A Parallelizable Enciphering Mode

  • Shai Halevi
  • Phillip Rogaway
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where [1..n]. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.


Block Cipher Query Complexity Message Space ePrint Archive Oracle Query 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996), Google Scholar
  2. 2.
    Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3), 362–399,
  3. 3.
    Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Crowley, P.: Mercy: A fast large block cipher for disk sector encryption. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 49–63. Springer, Heidelberg (2001), CrossRefGoogle Scholar
  5. 5.
    Duplichan, S.: A primitive polynomial search program. Web document (2003), Available at
  6. 6.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003), Full version available on the ePrint archive, CrossRefGoogle Scholar
  7. 7.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode (2003), Full version available on the ePrint archive,
  8. 8.
    Hughes, J.: Personal communication (2002)Google Scholar
  9. 9.
    IEEE. Security in Storage Working Group (SISWG) (May 2002), See and
  10. 10.
    Joux, A.: Cryptanalysis of the EMD mode of operation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 1–16. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Jutla, C.: Encryption modes with almost free message integrity. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 529–544. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. Journal of Cryptology 14(1), 17–35 (2001); Earlier version in McCurley, K.S., Ziegler, C.D. (eds.): Advances in Cryptology 1981 - 1997. LNCS, vol. 1440. Springer, Heidelberg (1999),
  13. 13.
    Liskov, M., Rivest, R., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002), CrossRefGoogle Scholar
  14. 14.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. of Computation 17(2) (April 1988)Google Scholar
  15. 15.
    Naor, M., Reingold, O.: A pseudo-random encryption mode. Manuscript, available from
  16. 16.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1999); Earlier version in STOC 1997 (1997), Available from Google Scholar
  17. 17.
    Rogaway, P., Bellare, M., Black, J., Krovetz, T.: OCB: A block-cipher mode of operation for efficient authenticated encryption. In: Eighth ACM Conference on Computer and Communications Security (CCS-8), pp. 196–205. ACM Press, New York (2001)CrossRefGoogle Scholar
  18. 18.
    Schroeppel, R.: The hasty pudding cipher. AES candidate submitted to NIST (1999),
  19. 19.
    Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Shai Halevi
    • 1
  • Phillip Rogaway
    • 2
    • 3
  1. 1.IBM T.J. Watson Research CenterYorktown-HeightsUSA
  2. 2.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA
  3. 3.Dept. of Computer Science, Fac. of ScienceChiang Mai UniversityThailand

Personalised recommendations