File: README.md

golang-github-rfjakob-eme 1.1.2-1

EME for Go [![CI](https://github.com/rfjakob/eme/actions/workflows/ci.yml/badge.svg)](https://github.com/rfjakob/eme/actions/workflows/ci.yml) [![GoDoc](https://godoc.org/github.com/rfjakob/eme?status.svg)](https://godoc.org/github.com/rfjakob/eme) ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)
==========

**EME** (ECB-Mix-ECB or, clearer, **Encrypt-Mix-Encrypt**) is a wide-block
encryption mode developed by Halevi
and Rogaway in 2003 [[eme]](#eme).

EME uses multiple invocations of a block cipher to construct a new
cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).

Quoting from the original [[eme]](#eme) paper:

> We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into
> a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is
> parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used
> to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption
> and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of
> modern cryptography.

Figure 2 from the [[eme]](#eme) paper shows an overview of the transformation:

[![Figure 2 from [eme]](paper-eme-fig2.png)](#)

This is an implementation of EME in Go, complete with test vectors from IEEE [[p1619-2]](#p1619-2)
and Halevi [[eme-32-testvec]](#eme-32-testvec).

It has no dependencies outside the standard library.
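
The construction in Figure 2 (two ECB layers with a lightweight mixing step in between), written out as an added example that is not this package's own code. The names `emeTransform` and `mul2`, the all-zero demo key and the sample input are assumptions made for the illustration, and `subtle.XORBytes` requires Go 1.20 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

func mul2(b []byte) { // b *= 2 in GF(2^128), byte 0 least significant
	lo, hi := binary.LittleEndian.Uint64(b), binary.LittleEndian.Uint64(b[8:])
	binary.LittleEndian.PutUint64(b, lo<<1^(hi>>63)*135)
	binary.LittleEndian.PutUint64(b[8:], hi<<1|lo>>63)
}

// emeTransform enciphers when crypt is bc.Encrypt and deciphers when it is bc.Decrypt.
func emeTransform(bc cipher.Block, crypt func(dst, src []byte), tweak, data []byte) []byte {
	if len(tweak) != 16 || len(data)%16 != 0 || len(data) < 16 || len(data) > 2048 {
		panic("eme: need a 16-byte tweak and 16..2048 data bytes in 16-byte blocks")
	}
	out, mp := append([]byte(nil), data...), append([]byte(nil), tweak...)
	L, masks, xor := make([]byte, 16), make([]byte, len(data)), subtle.XORBytes
	bc.Encrypt(L, L) // L = E_K(0), always computed in the encrypt direction
	for j := 0; j < len(out); j += 16 {
		mul2(L)
		copy(masks[j:], L) // masks = 2L, 4L, 8L, ...
		xor(out[j:j+16], out[j:j+16], L)
		crypt(out[j:j+16], out[j:j+16]) // first ECB layer
		xor(mp, mp, out[j:j+16])        // MP = T xor all first-layer outputs
	}
	crypt(out[:16], mp)            // block 0 is already folded into MP; reuse it for MC
	xor(mp, mp, out[:16])          // mp now holds M = MP xor MC
	xor(out[:16], out[:16], tweak) // block 0 = MC xor T xor (all mixed blocks below)
	for j := 16; j < len(out); j += 16 {
		mul2(mp)
		xor(out[j:j+16], out[j:j+16], mp) // lightweight mixing with 2M, 4M, ...
		xor(out[:16], out[:16], out[j:j+16])
		crypt(out[j:j+16], out[j:j+16]) // second ECB layer
	}
	crypt(out[:16], out[:16])
	xor(out, out, masks)
	return out
}

func main() {
	bc, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	fmt.Printf("%x\n", emeTransform(bc, bc.Encrypt, make([]byte, 16), make([]byte, 32)))
}
```

Because the mixing value depends on every block, changing a single plaintext bit or the tweak changes every 16-byte block of the output, which is what makes the mode suitable for sector-sized data.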

Is it patented?
----------------

In 2007, UC Davis decided to abandon [[patabandon]](#patabandon)
the patent application [[patappl]](#patappl) for EME.

Related algorithms
------------------

**EME-32** is EME with the cipher set to AES and the length set to 512 bytes
(32 AES blocks). That is, EME-32 [[eme-32-pdf]](#eme-32-pdf) is a subset of EME.

**EME2**, also known as EME\* [[emestar]](#emestar), is an extended version of EME
that has built-in handling for data that is not a multiple of 16 bytes
long.  
EME2 has been selected for standardization in IEEE P1619.2 [[p1619-2]](#p1619-2).

References
----------

#### [eme]
*A Parallelizable Enciphering Mode*  
Shai Halevi, Phillip Rogaway, 28 Jul 2003  
https://eprint.iacr.org/2003/147.pdf  

Note: This is the original EME paper. EME is specified for an arbitrary
number of block-cipher blocks. EME-32 is a concrete implementation of
EME with a fixed length of 32 AES blocks.

#### [eme-32-email]
*Re: EME-32-AES with editorial comments*  
Shai Halevi, 07 Jun 2005  
http://grouper.ieee.org/groups/1619/email/msg00310.html

#### [eme-32-pdf]
*Draft Standard for Tweakable Wide-block Encryption*  
Shai Halevi, 02 June 2005  
http://grouper.ieee.org/groups/1619/email/pdf00020.pdf  

Note: This is the latest version of the EME-32 draft that I could find. It
includes test vectors and C source code.

#### [eme-32-testvec]
*Re: Test vectors for LRW and EME*  
Shai Halevi, 16 Nov 2004  
http://grouper.ieee.org/groups/1619/email/msg00218.html

#### [emestar]
*EME\*: extending EME to handle arbitrary-length messages with associated data*  
Shai Halevi, 27 May 2004  
https://eprint.iacr.org/2004/125.pdf

#### [patabandon]
*Re: [P1619-2] Non-awareness patent statement made by UC Davis*  
Mat Ball, 26 Nov 2007  
http://grouper.ieee.org/groups/1619/email-2/msg00005.html

#### [patappl]
*Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher*  
US patent application US20040131182  
http://www.google.com/patents/US20040131182

#### [p1619-2]
*IEEE P1619.2™/D9 Draft Standard for Wide-Block Encryption for Shared Storage Media*  
IEEE, Dec 2008  
http://siswg.net/index2.php?option=com_docman&task=doc_view&gid=156&Itemid=41  

Note: This is a draft version. The final version is not freely available
and must be bought from IEEE.

Package Changelog
-----------------

v1.1.2, 2021-06-27
* Add `go.mod` file
* Switch from Travis CI to GitHub Actions
* No code changes

v1.1.1, 2020-04-13
* Update `go vet` call in `test.bash` to work on recent Go versions
* No code changes

v1.1, 2017-03-05
* Add eme.New() / \*EMECipher convenience wrapper
* Improve panic message and parameter wording

v1.0, 2015-12-08
* Stable release