Skip to main content
Article thumbnail
Location of Repository

OCB: a block-cipher mode of operation for efficient authenticated encryption

By Phillip Rogaway, Mihir Bellare and John Black


We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈{0, 1} ∗ using ⌈|M|/n ⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length, cheap offset calculations, cheap key setup, a single underlying cryptographic key, no extended-precision addition, a nearly optimal number of block-cipher calls, and no requirement for a random IV. We prove OCB secure, quantifying the adversary’s ability to violate the mode’s privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively

Topics: Categories and Subject Descriptors, E.3 [Data Encryption, Standards General Terms, Security, Performance, Theory Additional Key Words and Phrases, AES, authenticity, block-cipher usage, cryptography, encryption, integrity, modes of operation, provable security, standards
Year: 2003
OAI identifier: oai:CiteSeerX.psu:
Provided by: CiteSeerX
Download PDF:
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • (external link)
  • (external link)
  • Suggested articles

    To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.