Reference: Manuscript, June 2003, and the Cryptology ePrint Archive (eprint.iacr.org), Report 2003/147, July 2003.
We describe a block-cipher mode of operation, EME, that turns an
n-bit block cipher into a tweakable enciphering scheme that acts
on strings of mn bits, where m is in [1..n].
The mode is parallelizable, but as serial-efficient as the
non-parallelizable mode CMC from CRYPTO '03.
EME can be used to solve
the disk-sector encryption problem. The algorithm entails two layers
of ECB encryption and a "lightweight mixing" in between.
We prove EME secure, in the reduction-based sense of modern cryptography.
We motivate some of the design choices in EME by showing that a few
simple modifications of this mode are insecure.
Availability: pdf or ps
Rogaway's home page.