OCB: Documentation

The following papers of mine, listed in reverse-chronological order, describe OCB and the theory behind it.


Ted Krovetz and Phillip Rogaway. [RFC7253]
The OCB Authenticated-Encryption Algorithm.
RFC 7253, Internet Engineering Task Force (IETF), May 2014.
Definitive OCB specification.
Ted Krovetz and Phillip Rogaway. [KR11]
The Software Performance of Authenticated-Encryption Modes.
Fast Software Encryption 2011 (FSE 2011).
Lecture Notes in Computer Science, Springer, 2011.
Defines the final version of OCB, denoted OCB3, and compares the performance of CCM, GCM, and (all versions of) OCB.
Phillip Rogaway. [R04]
Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC.
Advances in Cryptology — ASIACRYPT 2004.
Lecture Notes in Computer Science, vol. 3329, Springer, pp. 16-31, 2004.
Uses the idea of tweakable blockciphers (due to [Liskov, Rivest, Wagner]) to simplify the original design of OCB. The version of OCB in this document we now denote OCB2.
Phillip Rogaway. [R02]
Authenticated-Encryption with Associated-Data.
ACM Conference on Computer and Communications Security 2002 (CCS ’02 ), ACM Press, pp. 98-107, September 2002.
Treats the problem of handling a “header”—associated data—that should be authenticated but not encrypted.

John Black and Phillip Rogaway. [BR02]
A Block-Cipher Mode of Operation for Parallelizable Message Authentication.
Advances in Cryptology — EUROCRYPT '02.
Lecture Notes in Computer Science, vol. 2332, pp. 384-397, Springer, 2002.
Describes a parallelizable message authentication code, PMAC, whose design shaped the treatment of associated data in OCB.
Phillip Rogaway, Mihir Bellare, John Black, and Ted Krovetz. [RBBK01]
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption.
ACM Conference on Computer and Communications Security (CCS ’01), ACM Press, pp. 196-205, 2001.
Journal version: ACM Transactions on Information and System Security (TISSEC), vol. 6, no. 3, pp. 365-403, August 2003.
Specifies the original version of the OCB algorithm, now denoted OCB1, before the addition of associated data.

Back to the OCB home page