<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([OCB]) is a [Block Cipher Mode] which provides [Authenticated Encryption] and is based on the [IAPM] ([Integrity Aware Parallelizable Mode])


There are a few versions of [OCB]: 
* OCB1 [2001|Year 2001]
* OCB2 [2003|Year 2003]
* OCB3 [2011|Year 2011]
OCB2 improves on OCB1 by allowing associated [data] to be included with the message (providing [AEAD]) and a new method for generating a sequence of offsets. OCB2 was originally named AEM (Authenticated-Encryption Mode, or Advanced Encryption Mode). \\
OCB3, published in 2011, changes again the way offsets are computed and introduces minor performance improvements.


[{$pagename}] is one of the most celebrated schemes in the [cryptography] for its beautiful and innovative architecture and [{$pagename}] is very efficient.


!! [Security Considerations]
[2018|Year 2018] Cryptanalysis of OCB2 Akiko Inoue and Kazuhiko Minematsu NEC Corporation, Japan.

presented a practical forgery [attacks] against OCB2, a high-profile, ISO standard [Authenticated Encryption] scheme. This was possible due to the discrepancy between the proof of [OCB2] and the actual construction, in particular about the interpretation of OCB2 as a mode of [TBC] which combines [XEX] and
[XE]. 

While the latest OCB3 has a superior software performance from the previous ones, and is clearly recommended by the designers, we think OCB2 is still quite influential for its simple description and the sophisticated, modular design based on TBC. 

The [attacks] show that, while the approach introduced by Rog04 is invaluable, we could not directly derive a secure AE from it without applying a fix.

they comment that, due to the errors in the proofs, provably-secure schemes can be broken, or schemes still remain secure but the proofs need to be fixed.

Even if we limit our focus to [Authenticated Encryption], we have many [examples], such as NSA’s Dual CTR [Rog04d], [DGW01], [EAX]-prime [MLMI13], [GCM] [IOM12], and some of the [Caesar Cipher] submissions [Nan14], [BS16], [SMAP15] and more. We believe our work to emphasize the quality of security proofs and their active verifications.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Cryptanalysis of OCB2|https://eprint.iacr.org/2018/1040.pdf|target='_blank'] - based on information obtained 2018-11-01- 























































































































































































</pre>