### 1. Introduction

### 2. Related Work

### 2.1 CBC Mode of Operation

*m*bytes based on the block size of the encryption algorithm. For example, if the DES or AES128 algorithm is used,

*m*will be 8 or 16, respectively. Then, the data blocks are chained together. Here, the ciphertext has a fixed size to eliminate the risk of including the message size in the message itself, which can be useful to an attacker. Therefore, the final data block must be padded if the size of the last block is less than the block size. The CBC mode uses an IV to provide chain dependency between ciphertext blocks (i.e., block

*n*depends on block

*n–*1, which in turn depends on block

*n–*2, and so on, until the first block that is dependent on the IV is reached. Since the CBC mode uses the IV with all messages, it will produce the same ciphertext for the same message encrypted with the same encryption key and IV. This shortcoming is addressed in the design of the CC mode by changing the IV for each message. As a result, the produced ciphertext will be different each time, even if the same message is encrypted again. This improves the security of the CC over the CBC. Another drawback of the CBC mode is error propagation. This error propagation range in CBC is one block. This means that one bit error in a ciphertext block affects the corresponding plaintext block, as well as the following block.

### 2.2. CTR Mode of Operation

### 2.3 CCM Mode of Operation

▪ CCM is only defined for use with 128-bit block ciphers, such as AES.

▪ CCM is not suited to high-speed implementations because CBC-MAC is neither pipelinable nor parallelizable.

▪ Typically, CCM is double the computational cost of the one-pass AES.

▪ CCM is not an online scheme (i.e., it needs to know the lengths of both the plaintext and the associated data before one can proceed with encryption). Hence, CCM does not allow for the preprocessing of static associated data.

▪ CCM uses a nonce, which means that its length is restricted in such a way that it may not provide adequate security when a nonce is randomly chosen.

▪ Finally, CCM implementations could suffer performance hits because the associated algorithm can disrupt word alignment in the associated data.

### 3. Proposed Counter Chain Mode of Operation

*M*is divided into a sequence of

*l*blocks:

*M*=

*M*

_{1}*M*

_{2}*…M*

*such that the length of each block*

_{l}*M*

*is equal to the block size of the block cipher encryption algorithm that will be used for encryption, where*

_{i}*i*= 1, 2, …,

*l*and

*M*

*is padded if required. For example, the length of*

_{l}*M*

*denoted by |*

_{i}*M*

*| is 64 or 128 when using DES or AES encryption algorithms [14], respectively. To provide parallelism in the CC mode, the*

_{i}*l*plaintext blocks are grouped into a sequence of

*t*processes:

*p*=

*p*

_{1}*p*

_{2}*…p*

*such that process*

_{t}*p*

*has*

_{j}*n*plaintext blocks

*,*where1 ≤

*j*≤

*t–*1; while the last process

*p*

*has*

_{t}*n*

*plaintext blocks such that 1 <*

_{t}*n*

*≤*

_{t}*n.*The values of

*n*and

*n*

*are computed according to Eqs. (1) and (2), respectively.*

_{t}*M*

*and*

_{i}*C*

*are the plaintext block number*

_{i}*i*and its corresponding ciphertext block, respectively, and

*i*= 1, 2, 3, …,

*l*. The equation shows that the ciphertext block of the first block in each process

*p*

*is the encryption of the XOR of the first plaintext block in process*

_{j}*p*

*and the initialization vector*

_{j}*IV*

*, such that*

_{j}*j*is equal to ceiling of

*i*divided by

*n*(i.e.,

*j*= ⌈

*i*/

*n*⌉). The first plaintext block in each process is recognized when the modals value of (

*i*mod

*n*) is equal to one. The ciphertext block

*C*

*of any other plaintext blocks is the encryption of the XOR of the corresponding plaintext block*

_{i}*M*

*and the preceding ciphertext block*

_{i}*C*

_{i}_{−1}(e.g.,

*C*

*=*

_{i}*E*

*(*

_{k}*C*

_{i}_{−1}⊕

*M*

*), where*

_{i}*i*does not refer to the first plaintext block in any process. Also, the value of

*IV*

*is computed according to Eq. (4). The counter is encrypted to overcome different attacks such as differential analysis attack [15,16] that might be introduced from using a counter.*

_{j}*IV*

*by encrypting the value that resulted from adding a secret counter*

_{j}*CT*and the value of

*j*, where

*j*= 1, 2, 3, …,

*t*and 1 ≤

*t*≤ 16. The counter

*CT*has the same length as the block size and it is constructed from the concatenation of two parts. The left or most significant part represents the number of processes that is going to be used. It has four bits to represent up to 16 processes. Our experiments show that dividing a plaintext into a maximum of sixteen processes is a good choice. For example, the code of one process is 0000, the code of two processes is 0001, and so on until the code of 16 processes is 1111. The right or least significant part is a positive random number that has a length equal to the block size minus four bits. When adding a value to the

*CT*, the value will be added to the right part, which is the random value.

*CT*is encrypted and its corresponding ciphertext

*C*

_{0}is concatenated with the other ciphertext, as depicted in Fig. 1(a). As noted in Eq. (3), the input for the encryption algorithm for each plaintext block has no fixed relationship to the plaintext block. Accordingly, the ciphertext blocks of the repeated plaintext blocks are different.

