OCB refines a scheme, IAPM, suggested by Jutla [IACR-2000/39], who was the first to devise an authenticated-encryption mode with minimal overhead compared to standard modes. Desirable new properties of OCB include: very cheap offset calculations; operating on an arbitrary message $M\in\{0,1\}^*$; producing ciphertexts of minimal length; using a single underlying cryptographic key; making a nearly optimal number of block-cipher calls; avoiding the need for a random IV; and rendering it infeasible for an adversary to find "pretag collisions". The paper provides a full proof of security for OCB.
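The "very cheap offset calculations" refer to the Gray-code offset sequence of the 2001 OCB specification, in which every per-block offset costs one XOR against a per-key table of $2^j\cdot L$ values. The following is an added illustration, not code from the paper: in OCB, $L = E_K(0^n)$ and $R = E_K(N\oplus L)$ are block-cipher outputs, whereas here `L` and `R` are constructed constants so the arithmetic runs without a cipher.

```python
# Added example: OCB (2001) offset sequence in GF(2^128).
# In OCB, L = E_K(0^n) and R = E_K(N xor L); the constants passed in by the
# caller here are constructed stand-ins, so no block cipher is needed.

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1
# Reduction constant for the field polynomial x^128 + x^7 + x^2 + x + 1.
POLY = 0x87

def gf_double(a: int) -> int:
    """Multiply a 128-bit block by x in GF(2^128) (the 'times two' operation)."""
    a <<= 1
    if a >> BLOCK_BITS:          # bit 128 set: reduce modulo the polynomial
        a ^= POLY
    return a & MASK

def ntz(i: int) -> int:
    """Number of trailing zero bits of i (requires i >= 1)."""
    return (i & -i).bit_length() - 1

def precompute_l(L: int, count: int) -> list:
    """Per-key table L(j) = 2^j * L for j = 0..count-1 (computed once per key)."""
    table = [L]
    for _ in range(count - 1):
        table.append(gf_double(table[-1]))
    return table

def offsets_incremental(L: int, R: int, m: int) -> list:
    """Z[1..m] by the Gray-code walk: Z[1] = L ^ R, Z[i] = Z[i-1] ^ L(ntz(i)).
    One XOR per block, which is what makes OCB's offsets cheap."""
    if m < 1:
        return []
    table = precompute_l(L, m.bit_length())   # ntz(i) <= log2(m) for i <= m
    Z = [L ^ R]
    for i in range(2, m + 1):
        Z.append(Z[-1] ^ table[ntz(i)])
    return Z

def offset_direct(L: int, R: int, i: int) -> int:
    """Reference form Z[i] = gamma_i * L ^ R, with gamma_i = i ^ (i >> 1) the i-th
    Gray code; gamma_i * L is the XOR of the 2^j * L terms selected by gamma_i's bits."""
    gamma = i ^ (i >> 1)
    table = precompute_l(L, gamma.bit_length())
    acc = R
    for j, Lj in enumerate(table):
        if (gamma >> j) & 1:
            acc ^= Lj
    return acc
```

Because the Gray codes $\gamma_1,\gamma_2,\dots$ are distinct and $L\neq 0$, the offsets $\gamma_i\cdot L\oplus R$ are pairwise distinct within one message, which is the property the scheme relies on.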
Category / Keywords: secret-key cryptography / AES, secret-key cryptography, modes of operation
Publication Info: unpublished NIST submission
Date: received 1 Apr 2001, last revised 18 Apr 2001
Contact author: rogaway at cs ucdavis edu
Version: 20010515:150502
Short URL: ia.cr/2001/026