Cryptanalysis of the EMD Mode of Operation

  • Antoine Joux
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


In this paper, we study the security of the Encrypt-Mask-Decrypt mode of operation, also called EMD, which was recently proposed for applications such as disk-sector encryption. The EMD mode transforms an ordinary block cipher operating on n-bit blocks into a tweakable block cipher operating on large blocks of size nm bits. We first show that EMD is not a secure tweakable block cipher and then describe efficient attacks in the context of disk-sector encryption. We note that the parallelizable variant of EMD, called EME that was proposed at the same time is also subject to these attacks.

In the course of developing one of the attacks, we revisit Wagner’s generalized birthday algorithm and show that in some special cases it performs much more efficiently than in the general case. Due to the large scope of applicability of this algorithm, even when restricted to these special cases, we believe that this result is of independent interest.


Block Cipher Malicious User Sector Number Blind Signature Scheme Heuristic Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. Knudsen, editor, Advances in Cryptology — Eurocrypt’2002, volume 2332 of Lectures Notes in Computer Science, pages 384–397. Springer, 2002.Google Scholar
  2. 2.
    S. Halevi. An Observation regarding Jutla’s modes of operation. Crytology ePrint archive, Report 2001/015, available at
  3. 3.
    C. Jutla. Encryption modes with almost free message integrity. In B. Pfitzmann, editor, Advances in Cryptology — Eurocrypt’01, volume 2045 of Lectures Notes in Computer Science. Springer-Verlag, 2001.Google Scholar
  4. 4.
    M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers. In M. Yung, editor, Advances in Cryptology — Crypto’2002, volume 2442 of Lectures Notes in Computer Science, pages 31–46. Springer, 2002.Google Scholar
  5. 5.
    P. Rogaway. The EMD mode of operation (a tweaked, wide-blocksize, strong PRP), September 26th, 2002. Crytology ePrint archive, Report 2002/148, available at
  6. 6.
    D. Wagner. A generalized birthday problem. In M. Yung, editor, Advances in Cryptology — Crypto’2002, volume 2442 of Lectures Notes in Computer Science, pages 288–303. Springer, 2002.Google Scholar

Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Antoine Joux
    • 1
  1. 1.DCSSI Crypto LabParis 07 SPFrance

Personalised recommendations