OCB mode


OCB mode is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the authenticated encryption mode IAPM due to Charanjit S. Jutla. Its version OCB2 has proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.

Encryption and authentication

OCB mode was designed to provide both message authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code into the operation of a block cipher. In this way, OCB mode avoids the need to use two systems: a MAC for authentication and encryption for privacy. This results in lower computational cost compared to using separate encryption and authentication functions.
There are three versions of OCB: OCB1, OCB2 and OCB3. OCB1 was published in 2001. OCB2 improves on OCB1 by allowing associated data to be included with the message — that is, data that are not encrypted but should be authenticated — and a new method for generating a sequence of offsets. OCB2 was first published in 2003, originally named AEM and was shown to be completely insecure in 2019. OCB3, published in 2011, changes again the way offsets are computed and introduces minor performance improvements.
OCB mode is listed as an optional method in the IEEE 802.11 wireless security standard as an alternative to CCM. OCB2 is standardized in ISO/IEC 19772:2009 and a modified OCB3 in RFC 7253. The RFC encodes the tag length into the internally formatted nonce.

Performance

OCB performance overhead is minimal compared to classical, non-authenticating modes like CBC. OCB requires one block cipher operation per block of encrypted and authenticated message, and one block cipher operation per block of associated data. There is also one extra block cipher operation required at the end of process.
For comparison, CCM mode offering similar functionality requires twice as many block cipher operations per message block.

Patents

Two U.S. patents have been issued for OCB mode. However, a special exemption is granted allowing OCB mode to be used in software licensed under the GNU General Public License without cost, as well as for any non-commercial, non-governmental application. This constraint has hindered approval by the US Federal Govt.
Since the authors have only applied for patent protection in the U.S., the algorithm is free to use in software not developed and not sold inside the U.S.
By January 2013, the author has granted a free license for any open source license certified by the Open Source Initiative.

Attacks

pointed out collision attacks on OCB, which limits the amount of data that can be securely processed under a single key to about 280 terabytes.
In October 2018, Inoue and Minematsu presented an existential forgery attack against OCB2 that requires only a single prior encryption query and almost no computational power or storage. The attack does not extend to OCB1 or OCB3, and it requires that the associated data field of the forged ciphertext be empty. Poettering and Iwata improved the forgery attack to a full plaintext recovery attack just a couple of days later. The four authors later produced a joint report.