Offset codebook mode (OCB mode) is an authenticated encryption mode of operation for cryptographic block ciphers. OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the integrity-aware parallelizable mode (IAPM) of authenticated encryption by Charanjit S. Jutla. The OCB2 version was proven insecure, while the original OCB1 as well as OCB3 from 2011 are still considered secure.


Encryption and authentication

OCB mode was designed to provide both message authentication and privacy. It is essentially a scheme for integrating a message authentication code (MAC) into the operation of a block cipher. In this way, OCB mode avoids the need to use two systems: a MAC for authentication and encryption for privacy. This results in lower computational cost compared to using separate encryption and authentication functions.

There are three versions of OCB: OCB1, OCB2 and OCB3. OCB1 was published in 2001. OCB2 improves on OCB1 by allowing associated data to be included with the message, providing authenticated encryption with associated data (AEAD; that is, data that are not encrypted but should be authenticated), and by introducing a new method for generating the sequence of offsets. OCB2 was first published in 2003, originally named authenticated-encryption mode or advanced encryption mode (AEM), and was shown to be completely insecure in 2019. OCB3, published in 2011, again changes the way offsets are computed and introduces minor performance improvements.

OCB mode is listed as an optional method in the IEEE 802.11 wireless security standard as an alternative to counter with CBC-MAC mode (CCM). OCB2 is standardized in ISO/IEC 19772:2009 and a modified OCB3 in RFC 7253. The RFC encodes the tag length into the internally formatted nonce.


Performance

OCB performance overhead is minimal compared to classical, non-authenticating modes like cipher block chaining (CBC). OCB requires one block cipher operation per block of encrypted and authenticated message and one block cipher operation per block of associated data, plus one extra block cipher operation at the end of the process. For comparison, CCM mode, which offers similar functionality, requires twice as many block cipher operations per message block (associated data requires one, as in OCB).


Patents

Two U.S. patents have been issued for OCB mode. However, a special exemption is granted allowing OCB mode to be used in software licensed under the GNU General Public License (GPL) without cost, as well as for any non-commercial, non-governmental application. This constraint has hindered approval by the National Institute of Standards and Technology (NIST). Since the authors have only applied for patent protection in the U.S., the algorithm is free to use in software not developed and not sold inside the U.S. By January 2013, the author had granted a free license for any open source license certified by the Open Source Initiative (OSI). The U.S. patents were intentionally abandoned in 2021.


Attacks

Niels Ferguson pointed out collision attacks on OCB, which limit the amount of data that can be securely processed under a single key to about 280 terabytes. In October 2018, Inoue and Minematsu presented an existential forgery attack against OCB2 that requires only a single prior encryption query and almost no computational power or storage. The attack does not extend to OCB1 or OCB3, and it requires that the associated data field of the forged ciphertext be empty. Poettering and Iwata improved the forgery attack to a full plaintext recovery attack just a couple of days later. The four authors later produced a joint report.


See also

* Block cipher mode of operation
* CCM mode
* CWC mode
* EAX mode
* Galois/Counter mode


External links

* OCB homepage
