├── .github
    └── workflows
    │   └── ci.yml
├── LICENSE
├── README.md
├── benchmark.bash
├── eme.go
├── eme32_test.go
├── eme_test.go
├── go.mod
├── paper-eme-fig2.png
└── test.bash


/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | 
 3 | on:
 4 |   push:
 5 |   pull_request:
 6 |   schedule:
 7 |     - cron:  '0 12 * * *' # Every day noon UTC
 8 | 
 9 | jobs:
10 |   build:
11 |     runs-on: ubuntu-latest
12 |     steps:
13 |     - uses: actions/checkout@v2
14 | 
15 |     - name: Set up Go
16 |       uses: actions/setup-go@v2
17 |       with:
18 |         go-version: '*' # Build on latest Go release so we catch breakage
19 | 
20 |     - name: go version
21 |       run: go version
22 | 
23 |     - name: Build & Test
24 |       run: bash -x test.bash
25 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Jakob Unterwurzacher
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | EME for Go [![CI](https://github.com/rfjakob/eme/actions/workflows/ci.yml/badge.svg)](https://github.com/rfjakob/eme/actions/workflows/ci.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/rfjakob/eme.svg)](https://pkg.go.dev/github.com/rfjakob/eme) ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)
  2 | ==========
  3 | 
  4 | **EME** (ECB-Mix-ECB or, clearer, **Encrypt-Mix-Encrypt**) is a wide-block
  5 | encryption mode developed by Halevi
  6 | and Rogaway in 2003 [[eme]](#eme).
  7 | 
  8 | EME uses multiple invocations of a block cipher to construct a new
  9 | cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
 10 | 
 11 | Quoting from the original [[eme]](#eme) paper:
 12 | 
 13 | > We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into
 14 | > a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is
 15 | > parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used
 16 | > to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption
 17 | > and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of
 18 | > modern cryptography.
 19 | 
 20 | Figure 2 from the [[eme]](#eme) paper shows an overview of the transformation:
 21 | 
 22 | [![Figure 2 from [eme]](paper-eme-fig2.png)](#)
 23 | 
 24 | This is an implementation of EME in Go, complete with test vectors from IEEE [[p1619-2]](#p1619-2)
 25 | and Halevi [[eme-32-testvec]](#eme-32-testvec).
 26 | 
 27 | It has no dependencies outside the standard library.
 28 | 
 29 | Is it patentend?
 30 | ----------------
 31 | 
 32 | In 2007, the UC Davis has decided to abandon [[patabandon]](#patabandon)
 33 | the patent application [[patappl]](#patappl) for EME.
 34 | 
 35 | Related algorithms
 36 | ------------------
 37 | 
 38 | **EME-32** is EME with the cipher set to AES and the length set to 512.
 39 | That is, EME-32 [[eme-32-pdf]](#eme-32-pdf) is a subset of EME.
 40 | 
 41 | **EME2**, also known as EME\* [[emestar]](#emestar), is an extended version of EME
 42 | that has built-in handling for data that is not a multiple of 16 bytes
 43 | long.  
 44 | EME2 has been selected for standardization in IEEE P1619.2 [[p1619.2]](#p1619.2).
