For those who are unfamiliar, the "pitch" of OCB mode is that it's fast everywhere: on servers, desktops, smartphones, and low-power IoT devices with some sort of hardware-accelerated block cipher, whereas currently GCM is popular on higher-power devices like servers/desktops/smartphones whereas the IoT/embedded space frequently uses CCM to be able to offload encryption onto hardware accelerators instead of an MCU (where OCB would double performance by cutting the number of block cipher invocations in half).
This draft to add OCB ciphersuites to TLS expired in 2016:

https://datatracker.ietf.org/doc/html/draft-zauner-tls-aes-ocb

However, in the intervening time, the IPR story around OCB (its former biggest drawback, IMO) has become significantly clearer. OCB's creator Phil Rogaway has disavowed or intentionally allowed all of his patents to lapse. "OCB is Free" declares his licensing page, which notes all of his IP is now in the public domain:

https://www.cs.ucdavis.edu/~rogaway/ocb/license.htm

This Jutla/IBM patent expired in 2022:

https://patents.google.com/patent/US6963976B1/en

Given that, I'm curious if this resolves IPR concerns around OCB, and if it does, if there are other concerns beyond those.

--
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls