change Rate (NPCR), Unified Average Changing Intensity (UACI), and Hamming Distance (HD) . The two parameters NPCR and UACI are introduced by Biham et al. [35] and are given by the following equations: where In Equations (10)-(12), the three variables i, j, and p represent the row, column, and plane indexes of the image, respectively. Additionally, the three values L, C, and P are, the length, width, and plane sizes of the image, respectively. Indeed, the two optimal values of NPCR and UACI are equal to 99.61% and 33.46%, respectively [36]. The parameters (NPCR, UACI) are necessary to ensure that the proposed AEADS is resistant against the key sensitivity attack but insufficient condition. For this reason, we calculate the Hamming Distance (HD) measure [37]. This measure is represented by the following equation: where |Ib| = L × C × P × 8 (in bits) is the length of the image. The optimal HD value is equal to 50%. So, a good AEADS must produce an HD value very close to 50% [38]. Table 1 shows that the values of three parameters NPCR, UACI, and HD of the proposed AEADS are very close to the optimal values. As a result, a very high resistance to different attacks is achieved. On the other hand, to check the key sensitivity of the authentication tag T with respect to the secret key K, we compute the authentication tags T i (in hexadecimal format), the number of changed bits B i (T, T i ) (bits), and the Hamming Distance HD i (T, T i )(%), for the following input message M "With the wide application of Internet and computer technique, information security becomes more and more important. As we know, hash function is one of the cores of cryptography and plays an important role in information security. Hash function takes a message as input and produces an output referred to as a hash value. A hash value serves as a compact representative image (sometimes called digital fingerprint) of input string and can be used for data integrity in conjunction with digital signature schemes." and under each of the five following conditions: Condition 1: We use the original secret key K.
In each of the following conditions, we flip the Least Significant Bit (LSB) in the above-mentioned initial conditions and parameters: Condition 2: We change the value of initial condition KSs(0) in the secret key K. Condition 3: We change the value of parameter Ks in the secret key K. Condition 4: We change the value of initial condition KSs(−1) in the secret key K. Condition 5: We change the value of control parameter Q1 in the secret key K.
We represent the results obtained, under each condition, of T i , B i , and HD i (%) for the two width values (b = 64 bytes and 128 bytes) with 256-bit authentication tag length in Table 2. For the two width values, all results are very close to the expected theoretical values (B i = 128 bits, and HD i = 50%), demonstrating the high key sensitivity of the proposed AEADS. To check this property, we measure the ciphertext and the authenticated Tag (in hexadecimal format), the number of changed bits B i (T, T i ) (in bits), and the sensitivity of the ciphertext and the authenticated tag to the initial message M (in %) for a given secret key K, by using the Hamming Distance HD i (T, T i ) (in %) metric as follows: (14) and Under the following conditions, we obtain the different message variants used for testing: Condition 1: The initial message M is the one used in Section 4.1.2. Condition 2: We change the first character "W" to "X" in the input message. Condition 3: We change the word "With" to "Without" in the input message. Condition 4: We change the dot (".") to comma (",") at the end of the input message. Condition 5: We add a "blank space" at the end of the input message. Condition 6: We swap the first block M 1 of the input message "With the wide application of Internet and computer technique, information security becomes more and more important. As we know, hash function is one of the cores of cryptography and plays an important role in information security. Hash function takes a mes," With the second block M 2 of the same input message "sage as input and produces an output referred to as a hash value. A hash value serves as a compact representative image (sometimes called digital fingerprint) of input string and can be used for data integrity in conjunction with digital signature schemes." Under each condition, we show the results of T i (in hexadecimal format), B i (in bits), and HD i (in percentage) obtained for the two width values (b = 64 bytes and 128 bytes) with T = 256 bits in Table 3. For the two width values, all results are very close to the expected theoretical values (B i = 128 bits, and HD i = 50%), demonstrating the high message sensitivity of the proposed AEADS.