 45 | 
 46 | How to use
 47 | ----------
 48 | 
 49 | Ho to use the eme in you app: Use `eme.New`: https://pkg.go.dev/github.com/rfjakob/eme#New
 50 | 
 51 | How to run the self-tests:
 52 | 
 53 | 	$ go test -v
 54 | 	=== RUN   TestEnc512
 55 | 	--- PASS: TestEnc512 (0.00s)
 56 | 	=== RUN   TestEnc512x100
 57 | 	--- PASS: TestEnc512x100 (0.00s)
 58 | 	=== RUN   TestDec512
 59 | 	--- PASS: TestDec512 (0.00s)
 60 | 	=== RUN   TestDec512x100
 61 | 	--- PASS: TestDec512x100 (0.00s)
 62 | 	=== RUN   TestEnc16
 63 | 	--- PASS: TestEnc16 (0.00s)
 64 | 	=== RUN   TestEnc2048
 65 | 	--- PASS: TestEnc2048 (0.00s)
 66 | 	PASS
 67 | 	ok  	github.com/rfjakob/eme	0.005s
 68 | 
 69 | How to run the benchmarks:
 70 | 
 71 | 	$ ./benchmark.bash
 72 | 	goos: linux
 73 | 	goarch: amd64
 74 | 	pkg: github.com/rfjakob/eme
 75 | 	cpu: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
 76 | 	BenchmarkEnc512-4   	  142634	      8161 ns/op	  62.73 MB/s
 77 | 	BenchmarkDec512-4   	  140930	      8245 ns/op	  62.09 MB/s
 78 | 	PASS
 79 | 	ok  	github.com/rfjakob/eme	2.508s
 80 | 
 81 | 
 82 | Other implementations
 83 | ---------------------
 84 | 
 85 | Some other EME implementations I am aware of (PRs for more accepted):
 86 | 
 87 | * JavaScript (library): https://github.com/fyears/eme / https://www.npmjs.com/package/@fyears/eme
 88 | * C++ (part of cppcryptfs): https://github.com/bailey27/cppcryptfs/blob/master/libcppcryptfs/crypt/eme.cpp
 89 | * Rust (library): https://github.com/B4dM4n/eme-mode-rs / https://crates.io/crates/eme-mode
 90 | * Python (part of gocryptfs-inspect): https://github.com/maxpat78/gocryptfs-inspect/blob/master/aes256eme.py
 91 | * Java (library): https://github.com/alexey-lapin/eme-java
 92 | 
 93 | References
 94 | ----------
 95 | 
 96 | #### [eme]
 97 | *A Parallelizable Enciphering Mode*  
 98 | Shai Halevi, Phillip Rogaway, 28 Jul 2003  
 99 | https://eprint.iacr.org/2003/147.pdf ([archive.org snapshot](https://web.archive.org/web/20210506160350/https://eprint.iacr.org/2003/147.pdf))
100 | 
101 | Note: This is the original EME paper. EME is specified for an arbitrary
102 | number of block-cipher blocks. EME-32 is a concrete implementation of
103 | EME with a fixed length of 32 AES blocks.
104 | 
105 | #### [eme-32-email]
106 | *Re: EME-32-AES with editorial comments* (announcement email with [[eme-32-pdf]](#eme-32-pdf) attachments)  
107 | Shai Halevi, 07 Jun 2005  
108 | ~~http://grouper.ieee.org/groups/1619/email/msg00310.html~~ (broken link as of July 2021, [archive.org snapshot](http://web.archive.org/web/20081227091850/http://grouper.ieee.org/groups/1619/email/msg00310.html)) (attachment: `EME-32-AES-Jun-05.pdf`=`pdf00020.pdf`),  
109 | ~~http://grouper.ieee.org/groups/1619/email/msg00309.html~~
110 | (broken link as of July 2021, [archive.org snapshot](http://web.archive.org/web/20081228013334/http://grouper.ieee.org/groups/1619/email/msg00309.html))
111 | (attachment: `EME-32-AES-Jun-05.doc`=`doc00011.doc`)
112 | 
113 | #### [eme-32-pdf]
114 | *Draft Standard for Tweakable Wide-block Encryption*, `EME-32-AES-Jun-05.{doc,pdf}`
115 | Shai Halevi, 02 June 2005  
116 | `EME-32-AES-Jun-05.pdf` ... ~~http://grouper.ieee.org/groups/1619/email/pdf00020.pdf~~ (broken link as of July 2021, no archive.org snapshot available)  
117 | `EME-32-AES-Jun-05.doc` ... ~~http://grouper.ieee.org/groups/1619/email/doc00011.doc~~ (broken link as of July 2021, [archive.org snapshot of external mirror](http://web.archive.org/web/20210701125726/https://samifar.in/code/crypto/eme-32-aes/doc00011.doc))
118 | 
119 | Note: This is the latest version of the EME-32 draft that I could find as of Dec 2015. It
120 | includes test vectors and C source code.
