**OCB mode** is a

mode of operationIn cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.A block cipher by itself allows encryption only of a single data block of the cipher's block length. When targeting a variable-length message, the data must first be...

for cryptographic

block cipherIn cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...

s.

## Encryption and authentication

It was designed to provide both

authenticationAuthentication is the act of confirming the truth of an attribute of a datum or entity...

and

privacyPrivacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...

. It is essentially a scheme for integrating a

Message Authentication CodeIn cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...

(MAC) into the operation of a

block cipherIn cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...

. In this way, OCB mode avoids the need to use two systems; a MAC for authentication and a

block cipherIn cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...

encryptionIn cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

for privacy. This results in lower computational cost compared to the application of separate encryption and authentication functions.

OCB mode was designed by

Phillip RogawayPhillip Rogaway is a professor of computer science at the University of California, Davis. He graduated with an BA in computer science from UC Berkeley and completed his PhD in cryptography at MIT, in the Theory of Computation group. He has taught at UC Davis since 1994.Dr...

, who credits

Mihir BellareMihir Bellare is a cryptographer and professor at the University of California, San Diego. He has published several seminal papers in the field of cryptography , many coauthored with Phillip Rogaway. Bellare has published a number of papers in the field of Format-Preserving Encryption...

, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the authenticated encryption mode IAPM due to Charanjit S. Jutla (see the OCB FAQ for more details).

There are two versions of OCB: 1.0 and 2.0. OCB 2.0 improves on 1.0 by allowing associated data to be included with the message — that is, data that are not encrypted but should be authenticated — and a new method for generating a sequence of offsets. OCB 2.0 was first published in 2003, originally named AEM (Authenticated-Encryption Mode, or Advanced Encryption Mode).

OCB mode is listed as an optional method in the IEEE 802.11 wireless security standard as an alternative to

CCMCCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...

.

## Performance

OCB performance overhead is minimal comparing to classical, non-authenticating modes like CBC. OCB requires one block cipher encryption per each block of encrypted and authenticated message and one encryption per each block of additional associated data. There are also two extra encryptions required at the end of process.

For comparison,

CCM modeCCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...

offering similar functionality requires twice as many encryptions per each message block (associated data requires one as in OCB).

## Patents

Two

U.S.The United States of America is a federal constitutional republic comprising fifty states and a federal district...

patents have been issued for OCB mode.

http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm#patent:phil However, a special exemption has been granted so that OCB mode can be used in software licensed under the

GNU General Public LicenseThe GNU General Public License is the most widely used free software license, originally written by Richard Stallman for the GNU Project....

without cost, as well as for any non-commercial, non-governmental application. Since the authors have only applied for patent protection in the U.S., the algorithm is free to use in software not developed and not sold inside the U.S.

http://www.cs.ucdavis.edu/~rogaway/ocb/offer.htm.

## See also

- CCM mode
CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits...

- CWC mode
In cryptography, CWC Mode is an AEAD block cipher mode of operation that provides both encryption and built-in message integrity, similar to CCM and OCB modes. Designed by Tadayoshi Kohno, John Viega and Doug Whiting, NIST is CWC mode for standardization...

- EAX mode
EAX mode is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for...

- GCM mode
- PCFB mode
- XCBC mode

## External links