Abstract

We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M # {0, 1} # using #|M |/n# + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap o#set calculations; cheap session setup, a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively. Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards . # Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA; and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand. e-mail: rogaway@cs.ucdavis.edu web: www.cs.ucdavis.edu/~rogaway + Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA. e-mail: mihir@cs.ucsd.edu web: www-cse.ucsd.edu/users/mihir # Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA. e-mail: jrb@cs.unr.edu web: www.cs.unr.edu/~jrb Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA. e-mail: tdk@acm.org 1

Citations