121 | 
122 | #### [eme-32-testvec]
123 | *Re: Test vectors for LRW and EME*  
124 | Shai Halevi, 16 Nov 2004  
125 | ~~http://grouper.ieee.org/groups/1619/email/msg00218.html~~ (broken link as of July 2021, [archive.org snapshot](https://web.archive.org/web/20070305060551/http://grouper.ieee.org/groups/1619/email/msg00218.html))
126 | 
127 | #### [emestar]
128 | *EME\*: extending EME to handle arbitrary-length messages with associated data*  
129 | Shai Halevi, 27 May 2004  
130 | https://eprint.iacr.org/2004/125.pdf ([archive.org snapshot](https://web.archive.org/web/20160826083914/http://eprint.iacr.org/2004/125.pdf))
131 | 
132 | #### [patabandon]
133 | *Re: [P1619-2] Non-awareness patent statement made by UC Davis*  
134 | Mat Ball, 26 Nov 2007  
135 | ~~http://grouper.ieee.org/groups/1619/email-2/msg00005.html~~ (broken link as of July 2021, [archive.org snapshot](https://web.archive.org/web/20110611145815/http://grouper.ieee.org/groups/1619/email-2/msg00005.html))
136 | 
137 | #### [patappl]
138 | *Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher*  
139 | US patent application US20040131182  
140 | http://www.google.com/patents/US20040131182
141 | 
142 | #### [p1619-2]
143 | *IEEE P1619.2™/D9 Draft Standard for Wide-Block Encryption for Shared Storage Media*  
144 | IEEE, Dec 2008  
145 | ~~http://siswg.net/index2.php?option=com_docman&task=doc_view&gid=156&Itemid=41~~ (broken link as of July 2021, [archive.org snapshot](https://web.archive.org/web/20171018232831/http://siswg.net/index2.php?option=com_docman&task=doc_view&gid=156&Itemid=41))
146 | 
147 | Note: This is a draft version. The final version is not freely available
148 | and must be [bought from IEEE](https://ieeexplore.ieee.org/document/5729263).
149 | 
150 | Package Changelog
151 | -----------------
152 | 
153 | v1.1.2, 2021-06-27
154 | * Add `go.mod` file
155 | * Switch from Travis CI to Github Actions
156 | * No code changes
157 | 
158 | v1.1.1, 2020-04-13
159 | * Update `go vet` call in `test.bash` to work on recent Go versions
160 | * No code changes
161 | 
162 | v1.1, 2017-03-05
163 | * Add eme.New() / \*EMECipher convenience wrapper
164 | * Improve panic message and parameter wording
165 | 
166 | v1.0, 2015-12-08
167 | * Stable release
168 | 


--------------------------------------------------------------------------------
/benchmark.bash:
--------------------------------------------------------------------------------
1 | #!/bin/bash -eu
2 | 
3 | go test -bench=.
4 | 


--------------------------------------------------------------------------------
/eme.go:
--------------------------------------------------------------------------------
  1 | // EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block
  2 | // encryption mode developed by Halevi and Rogaway.
  3 | //
  4 | // It was presented in the 2003 paper "A Parallelizable Enciphering Mode" by
  5 | // Halevi and Rogaway.
