Paper 2001/026

OCB Mode

Phillip Rogaway, Mihir Bellare, John Black, and Ted Krovetz

Abstract

This paper was prepared for NIST, which is considering new block-cipher modes of operation. It describes a parallelizable mode of operation that simultaneously provides both privacy and authenticity. "OCB mode" encrypts-and-authenticates an arbitrary message $M\in\{0,1\}^*$ using only $\lceil |M|/n\rceil + 2$ block-cipher invocations, where $n$ is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [IACR-2000/39], who was the first to devise an authenticated-encryption mode with minimal overhead compared to standard modes. Desirable new properties of OCB include: very cheap offset calculations; operating on an arbitrary message $M\in\{0,1\}^*$; producing ciphertexts of minimal length; using a single underlying cryptographic key; making a nearly optimal number of block-cipher calls; avoiding the need for a random IV; and rendering it infeasible for an adversary to find "pretag collisions". The paper provides a full proof of security for OCB.

Metadata
Available format(s)
PDF PS
Category
Secret-key cryptography
Publication info
Published elsewhere: unpublished NIST submission
Keywords
AES, secret-key cryptography, modes of operation
Contact author(s)
rogaway @ cs ucdavis edu
History
2001-04-18: revised
2001-04-03: received
Short URL
https://ia.cr/2001/026
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2001/026,
      author = {Phillip Rogaway and Mihir Bellare and John Black and Ted Krovetz},
      title = {OCB Mode},
      howpublished = {Cryptology ePrint Archive, Paper 2001/026},
      year = {2001},
      note = {\url{https://eprint.iacr.org/2001/026}},
      url = {https://eprint.iacr.org/2001/026}
}