ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
OCB: a block-cipher mode of operation for efficient authenticated encryption
Full text PdfPdf (285 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 8th ACM conference on Computer and Communications Security table of contents
Philadelphia, PA, USA
Session: Cryptosystems table of contents
Pages: 196 - 205  
Year of Publication: 2001
ISBN:1-58113-385-5
Authors
Phillip Rogaway  Univ. of California, Davis, CA & Chiang Mai University, Chiang Mai, Thailand
Mihir Bellare  Univ. of California at San Diego, La Jolla, CA
John Black  Univ. of Nevada, Reno, NV
Ted Krovetz  Digital Fountain, San Francisco, CA
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 8,   Downloads (12 Months): 55,   Citation Count: 14
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/501983.502011
What is a DOI?

ABSTRACT

We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M &egr; {0,1}• using \lceil |M|/n\rceil + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Jee Hea An , Mihir Bellare, Does Encryption with Redundancy Provide Authenticity?, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.512-528, May 06-10, 2001
 
2
K.Aoki and H.Lipmaa.Fast implementations f AES candidates.Third AES Candidate Conference, New York City,USA,Apr 2000,pp.106 -120. www.tml.hut../ ~helger
 
3
Mihir Bellare , Anand Desai , Eron Jokipii , Phillip Rogaway, A Concrete Security Treatment of Symmetric Encryption, Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS '97), p.394, October 19-22, 1997
 
4
Mihir Bellare , Anand Desai , David Pointcheval , Phillip Rogaway, Relations Among Notions of Security for Public-Key Encryption Schemes, Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology, p.26-45, August 23-27, 1998
 
5
Mihir Bellare , Roch Guérin , Phillip Rogaway, XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions, Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology, p.15-28, August 27-31, 1995
 
6
Mihir Bellare , Joe Kilian , Phillip Rogaway, The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences, v.61 n.3, p.362-399, Dec. 2000  [doi>10.1006/jcss.1999.1694]
 
7
Mihir Bellare , Chanathip Namprempre, Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm, Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.531-545, December 03-07, 2000
 
8
Mihir Bellare , Phillip Rogaway, Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography, Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.317-330, December 03-07, 2000
 
9
Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology, p.1-12, August 23-27, 1998
 
10
Danny Dolev , Cynthia Dwork , Moni Naor, Nonmalleable Cryptography, SIAM Journal on Computing, v.30 n.2, p.391-437, 2000  [doi>10.1137/S0097539795291562]
 
11
Virgil D. Gligor , Pompiliu Donescu, Integrity-Aware PCBC Encryption Schemes, Proceedings of the 7th International Workshop on Security Protocols, p.153-171, April 19-21, 1999
 
12
V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Manuscript,Aug 18,2000. Frmerly available from www.eng.umd.edu/ ~gligor.
 
13
V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Contribution t NIST,Oct 27, 2000.csrc.nist.gov/encryption/aes/modes
 
14
V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Contribution t NIST.Mar 30, 2001,rev.Apr 20,2001. csrc.nist.gov/encryption/modes/prop sedmodes
 
15
Virgil D. Gligor , Pompiliu Donescu, Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes, Revised Papers from the 8th International Workshop on Fast Software Encryption, p.92-108, April 02-04, 2001
 
16
S.Goldwasser and S.Micali.Probabilistic encryption.Journal of Computer and System Sciences vol.28,Apr 1984,pp.270 -299.
 
17
S.Halevi.An observation regarding Jutla 's m des of operation.Cryptology ePrint archive,reference number 2001/015,submitted Feb 22,2001,revised Apr 2,2001.eprint.iacr.org
 
18
C.Jutla.Encryption modes with almost free message integrity.Cryptology ePrint archive,rep rt 2000/039, Aug 1,2000.eprint.iacr.org
 
19
C.Jutla.Encryption modes with almost free message integrity.Contribution t NIST.Undated manuscript, appearing Oct 2000 at csrc.nist.gov/encryption/modes/workshop1
 
20
C.Jutla.Encryption modes with almost free message integrity.Contribution t NIST.P sted May 24,2001 at csrc.nist.gov/encryption/modes/proposedmodes
 
21
Charanjit S. Jutla, Encryption Modes with Almost Free Message Integrity, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.529-544, May 06-10, 2001
 
22
Jonathan Katz , Moti Yung, Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation, Proceedings of the 7th International Workshop on Fast Software Encryption, p.284-299, April 10-12, 2000
23
Jonathan Katz , Moti Yung, Complete characterization of security notions for probabilistic private-key encryption, Proceedings of the thirty-second annual ACM symposium on Theory of computing, p.245-254, May 21-23, 2000, Portland, Oregon, United States  [doi>10.1145/335305.335335]
 
24
Hugo Krawczyk, The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?), Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, p.310-331, August 19-23, 2001
 
25
H.Lipmaa.Personal communications,Jul 2001. Further information at www.tcs.hut../ ~helger
 
26
Michael Luby , Charles Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM Journal on Computing, v.17 n.2, p.373-386, April 1988  [doi>10.1137/0217022]
 
27
M.Matyas and S.Matyas.Cryptography: A new dimension in computer data security. John Wiley & Sons,New Y rk,1982.
 
28
RSA Laboratories.PKCS #1:RSA encryption standard,Version 1.5,Nov 1993;and PKCS #1:RSA cryptography speci .cations,Version 2.0,Sep 1998, B.Kaliski and J.Staddon. www.rsasecurity.com/rsalabs/pkcs/pkcs-1
 
29
J.Steiner,C.Neuman,and J.Schiller.Kerberos:an authentication service for open network systems. Proceedings of the Winter 1988 Usenix Conference pp.191 -201,1988.
 