  6 | //
  7 | // EME uses multiple invocations of a block cipher to construct a new cipher
  8 | // of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
  9 | package eme
 10 | 
 11 | import (
 12 | 	"crypto/cipher"
 13 | 	"log"
 14 | )
 15 | 
 16 | type directionConst bool
 17 | 
 18 | const (
 19 | 	// Encrypt "inputData"
 20 | 	DirectionEncrypt = directionConst(true)
 21 | 	// Decrypt "inputData"
 22 | 	DirectionDecrypt = directionConst(false)
 23 | )
 24 | 
 25 | // multByTwo - GF multiplication as specified in the EME-32 draft
 26 | func multByTwo(out []byte, in []byte) {
 27 | 	if len(in) != 16 {
 28 | 		panic("len must be 16")
 29 | 	}
 30 | 	tmp := make([]byte, 16)
 31 | 
 32 | 	tmp[0] = 2 * in[0]
 33 | 	if in[15] >= 128 {
 34 | 		tmp[0] = tmp[0] ^ 135
 35 | 	}
 36 | 	for j := 1; j < 16; j++ {
 37 | 		tmp[j] = 2 * in[j]
 38 | 		if in[j-1] >= 128 {
 39 | 			tmp[j] += 1
 40 | 		}
 41 | 	}
 42 | 	copy(out, tmp)
 43 | }
 44 | 
 45 | func xorBlocks(out []byte, in1 []byte, in2 []byte) {
 46 | 	if len(in1) != len(in2) {
 47 | 		log.Panicf("len(in1)=%d is not equal to len(in2)=%d", len(in1), len(in2))
 48 | 	}
 49 | 
 50 | 	for i := range in1 {
 51 | 		out[i] = in1[i] ^ in2[i]
 52 | 	}
 53 | }
 54 | 
 55 | // aesTransform - encrypt or decrypt (according to "direction") using block
 56 | // cipher "bc" (typically AES)
 57 | func aesTransform(dst []byte, src []byte, direction directionConst, bc cipher.Block) {
 58 | 	if direction == DirectionEncrypt {
 59 | 		bc.Encrypt(dst, src)
 60 | 		return
 61 | 	} else if direction == DirectionDecrypt {
 62 | 		bc.Decrypt(dst, src)
 63 | 		return
 64 | 	}
 65 | }
 66 | 
 67 | // tabulateL - calculate L_i for messages up to a length of m cipher blocks
 68 | func tabulateL(bc cipher.Block, m int) [][]byte {
 69 | 	/* set L0 = 2*AESenc(K; 0) */
 70 | 	eZero := make([]byte, 16)
 71 | 	Li := make([]byte, 16)
 72 | 	bc.Encrypt(Li, eZero)
 73 | 
 74 | 	LTable := make([][]byte, m)
 75 | 	// Allocate pool once and slice into m pieces in the loop
 76 | 	pool := make([]byte, m*16)
 77 | 	for i := 0; i < m; i++ {
 78 | 		multByTwo(Li, Li)
 79 | 		LTable[i] = pool[i*16 : (i+1)*16]
 80 | 		copy(LTable[i], Li)
 81 | 	}
 82 | 	return LTable
 83 | }
 84 | 
 85 | // Transform - EME-encrypt or EME-decrypt, according to "direction"
 86 | // (defined in the constants DirectionEncrypt and DirectionDecrypt).
 87 | // The data in "inputData" is en- or decrypted with the block ciper "bc" under
 88 | // "tweak" (also known as IV).
 89 | //
 90 | // The tweak is used to randomize the encryption in the same way as an
 91 | // IV.  A use of this encryption mode envisioned by the authors of the
 92 | // algorithm was to encrypt each sector of a disk, with the tweak
 93 | // being the sector number.  If you encipher the same data with the
 94 | // same tweak you will get the same ciphertext.
 95 | //
 96 | // The result is returned in a freshly allocated slice of the same
 97 | // size as inputData.
 98 | //
 99 | // Limitations:
100 | // * The block cipher must have block size 16 (usually AES).
101 | // * The size of "tweak" must be 16
102 | // * "inputData" must be a multiple of 16 bytes long
103 | // If any of these pre-conditions are not met, the function will panic.
104 | //
105 | // Note that you probably don't want to call this function directly and instead
106 | // use eme.New(), which provides convenient wrappers.
