
I laughed when I read that GCM is hard for library authors. I remember trying to implement GCM but failing, so I decided to transcribe a "simple implementation" but failed at that also.

Then I decided to try OCB mode and it worked on the first try.

By the way, isn't OCB unpatented as of recently?



I hadn't heard about OCB being unpatented, but then Wikipedia pointed me to this email to the IETF cryptography forum: https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3...

So... yes... it looks like OCB is no longer encumbered.

I am curious why GCM was hard. Hard to do without side-channel leaks I can understand, but 800-38D seemed straightforward.


A GCM software implementation can be simple, fast, or secure against side-channel attacks: you can only pick two.

OCB (RFC7253) is indeed much simpler and it really deserves more popularity.


I think it would have been far more popular if Rogaway hadn't kept it patented well beyond the point where it was clear patented crypto had no future. It's a pretty neat solution to the problem and the continued insistence on restricting its usage with a patent is one of the more baffling things I've seen in the crypto world.


I have no mathematical background at all (I am an orchestra musician), and I did get it to mostly work. It was just that it didn't work for some inputs, and I could never figure out why despite having access to a proper debugger and a good REPL (in Scheme).

OCB was a breeze in comparison.

Caveat: I never understood the birthday attack from Ferguson on OCB and why it doesn't work on GCM, so I am really not the right person to make any recommendations.



