EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 [eme].
EME uses multiple invocations of a block cipher to construct a new cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
Quoting from the original [eme] paper:
We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC . EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of modern cryptography.
Figure 2 from the [eme] paper shows an overview of the transformation:
Is it patentend?
EME-32 is EME with the cipher set to AES and the length set to 512. That is, EME-32 [eme-32-pdf] is a subset of EME.
EME2, also known as EME* [emestar], is an extended version of EME
that has built-in handling for data that is not a multiple of 16 bytes
EME2 has been selected for standardization in IEEE P1619.2 [p1619.2].
A Parallelizable Enciphering Mode
Shai Halevi, Phillip Rogaway, 28 Jul 2003
Note: This is the original EME paper. EME is specified for an arbitrary number of block-cipher blocks. EME-32 is a concrete implementation of EME with a fixed length of 32 AES blocks.
Re: EME-32-AES with editorial comments
Shai Halevi, 07 Jun 2005
Draft Standard for Tweakable Wide-block Encryption
Shai Halevi, 02 June 2005
Note: This is the latest version of the EME-32 draft that I could find. It includes test vectors and C source code.
Re: Test vectors for LRW and EME
Shai Halevi, 16 Nov 2004
EME*: extending EME to handle arbitrary-length messages with associated data
Shai Halevi, 27 May 2004
Re: [P1619-2] Non-awareness patent statement made by UC Davis
Mat Ball, 26 Nov 2007
Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher
US patent application US20040131182
IEEE P1619.2™/D9 Draft Standard for Wide-Block Encryption for Shared Storage Media
IEEE, Dec 2008
Note: This is a draft version. The final version is not freely available and must be bought from IEEE.
- Add eme.New() / *EMECipher convenience wrapper
- Improve panic message and parameter wording
- Stable release