Offset Codebook Mode


Offset Codebook Mode (OCB) is a Block Cipher Mode which provides Authenticated Encryption and is based on IAPM (Integrity Aware Parallelizable Mode).

There are a few versions of OCB:

OCB2 improves on OCB1 by allowing associated data to be included with the message (providing AEAD) and a new method for generating a sequence of offsets. OCB2 was originally named AEM (Authenticated-Encryption Mode, or Advanced Encryption Mode).
OCB3, published in 2011, again changes the way offsets are computed and introduces minor performance improvements.

Offset Codebook Mode is one of the most celebrated schemes in cryptography for its beautiful and innovative architecture, and it is very efficient.

Security Considerations

The 2018 paper "Cryptanalysis of OCB2" by Akiko Inoue and Kazuhiko Minematsu (NEC Corporation, Japan) presented practical forgery attacks against OCB2, a high-profile, ISO-standard Authenticated Encryption scheme. This was possible due to a discrepancy between the proof of OCB2 and the actual construction, in particular about the interpretation of OCB2 as a mode of a TBC (tweakable block cipher) which combines XEX and XE.

While the latest OCB3 has a superior software performance from the previous ones, and is clearly recommended by the designers, we think OCB2 is still quite influential for its simple description and the sophisticated, modular design based on TBC.

The attacks show that, while the approach introduced by Rog04 is invaluable, we could not directly derive a secure AE from it without applying a fix.

They comment that, due to the errors in the proofs, provably-secure schemes can be broken, or schemes still remain secure but the proofs need to be fixed.

Even if we limit our focus to Authenticated Encryption, we have many examples, such as NSA’s Dual CTR Rog04d, DGW01, EAX-prime MLMI13, GCM IOM12, and some of the CAESAR submissions Nan14, BS16, SMAP15 and more. We believe our work to emphasize the quality of security proofs and their active verifications.