107 | func Transform(bc cipher.Block, tweak []byte, inputData []byte, direction directionConst) []byte {
108 | 	// In the paper, the tweak is just called "T". Call it the same here to
109 | 	// make following the paper easy.
110 | 	T := tweak
111 | 	// In the paper, the plaintext data is called "P" and the ciphertext is
112 | 	// called "C". Because encryption and decryption are virtually identical,
113 | 	// we share the code and always call the input data "P" and the output data
114 | 	// "C", regardless of the direction.
115 | 	P := inputData
116 | 
117 | 	if bc.BlockSize() != 16 {
118 | 		log.Panicf("Using a block size other than 16 is not implemented")
119 | 	}
120 | 	if len(T) != 16 {
121 | 		log.Panicf("Tweak must be 16 bytes long, is %d", len(T))
122 | 	}
123 | 	if len(P)%16 != 0 {
124 | 		log.Panicf("Data P must be a multiple of 16 long, is %d", len(P))
125 | 	}
126 | 	m := len(P) / 16
127 | 	if m == 0 || m > 16*8 {
128 | 		log.Panicf("EME operates on 1 to %d block-cipher blocks, you passed %d", 16*8, m)
129 | 	}
130 | 
131 | 	C := make([]byte, len(P))
132 | 
133 | 	LTable := tabulateL(bc, m)
134 | 
135 | 	PPj := make([]byte, 16)
136 | 	for j := 0; j < m; j++ {
137 | 		Pj := P[j*16 : (j+1)*16]
138 | 		/* PPj = 2**(j-1)*L xor Pj */
139 | 		xorBlocks(PPj, Pj, LTable[j])
140 | 		/* PPPj = AESenc(K; PPj) */
141 | 		aesTransform(C[j*16:(j+1)*16], PPj, direction, bc)
142 | 	}
143 | 
144 | 	/* MP =(xorSum PPPj) xor T */
145 | 	MP := make([]byte, 16)
146 | 	xorBlocks(MP, C[0:16], T)
147 | 	for j := 1; j < m; j++ {
148 | 		xorBlocks(MP, MP, C[j*16:(j+1)*16])
149 | 	}
150 | 
151 | 	/* MC = AESenc(K; MP) */
152 | 	MC := make([]byte, 16)
153 | 	aesTransform(MC, MP, direction, bc)
154 | 
155 | 	/* M = MP xor MC */
156 | 	M := make([]byte, 16)
157 | 	xorBlocks(M, MP, MC)
158 | 	CCCj := make([]byte, 16)
159 | 	for j := 1; j < m; j++ {
160 | 		multByTwo(M, M)
161 | 		/* CCCj = 2**(j-1)*M xor PPPj */
162 | 		xorBlocks(CCCj, C[j*16:(j+1)*16], M)
163 | 		copy(C[j*16:(j+1)*16], CCCj)
164 | 	}
165 | 
166 | 	/* CCC1 = (xorSum CCCj) xor T xor MC */
167 | 	CCC1 := make([]byte, 16)
168 | 	xorBlocks(CCC1, MC, T)
169 | 	for j := 1; j < m; j++ {
170 | 		xorBlocks(CCC1, CCC1, C[j*16:(j+1)*16])
171 | 	}
172 | 	copy(C[0:16], CCC1)
173 | 
174 | 	for j := 0; j < m; j++ {
175 | 		/* CCj = AES-enc(K; CCCj) */
176 | 		aesTransform(C[j*16:(j+1)*16], C[j*16:(j+1)*16], direction, bc)
177 | 		/* Cj = 2**(j-1)*L xor CCj */
178 | 		xorBlocks(C[j*16:(j+1)*16], C[j*16:(j+1)*16], LTable[j])
179 | 	}
180 | 
181 | 	return C
182 | }
183 | 
184 | // EMECipher provides EME-Encryption and -Decryption functions that are more
185 | // convenient than calling Transform directly.
186 | type EMECipher struct {
187 | 	bc cipher.Block
188 | }
189 | 
190 | // New returns a new EMECipher object. "bc" must have a block size of 16,
191 | // or subsequent calls to Encrypt and Decrypt will panic.
192 | func New(bc cipher.Block) *EMECipher {
193 | 	return &EMECipher{
194 | 		bc: bc,
195 | 	}
196 | }
197 | 
198 | // Encrypt is equivalent to calling Transform with direction=DirectionEncrypt.
199 | func (e *EMECipher) Encrypt(tweak []byte, inputData []byte) []byte {
200 | 	return Transform(e.bc, tweak, inputData, DirectionEncrypt)
201 | }
202 | 
203 | // Decrypt is equivalent to calling Transform with direction=DirectionDecrypt.
204 | func (e *EMECipher) Decrypt(tweak []byte, inputData []byte) []byte {
205 | 	return Transform(e.bc, tweak, inputData, DirectionDecrypt)
206 | }
207 | 


--------------------------------------------------------------------------------
/eme32_test.go:
--------------------------------------------------------------------------------
  1 | package eme
  2 | 
  3 | // Test using EME-32 test vectors
  4 | 
  5 | import (
  6 | 	"bytes"
  7 | 	"crypto/aes"
  8 | 	"encoding/hex"
  9 | 	"fmt"
 10 | 	"testing"
 11 | )
 12 | 
 13 | type testVec struct {
 14 | 	// direction
 15 | 	dir directionConst
 16 | 	// AES key
 17 | 	key []byte
 18 | 	// IV, in EME called tweak
 19 | 	tweak []byte
 20 | 	// input data
 21 | 	in []byte
 22 | 	// expected output data
 23 | 	out []byte
 24 | }
 25 | 
 26 | func verifyTestVec(v testVec, t *testing.T) {
 27 | 	bc, err := aes.NewCipher(v.key)
 28 | 	if err != nil {
 29 | 		t.Fatal(err)
 30 | 	}
 31 | 
 32 | 	// Transform and check expected data
 33 | 	out := Transform(bc, v.tweak, v.in, v.dir)
 34 | 	if bytes.Compare(v.out, out) != 0 {
 35 | 		fmt.Println(hex.EncodeToString(out))
 36 | 		t.Errorf("Different content in forward verify")
 37 | 	}
 38 | 	// Transform the other way and check that we get back the original data
 39 | 	in := Transform(bc, v.tweak, out, !v.dir)
 40 | 	if bytes.Compare(v.in, in) != 0 {
 41 | 		fmt.Println(hex.EncodeToString(out))
 42 | 		t.Errorf("Different content in reverse verify")
 43 | 	}
 44 | 
 45 | 	// Once more using the eme.New() interface.
 46 | 	e := New(bc)
 47 | 	if v.dir == DirectionDecrypt {
 48 | 		out = e.Decrypt(v.tweak, v.in)
 49 | 		in = e.Encrypt(v.tweak, out)
 50 | 	} else {
 51 | 		out = e.Encrypt(v.tweak, v.in)
 52 | 		in = e.Decrypt(v.tweak, out)
 53 | 	}
 54 | 	if bytes.Compare(v.out, out) != 0 {
