Schemes for authenticated encryption (AE) symmetrically encrypt a message in a way that ensures both its confidentiality and authenticity. OCB is a well-known algorithm for achieving this aim. It is a blockcipher mode of operation, the blockcipher usually being AES. The first version, now called OCB1 (2001), was motivated by Charanjit Jutla's IAPM. A second version, now called OCB2 (2004), added support for associated data (AD) and redeveloped the mode using the idea of a tweakable blockcipher. OCB2 was recently found to have a disastrous bug. The final version of OCB, called OCB3 (2011), corrected some missteps taken with OCB2 and achieved the best performance yet. It is specified in RFC 7253 and was selected for the CAESAR final portfolio.

This paper is about OCB3: its definition, development, security, and software performance. We update the proceedings paper on OCB3, freshening all of the experimental results, expanding the proof, and placing the entire enterprise in context. When we speak of OCB in this paper, we will henceforth mean OCB3. OCB encryption protects both the confidentiality and authenticity of a plaintext M and, additionally, the authenticity of an associated data A and nonce N. The nonce, a string of 120 or fewer bits, must be unique to each encryption call. OCB does its work using a 128-bit blockcipher E. Encryption needs at most \(m+a+2\) blockcipher calls, where \(m = \lceil |M|/128\rceil\) is the block length of the plaintext (the number of 128-bit blocks it occupies) and \(a = \lceil |A|/128\rceil\) is the block length of the AD. If the nonce is implemented as a counter and the implementation caches a secret 16-byte value with each message encrypted, then \(63/64\approx 98\%\) of the time the number of blockcipher calls can be reduced to \(m+a+1\). If the AD is fixed during a session, then after processing it the first time, there is effectively no computational cost for subsequent authentications of it, and the addend a in these counts can be dropped. OCB requires a single key K for the underlying blockcipher, and all blockcipher calls are keyed with it. OCB is online in the sense that one need not know the length of A or M to proceed with encryption, nor need one know the length of A or the ciphertext C to proceed with decryption. OCB is fully parallelizable: almost all of its blockcipher calls can be performed simultaneously. Computational work beyond blockcipher calls is restricted to a small number of logical operations per call. OCB enjoys provable security: the mode is a secure AE scheme, under the standard definition, assuming that the underlying blockcipher E is secure as a strong pseudorandom permutation (PRP). As with many modes of operation, security degrades quadratically in the number of blocks processed.
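As an added example (not code from the paper or from any OCB reference implementation), the following Python implements OCB3 encryption as laid out in RFC 7253 with the blockcipher supplied as a callable and every per-message blockcipher invocation counted, so that the \(m+a+2\) bound, the 63/64 Ktop-cache case for counter nonces, and the fixed-AD case from the abstract can be checked directly on sample inputs. It assumes a 96-bit nonce and a 128-bit tag, and `toy_cipher` is a constructed stand-in for a keyed AES call (a keyed hash, not a secure PRP, used only so the example runs offline); a real deployment would pass a single-block AES-128 encryption function instead.

```python
import hashlib
xor = lambda x, y: bytes(p ^ q for p, q in zip(x, y))
ntz = lambda i: (i & -i).bit_length() - 1                  # trailing zero bits of i >= 1
pad10 = lambda blk: blk + b"\x80" + bytes(15 - len(blk))   # X || 1 || 0* up to 16 bytes
blocks = lambda X: [(i // 16 + 1, X[i:i + 16], len(X) - i >= 16) for i in range(0, len(X), 16)]
toy_cipher = lambda b: hashlib.blake2b(b, key=b"demo-key", digest_size=16).digest()  # stand-in, NOT a PRP

def double(b):                       # multiply by x in GF(2^128) (RFC 7253 "double")
    v = int.from_bytes(b, "big") << 1
    return ((v & ((1 << 128) - 1)) ^ (0x87 if v >> 128 else 0)).to_bytes(16, "big")

class OCB3:                          # RFC 7253 encryption with a 96-bit nonce and a 128-bit tag
    def __init__(self, cipher):
        self.cipher, self.calls, self.ktop_cache, self.hash_cache = cipher, 0, {}, {}
        self.L_star = cipher(bytes(16))           # one-time key setup, not a per-message call
        self.L_dollar, self.L = double(self.L_star), [double(double(self.L_star))]
        for _ in range(63): self.L.append(double(self.L[-1]))   # L_0 .. L_63

    def E(self, x):                               # every per-message blockcipher call goes here
        self.calls += 1
        return self.cipher(x)

    def hash_ad(self, A):                         # Hash(A): a calls, then cached per AD value
        if A not in self.hash_cache:
            s = off = bytes(16)
            for i, blk, full in blocks(A):
                off = xor(off, self.L[ntz(i)] if full else self.L_star)
                s = xor(s, self.E(xor(blk if full else pad10(blk), off)))
            self.hash_cache[A] = s
        return self.hash_cache[A]

    def offset0(self, nonce):                     # Offset_0 from Ktop = E(Nonce with low 6 bits cleared)
        n = bytes(3) + b"\x01" + nonce            # Nonce = [128 mod 128]_7 || 0^24 || 1 || N
        top, bottom = n[:15] + bytes([n[15] & 0xC0]), n[15] & 0x3F
        if top not in self.ktop_cache:            # a counter nonce hits the cache 63 times in 64
            ktop = self.E(top)
            self.ktop_cache[top] = int.from_bytes(ktop + xor(ktop[:8], ktop[1:9]), "big")
        return ((self.ktop_cache[top] >> (64 - bottom)) & ((1 << 128) - 1)).to_bytes(16, "big")

    def encrypt(self, nonce, A, P):               # returns C || Tag
        off, checksum, C = self.offset0(nonce), bytes(16), bytearray()
        for i, blk, full in blocks(P):
            off = xor(off, self.L[ntz(i)] if full else self.L_star)
            if full:
                C += xor(off, self.E(xor(blk, off)))
            else:                                 # final partial block: Pad = E(Offset_*)
                C += xor(blk, self.E(off)[:len(blk)])
            checksum = xor(checksum, blk if full else pad10(blk))
        tag = xor(self.E(xor(xor(checksum, off), self.L_dollar)), self.hash_ad(A))
        return bytes(C) + tag
```

The `calls` counter excludes the one-time key-setup call that derives L_*, so the difference in `calls` across one `encrypt` call is the per-message cost: m + a + 2 on a fresh nonce prefix and fresh AD, m + a + 1 once Ktop is cached, and m + 1 when the AD is cached as well.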