OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption


Authors: Phillip Rogaway, Mihir Bellare, and John Black

Reference: ACM Transactions on Information and System Security (TISSEC), vol. 6, no. 3, pp. 365-403, August 2003.
An earlier version of this paper, joint with Ted Krovetz, appears in Eighth ACM Conference on Computer and Communications Security (CCS-8), ACM Press, 2001.

Abstract: We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M\in{0,1}^* using \lceil |M|/n\rceil + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length, cheap offset calculations, cheap key setup, a single underlying cryptographic key, no extended-precision addition, a nearly optimal number of block-cipher calls, and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.

Note: As a later version of this mode has come to be, I now refer to the mechanism of this paper as “OCB1”.

Available as: PDF or PostScript

Further information: Visit the OCB homepage.


Rogaway's home page.