ISSN: 2641-3086

Review Article
Open Access Peer-Reviewed


*GCM*) of authenticated encryption by introducing an “*offset*” mechanism. This modification aims to improve privacy and resist differential cryptanalysis without significantly impacting the mode’s efficiency and simplicity. The improved *GCM* maintains its original features, such as minimal block cipher invocations, the use of a single cryptographic key, and efficient *offset* computation. It provides a detailed analysis of the operational framework, including the integration and calculation of *offset*s in encryption and decryption processes. By complicating the predictability of differential cryptanalysis through unique *offset*s, the paper asserts this enhancement significantly increases *GCM*’s security within a concrete security model. The discussion emphasizes the benefits of the *offset*-enhanced *GCM* over other modes, highlighting its suitability for high-speed, parallelizable cryptographic applications while bolstering resistance against cryptanalytic attacks.

A block cipher mode of operation is a well-scrutinized cryptographic primitive for secure encryption and decryption that ensures privacy, authenticity, and authenticated encryption [1]. Authenticated encryption is a term for simultaneously providing confidentiality and authenticity to the data. Every cryptosystem requires both forms of security, but until relatively recently confidentiality and authenticity were designed separately. Now authenticated encryption is implemented using a block cipher mode of operation. Recently, many authenticated encryption modes have been proposed [2,3]. The first authenticated encryption mode was the IAPM (Integrity-Aware Parallelizable Mode) proposed by Jutla [4]. The OCB (*offset* Codebook) mode refines IAPM [5,6], and OCB2 and OCB3 are refined versions of OCB [7,8]. All of these are parallelizable authenticated encryption modes suitable for high-speed cryptosystems [9,10]. Other related work combines Counter mode with CBC-MAC: CCM mode uses only one key, but it is not suitable for high-speed authenticated encryption because CBC-MAC is not parallelizable [11]. Another mode similar to CCM is *EAX* mode, which combines Counter mode with OMAC [2,12]. OMAC is not parallelizable, so *EAX* is not a high-speed authenticated encryption mode, but it refines some properties of CCM mode. Another authenticated encryption mode is *cwc*, which combines Counter mode with a MAC based on a universal hash function over GF(2^127 − 1), but it is relatively expensive to implement [13,14]. Some authenticated encryption modes can also authenticate associated data while simultaneously assuring the confidentiality and authenticity of the message; this is termed AEAD (authenticated encryption with associated data) [15]. Both CCM mode and *GCM* mode support AEAD, which increases their usability [16-18].
The Galois/Counter Mode is recommended by the National Institute of Standards and Technology (NIST) and is preferred over CCM because it is parallelizable [19,20].

Galois/Counter Mode (*GCM*) is a block cipher mode of operation designed to meet the need for confidentiality and authenticity of data, and it uses universal hashing over a binary Galois field. It is implemented in many cryptosystems to achieve high speed with low latency and low cost. Its design is supported by a well-understood theoretical foundation. There is a pressing need for a mode of operation that can efficiently provide parallel authenticated encryption: the mode must admit pipelined and parallelized construction and support high data rates. Counter mode meets those requirements and has become the mode of choice for high-speed cryptosystems [21,22]. However, Counter mode provides only confidentiality, not message authentication. So *GCM* builds on Counter mode by adding a Message Authentication Code (MAC) based on universal hashing, providing message authentication that can keep up with the cipher [23]. It uses polynomial hashing in the finite field GF(2^n) [24]. Multiplication in GF(2^n) can be implemented efficiently using XOR and shift operations. Additionally, *GCM* has further useful properties: it can be used as an incremental MAC and as a stand-alone MAC. These properties make *GCM* unique among the proposed authenticated encryption modes.

*GCM* uses Counter mode, which changes the input bits of the underlying block cipher serially, and it is well known that successive Counter blocks have a small Hamming difference at the input of the block cipher. This led to the concern that an adversary can obtain many plaintext pairs with a known small plaintext difference, which would facilitate differential cryptanalysis [25]. It is the responsibility of the mode to compensate for a weak block cipher. Our work refines the privacy property of

The principal characteristics of *GCM* *offset* remain the same as those of conventional *GCM* (for example, it is fully parallelizable), adding only a small overhead. *GCM* *offset* combines the following features:

**Arbitrary-message length:** *GCM* encrypts and authenticates a nonempty string M ∈ {0,1}* of any length using |M|/n + 1 block cipher invocations. The message length |M| needs to be a multiple of n.

**Minimal requirement on counter:** Like other authenticated encryption modes, *GCM* requires a nonce as the counter. The counter value must be non-repeating (a new counter value is chosen for every message block, with the restriction that no counter value is used twice).

**Offset calculation:** We need a sequence of

**Single key:** *GCM* *offset* uses a single block cipher key. All the block cipher invocations are keyed by this one key.

The paramount contribution of this paper is the introduction of an “*offset*” mechanism to the *GCM* of authenticated encryption, aimed at significantly enhancing its resistance to differential cryptanalysis without detracting from its efficiency or simplicity. By integrating unique *offset*s in the encryption and decryption processes, this enhancement complicates the predictability upon which differential cryptanalysis relies, thereby strengthening *GCM*’s security posture within a robust security model. Through comprehensive analysis and discussion, we demonstrate the practical application of this *offset*-enhanced *GCM* in modern cryptographic systems, emphasizing its minimal overhead and retained efficiency. This advancement not only fortifies *GCM* against sophisticated cryptanalytic attacks but also underscores the feasibility of such an approach in high-speed, parallelizable cryptographic operations, marking a significant stride forward in the domain of authenticated encryption.

Let *a* and *b* be two integers; if *a* ≤ *b*, then [*a..b*] means {*a, a + 1, …, b*}. If *i* > 0 is an integer, then *ntz*(*i*) is the number of trailing 0-bits in the binary representation of *i*. {0,1} represents the set of binary digits and {0,1}* denotes the set of all binary strings. The set {0,1}^n denotes all strings of length *n*. A string with no elements is called the empty string, denoted ε. *A||B* represents the concatenation of strings *A* and *B*, where *A, B* ∈ {0,1}*. If *A* ≠ ε then firstbit(*A*) represents the first bit of *A*, and likewise lastbit(*A*) denotes the last bit of *A*. If *i* and *n* are integers, then 0^i and 1^i represent the strings of *i* 0's and *i* 1's respectively. If *A* ∈ {0,1}* then |*A*| represents the bit length of *A*, while ||*A*||_n = max{1, ⌈|*A*|/*n*⌉} represents the length of *A* in *n*-bit blocks. Let *A* ∈ {0,1}* and *t* ∈ [0..|*A*|]; then *A*[firstbit *t*] denotes the first *t* bits of *A* and *A*[lastbit *t*] denotes the last *t* bits of *A*. If *A, B* ∈ {0,1}* then *A* ⊕ *B* is the bitwise XOR of firstbit(*A*) and firstbit(*B*), where |*A*| = |*B*|. If *A* = *a*_{n-1}…*a*_{1}*a*_{0} ∈ {0,1}^n then *str2num*(*A*) is the number . If *a* ∈ [0..2^n − 1] then *num2str_n*(*a*) is the *n*-bit string *A* such that *str2num*(*A*) = *a*. len_n(*A*) = *num2str_n*(|*A*|). If *A* = *a*_{n-1}*a*_{n-2}…*a*_{1}*a*_{0} ∈ {0,1}^n then *A* ≪ 1 is the *n*-bit string *a*_{n-2}…*a*_{1}*a*_{0}0, the left shift of *A* by one bit, while *A* ≫ 1 is the *n*-bit string 0*a*_{n-1}*a*_{n-2}…*a*_{1}, the right shift of *A* by one bit. The plaintext message *M* is partitioned into *m*_{1}*m*_{2}…*m*_{n} with |*m*_{i}| = *n* for 1 ≤ *i* ≤ *n*. We partition *C* into *c*_{1}*c*_{2}…*c*_{n}, where *C* refers to the ciphertext resulting from the encryption process. Partitioning *C* into multiple blocks *c*_{1}*c*_{2}…*c*_{n} allows the ciphertext to be processed in blocks, aligning with the block cipher mode of operation used by GCM.
This is crucial both for encrypting the plaintext message in blocks and for subsequently generating or verifying the authentication tag, which ensures data integrity and authenticity.

Let *GF(2^n)* represent a field with

- As an abstract point in a field
- As an *n*-bit string *a*_{n-1}…*a*_{1}*a*_{0} ∈ {0,1}^n
- As a formal polynomial *a*(*x*) = *a*_{n-1}*x*^{n-1} + … + *a*_{1}*x* + *a*_{0} with binary coefficients
- As an integer between 0 and 2^n − 1, where the string *a* ∈ {0,1}^n corresponds to the number *str2num*(*a*).

We write *a*(*x*) instead of *a* if we wish to emphasize that we are thinking of *a* as a polynomial. We take XOR to add two points in *GF(2^n)*, and for the multiplication of two points we fix an irreducible polynomial

$a\cdot x=\begin{cases}a\ll 1 & \text{if } \mathrm{firstbit}(a)=0\\ (a\ll 1)\oplus 0^{120}10000111 & \text{if } \mathrm{firstbit}(a)=1\end{cases}\quad\text{(1)}$

Conversely, to divide *a* ∈ {0,1}^n by *x*: if the last bit of *a* is 0, then *a*·*x*^{-1} is *a* ≫ 1. Similarly, if the last bit of

$a\cdot x^{-1}=\begin{cases}a\gg 1 & \text{if } \mathrm{lastbit}(a)=0\\ (a\gg 1)\oplus 10^{120}1000011 & \text{if } \mathrm{lastbit}(a)=1\end{cases}\quad\text{(2)}$

If *L* ∈ {0,1}^n and *i* ≥ −1, then *L*(*i*) = *L*·*x*^i. So we can compute from

A Gray code is a sequence
${\gamma}^{l}=({\gamma}_{0}^{l}\ {\gamma}_{1}^{l}\dots {\gamma}_{{2}^{l}-1}^{l})$
of elements of {0,1}^l, where *l* ≥ 1 and successive points differ in just one bit. For a fixed block length *n*, *GCM* uses the canonical Gray code γ = γ^n, built up from γ^1 = (0 1). So, for *l* > 0,

${\gamma}^{l+1}=(0{\gamma}_{0}^{l}\ 0{\gamma}_{1}^{l}\dots 0{\gamma}_{{2}^{l}-2}^{l}\ 0{\gamma}_{{2}^{l}-1}^{l}\ 1{\gamma}_{{2}^{l}-1}^{l}\ 1{\gamma}_{{2}^{l}-2}^{l}\dots 1{\gamma}_{1}^{l}\ 1{\gamma}_{0}^{l})\quad\text{(3)}$

Thus γ is a Gray code, and successive points can be computed as

$1\le i\le {2}^{n}-1,\quad {\gamma}_{i}={\gamma}_{i-1}\oplus ({0}^{n-1}1\ll ntz(i))$

Let *L* ∈ {0,1}^n and consider the problem of successively forming the strings γ_{1}·*L*, γ_{2}·*L*, γ_{3}·*L*, …, γ_{m}·*L*. First, γ_{1}·*L* = 1·*L* = *L*. Since γ_{i} = γ_{i−1} ⊕ (0^{n−1}1 ≪ ntz(i)), we know that

${\gamma}_{i}\cdot L=\left({\gamma}_{i-1}\oplus ({0}^{n-1}1\ll ntz(i))\right)\cdot L\quad\text{(4)}$

${\gamma}_{i}\cdot L=({\gamma}_{i-1}\cdot L)\oplus \left(({0}^{n-1}1\ll ntz(i))\cdot L\right)\quad\text{(5)}$

${\gamma}_{i}\cdot L=({\gamma}_{i-1}\cdot L)\oplus (L\cdot x^{ntz(i)})\quad\text{(6)}$

${\gamma}_{i}\cdot L=({\gamma}_{i-1}\cdot L)\oplus L(ntz(i))\quad\text{(7)}$

The *i*-th word is obtained by XORing *L*(*ntz*(*i*)) with the previous word. Including *R*, the *i*-th word is obtained in the same way for *i* ≥ 2, i.e. γ_{1}·*L* ⊕ *R*, γ_{2}·*L* ⊕ *R*, …, and the first word in the sequence is *L* ⊕ *R* instead of *L*.

This section gives the complete definition of *GCM* with the additional *offset* input for 128-bit block ciphers. Generally, *GCM* encryption has the following inputs, each of which is a bit string:

- A plaintext *M*, partitioned into *m*_{1}*m*_{2}…*m*_{n}, the length of each message block being an exact multiple of the block cipher's block length.
- Authenticated data, denoted *AD*. This data is only authenticated, not encrypted.
- A secret key *K*, whose length is a multiple of the block cipher's block length.
- The Counter value; all that is expected of the Counter is that it act as a nonce. It is not required to be random or unpredictable.
- The *offset* (*z*_{i}) for each block cipher invocation, such that each *z*_{i} is unique.

Each different value of the Counter produces a different set of *z*_{i}. Thus each *offset*, XORed with the corresponding counter value, produces an unpredictable input (compared with the nonrandom and predictable nonce-derived counter value) for the underlying block cipher. The calculation of

${L}_{0}=L={E}_{k}\left({0}^{n}\right),\ \text{where } {0}^{n} \text{ consists of } n \text{ zero bits}\quad\text{(7)}$

$R={E}_{k}\left(ctr+i\oplus L\right)\quad\text{(8)}$

${L}_{i}=2\cdot {L}_{i-1},\quad 1\le i\le m\quad\text{(9)}$

${z}_{1}=R\oplus L\quad\text{(10)}$

${z}_{i}={z}_{i-1}\oplus L(ntz(i)),\quad 1\le i\le m\quad\text{(11)}$

**Initialization of L_{0}:** The initial value L_{0} is derived by encrypting a block of *n* zero bits using the block cipher encryption function *E*_{k} under the secret key *K*. Mathematically, L_{0} = L = E_{k}(0^n), where 0^n denotes a string of

**Calculation of *R*:** The value *R* is computed as *R* = *E*_{k}(*ctr* + *i*) ⊕ *L*, where *ctr* is the counter value used in the encryption process, and *i* is an incrementing value for each block, ensuring that *R* is unique for every block of data being processed.

**Sequential Calculation of *L*_{i}:**

**Generation of *z*_{i}:**

**Encryption:** During the encryption process, the offset values *z*_{i} are XORed with the counter values before they are encrypted with the block cipher under the key

**Decryption:** For decryption, the same process is mirrored. The *offset*s *z*_{i} are recalculated in the same manner as during encryption and used to generate the keystream by XORing them with the counter values and encrypting the result under
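The offset sequence above, as an added example that is not part of the paper and not the paper's or any library's code: it implements the GF(2^128) doubling of equations (1) and (2), builds z_1..z_m by the Gray code recurrence of (10) and (11), cross-checks each z_i against the closed form γ_i·L ⊕ R behind (4) to (7), and measures the Hamming distance between successive block cipher inputs with and without the offset, the small-difference concern raised in the introduction. The block cipher is not instantiated: L = E_K(0^n) and R are constructed 128-bit constants, and the function names are the example's own.

```python
# Added example (not from the paper or any library): the offset sequence of the
# paper's GCM-offset, written from its equations (1)-(2), (4)-(7) and (9)-(11).
# Assumptions: the block cipher is not instantiated; L = E_K(0^n) and R are
# stand-in 128-bit constants, since only the offset arithmetic is demonstrated.

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1
# Eq. (1): when firstbit(a) = 1, a.x = (a << 1) XOR 0^120 10000111  (= 0x87)
POLY_X = 0x87
# Eq. (2): when lastbit(a) = 1, a.x^-1 = (a >> 1) XOR 1 0^120 1000011
POLY_XINV = (1 << (BLOCK_BITS - 1)) | 0x43


def times_x(a):
    """a . x in GF(2^128) as in eq. (1); firstbit(a) is the most significant bit."""
    a <<= 1
    if a >> BLOCK_BITS:          # firstbit(a) was 1: reduce
        a ^= POLY_X
    return a & MASK


def times_x_inv(a):
    """a . x^-1 in GF(2^128) as in eq. (2); lastbit(a) is the least significant bit."""
    low = a & 1
    a >>= 1
    if low:
        a ^= POLY_XINV
    return a


def L_of(L, i):
    """L(i) = L . x^i for i >= -1, as the paper defines it."""
    if i == -1:
        return times_x_inv(L)
    for _ in range(i):
        L = times_x(L)
    return L


def gf_mul(a, b):
    """Full multiplication in GF(2^128) under the same convention as eq. (1).
    Used only to cross-check the incremental (Gray code) computation."""
    acc = 0
    for bit in range(BLOCK_BITS - 1, -1, -1):   # Horner's rule from firstbit(b)
        acc = times_x(acc)
        if (b >> bit) & 1:
            acc ^= a
    return acc


def ntz(i):
    """Number of trailing zero bits in the binary representation of i > 0."""
    return (i & -i).bit_length() - 1


def gray(i):
    """gamma_i, the i-th word of the canonical Gray code (as an integer)."""
    return i ^ (i >> 1)


def offsets(L, R, m):
    """z_1..z_m from eqs. (10)-(11): z_1 = R XOR L, z_i = z_{i-1} XOR L(ntz(i))."""
    zs = [R ^ L]
    for i in range(2, m + 1):
        zs.append(zs[-1] ^ L_of(L, ntz(i)))
    return zs


def check_offsets(L, R, m):
    """Every z_i equals (gamma_i . L) XOR R, the closed form behind eqs. (4)-(7)."""
    zs = offsets(L, R, m)
    return all(zs[i - 1] == gf_mul(gray(i), L) ^ R for i in range(1, m + 1))


def block_inputs(ctr, zs, use_offset):
    """Counter-mode block cipher inputs ctr+i, XORed with z_i when use_offset."""
    return [((ctr + i) & MASK) ^ (zs[i - 1] if use_offset else 0)
            for i in range(1, len(zs) + 1)]


def successive_hamming(inputs):
    """Hamming distance between each pair of successive block cipher inputs:
    the small-difference property the introduction is concerned about."""
    return [bin(a ^ b).count("1") for a, b in zip(inputs, inputs[1:])]


if __name__ == "__main__":
    # Constructed stand-ins for L = E_K(0^n) and R (not real cipher outputs).
    L = 0x0123456789ABCDEF0123456789ABCDEF
    R = 0xFEDCBA9876543210FEDCBA9876543210
    zs = offsets(L, R, 8)
    print("offsets consistent with gamma_i.L XOR R:", check_offsets(L, R, 8))
    print("plain counter input differences :", successive_hamming(block_inputs(0, zs, False)))
    print("offset counter input differences:", successive_hamming(block_inputs(0, zs, True)))
```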

The operator “.” refers to multiplication over the finite field *GF*(2^n),

The plaintext consists of a sequence of *n*-bit strings (m_{1}, m_{2}, …, m_{n-1}, m_{n}), each called a data block; the bit length of each data block is *128 bits*. The bit length of the last data block may not equal *n* bits, so we denote the bit length of the last block by *u*, where 1 ≤ *u* ≤ *128*. Similarly, the corresponding ciphertext blocks are denoted c_{1}, c_{2}, …, c_{n-1}, c_{n}, where the bit length of the last block is *u*. The authenticated data blocks *AD* are denoted *AD*_{1}, *AD*_{2}, …, *AD*_{n-1}, *AD*_{n}, where the

The successive values of the counter (*ctr*) are generated using the *incr*() function, which treats the *32 lsb* (least significant bits) as an integer and increments it modulo 2^32. The authenticated decryption process of

Generally, the additional authenticated data (*AD*) and the blocks of plaintext (m_{1}m_{2} … m_{n}) are shown. Here *E*_{k} denotes block cipher encryption using the key *K*, and • denotes multiplication in *GF*(2^128) by the hash

The block cipher is a function *E*: *K* × {0,1}^n → {0,1}^n, and if it is assumed to be a secure pseudorandom permutation (

$Adv = P[D\,|\,E] - P[D\,|\,R]\quad\text{(12)}$

The notation *P*[*X*] denotes the probability of event *X*. *P*[*X*|*Y*] = *P*[*X* ⋂ *Y*] / *P*[*Y*] denotes the probability of event *X* given event *Y*, which equals the probability of both *X* and *Y* divided by the probability of event *Y*. We assume that the advantage *Adv* > 0, so *Adv* lies between 0 and 1. The AEAD of *GCM* follows the security model of [15]. It has the following input bit strings: *M*, *counter*, *AD*, and *z*_{i}, and returns

According to the definition of privacy (confidentiality), we use indistinguishability of the ciphertext from random under a *CPA* attack and indistinguishability of the plaintext from random under a CCA attack; this definition is equivalent to that of [30]. *GCM* encryption is secure under these assumptions when an adversary presented with these oracles cannot tell if they contain

$Ad{v}_{PRF}=P\left[D\text{|}{E}_{PRF}\right]-P\left[D\text{|}{E}_{PRF}^{R}\right]\text{(13)}$

where $E_{PRF}$ and $E_{PRF}^{R}$ denote the *PRF* and the corresponding *random function*. The advantages against a *PRF* and a *PRP* are similar, because the two have similar properties.

The advantage *Adv*_{PRF} of an

*random permutation*, and the value *q* is the number of queries to the function oracle.

If there is an adversary that can distinguish

$Adv_{E}\ \ge\ Adv_{GCM}-\left(\frac{l_{P}}{n}+2q\right)^{2}2^{-n-1}-q\left(\left(\left(\frac{l_{P}}{n}+2q\right)\frac{l_{ctr}}{n}+1\right)2^{1-n}+\left(\frac{l}{n}+1\right)2^{-t}\right)\quad\text{(14)}$

The formulation for the adversary's ability to distinguish

The formulation for *Adv*_{E} is based on several factors, including:

**The Number of Queries (q):** This represents the number of times the

**The Total Number of Plaintext Bits Processed (l_P):** This is the cumulative length of all plaintext messages that the

**Constraints on the Counter Values and the Size of the Authentication Tag (t):** Constraints on the length of the counter and the size of the authentication tag also influence the adversary's advantage. For instance, a shorter authentication tag might be easier to forge or guess, potentially increasing

**Security Bounds of the Underlying Block Cipher:** The inherent security of the block cipher itself, against both known and unknown attacks, plays a critical role. The stronger the block cipher, the lower the adversary's advantage in distinguishing it from a random permutation.

The specific formulation of *Adv*_{E} provided in the document considers these and potentially other factors, such as the parallelizability of the

*GCM* encryption security also depends on the authentication tag size, but this dependence is relatively weak. The bound on *Adv*_{E} contains a 2^{−t} term, which does not dominate the bound as long as *t* is greater than about
$n-\text{lg}\left(q\frac{l}{n}+\frac{{l}_{ctr}}{n}\right)$

In the presence of a *CPA* attack, for MAC security we use the standard model and give the adversary access to a tag generation oracle and a tag verification oracle. The

adversary with F

$F_{GCM}-\left(\frac{l_{P}}{n}+2q\right)^{2}2^{-n-1}-q\left(\left(\left(\frac{l_{P}}{n}+2q+1\right)\frac{l_{ctr}}{n}+1\right)2^{1-n}+\left(\frac{l}{n}+1\right)2^{-t}\right)\quad\text{(15)}$

In this section, we discuss the characteristics of *GCM* *offset* with respect to other authenticated encryption modes. Our proposal extends, by one feature, the NIST-recommended

- Assuming the underlying block cipher is a good *PRP* and the authentication tag length *t* equals the block length *n*, *GCM* *offset* is provably secure up to the birthday bound.
- When encrypting the plaintext and getting the corresponding ciphertext, the output has the length of the plaintext plus the authentication tag *t*.
- We use a nonce (each value used at most once in a given session, having the property of a counter); it is not required to be random or unpredictable.
- The *offset* is an unpredictable input to the underlying block cipher, which is XORed with the corresponding counter value; each input value of *offset* is used at most once in a given session.
- *GCM* *offset* uses only the forward direction of the block cipher. This saves chip area compared to AEAD constructions whose decryption requires the backward direction of the block cipher.
- *GCM* *offset* is fully parallelizable, enabling hardware throughput that is not limited by block cipher latency, and benefiting software embodiments.
- The authenticity of the data after decryption can be verified from the recovery of the confidential data. Invalid data cannot be processed without counter mode decrypting it.
- The confidential portion of *GCM* *offset* is a counter mode with an extra input; it is simple and efficient for hardware to construct the *GF(2^128)* multiplier. Overall, in hardware, *GCM* *offset* is unrivaled by any other *authenticated encryption* scheme.
- It can also be efficient in software.
- *GCM* *offset* is online, and one need not know the message length in advance of processing it. However, the *AD* and its length need to be known before processing the message. This makes *GCM* *offset* suitable for networking applications and incremental *API*s (Application Programmers Interface) where *M*, *C*, or *AD* are provided incrementally in chunks.

The characteristics of fully parallelizable authenticated encryption modes of operation are summarized in Table 1, and the remaining serial modes are described in Table 2. The modes that come with a security proof are based on the assumption that the underlying block cipher is secure. The confidentiality and authenticity of each mode are proved together with the fact that no attacker can gain a significant advantage in distinguishing between a random stream and ciphertext. Some modes are provably secure and some are not; both characteristics are noted in Tables 1 and 2.

Some characteristics definitions are the following:

**Patent:** Provably secure authenticated encryption modes are patented (i.e. *GCM*, OCB, *XCBC*, IAPM), and some modes try to be patent aware.

**Provably Secure:** If the underlying block cipher is a secure *PRP* and the mode comes with a proof of security giving message privacy and authenticity, then the mode is known as provably secure.

**Parallelizability:** For a high-speed environment we use a parallelizable mode, where encryption/decryption can be done in parallel (Table 1). In the case of parallelizable authenticated encryption modes, both encryption and authentication are parallelizable, denoted as *A*+*E*.

**Associated data authentication:** The unencrypted data that is used for protection of the ciphertext; the authenticated data is denoted *AD*. The *AD* is typically used to encode header information in a networking context.

**Ciphertext Expansion:** Many modes of operation expand the message by up to the *authentication tag length*, so for short messages this property is important, since the expansion can exceed the length of the original message.

**Online message processing:** This is an important property for memory-restricted environments, where it is possible to encrypt or decrypt a message without obtaining the whole message; *GCM* has this property.

**Endian dependency:** The modes of operation that use integer *multiplication/addition* are endian dependent. All the modes discussed in this section are endian dependent other than *OCB* mode.

**Incremental *MAC*:** In applications where the data set changes frequently and must be authenticated in a remote database, recalculating an authenticator for all data is not efficient.

The Differential Distribution Table (DDT) is a crucial tool in differential cryptanalysis, as it maps the difference between two inputs to the difference between the corresponding outputs for each possible input pair. DDT is used to identify differential characteristics with high probabilities that can be exploited in attacks. The probability of a differential characteristic, which can be derived from the DDT, is a measure of how likely it is that a specific input difference will lead to a specific output difference after going through the cipher.

The implementation of an *offset* in the improved *GCM* aims to make the prediction of output differences harder by introducing an additional layer of unpredictability into the encryption process. By XORing each block cipher input with a unique *offset*, the improved scheme aims to disrupt the predictability that differential cryptanalysis relies on. This unpredictability complicates the construction of a DDT with high probability differential characteristics that are useful for an attacker.

In terms of the results of attacks against the improved *GCM*, including the number of rounds of the block cipher attacked and the complexity of these attacks, such specifics would typically result from extensive cryptanalytic research. The document mentions improvements to privacy and a theoretical resistance to differential cryptanalysis but does not provide detailed results of attacks, such as specific numbers of rounds that can be securely encrypted or the exact complexity of potential attacks against the improved mode.

In general, the resistance of a cryptographic algorithm or mode of operation to differential cryptanalysis (or any other form of cryptanalysis) is evaluated based on:

**The Number of Rounds:** More rounds generally increase security against differential cryptanalysis, as they make it more difficult to find useful differential paths that cover the entire cipher.

**Data Complexity:** This refers to the amount of plaintext-ciphertext pairs an attacker needs to analyze to successfully exploit a differential characteristic. The introduction of *offset*s aims to increase the data complexity required for a successful attack.

**Attack Complexity:** This encompasses both the computational resources and the data required for an attack to be feasible. Ideally, the complexity should be close to or exceed brute-force search complexity, making the attack impractical.

For detailed cryptanalytic results, including specific vulnerabilities and the resistance of the improved *GCM* to differential cryptanalysis, one would look to specialized cryptographic literature and research that conducts a thorough analysis of the scheme, including practical and theoretical attacks. Without explicit results in the provided document, it’s recommended to consult further cryptographic analysis and peer-reviewed research for a comprehensive understanding of the improved *GCM*’s resistance to differential cryptanalysis and other cryptographic attacks.

Furthermore, the improved *GCM* “*offset*” mechanism is designed to enhance the mode’s privacy and resistance to differential cryptanalysis. This modification is pivotal in the realm of authenticated encryption, where the quest for both robust security and high performance is incessant. To appreciate the value brought by the improved *GCM*, it’s essential to compare it with other authenticated encryption modes such as CBC-MAC (Cipher Block Chaining Message Authentication Code) and CCM (Counter with Cipher Block Chaining-Message Authentication Code), focusing on their security features and performance metrics.

Starting with the core of its enhancement, the improved *GCM* integrates an *offset* into the encryption process, which is a strategic move to complicate the predictability that differential cryptanalysis exploits. This means that for each block encrypted, a unique *offset* is applied, significantly obstructing the ability of an attacker to use differential techniques to infer key information or plaintext. This addition does not notably impact the operational efficiency of *GCM*, which is renowned for its parallel processing capabilities. The ability to process multiple encryption and authentication operations in parallel is a crucial determinant of performance in high-speed network environments, making the improved *GCM* exceptionally well-suited for applications requiring rapid data processing without compromising security.

On the other hand, CBC-MAC, an older mode of authenticated encryption, employs a sequential block cipher operation to provide message integrity and authenticity. While CBC-MAC is fundamentally secure under certain conditions, its security model is contingent upon the proper management of keys and initialization vectors. Specifically, if a key is reused across different sessions or improperly managed, the security of CBC-MAC can be compromised, making it susceptible to forgery attacks. Furthermore, the inherent sequential processing of CBC-MAC limits its throughput and efficiency, especially in comparison to modes like *GCM* that excel in parallel processing.

CCM mode, another contender in the realm of authenticated encryption, combines the Counter mode of encryption with CBC-MAC for authentication. This dual approach necessitates a unique nonce for each message to ensure security, introducing complexities in nonce management that can be problematic in systems where nonce reuse might occur. Additionally, CCM operates in two passes over the data—one for authentication and one for encryption—which inherently doubles the processing requirement for any given message. This two-pass process significantly affects performance, particularly in systems where latency and throughput are critical factors.

Comparatively, the improved *GCM*, with its *offset* mechanism, not only enhances security by thwarting differential cryptanalysis but also maintains high performance through its parallelizable architecture. This unique blend of security and efficiency is not as pronounced in CBC-MAC and CCM. The sequential nature of CBC-MAC’s operation and CCM’s two-pass requirement for encryption and authentication translate into inherent performance bottlenecks. These limitations become increasingly significant in the context of high-speed data transmission and processing, where delays, even milliseconds in length, can be detrimental.

In terms of security, the improved *GCM*’s *offset* mechanism offers a tangible advantage by increasing the complexity for attackers attempting to leverage cryptanalysis techniques. Unlike CBC-MAC, where security can be undermined by key management issues, or CCM, which requires stringent nonce management to avoid security pitfalls, the improved *GCM* provides a robust security model that is less susceptible to such operational hazards. This makes the improved *GCM* a more resilient choice for environments where the integrity and confidentiality of data are paramount, and where the operational context might not always guarantee perfect key or nonce management.

From a performance standpoint, the improved *GCM*’s ability to leverage parallel processing stands in stark contrast to the inherently sequential CBC-MAC and the two-pass CCM mode. This architectural advantage enables the improved *GCM* to achieve higher throughput rates and lower latency, making it exceptionally well-suited for high-performance computing environments, real-time applications, and large-scale data processing scenarios. Furthermore, the minimal overhead introduced by the *offset* mechanism ensures that the improved *GCM* maintains its performance advantages without incurring significant computational costs.

In conclusion, while CBC-MAC and CCM have played pivotal roles in the development of authenticated encryption, the advent of the improved

In conclusion, this research paper introduces a significant enhancement to the *GCM* mode of authenticated encryption through the incorporation of an “*offset*” mechanism, aimed at augmenting privacy and bolstering resistance against differential cryptanalysis. The modified *GCM* mode retains its original advantages, such as high efficiency, simplicity, and the use of a single cryptographic key, while the introduction of unique *offset*s complicates the predictability that underpins differential cryptanalysis. This innovation ensures that the improved *GCM* stands as a formidable option for applications requiring authenticated encryption, especially in scenarios where high-speed, parallelizable cryptographic operations are paramount.

The detailed analysis and discussions presented in the paper highlight the practicality of the *offset*-enhanced *GCM* in contemporary cryptographic applications. By maintaining the mode’s original features and adding minimal overhead, the paper convincingly argues for the enhanced mode’s suitability in securing high-speed networks and systems against sophisticated cryptanalytic attacks, without compromising on efficiency or security.

Moreover, the paper’s exploration into the operational framework, including the meticulous integration and computation of *offset*s in both encryption and decryption processes, underscores the thoughtful approach taken to improve *GCM*. The security proofs and theoretical discussions further solidify the enhanced *GCM*’s stance as a robust, secure, and efficient mode of operation that can significantly contribute to the field of cryptography.

Future research could potentially explore the practical implications of this enhancement in real-world applications, examining its performance and security in diverse scenarios. Additionally, the adaptability of the *offset* mechanism in other cryptographic modes and its potential to enhance the security of existing protocols could offer exciting avenues for further exploration. Overall, this paper not only contributes to the cryptographic community by presenting a more secure and efficient version of *GCM* but also sets the stage for future advancements in the field of authenticated encryption.


This work is licensed under a Creative Commons Attribution 4.0 International License.
