A Parallelizable Enciphering Mode

Authors: Shai Halevi and Phillip Rogaway

Reference: Manuscript, June 2003, and the Cryptology ePrint Archive (eprint.iacr.org), Report 2003/147, July 2003.

Abstract: We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m is in [1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC from CRYPTO '03. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a "lightweight mixing" in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.

Availability: pdf or ps
