ISSN: 2641-3086

Review Article
Open Access Peer-Reviewed


A block cipher mode of operation is the construction that turns a block cipher into an encryption scheme for arbitrary-length data, and it is the object that determines whether privacy, authenticity, or both (authenticated encryption) are achieved [1,2]. Modes have been the subject of intensive research in recent years, and designing a mode that is both efficient and provably secure remains a hard problem. NIST's 2001 recommendation [3] standardized five confidentiality modes for block ciphers: Electronic Code Book (ECB), Cipher Block Chaining (*CBC*), Cipher Feedback (CFB), Output Feedback (OFB) and Counter mode (CTR).

Modes of operation have advanced considerably, driven by the need for secure and efficient encryption across settings ranging from conventional computers to the Internet of Things (IoT) and cloud computing [4]. ECB and *CBC* were the foundational modes; ECB's simplicity is offset by its vulnerability to pattern analysis, since identical plaintext blocks produce identical ciphertext blocks [5]. *CBC* mode improved on this by chaining each block to the previous ciphertext block through an *XOR*, at the price of careful management of initialization vectors (IVs), which must be unpredictable to prevent chosen-plaintext attacks [6]. *CTR* mode brought a paradigm shift: it turns the block cipher into a keystream generator whose blocks can be computed in parallel and in any order, at the price of a counter that must never repeat under the same key [7]. More recent research has concentrated on authenticated encryption modes such as GCM, which provide confidentiality and integrity in a single pass, in response to the demand for protection that covers both [8].

More recently the community has turned to lightweight cryptography for constrained IoT devices, and to schemes that can withstand the threat posed by quantum computers [9]. The push towards quantum-resistant algorithms reflects a proactive attitude to cryptanalysis, with an eye on both current and future threats [10]. At the same time, the pervasive integration of encryption into everyday technology requires modes that resist sophisticated attacks while adding minimal cost in performance and user experience [9]. Cryptographic research in this period is as much about adapting existing constructions to new demands as about inventing new ones [11].

Block cipher modes of operation have received much attention lately, and several further modes have been proposed and analyzed [12]. Among them, *CTR* mode is now the most widely used and has a number of advantages over the other modes. Several authenticated encryption modes are built on *CTR*: CCM (*Counter with CBC-MAC*) [13] was designed as a non-patented alternative to *OCB* [14]; *EAX* [15] uses *CTR* mode for confidentiality and the *OMAC* message authentication code for authenticity [16]; and *CWC* [17] combines *CTR* mode with a Carter-Wegman universal hash over the field of integers modulo $2^{127}-1$ for authentication [18]. Let $E$ be a block cipher with $l$-bit blocks, let $ctr$ be an $l$-bit counter, and let the message $m = (m_1, m_2, \ldots, m_n)$ be broken into $n$ blocks of $l$ bits. Then *CTR* mode computes, for $i = 1, \ldots, n$,

$c_i \leftarrow s_i \oplus m_i, \quad (1)$

$s_i \leftarrow E_k(ctr + i) \quad \text{for } i = 1, \ldots, n, \quad (2)$

$ctr \leftarrow ctr + n. \quad (3)$

The starting counter value is transmitted with the ciphertext $(c_1, \ldots, c_n)$. The keystream blocks $s_i$ depend only on the key and the counter, so they can be computed independently of the plaintext, in parallel and in any order.

Provable security is the standard goal for modes of operation. The first formal notions of security for (asymmetric) encryption, semantic security and polynomial security, were introduced by Goldwasser and Micali [19]. Their treatment is for the asymmetric setting, and they remark that the symmetric case can be handled similarly; the ingredient missing from that view is an explicit chosen-plaintext attack (*CPA*) model, which is essential in the symmetric setting because the adversary does not hold the encryption key and must be given an encryption oracle instead. Bellare et al. [20] gave four notions of security for symmetric encryption and analyzed the concrete security of several modes of operation under chosen-plaintext attack: *left-or-right* indistinguishability (*LR*), *real-or-random* indistinguishability (*RR*), *find-then-guess* security (*FTG*) and semantic security (*SEM*). The security of a mode such as ECB, *CBC*, OFB, CFB or Counter is quantified by an advantage function, which measures the maximum advantage an adversary with given resources can obtain in breaking the mode. Bounds on this function let cryptographers assess and compare the security of different modes: a tighter bound (a smaller advantage) means a stronger guarantee, since the adversary gains little from its attack. The assumptions about the adversary, such as its running time and the amount of plaintext it can have encrypted, are an essential part of the bound; typical restrictions limit the adversary's computation and the number and total length of its oracle queries. These assumptions and restrictions make up a realistic security model within which the cryptographic strength of different modes can be rigorously evaluated and compared.

Counter mode was first proposed by Diffie and Hellman [21] and was recommended to NIST for standardization by Lipmaa, Rogaway and Wagner [22]. *CTR* mode has significant efficiency advantages over the other modes recommended by NIST, and it also has better concrete security bounds [20]. Its perceived disadvantage is that security depends critically on the counter value never being reused under the same key: if a counter block is reused, the two keystream blocks are identical and the *XOR* of the corresponding plaintext blocks is exposed, so all confidentiality is lost for those blocks. Successive counter blocks are produced by a next-counter function, typically a plain integer increment, so $ctr$ and $ctr+1$ usually differ in only a few bits (a small Hamming distance). The next-counter function guarantees that the block cipher inputs are unique, but it provides no other security property. This does not matter when the underlying block cipher is assumed secure, as *AES* is [23,24], but it could matter if the block cipher has a weakness: the small Hamming distance between successive counter blocks $(ctr, ctr+1, \ldots, ctr+n)$ hands a differential cryptanalyst many known input pairs with a small, known difference, and the concern is that an attacker who observes enough keystream can exploit such pairs.

In this paper we refine *CTR* mode into the *Counter-Offset* mode (*CTR-Offset*), which is simple, fully parallelizable and efficient, at the cost of one extra block-cipher call per block compared with conventional privacy-only *CTR* mode. *CTR-Offset* is designed to resist differential cryptanalysis of the block cipher better than *CTR* mode while offering essentially the same concrete security. It does so by encrypting each counter value with the block cipher before it is used to generate the keystream, and *XOR*ing the result with the original counter value; the input to the keystream-producing encryption is therefore no longer a predictable serial value but a pseudorandom one. This two-step process, encrypt the counter and then *XOR*, removes the small-difference structure between successive block-cipher inputs that differential cryptanalysis exploits.

This paper introduces the Counter-Offset mode and analyzes its resistance to differential cryptanalysis relative to Counter mode. Section 1 has outlined the evolution and significance of block cipher modes. Section 2 covers the preliminaries and the concrete-security framework. Section 3 describes the Counter-Offset mode, its algorithm and its security rationale. Section 4 gives the concrete-security analysis and compares it with conventional Counter mode. Section 5 discusses performance and implementation considerations and suggests directions for future research.

In this section we recall the relevant definitions and their concrete-security analysis. Our treatment follows [20] (see also [1]), which defines the security notions for symmetric encryption and analyzes the concrete security of three modes of operation (*XOR*, *CTR* and *CBC*) under *CPA*. Here we consider only *LR* security under *CPA*, from which the other notions follow by the reductions given there. If adversary *A* is a probabilistic algorithm, $d \leftarrow A(m_1, m_2)$ denotes the experiment of running *A* on inputs $m_1, m_2$ and letting $d$ be its output.

The resources of adversary *A* are the parameters of concrete security. Let $t$ be the running time of *A*, $q_e$ the number of queries it makes to the encryption oracle, and $\mu_e$ the total length, in bits, of those queries.

**Definition:** Let $SE = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme and let $A_{cpa}$ be an adversary with access to the oracle $\mathcal{E}_k(LR(\cdot, \cdot, b))$, which on a query $(m_1, m_2)$ with $|m_1| = |m_2|$ returns $\mathcal{E}_k(m_1)$ if $b = 0$ and $\mathcal{E}_k(m_2)$ if $b = 1$. Consider the following experiment:

$\mathrm{Exp}^{LR\text{-}CPA\text{-}b}_{SE,\, A_{cpa}}: \quad (4)$

$k \stackrel{\$}{\leftarrow} \mathcal{K} \quad (5)$

$d \leftarrow A_{cpa}^{\mathcal{E}_k(LR(\cdot,\cdot,b))} \quad (6)$

The advantage of the adversary is

$\mathrm{Adv}^{LR\text{-}CPA}_{SE,\, A_{cpa}} = \Pr\left[\mathrm{Exp}^{LR\text{-}CPA\text{-}1}_{SE,\, A_{cpa}} = 1\right] - \Pr\left[\mathrm{Exp}^{LR\text{-}CPA\text{-}0}_{SE,\, A_{cpa}} = 1\right], \quad (7)$

and the advantage function of the scheme is the maximum over all adversaries that use at most the stated resources:

$\mathrm{Adv}^{LR\text{-}CPA}_{SE}(k, t, q_e, \mu_e) = \max_{A_{cpa}} \left\{ \mathrm{Adv}^{LR\text{-}CPA}_{SE,\, A_{cpa}} \right\}. \quad (8)$
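The experiment of (4)-(8) can be run as code. The following is an added example and not part of the paper: it models the block cipher $E_k$ as a PRF (HMAC-SHA256 truncated to a 128-bit block, the random-function model the analysis uses), defines two illustrative one-block schemes, and runs the classic two-query *LR-CPA* adversary against both. The deterministic scheme, which has the weakness ECB is criticized for in Section 1, loses with advantage 1; the counter-based scheme gives this adversary no advantage. The scheme classes, the adversary and the key sizes are assumptions of the example.

```python
"""LR-CPA experiment of eqs. (4)-(8), run as code.

Added example, not part of the paper. Assumption: the block cipher E_k is
modelled as a PRF using HMAC-SHA256 truncated to a 128-bit block, which is
the random-function model the paper's analysis uses; the two toy schemes
and the adversary are illustrative.
"""
import hashlib
import hmac
import secrets
from typing import Callable

BLOCK = 16  # l = L = 128 bits


def make_prf(key: bytes) -> Callable[[bytes], bytes]:
    """E_k: keyed PRF stand-in for the block cipher (assumption, see above)."""
    return lambda x: hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicScheme:
    """c = E_k(m) for a one-block message: no IV, so equal plaintexts give
    equal ciphertexts, the weakness of ECB described in Section 1."""

    def __init__(self, key: bytes) -> None:
        self.E = make_prf(key)

    def enc(self, m: bytes) -> bytes:
        return self.E(m)


class CtrScheme:
    """One-block stateful CTR: c = (ctr, E_k(ctr) xor m), with ctr incremented
    per query so the block-cipher input never repeats."""

    def __init__(self, key: bytes) -> None:
        self.E = make_prf(key)
        self.ctr = 0

    def enc(self, m: bytes) -> bytes:
        c = self.ctr.to_bytes(BLOCK, "big")
        self.ctr += 1
        return c + xor(self.E(c), m)


def lr_oracle(scheme, b: int) -> Callable[[bytes, bytes], bytes]:
    """E_k(LR(., ., b)): returns E_k(m1) if b = 0 and E_k(m2) if b = 1."""

    def LR(m1: bytes, m2: bytes) -> bytes:
        assert len(m1) == len(m2)
        return scheme.enc(m2 if b else m1)

    return LR


def adversary(LR: Callable[[bytes, bytes], bytes]) -> int:
    """Two-query adversary: ask for (X, Y) then (X, X). In the left world a
    deterministic scheme encrypts X twice and returns identical ciphertexts;
    in the right world it encrypts Y then X. Output 1 ("right") unless the
    two ciphertexts are identical."""
    X, Y = bytes(BLOCK), b"\xff" * BLOCK
    c1 = LR(X, Y)
    c2 = LR(X, X)
    return 0 if c1 == c2 else 1


def experiment(make_scheme, b: int) -> int:
    """Exp^{LR-CPA-b}: draw a random key, run the adversary, return d."""
    key = secrets.token_bytes(BLOCK)
    return adversary(lr_oracle(make_scheme(key), b))


def advantage(make_scheme, trials: int = 50) -> float:
    """Estimate Pr[Exp^1 = 1] - Pr[Exp^0 = 1] of eq. (7) for this adversary
    by repeating each experiment with fresh keys."""
    p1 = sum(experiment(make_scheme, 1) for _ in range(trials)) / trials
    p0 = sum(experiment(make_scheme, 0) for _ in range(trials)) / trials
    return p1 - p0


if __name__ == "__main__":
    print("deterministic scheme:", advantage(DeterministicScheme))  # 1.0
    print("CTR scheme:          ", advantage(CtrScheme))            # 0.0
```

The adversary is fixed and cheap ($q_e = 2$, $\mu_e = 2L$), so what the run measures is the advantage of one specific adversary, a lower bound on the advantage function (8) for those resources; the upper bounds in the rest of this section are what rules out every other adversary.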

We consider an encryption scheme good if the advantage of any reasonable adversary is close to zero, meaning that no such adversary does well in the experiment. The symmetric encryption schemes considered here are built from pseudorandom permutations (*PRP*) or pseudorandom functions (*PRF*). Let $\mathrm{perm}^l$ be the family of all permutations on $\{0,1\}^l$ and $\mathrm{rand}^{l \to L}$ the family of all functions $\{0,1\}^l \to \{0,1\}^L$. We do not define *PRP* and *PRF* here; for details see [25]. The concrete security of the *XOR*, *CTR* and *CBC* modes instantiated with a random function (*RF*), a random permutation (*RP*), a *PRF* or a *PRP* is summarized below. Let $F$ be a function family with key length $k$, input length $l$ and output length $L$; a member of the family is written $f = F_k$. The bounds that follow are taken from [20] and [26].

Let $SE = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the symmetric encryption scheme corresponding to *XOR* mode (*CTR* mode with a random, rather than counted, starting block for each message). The key generation algorithm $\mathcal{K}$ simply outputs a random key $k$ for the underlying *PRF* family $F$, which specifies the function $f = F_k$ from $l$ bits to $L$ bits.

**XOR lower bound (insecurity) using a RF:** Let $R = \mathrm{rand}^{l \to L}$ be a random function. Then, for any $t$, $q_e$ and $\mu_e$ within the parameter range stated in [20],

$\mathrm{Adv}^{LR\text{-}CPA}_{XOR[R]}(\cdot, t, q_e, \mu_e) \ge 0.316 \cdot \frac{\mu_e (q_e - 1)}{L \cdot 2^l}. \quad (9)$

**Proof:** Proposition 9 of [20].

**XOR upper bound using a RF:** Let $R = \mathrm{rand}^{l \to L}$ be a random function. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{XOR[R]}(\cdot, t, q_e, \mu_e) \le \frac{\mu_e (q_e - 1)}{L \cdot 2^l}. \quad (10)$

**Proof:** Lemma 10 of [20].

**XOR security using a PRF:** Let $F$ be a *PRF* family with $l$-bit inputs and $L$-bit outputs, and let $q' = \mu_e / L$ be the number of evaluations of $F$ the encryption oracle performs. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{XOR[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q') + \frac{\mu_e (q_e - 1)}{L \cdot 2^l}. \quad (11)$

**Proof:** Theorem 11 of [20].

*CTR* mode achieves better security than *XOR* mode: in the ideal (random function) case the adversary has no advantage at all.

Let $SE = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be the symmetric encryption scheme corresponding to *CTR* mode. The key generation algorithm $\mathcal{K}$ simply outputs a random key $k$ for the underlying *PRF* family $F$, which specifies the function $f = F_k$ from $l$ bits to $L$ bits.

**CTR security using a RF:** Let $R = \mathrm{rand}^{l \to L}$ be a random function. Then, for any $t$, $q_e$ and $\mu_e \le L 2^l$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR[R]}(\cdot, t, q_e, \mu_e) = 0. \quad (12)$

**Proof:** Lemma 12 of [20].

**CTR security using a PRF:** Let $F$ be a *PRF* family with $l$-bit input length and $L$-bit output length, and let $q'$ be the number of evaluations of $F$ the encryption oracle performs. Then, for any $t$, $q_e$ and $\mu_e \le \min(q' L, L 2^l)$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q'). \quad (13)$

**Proof:** Theorem 13 of [20].
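The factor 2 in (11) and (13), and in the *PRF*-based bounds that follow, comes from a hybrid argument that is worth writing out once, since the same step is reused for the *CTR-Offset* mode later in the paper. The derivation below is added here in the paper's notation and is not part of the original text. For a fixed adversary $A$, write $\Pr^F_b$ for the probability that $A$ outputs 1 in game $b$ when the mode is instantiated with $F_k$ under a random key, and $\Pr^R_b$ for the same probability when $F_k$ is replaced by a random function $R$. Then

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR[F],\, A} = \left(\Pr^F_1 - \Pr^R_1\right) + \left(\Pr^R_1 - \Pr^R_0\right) + \left(\Pr^R_0 - \Pr^F_0\right).$

The middle term is the advantage of $A$ against $CTR[R]$ and is bounded by $\mathrm{Adv}^{LR\text{-}CPA}_{CTR[R]}(\cdot, t, q_e, \mu_e)$. Each outer term is the advantage of a *PRF* distinguisher $D_b$ that runs $A$, answers each oracle query by running the mode in game $b$ with its own function oracle in place of $F_k$, and outputs what $A$ outputs ($D_0$ with its output complemented): $D_b$ runs in time about $t$ and makes $q' = \mu_e / L$ queries, so each outer term is at most $\mathrm{Adv}^{prf}_F(t, q')$. Hence

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q') + \mathrm{Adv}^{LR\text{-}CPA}_{CTR[R]}(\cdot, t, q_e, \mu_e),$

and (12) makes the last term vanish, which is (13). For a mode that evaluates $F$ twice per block the same argument applies with $q' = 2\mu_e / L$.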

*CBC* mode requires $l = L$ and each $F_k$ to be a permutation. Following [20], we first treat $F$ as a *PRF* family with $l = L$ and then consider the case where $F$ is a *PRP*.

**The concrete security of the CBC mode:**

Finally, we summarize the known bounds for *CBC* mode, first those of [20] and then the refinements of [26].

**CBC lower bound (insecurity) using a RP:** Let $RP = \mathrm{perm}^l$ be a random permutation. Then, for $q_e = \mu_e / l$ and $\mu_e \le l \cdot 2^{l/2}$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[RP]}(\cdot, t, q_e, \mu_e) \ge 0.316 \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l}. \quad (14)$

**Proof:** Proposition 15 of [20].

**CBC upper bound using a RF:** Let $R = \mathrm{rand}^{l \to L}$ be a random function. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[R]}(\cdot, t, q_e, \mu_e) \le \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l}. \quad (15)$

**Proof:** Lemma 16 of [20].

**CBC security using a PRP:** Let $F$ be a *PRP* family on $l$-bit blocks and let $q = \mu_e / l$ be the number of block-cipher evaluations. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prp}_F(t, q) + q^2 2^{-l-1} + \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l}. \quad (16)$

**Proof:** Theorem 17 of [20].

**CBC lower bound (insecurity) using a RF [26]:** Let $R = \mathrm{rand}^{l \to L}$ be a random function. Then, for any $t$, $q_e$ and $\mu_e$ within the parameter range stated in [26],

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[R]}(\cdot, t, q_e, \mu_e) \ge 0.316 \left(1 - \frac{2}{2^{l/2}}\right) \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l}. \quad (17)$

**CBC upper bound using a RP [26]:** Let $RP = \mathrm{perm}^l$ be a random permutation. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[RP]}(\cdot, t, q_e, \mu_e) \le \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l}. \quad (18)$

**CBC security using a PRF [26]:** Let $F$ be a *PRF* family with $l = L$ and let $q = \mu_e / l$. Then, for any $t$, $q_e$ and $\mu_e$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CBC[F]}(\cdot, t, q_e, \mu_e) \le 2 \left( \mathrm{Adv}^{prf}_F(t, q) + \left(\frac{\mu_e^2}{l^2} - \frac{\mu_e}{l}\right) \cdot \frac{1}{2^l} \right). \quad (19)$

From the above, *CTR* mode has the best security of the three modes when the underlying function is a random function: its inputs to $f$ are distinct counter values, so no collision among them is possible, the outputs are therefore independent and uniform, and the adversary gains nothing in the *LR* sense. In *XOR* mode, *CBC* mode and the other NIST-recommended modes, the inputs to the underlying function are random or data-dependent values that can collide, and the bounds above are exactly the cost of those collisions.

**The CTR-Offset mode:** *CTR-Offset* mode is a refinement of counter-based encryption intended to make the block cipher's inputs less useful to differential and linear cryptanalysis [27]. Its contribution lies in how it transforms the counter values before they are fed to the keystream-producing block-cipher call, so that the structure of those inputs does not expose a weakness of the cipher.

In conventional Counter (CTR) mode, the plaintext is combined with a keystream obtained by encrypting a sequence of counter values. The counters are normally incremented by one, so successive counter values differ in only a few bits (a small Hamming distance). This difference is systematic and predictable, and it is precisely the kind of chosen input difference that differential cryptanalysis uses, so it is a concern if the underlying block cipher is not robust against such attacks. Linear cryptanalysis likewise benefits from predictable relationships between block-cipher inputs, outputs and the key.

*CTR-Offset* mode injects unpredictability into the counter values before they are used to generate the keystream, as depicted in Figure 1. Each counter value is first encrypted, and the result is *XOR*ed with the counter itself to obtain an offset-modified counter; that value is encrypted once more to produce the keystream block.

The double encryption serves two purposes: it makes the inputs to the keystream-producing call pseudorandom, so an attacker cannot obtain input pairs with a chosen small difference, and it relies only on the block cipher itself rather than on any additional primitive. Keystream blocks remain independent of one another and of the plaintext, so the mode keeps *CTR*'s parallelism and random access while reducing the leverage differential and linear cryptanalysis have over the cipher.

**Encryption in CTR-Offset mode proceeds as follows:**

- A counter value (typically starting from an initial value and incrementing by one) is prepared for each block of plaintext.
- The counter value is encrypted with the block cipher $E_k$ to give a temporary value $z$.
- $z$ is *XOR*ed with the counter value to produce the offset-modified counter, which differs from the original counter in about half of its bits.
- The modified counter is encrypted again with the same block cipher and key, producing the keystream block.
- The keystream block is *XOR*ed with the plaintext block to produce the ciphertext block.

This is repeated for each block, with the counter incremented each time, as in the encryption algorithm.

Decryption reproduces the keystream by processing the same counter values through the same steps and *XOR*s each ciphertext block with the corresponding keystream block to recover the plaintext, as in the decryption algorithm. Because the transformation of the counter is deterministic, a reused counter value yields the same keystream block, so the requirement that counters never repeat under a key applies to *CTR-Offset* exactly as it does to *CTR*.
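The following is an added example, not the paper's code, that implements the *CTR* keystream of (1)-(3) beside the *CTR-Offset* keystream just described so the two can be compared directly. It assumes, as the paper's analysis does, that the block cipher $E_k$ behaves as a PRF; here $E_k$ is modelled by HMAC-SHA256 truncated to a 128-bit block, and AES-128 would be substituted in a real deployment. The key and plaintext are constructed test data. The block measures the Hamming distance between successive block-cipher inputs in each mode, and checks the caveat at the end of the previous paragraph: reusing a counter under one key leaks $m_1 \oplus m_2$ in *CTR-Offset* exactly as in *CTR*.

```python
"""CTR keystream of eqs. (1)-(3) beside the CTR-Offset keystream.

Added example, not the paper's code. Assumption: the block cipher E_k is
modelled as a PRF using HMAC-SHA256 truncated to a 128-bit block (the
random-function model of the analysis); for deployment substitute AES-128.
"""
import hashlib
import hmac
from typing import Callable, Tuple

BLOCK = 16  # l = L = 128 bits
Cipher = Callable[[bytes], bytes]
Keystream = Callable[[Cipher, int, int], bytes]


def make_prf(key: bytes) -> Cipher:
    """E_k: keyed PRF stand-in for the block cipher (assumption, see above)."""
    return lambda x: hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter_block(ctr: int, i: int) -> bytes:
    """The l-bit block-cipher input ctr + i, wrapping modulo 2^l."""
    return ((ctr + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")


def ctr_keystream(E: Cipher, ctr: int, i: int) -> bytes:
    """Plain CTR: s_i = E_k(ctr + i)."""
    return E(counter_block(ctr, i))


def offset_counter(E: Cipher, ctr: int, i: int) -> bytes:
    """Offset-modified counter: z = E_k(ctr + i), then z xor (ctr + i)."""
    c = counter_block(ctr, i)
    return xor(E(c), c)


def ctr_offset_keystream(E: Cipher, ctr: int, i: int) -> bytes:
    """CTR-Offset: s_i = E_k((ctr + i) xor E_k(ctr + i))."""
    return E(offset_counter(E, ctr, i))


def encrypt(E: Cipher, ctr: int, m: bytes, ks: Keystream) -> Tuple[bytes, int]:
    """c_i = s_i xor m_i for i = 1..n, returning (ciphertext, ctr + n).
    Decryption is the same call on the ciphertext with the same start ctr;
    a partial final block uses a truncated keystream block."""
    n = (len(m) + BLOCK - 1) // BLOCK
    out = bytearray()
    for i in range(1, n + 1):
        block = m[(i - 1) * BLOCK : i * BLOCK]
        out += xor(block, ks(E, ctr, i)[: len(block)])
    return bytes(out), ctr + n


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which a and b differ."""
    return sum(bin(v).count("1") for v in xor(a, b))


def reuse_leaks_xor(E: Cipher, ks: Keystream, ctr: int, m1: bytes, m2: bytes) -> bool:
    """Counter reuse under one key: c1 xor c2 == m1 xor m2 in both modes,
    because the keystream depends only on (key, counter)."""
    c1, _ = encrypt(E, ctr, m1, ks)
    c2, _ = encrypt(E, ctr, m2, ks)
    return xor(c1, c2) == xor(m1, m2)


if __name__ == "__main__":
    E = make_prf(b"\x2b" * BLOCK)  # constructed key
    msg = b"constructed plaintext spanning three blocks"  # 43 bytes, n = 3
    for name, ks in (("CTR", ctr_keystream), ("CTR-Offset", ctr_offset_keystream)):
        ct, next_ctr = encrypt(E, 0, msg, ks)
        assert encrypt(E, 0, ct, ks)[0] == msg and next_ctr == 3
        print(f"{name}: round trip ok, next ctr = {next_ctr}")
    # successive raw counters differ in 2 bits; offset-modified ones in about 64 of 128
    print("Hamming(ctr+1, ctr+2)         =", hamming(counter_block(0, 1), counter_block(0, 2)))
    print("Hamming(offset(1), offset(2)) =", hamming(offset_counter(E, 0, 1), offset_counter(E, 0, 2)))
    print("reuse leaks m1^m2 (CTR-Offset):", reuse_leaks_xor(E, ctr_offset_keystream, 7, b"A" * 16, b"B" * 16))
```

The two keystream functions differ only in the extra `E` call, which is where the doubling of block-cipher work comes from; both remain parallel over `i` because neither depends on the plaintext or on earlier blocks.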

By passing the counter through the block cipher before using it to derive the keystream, *CTR-Offset* removes the pattern that differential or linear cryptanalysis of the keystream-producing call would exploit: the inputs to that call are pseudorandom values with no fixed relationship to one another, so an attacker holding many plaintext/ciphertext pairs no longer obtains input pairs with a known small difference.

Using the same block cipher and key twice in the keystream derivation does not weaken the construction. The first call produces an intermediate value $z$ that is never output; *XOR*ing it with the counter yields a modified counter with no obvious relation to its original form, and the second call on that value produces the keystream block. Any structure in the original counter sequence is thereby hidden from the cipher invocation whose output reaches the attacker. The first call still receives the raw counter sequence, but its outputs are never exposed, so the attacker cannot observe output differences for those low-difference input pairs.

*CTR-Offset* mode is thus a conservative hardening of *CTR* mode. It preserves *CTR*'s operational advantages, parallel encryption and independence of blocks, while removing the low-Hamming-distance input structure, at the cost of two block-cipher calls per block instead of one. For environments where the underlying block cipher may have a weakness against differential or linear cryptanalysis it offers a margin of safety; with a strong cipher such as *AES* the benefit is defensive rather than strictly necessary.

We use the same notion of security as in the previous section. For the analysis we model the underlying block cipher as a random function (*RF*) rather than a random permutation (*RP*): $F$ has input length $l$, output length $L$ and key length $k$, with $l = L$ since the modified counter is the *XOR* of an output with an input. If the underlying block cipher is a *PRF* with advantage $\epsilon'$ for resources $t', q'$, then the advantage of *CTR-Offset* mode is at most $2\epsilon'$ plus a birthday term of order $(\mu_e / L)^2 / 2^L$ for resources $t = t'$, $\mu_e \le q' L / 2$ (each block costs two evaluations of $F$) and any $q_e$. If the block cipher is ideal ($\epsilon' = 0$), an adversary can still obtain some advantage against other modes such as *CBC*, as the bounds above show; for *CTR* mode this advantage is exactly zero, and for *CTR-Offset* mode it is only the negligible birthday term.

The following theorem gives the concrete security of *CTR* – *off set* mode.

**Theorem (CTR-Offset security using a RF):** Let $R = \mathrm{rand}^{l \to L}$ with $l = L$ be a random function and let $\sigma = \mu_e / L$ be the number of keystream blocks generated. Then, for any $t$, $q_e$ and $\mu_e \le L 2^l$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR\text{-}Offset[R]}(\cdot, t, q_e, \mu_e) \le \frac{3\sigma^2}{2^{L+1}}. \quad (20)$

**Proof:** Let $(M_i, N_i)$, $i = 1, \ldots, q_e$, be the oracle queries of adversary $A$ in the two games $b = 0$ and $b = 1$, and write $\Pr_b[\cdot]$ for probabilities in game $b$. Block $j$ of the keystream is computed from the counter block $c_j$, the intermediate value $z_j = R(c_j)$, the modified counter $u_j = c_j \oplus z_j$ and the keystream block $s_j = R(u_j)$. Let $D$ be the event that all $2\sigma$ inputs to $R$, the $c_j$ and the $u_j$, are distinct.

**Claim 1:** $\Pr_0[\overline{D}] = \Pr_1[\overline{D}] \le 3\sigma^2 / 2^{L+1}$ for $\mu_e \le L 2^l$.

**Proof:** The counter blocks $c_1, \ldots, c_\sigma$ are distinct by construction as long as $\sigma \le 2^l$, which $\mu_e \le L 2^l$ guarantees. The values $z_j = R(c_j)$ are therefore independent and uniform on $\{0,1\}^L$, and so are the $u_j = c_j \oplus z_j$. A collision $u_i = u_j$ ($i < j$) or $u_i = c_j$ (any $i, j$) occurs with probability $2^{-L}$ for each pair, so by the union bound $\Pr[\overline{D}] \le \binom{\sigma}{2} 2^{-L} + \sigma^2 2^{-L} \le 3\sigma^2 / 2^{L+1}$. The event $\overline{D}$ depends only on the counter values and on $R$, not on which of $M_i$ or $N_i$ is encrypted, so its probability is the same in both games.

**Claim 2:** $\Pr_0[A = 1 \mid D] = \Pr_1[A = 1 \mid D]$.

**Proof:** Conditioned on $D$, every keystream block $s_j = R(u_j)$ is the value of $R$ at a fresh point, hence uniformly distributed and independent of all other keystream blocks and of the intermediate values. The ciphertext blocks, $s_j \oplus M_{i,j}$ in game 0 and $s_j \oplus N_{i,j}$ in game 1, are then uniform and independent of the plaintexts, so the view of $A$ is identically distributed in the two games and $\Pr_0[A = 1 \mid D] = \Pr_1[A = 1 \mid D]$.

The advantage of $A$ is

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR\text{-}Offset[R],\, A}(\cdot, t, q_e, \mu_e) = \Pr_1[A = 1] - \Pr_0[A = 1]$

$= \Pr_1[A = 1 \mid D] \Pr_1[D] + \Pr_1[A = 1 \mid \overline{D}] \Pr_1[\overline{D}] - \Pr_0[A = 1 \mid D] \Pr_0[D] - \Pr_0[A = 1 \mid \overline{D}] \Pr_0[\overline{D}].$

By Claims 1 and 2 the terms conditioned on $D$ cancel, and the remaining difference is at most $\Pr[\overline{D}]$, which gives (20). For $\sigma \ll 2^{L/2}$ the bound is negligible. For plain *CTR* mode the corresponding collision event is impossible and the advantage is exactly zero (12); *CTR-Offset* pays only this birthday term for its second block-cipher call.

**CTR-Offset security using a PRF:** Let $F$ be a *PRF* family with $l$-bit input length and $L$-bit output length, $l = L$, and let $q' = 2\mu_e / L$ be the number of evaluations of $F$ the encryption oracle performs. Then, for any $t$, $q_e$ and $\mu_e \le \min(q' L / 2, L 2^l)$,

$\mathrm{Adv}^{LR\text{-}CPA}_{CTR\text{-}Offset[F]}(\cdot, t, q_e, \mu_e) \le 2 \cdot \mathrm{Adv}^{prf}_F(t, q') + \frac{3 (\mu_e / L)^2}{2^{L+1}}. \quad (21)$

**Proof:** The proof follows Theorem 13 of [20]: a *PRF* distinguisher that runs the adversary and simulates the encryption oracle with its own function oracle has advantage equal to the difference between the adversary's success with $F$ and with a random function $R$, in each of the two games, which contributes the term $2 \cdot \mathrm{Adv}^{prf}_F(t, q')$; the random-function case is the theorem above. Note that [20] assumes the function underlying counter mode is a *PRF*, whereas a real block cipher such as *AES* is a *PRP*. To move from the *PRF* assumption to the *PRP* assumption one applies the PRP/PRF switching lemma (Proposition 8 of [20]; see also [24,28,29]):

$\mathrm{Adv}^{prf}_F(t, q) \le \mathrm{Adv}^{prp}_F(t, q) + q^2 2^{-l-1}. \quad (22)$

**Comparative security analysis:** To substantiate the claims made for *CTR-Offset* mode, a comprehensive evaluation against the existing modes is still required, covering both theoretical analysis and measured performance. The comparative security analysis should examine the resistance of *CTR-Offset* to differential and linear cryptanalysis of the underlying block cipher relative to ECB, *CBC*, CFB, OFB and standard *CTR*, include statistical tests of the randomness of its keystream, and establish concrete-security bounds showing that it matches or exceeds the security of standard *CTR* without introducing new weaknesses.

**Performance analysis:** The performance analysis should benchmark the throughput and latency of *CTR-Offset* against the other modes. Since it makes two block-cipher calls per block where *CTR* makes one, its keystream generation costs roughly twice the cipher work, although it remains fully parallelizable and, like *CTR*, the keystream can be computed before the plaintext is available. CPU cycles, memory usage and power consumption should be measured, and parallel and hardware-accelerated implementations compared, to quantify the price of the added security in software, hardware and cloud environments.

**Implementation considerations:** Deploying *CTR-Offset* mode in real applications requires attention to several points. Key management must cover secure key storage and regular key rotation, and the counter (nonce) must be managed so that no counter block is ever reused under a key; the offset step does not remove this requirement, since a repeated counter reproduces the same keystream block. The performance overhead of the second block-cipher call should be mitigated through hardware acceleration and parallel processing. Finally, implementations must resist side-channel attacks and comply with the applicable cryptographic standards and regulatory requirements.

**Recommendations for future work:** Directions for further research include more efficient implementations of *CTR-Offset* mode, an assessment of its security margin against quantum adversaries, and improved strategies for nonce and counter generation. These recommendations follow from the comparative security analysis, performance analysis and implementation considerations above.

Taken together, these aspects give a rounded view of *CTR-Offset* mode's place in cryptographic practice: its strengths, its potential weaknesses, and the practical considerations for deploying it.

In this work we presented the Counter-Offset mode, an adaptation of Counter mode designed to improve resistance against differential cryptanalysis of the underlying block cipher without giving up the efficiency and parallelizability that are the hallmarks of the original mode. Our analysis and comparison with the established modes show that Counter-Offset retains the advantageous features of Counter mode, with essentially the same concrete security, while removing the low-difference structure of the block-cipher inputs; the price is a second block-cipher call per block. This matters most in environments where the underlying block cipher might be susceptible to cryptanalytic attack. Future work will focus on integrating Counter-Offset mode into real-world applications, optimizing its implementation, and evaluating its performance and security in diverse scenarios. The continued development of cryptographic methods, of which Counter-Offset is one example, remains imperative in safeguarding digital information against increasingly sophisticated threats.

- [1] Rogaway P. Evaluation of some blockcipher modes of operation. Report for CRYPTREC, Japan. 2011.
- [2] Katz J, Lindell Y. Introduction to Modern Cryptography. CRC Press. 2014.
- [3] Dworkin M. Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication 800-38A. National Institute of Standards and Technology, Gaithersburg, MD. 2001.
- [4] Mehmood A. Advances and Vulnerabilities in Modern Cryptographic Techniques: A Comprehensive Survey on Cybersecurity in the Domain of Machine/Deep Learning and Quantum Techniques. 2024; 12: 27530-27555.
- [5] Gava J. Assessment of Radiation-Induced Soft Errors on Lightweight Cryptography Algorithms Running on a Resource-constrained Device. 2023.
- [6] Karimov MM. Encryption Methods and Algorithms Based on Domestic Standards in Open-Source Operating Systems. 2023; 20: 42-49.
- [7] Usman H. Access Control and Privacy Preservation of Medical Records with Enhanced Rivest-Shamir-Adleman Algorithm Using Counter Mode Encryption. 2023.
- [8] Alkhyeli M. Secure Chat Room Application Using AES-GCM Encryption and SHA-256. In: 2023 15th International Conference on Innovations in Information Technology (IIT). IEEE. 2023.
- [9] Thabit F. A comprehensive literature survey of cryptography algorithms for improving the IoT security. 2023; 100759.
- [10] Dam DT. A survey of post-quantum cryptography: Start of a new race. 2023; 7(3): 40.
- [11] Salami Y. Cryptographic Algorithms: A Review of the Literature, Weaknesses and Open Challenges. 2023; 16(2): 46-56.
- [12] Stallings W. Cryptography and Network Security, 4th ed. Pearson Education India. 2006.
- [13] Dworkin M. Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. NIST Special Publication 800-38C. National Institute of Standards and Technology. 2004.
- [14] Rogaway P, Bellare M, Black J. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security (TISSEC). 2003; 6(3): 365-403.
- [15] Bellare M, Rogaway P, Wagner D. A conventional authenticated-encryption mode. Manuscript. 2003.
- [16] Iwata T, Kurosawa K. OMAC: One-Key CBC MAC. Addendum. 2003.
- [17] Kohno T, Viega J, Whiting D. The CWC authenticated encryption (associated data) mode. IACR ePrint Archive. 2003.
- [18] Wegman MN, Carter JL. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences. 1981; 22(3): 265-279.
- [19] Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer and System Sciences. 1984; 28(2): 270-299.
- [20] Bellare M, Desai A, Jokipii E, Rogaway P. A concrete security treatment of symmetric encryption. In: Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS). IEEE. 1997.
- [21] Diffie W, Hellman ME. Privacy and authentication: An introduction to cryptography. Proceedings of the IEEE. 1979; 67(3): 397-427.
- [22] Lipmaa H, Rogaway P, Wagner D. Comments to NIST concerning AES modes of operation: CTR-mode encryption. 2000.
- [23] Rijmen V, Daemen J; National Institute of Standards and Technology. Advanced Encryption Standard (AES). FIPS PUB 197. 2001; 19-22.
- [24] McGrew DA. Counter mode security: Analysis and recommendations. Cisco Systems, Inc. 2002.
- [25] Bellare M, Kilian J, Rogaway P. The security of the cipher block chaining message authentication code. In: Advances in Cryptology, CRYPTO '94. 1994.
- [26] Sung J. Concrete security analysis of CTR-OFB and CTR-CFB modes of operation. In: International Conference on Information Security and Cryptology (ICISC). 2001.
- [27] Wallén J. Design principles of the KASUMI block cipher. In: Proceedings of the Helsinki University of Technology Seminar on Network Security. 2000.
- [28] Xian L, Tingthanathikul W. Advanced Encryption Standard (AES) in Counter Mode. ECE.
- [29] Sibleyras F. Cryptanalysis of the Counter mode of operation. 2017.


This work is licensed under a Creative Commons Attribution 4.0 International License.
