Encryption and authentication
OCB mode was designed to provide both authentication and privacy. It is essentially a scheme for integrating a Message Authentication Code (MAC) into the operation of a block cipher. In this way, OCB mode avoids the need to use two systems: a MAC for authentication and encryption for privacy. This results in lower computational cost compared to using separate encryption and authentication functions.
OCB mode was designed by Phillip Rogaway, who credits Mihir Bellare, John Black, and Ted Krovetz with assistance and comments on the designs. It is based on the authenticated encryption mode IAPM due to Charanjit S. Jutla (see the OCB FAQ for more details).
There are three versions of OCB: OCB1, OCB2 and OCB3. OCB1 was published in 2001. OCB2 improves on OCB1 by allowing associated data to be included with the message — that is, data that are not encrypted but should be authenticated — and a new method for generating a sequence of offsets. OCB2 was first published in 2003, originally named AEM (Authenticated-Encryption Mode, or Advanced Encryption Mode). OCB3, published in 2011, changes again the way offsets are computed and introduces minor performance improvements.
OCB performance overhead is minimal compared to classical, non-authenticating modes like CBC. OCB requires one block cipher operation per block of encrypted and authenticated message and one block cipher operation per block of associated data. There is also one extra block cipher operation required at the end of process.
For comparison, CCM mode offering similar functionality requires twice as many block cipher operations per message block (associated data requires one, as in OCB).
Two U.S. patents have been issued for OCB mode. However, a special exemption has been granted so that OCB mode can be used in software licensed under the GNU General Public License without cost, as well as for any non-commercial, non-governmental application. Since the authors have only applied for patent protection in the U.S., the algorithm is free to use in software not developed and not sold inside the U.S.
Not much cryptoanalysis has been done on OCB because of the patent situation. Niels Ferguson found collision attacks on OCB, which limits the amount of data that can be securely processed under a single key, in typical cases to not more than 64GB per key 
- Ted Krovetz, Phillip Rogaway (July 23, 2012). "The OCB Authenticated-Encryption Algorithm". Retrieved May 28, 2012.
- Phillip Rogaway. "OCB Mode". Retrieved May 28, 2012.
- "ISO/IEC 19772:2009 Information technology -- Security techniques -- Authenticated encryption". ISO. 2009-02-12. Retrieved May 28, 2012.
- "The OCB Authenticated-Encryption Algorithm". IETF. 2014.
- Phillip Rogaway. "OCB FAQ - Is OCB Patented". Retrieved May 28, 2012.
- Phillip Rogaway (29 March 2005). "OCB: Offer Letter". Retrieved May 28, 2012.
- Phillip Rogaway (9 January 2013). "OCB: free licenses".
- Niels Ferguson (2002-02-11). "Collision attacks on OCB".
- Phillip Rogaway, Mihir Bellare, John Black. OCB: A block-cipher mode of operation for efficient authenticated encryption, ACM Transactions on Information and System Security (TISSEC), Volume 6, Issue 3, pp.365-403. August 2003.
- Charanjit S. Jutla, "Encryption Modes with Almost Free Message Integrity", Proc. Eurocrypt 2001, LNCS 2045, May 2001.