International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

OCB Mode

Authors:
Phillip Rogaway
Mihir Bellare
John Black
Ted Krovetz
Download:
URL: http://eprint.iacr.org/2001/026
Search ePrint
Search Google
Abstract: This paper was prepared for NIST, which is considering new block-cipher modes of operation. It describes a parallelizable mode of operation that simultaneously provides both privacy and authenticity. "OCB mode" encrypts-and-authenticates an arbitrary message $M\in\bits^*$ using only $\lceil |M|/n\rceil + 2$ block-cipher invocations, where $n$ is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [IACR-2000/39], who was the first to devise an authenticated-encryption mode with minimal overhead compared to standard modes. Desirable new properties of OCB include: very cheap offset calculations; operating on an arbitrary message $M\in\bits^*$; producing ciphertexts of minimal length; using a single underlying cryptographic key; making a nearly optimal number of block-cipher calls; avoiding the need for a random IV; and rendering it infeasible for an adversary to find "pretag collisions". The paper provides a full proof of security for OCB.
BibTeX
@misc{eprint-2001-11438,
  title={OCB Mode},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / AES, secret-key cryptography, modes of operation},
  url={http://eprint.iacr.org/2001/026},
  note={unpublished NIST submission rogaway@cs.ucdavis.edu 11430 received 1 Apr 2001, last revised 18 Apr 2001},
  author={Phillip Rogaway and Mihir Bellare and John Black and Ted Krovetz},
  year=2001
}