EME (Encrypt-Mix-Encrypt) wide-block encryption for Go.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


EME for Go Build Status GoDoc MIT License

EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block encryption mode developed by Halevi and Rogaway in 2003 [eme].

EME uses multiple invocations of a block cipher to construct a new cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).

Quoting from the original [eme] paper:

We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of modern cryptography.

Figure 2 from the [eme] paper shows an overview of the transformation:

Figure 2 from [eme]

This is an implementation of EME in Go, complete with test vectors from IEEE [p1619-2] and Halevi [eme-32-testvec].

Is it patentend?

In 2007, the UC Davis has decided to abandon [patabandon] the patent application [patappl] for EME.

Related algorithms

EME-32 is EME with the cipher set to AES and the length set to 512. That is, EME-32 [eme-32-pdf] is a subset of EME.

EME2, also known as EME* [emestar], is an extended version of EME that has built-in handling for data that is not a multiple of 16 bytes long.
EME2 has been selected for standardization in IEEE P1619.2 [p1619.2].



A Parallelizable Enciphering Mode
Shai Halevi, Phillip Rogaway, 28 Jul 2003

Note: This is the original EME paper. EME is specified for an arbitrary number of block-cipher blocks. EME-32 is a concrete implementation of EME with a fixed length of 32 AES blocks.


Re: EME-32-AES with editorial comments
Shai Halevi, 07 Jun 2005


Draft Standard for Tweakable Wide-block Encryption
Shai Halevi, 02 June 2005

Note: This is the latest version of the EME-32 draft that I could find. It includes test vectors and C source code.


Re: Test vectors for LRW and EME
Shai Halevi, 16 Nov 2004


EME*: extending EME to handle arbitrary-length messages with associated data
Shai Halevi, 27 May 2004


Re: [P1619-2] Non-awareness patent statement made by UC Davis
Mat Ball, 26 Nov 2007


Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher
US patent application US20040131182


IEEE P1619.2™/D9 Draft Standard for Wide-Block Encryption for Shared Storage Media
IEEE, Dec 2008

Note: This is a draft version. The final version is not freely available and must be bought from IEEE.

Package Changelog

v1.1, 2017-03-05

  • Add eme.New() / *EMECipher convenience wrapper
  • Improve panic message and parameter wording

v1.0, 2015-12-08

  • Stable release