Questions tagged [ocb]

The Offset CodeBook Mode, an authenticated encryption mode of operation for a block cipher.

The OCB mode is a single pass authenticated encryption mode of operation for a block cipher. It takes a block cipher as a primitive, and provides both privacy and integrity services for arbitrary messages.

See the Wikipedia page for more information.

18 questions
21
votes
4 answers

Why is OCB-AES mode not becoming a standard for authenticated encryption?

The OCB mode of authenticated encryption (used for example with AES) is the fastest way to provide authenticity and confidentiality without having to strive into questions like: Encrypt then MAC, MAC then encrypt, Encrypt and MAC. So why it is not…
curious
19
votes
1 answer

What is the new attack on OCB2 and how does it work?

OCB2 is proposed by Rogaway, Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, and it is standardized in ISO/IEC 19772:2009. The author also provided a proof by security reductions, that is, a break of OCB2…
kelalaka
8
votes
1 answer

Is the risk of a collision for OCB mode mitigated by upping the block size of the cipher?

A paper published by Niels Ferguson Collision attacks on OCB indicates that processing large amounts of data (somewhere on the order of $2^{32}$ 128-bit blocks) with a single encryption operation (same key and nonce) makes it probable that an…
K3rb3ros
7
votes
2 answers

OCB and GCM security

Is OCB as secure as GCM or CCM? Since the OCB design is quite different from GCM and CCM, I was wondering if the security properties of the latter are satisfied by OCB as well.
Dingo13
4
votes
1 answer

Proper uses for CTR and CBC AES block cipher modes

Assuming the following: Key is randomly generated is being used (32 bytes+) IV is also randomly generated Crypto random key generator is used Data being encrypted contains common bytes like { } and " and keys (like JSON) Which of these modes (CTR,…
Luke
4
votes
0 answers

OCB design questions and possible simplification from a security perspective

OCB (Offset Codebook Mode) for block ciphers is a very interesting approach to solving authentication with what appears to be the absolute minimal performance impact possible (for AE under a block cipher requirement). All the OCB versions use Gray…
3
votes
1 answer

OCB - brute force against unknown IV

I read that brute force attacks against a plaintext encrypted in OCB with unknown key and IV has approximately the same complexity as an attack where only the key is unknown. Why is that? Is there a description of this attack? If not, could you…
2
votes
1 answer

In what paper was OCB2 introduced?

I've been working through "Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality" 1 from earlier this year. My knowledge of OCB2 is pretty shallow though, and so I'm keen to study the scheme in depth before I continue. From citations…
2
votes
1 answer

Why is the second XOR operation in OCB mode necessary?

In Rogaway's OCB mode, the offset (derived from the key) is XOR-added twice: Once to the plaintext block, and a second time after the Encryption. I am wondering, why the second XOR operation is necessary. The design is I believe inspired by the…
mat
2
votes
0 answers

AES OCB with Argon2 KDF for keyring file encryption

I've just released a python keyring companion package to encrypt the passwords in a file, available here. Description The project is mainly targeted to provide a sufficiently secure storage for plain text passwords (keyring) in a simple portable…
frispete
2
votes
0 answers

Is OCB the state of the art in authenticated encryption modes of operation for block ciphers?

OCB mode seems to represent the state of the art in authenticated encryption modes, largely due to its speed – it is faster than GCM even when GCM has hardware support. Its only drawbacks seem to be that it requires frequent rekeying (every…
Demi
2
votes
2 answers

OCB nonce usage

I've just come across this piece of code in Bouncy Castle's implementation of OCB Mode: if (N.length > 16 || (N.length == 16 && (N[0] & 0x80) != 0)) { /* * NOTE: We don't just ignore bit 128 because it would hide from the…
hunter
2
votes
1 answer

Can you make an OCB type AEAD using a stream cipher?

This is a hypothetical question. Is it possible to use a stream cipher instead of a block cipher for an OCB type single pass AEAD? The xor of the plaintext blocks for the authentication tag can't work because a change in the ciphertext doesn't…
Nigel
1
vote
1 answer

How do I safely encrypt a file for transport and storage?

So I need to encrypt a file server-side for transport from server to client and storage on client-side. I'm quite confused as to what I have to watch out for, as it seems like it's insanely easy to screw up really bad. The files I need to…
thebear8
1
vote
2 answers

Semantic security of the OCB mode

As defined in the specification of OCB, the tag depends only on the checksum (that is just the binary sum of plain blocks), so if we construct two messages that have the same sum (this is very easy to do), we can get two different ciphertexts that…