The first thing you want to know about this is that OCB3, which supersedes OCB2 and is going on 10 years old now, is not affected by this attack. The IETF RFC for OCB is OCB3.<p>Also, Internet cryptosystems generally don't use OCB at all, despite its elegance and performance, because of IPR issues.<p>The second thing you want to know (and you want to know it waaaaaay less than the first thing) is that this breaks authentication, not confidentiality; you can't use the attack to directly "decrypt" OCB2 messages, just to forge messages derived from a leaked plaintext/ciphertext pair.<p>This is a big deal for crypto people, though; see 'pbsd comment for more.
<p><pre><code>We present practical attacks against OCB2,
an ISO-standard authenticated encryption (AE) scheme.
OCB2 is a highly-efficient blockcipher mode of
operation. It has been extensively studied and widely
believed to be secure thanks to the provable security
proofs.
Our attacks allow the adversary to create forgeries
with (almost-known) single encryption query.
</code></pre>
What I find most fascinating is that OCB2 is a scheme for which there has been a security proof since 2003. I am neither a cryptographer nor up-to-date with the state of the art in cryptanalysis, but at first glance, it seems like most attacks discovered these days rely on some kind of side channel or unspecified aspects of the protocol that the implementations get wrong. Even djb (cryp.to) is spooked: <a href="https://twitter.com/hashbreaker/status/1057791485016526848" rel="nofollow">https://twitter.com/hashbreaker/status/1057791485016526848</a>
So it turns out that the attack "was possible due to the discrepancy between the proof of OCB2 and the actual construction" (according to the paper). That's a scary thought.<p>I wanted to learn a little bit more about progress towards verified implementations (i.e. deriving the implementation automatically from its proof) and found a nice summary here:<p><a href="https://crypto.stackexchange.com/questions/34304/formal-verification-in-cryptography/34326#34326" rel="nofollow">https://crypto.stackexchange.com/questions/34304/formal-veri...</a>
OCB2 is not a block cipher; it is an authenticated encryption scheme built on top of one.<p>The scary thing here is not so much the error in the proof, which does not have many repercussions beyond OCB2, but that it went 14 years without being discovered. This despite the OCB2 paper, which introduced XEX, being highly influential. Every time something like this happens, confidence in the security of all "provably secure" schemes is undermined.