OCB mode

OCB mode is based on the integrity-aware parallelizable mode (IAPM) of authenticated encryption by Charanjit S. Jutla.

It is essentially a scheme for integrating a message authentication code (MAC) into the operation of a block cipher.

This results in lower computational cost compared to using separate encryption and authentication functions.

OCB performance overhead is minimal compared to classical, non-authenticating modes like cipher block chaining.

Since Rogaway only applied for patent protection in the U.S., the algorithm has always been free to use in software not developed and not sold inside the U.S.[9]

Niels Ferguson pointed out collision attacks on OCB, which limit the amount of data that can be securely processed under a single key to about 280 terabytes.[10][11]

In October 2018, Inoue and Minematsu presented an existential forgery attack against OCB2 that requires only a single prior encryption query and almost no computational power or storage.