Collision Resistance Analysis
In the cryptography field, collision resistance is a very important property of cryptographic hash functions. This statistical analysis evaluates the collision resistance property quantitatively [39]. To do this test, we calculate the number of hits ω as defined in Equation (16), given the authentication tag T = {c 1 , c 2 , . . . , c s } of a random input message M (in the ASCII format), and its corresponding authentication tag T = {c 1 , c 2 , . . . , c s } generated after flipping only one bit of the same input message M.
where the function f is represented as follow: Note that, the value of s is equal to u 8 , and the function D(.) converts the hexadecimal inputs to their equivalent decimal values. In theory, the relation between a number of hits ω = 0, 1, 2, . . . , s and a number of independent experiments J, as mentioned in [40], is represented by the following equation: In fact, the theoretical values of W J (ω), calculated according to Equation (18), are represented in Table 4. For the two choices of width b, the results obtained are given in Table 5. In fact, we obtain comparable results as expected. Then, the absolute difference d of the two authentication tags is defined as follow: The minimum, maximum, mean, and mean/character of d for the two lengths of b with J = 2048 tests are presented in Table 6. As observed from the obtained results, it is clear that the values of mean/character are very close to the expected ones that is equal to 85.33 for 256-bit authentication tag size (L = 256) [41]. Indeed, the expected value is evaluated by the following equation: The optimal value of the diffusion effect (mentioned also as the Strict Avalanche Criterion (SAC) in literature [42]) is obtained when swapping any bit in the original input message M that causes a variation in each output bit in the authenticated tag T with a probability equal to 50% [43]. To check the performance of the proposed AEADS, the next diffusion test is executed. First, the authentication tag T for the previous input message M is produced. Then, a new authentication tag T for the same input message M with one changed bit at random is generated. Next, the B i between the two obtained authentication tags T and T is computed. This test is repeated J times, with J equal to 512, 1024, and 2048 tests. At the end, we calculate the six statistical tests represented below:  Table 7 with J equal to 2048 tests demonstrate that the diffusion effect values, for the 256-bit authentication tag length, are very close to the expected results (B = 128 bits, and P = 50% for the proposed AEADS). Additionally, it is noted that bothB and P are very close to the ideal values, while ∆B and ∆P are very small, which means that the diffusion effect is highly stable.

Statistical Tests
As it is difficult to provide mathematical proof for cryptographic algorithms, the proposed AEADS is evaluated mainly using statistical tests. Consequently, we applied NIST test, histogram, chi-square, entropy, and correlation analysis.

NIST Test
Indeed, the NIST statistical test is used to evaluate the performance of the ciphertext generated, and is also considered one of the most popular standards that is used for investigating the randomness of binary data [44]. The NIST test is applied to many ciphertexts, and all the NIST values obtained are good NIST results (as expected), which means that the ciphertexts have a very high randomness. In fact, we present in Figure 8 one of the results obtained after applying the NIST statistical package.

Histogram and Chi-Square Analysis
An AEAD algorithm is considered to be very strong against different statistical attacks, if the histogram of the ciphertext is uniformly distributed. In fact, the uniformity test is essential for vision, but it is not sufficient. For this reason, we apply the chi-square test (defined by the Equation (21)) in order to confirm the uniformity of the histogram statistically: where the number of levels Nb is equal to 256 in this case, o i is the observed occurrence frequency of each color level (from 0 to 255) on the histogram of the encrypted image, and e i is the expected occurrence frequency of the uniform distribution, given in this case by the following equation: For a secure AEADS, the theoretical chi-square value, which is equal to 293 in the case of α = 0.05 and Nb = 256, must be more than the experimental chi-square one. In fact, the histograms os the plain/cipher images for Lena, Boat and Camera man (C-man) images, having a length equal to 512x512x3, are given in Figures 9-11. As we can see from the figures, the histograms of the ciphered images appear to be uniform. Additionally, in order to verify the uniformity, the chi-square test with number of classes equal to 256 and α = 0.05, is performed (see Table 8). As a result, the theoretical value are larger than the experimental one, which means that the histograms have a uniform distribution.

Entropy Analysis
The random behavior of the encrypted image can be quantitatively measured by the entropy information given by Shannon [45]: where H(C) is the entropy value of the ciphered image, and P(c i ) (c i = 0, 1, . . . , 255) is the probability of each gray level appearance. Note that, the entropy has maximum value equal to 8 in the case of equal probability levels. On the other hand, the encryption algorithm is more robust when the experimental entropy value is closer to the maximum value. In Table 9, we give the results received from the entropy test applied on the plain and ciphered images. From this table, it is clear that the obtained entropy values of encrypted images are very close to the optimal value, which means that the proposed AEADS has high levels of resilience.

Correlation Analysis
The correlation analysis is one of the statistical tests that are used to test the immunity of the cryptosystem against cryptanalysis. The attacker must not have any partial information on the original plain image or any information of the used secret key. This means that, the ciphered image should be extremely different from its original version. This property can be measured by correlation analysis. Indeed, it is well-known that neighboring pixels are very correlated and redundant in the plain images. Thus, the correlation and the redundancy of the neighboring pixels should be as low as possible in the ciphered images. In order to calculate the correlation coefficient, we use the following four equations [46]: where cov(x, y) In the equations before, x i and y i are the values of the two neighboring pixels in the encrypted image or the corresponding plain image. To test the security of our proposed AEADS concerning this kind of attack, we first set the value of N to 10,000 pairs of neighboring pixels in horizontal, vertical, and diagonal directions from the plain image and its encrypted version. We show in Table 10 the correlation coefficients of two neighboring pixels in the plain and encrypted images. As we can see from this table, these results are very close to the optimal values.

Performance Comparison with Other AE Algorithms
This section presents the different characteristics of essential AEAD algorithms in the literature. Additionally, it provides a comparison for our proposed AEADS from a security aspect with the main three modes such as; GCM mode, CCM mode, and OCB mode. Table 11 summarizes the characteristics of the essential AEAD algorithms. In fact, the characteristics mentioned in this section are taken from the basic list of properties required for NIST proposal and extended by features, which varies across modes [47,48].  Table 12 presents the security comparison of the three essential AEAD modes with our proposed AEADS. It shows that our proposed AEADS, similarly to other three-modes, is secure against the chosen plaintext attack. Additionally, these mentioned modes use one block cipher key mechanism that requests for the memory resources to save the key. In addition to the CCM mode, the other three modes are parallelizable. Our proposed scheme can be also implemented in a parallel manner, which will be useful for scenarios having powerful nodes in the network, such as a multi-core base station processing many large packets resulting from data aggregation [49]. The authenticity of the ciphertext depends on the IV or the nonce in the three modes, while it depends on the IV and K for our proposed AEADS.

Security Comparison
Therefore, these values must be kept identical in encryption and decryption processes. For Message Length Requirements, our proposed AEADS, like the OCB mode, allows any bit string, it can be satisfied by different applications. The CCM mode requests the message length must be multiples of 16, it is certainly to restrict the range of application.

Conclusions and Future Work
In this paper, we have designed, realized, and evaluated the robustness of a new Authenticated Encryption with Associated Data Scheme (AEADS) using the Duplex construction based on Chaotic Neural Networks provided by a chaotic system. The proposed scheme is composed of both encryption and decryption processes. In the encryption process the inputs are composed of IV, K, AD, and M, while the outputs are C and T. These outputs, in addition to IV, K, and AD, form the inputs of the decryption process. Then, the initial message M is decrypted if the calculated tag T is equal to the received tag T. Otherwise, an error message is delivered. These two processes are realized for the two-width length 64 bytes and 128 bytes. On the other hand, we tested our proposed scheme against the different cryptanalytic attacks. In fact, we evaluated the key and the message sensitivity, the collision resistance analysis and the diffusion effect. Additionally, we tested AEADS using the different statistical tests such as NIST, histogram, chi-square, entropy and correlation analysis. All the results obtained demonstrate that the security of the proposed system, against a battery of cryptanalytic and statistic attacks, has been achieved. We conclude that the proposed scheme simultaneously ensures the confidentiality and integrity of data transmitted over unsecured channels and the authenticity of the data source. Our future work will focus on an FPGA-based implementation of the system, the evaluation of its hardware performance and the comparison of our AEADS with other authenticated encryption modes.