30
Bart Preneel, Cryptographic Primitives for Information Authentication - State of the Art, State of the Art in Applied Cryptography, Course on Computer Security and Industrial Cryptography - Revised Lectures, p.49-104, June 03-06, 1997
 
31
P.Rogaway.OCB m de:Parallelizable authenticated encryption.Contribution t NIST,Oct 16,2000. (Preliminary version of the OCB algorithm.) csrc.nist.gov/encryption/modes/workshop1
 
32
P.Rogaway (submitter)and M.Bellare,J.Black, and T.Krovetz (auxiliary submitters).OCB m de. Contribution t NIST.Cryptology ePrint archive, rep rt 2001/26,Apr 1,2001,revised Apr 18,2001. ePrint.iacr.org and csrc.nist.gov/encryption/modes/proposedmodes.
33
Phillip Rogaway , Mihir Bellare , John Black , Ted Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA  [doi>10.1145/501983.502011]
 
34
US National Institute f Standards.Specification for the Advanced Encryption Standard (AES).Draft Federal Information Processing Standards,Feb 28, 2001.Based n:J.Daemen and V.Rijmen,AES Proposal:Rijndael.Sep 3,1999.www.nist.gov/aes

CITED BY  14
Phillip Rogaway , Mihir Bellare , John Black , Ted Krovetz, OCB: a block-cipher mode of operation for efficient authenticated encryption, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA
Laurent Eschenauer , Virgil D. Gligor, A key-management scheme for distributed sensor networks, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
Hao-hua Chu , Henry Song , Candy Wong , Shoji Kurakake , Masaji Katagiri, Roam, a seamless application framework, Journal of Systems and Software, v.69 n.3, p.209-226, 15 January 2004
Mihir Bellare , Tadayoshi Kohno , Chanathip Namprempre, Authenticated encryption in SSH: provably fixing the SSH binary packet protocol, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
Mihir Bellare , Tadayoshi Kohno , Chanathip Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm, ACM Transactions on Information and System Security (TISSEC), v.7 n.2, p.206-241, May 2004
Hamdy S. Soliman , Mohammed Omari, Application of synchronous dynamic encryption system in mobile wireless domains, Proceedings of the 1st ACM international workshop on Quality of service & security in wireless and mobile networks, October 13-13, 2005, Montreal, Quebec, Canada
Haowen Chan , Virgil D. Gligor , Adrian Perrig , Gautam Muralidharan, On the Distribution and Revocation of Cryptographic Keys in Sensor Networks, IEEE Transactions on Dependable and Secure Computing, v.2 n.3, p.233-247, July 2005
Phillip Rogaway , Mihir Bellare , John Black, OCB: A block-cipher mode of operation for efficient authenticated encryption, ACM Transactions on Information and System Security (TISSEC), v.6 n.3, p.365-403, August 2003
Bart Preneel, A survey of recent developments in cryptographic algorithms for smart cards, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.9, p.2223-2233, June, 2007
Timothy Roscoe , Steven Hand, Palimpsest: soft-capacity storage for planetary-scale services, Proceedings of the 9th conference on Hot Topics in Operating Systems, p.22-22, May 18-21, 2003, Lihue, Hawaii
Zachary N. J. Peterson , Randal Burns , Joe Herring , Adam Stubblefield , Aviel D. Rubin, Secure deletion for a versioning file system, Proceedings of the 4th conference on USENIX Conference on File and Storage Technologies, p.11-11, December 13-16, 2005, San Francisco, CA
John Black , Hector Urtubia, Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption, Proceedings of the 11th USENIX Security Symposium, p.327-338, August 05-09, 2002
Lauri I. W. Pesonen , David M. Eyers , Jean Bacon, Encryption-enforced access control in dynamic multi-domain publish/subscribe networks, Proceedings of the 2007 inaugural international conference on Distributed event-based systems, June 20-22, 2007, Toronto, Ontario, Canada
Dennis K. Nilsson , Tanya Roosta , Ulf Lindqvist , Alfonso Valdes, Key management and secure software updates in wireless process control environments, Proceedings of the first ACM conference on Wireless network security, March 31-April 02, 2008, Alexandria, VA, USA

INDEX TERMS

Primary Classification:
  E. Data
  E.3 DATA ENCRYPTION
      Subjects: Public key cryptosystems

Additional Classification:
  E. Data
  E.4 CODING AND INFORMATION THEORY
      Subjects: Error control codes

  F. Theory of Computation
  F.2 ANALYSIS OF ALGORITHMS AND PROBLEM COMPLEXITY
      F.2.2 Nonnumerical Algorithms and Problems
          Subjects: Computations on discrete structures


General Terms:
Algorithms, Performance, Security


Keywords:
AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards

Collaborative Colleagues:
Phillip Rogaway: colleagues
Mihir Bellare: colleagues
John Black: colleagues
Ted Krovetz: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player