*p*

*is chosen as an example. Since*

_{2}*p*

*is the second process and each process has*

_{2}*n*plaintext blocks, it is assigned the plaintext blocks from

*M*

_{n}_{+1}to

*M*

*. So, the corresponding ciphertext blocks are*

_{2n}*C*

_{n}_{+1}to

*C*

*. In this case, the*

_{2n}*M*

_{n}_{+1}is the first plaintext block in the process

*p*

*because the value of ((*

_{2}*n*+1) mod

*n*) is one. Therefore,

*C*

_{n}_{+1}is equal to

*E*

*(*

_{k}*IV*

_{(}

_{n}_{+1)/}

*⊕*

_{n}*M*

_{n}_{+1}). Since the value of (

*n*+1)/

*n*is greater than 1 and less than 2, its ceiling will be 2 (i.e.,

*C*

_{n}_{+1}=

*E*

*(*

_{k}*IV*

_{2}⊕

*M*

_{n}_{+1})). On the other hand, each ciphertext block

*C*

_{n}_{+}

*corresponding to the plaintext block*

_{i}*M*

_{n}_{+}

*such that 2 ≤*

_{i}*i*≤

*n*is equal to the encryption of XORing

*C*

_{n}_{+}

_{i}_{−1}and

*M*

_{n}_{+}

*(i.e.,*

_{i}*C*

_{n}_{+}

*=*

_{i}*E*

*(*

_{k}*C*

_{n}_{+}

_{i}_{−1}⊕

*M*

_{n}_{+i}), since the value of (

*n*+

*i*) mod

*n*≠ 1).

*C*

_{0}to recover the counter

*CT*and the number of processes

*t*used during the encryption operation. Then, in the same way, the ciphertext blocks from

*C*

_{1}to

*C*

*are divided into the same sequences of*

_{l}*t*processes; each has

*n*ciphertext blocks, except the last process has

*n*

*ciphertext blocks.*

_{t}*C*

*refers to the first block in any process (i.e., when*

_{i}*i*mod

*n*= 1), recovering the plaintext block

*M*

*is obtained by XORing*

_{i}*IV*

_{⌈(}

_{i}_{)/}

_{n}_{⌉}and the decryption of

*C*

*. Otherwise, the plaintext block*

_{i}*M*

*is recovered by XORing the ciphertext block*

_{i}*C*

_{i}_{−1}and the decryption of

*C*

*. To demonstrate this operation, the process*

_{i}*p*

_{2}is chosen as an example. In this case, the process

*p*

_{2}has the ciphertext blocks from

*C*

_{n}_{+1}to

*C*

*and their corresponding plaintext blocks are*

_{2n}*M*

_{n}_{+1}to

*M*

*. This indicates that*

_{2n}*C*

_{n}_{+1}is the first ciphertext block in the process

*p*

*because the value of (*

_{2}*n*+1) mod

*n*is 1. Therefore,

*M*

_{n}_{+1}is recovered by XORing the decryption of

*C*

_{n}_{+1}and the initial vector

*IV*

_{2}(since the ceiling of (

*n*+1)/

*n*is 2) associated with the process

*p*

_{2}(i.e.,

*M*

_{n}_{+1}=

*D*

*(*

_{k}*C*

_{n}_{+1}) ⊕

*IV*

_{2}). On the other hand, each of the other plaintext blocks (i.e., all blocks

*M*

_{n}_{+}

*where 2 ≤*

_{i}*i*≤

*n*) is recovered by XORing the ciphertext block

*C*

_{n}_{+}

_{i}_{−1}and the decryption of

*C*

_{n}_{+}

_{i}*.*In other words,

*M*

_{n}_{+}

*is recovered as*

_{i}*M*

_{n}_{+}

*=*

_{i}*C*

_{n}_{+}

_{i}_{−1}⊕

*D*

*(*

_{k}*C*

_{n}_{+}

*). This is because that the value of (*

_{i}*n*+

*i*) mod

*n*is not equal to 1.

*i*= 1, 2, 3,…,

*l*and

*n*is the number of blocks in each process

*p*

*such that*

_{j}*j*= 1, 2,…,

*t–*1. Also,

*D*

*refers to the decryption operation using the block cipher algorithm with the key*

_{k}*k*.

*CC*

_{1}by encrypting the XORing of

*C*

*and the counter*

_{n}*CT*. The

*CC*

_{2}is obtained from the encryption of XORing

*C*

_{2}

*and*

_{n}*CC*

_{1}. This operation is continued until the

*CC*

_{t}_{−1}is obtained, and it is clearly defined in Eq. (6).

*CC*

_{t}_{−1}and the last ciphertext block

*C*

*, as described by Eq. (7).*

_{l}*t*is the number of processes used in the encryption and

*CC*

_{t}_{−}

*is the encryption of the XOR of the ciphertext block*

_{1}*C*

_{(t}_{−}

*and*

_{1)n}*CC*

_{t}_{−}

*, as shown in Fig. 2. This shows that before finding the MAC,*

_{2}*CC*

_{t}_{−}

*needs to be obtained, which in turn needs*

_{1}*CC*

_{t}_{−}

*and so on until finding*

_{2}*CC*

*. Therefore, Eq. (6) is formulated to obtain*

_{1}*CC*

*as a function of the*

_{i}*C*

*and*

_{i*n}*CC*

_{i}_{−}

*. The generated MAC is attached to the ciphertext obtained during the encryption operation.*

_{1}### 4. Discussion

*.*Since the two phases are executed one after another, the total encryption time is equal to the summation of the time spent by both phases, which is 3,000 ms. By executing the two phases in parallel, this result can be improved to be 2,000 ms since we have two processors and the CCM architecture allows this.