 55 | 		fmt.Println(hex.EncodeToString(out))
 56 | 		t.Errorf("Different content in forward verify")
 57 | 	}
 58 | 	if bytes.Compare(v.in, in) != 0 {
 59 | 		fmt.Println(hex.EncodeToString(out))
 60 | 		t.Errorf("Different content in reverse verify")
 61 | 	}
 62 | }
 63 | 
 64 | // EME-32 encryption test vector from http://grouper.ieee.org/groups/1619/email/pdf00020.pdf
 65 | var buf9F2E = []byte{
 66 | 	0x9F, 0x2E, 0x6C, 0x3D, 0xAE, 0xCA, 0xE7, 0x9E, 0x88, 0x39, 0xB0, 0x58, 0x8F, 0xF3, 0x78, 0xCD,
 67 | 	0x06, 0x68, 0x97, 0x0B, 0x95, 0x69, 0x1C, 0xB0, 0x01, 0x82, 0xB9, 0xE3, 0x4C, 0xD6, 0x58, 0xED,
 68 | 	0x3C, 0x9C, 0x27, 0x68, 0x38, 0xCC, 0x5E, 0x14, 0x11, 0xFC, 0xB8, 0xCF, 0x3D, 0xA1, 0xC0, 0xF3,
 69 | 	0x08, 0x75, 0x80, 0x4C, 0x9D, 0xF5, 0x11, 0x57, 0xB0, 0x79, 0x11, 0x00, 0xD2, 0x55, 0x13, 0x34,
 70 | 	0x83, 0x4C, 0xF4, 0x02, 0x4F, 0x6B, 0x71, 0x8F, 0xBC, 0x7D, 0xAB, 0xA0, 0x7D, 0x14, 0xEB, 0x7C,
 71 | 	0xBC, 0x79, 0xC2, 0x61, 0xB1, 0xEB, 0x03, 0x6D, 0x0C, 0x9F, 0x85, 0xB9, 0x14, 0x38, 0x58, 0x40,
 72 | 	0x72, 0x72, 0x84, 0x00, 0x5F, 0x06, 0xA9, 0xC1, 0x62, 0x7C, 0x0B, 0x7F, 0xB1, 0x2A, 0x1F, 0x81,
 73 | 	0xFA, 0x83, 0xC4, 0xB0, 0x35, 0xDB, 0x00, 0x6C, 0xCE, 0x84, 0x6D, 0x07, 0x56, 0xDB, 0x9F, 0xB2,
 74 | 	0x44, 0x8E, 0xE5, 0x62, 0x8D, 0x23, 0x76, 0xEE, 0x13, 0x95, 0x42, 0x13, 0xDB, 0x3D, 0xCA, 0x72,
 75 | 	0x5F, 0x2C, 0x67, 0x95, 0x0E, 0xAF, 0x2C, 0xDA, 0xC8, 0xA2, 0x7A, 0x04, 0x33, 0xA1, 0x4C, 0x96,
 76 | 	0x92, 0x7D, 0x91, 0x45, 0xDD, 0x93, 0xE0, 0xB4, 0x6E, 0x67, 0x0F, 0x6C, 0x4D, 0xB8, 0xAD, 0xD0,
 77 | 	0x14, 0xB8, 0x88, 0x0E, 0xFB, 0x9A, 0x97, 0xBE, 0xC5, 0xCD, 0x05, 0xBB, 0xA4, 0x3D, 0xCC, 0x35,
 78 | 	0x05, 0x80, 0x45, 0xAE, 0x81, 0x68, 0xDF, 0x6E, 0x67, 0x77, 0x91, 0x98, 0xFC, 0xC7, 0x28, 0x08,
 79 | 	0xCE, 0x29, 0xC7, 0xB5, 0xAE, 0xFD, 0xBC, 0x9E, 0x3E, 0xE6, 0x51, 0x17, 0x28, 0x3B, 0xFA, 0x2E,
 80 | 	0x19, 0x5F, 0x82, 0xCE, 0x19, 0x62, 0xDD, 0x81, 0x12, 0xCB, 0x57, 0xE8, 0x04, 0x0D, 0x77, 0x67,
 81 | 	0x33, 0xD3, 0xBB, 0x33, 0x1E, 0xA6, 0x30, 0x0F, 0x91, 0xDE, 0xE0, 0xCB, 0xEB, 0x2F, 0xC9, 0xAF,
 82 | 	0xD3, 0x41, 0xF5, 0x51, 0x5E, 0x22, 0x37, 0x1E, 0x44, 0x2B, 0x86, 0xE7, 0x02, 0x87, 0x54, 0x6A,
 83 | 	0x16, 0x6E, 0xC2, 0xAE, 0xF8, 0x9F, 0x29, 0x1B, 0xE6, 0x2A, 0xFC, 0x2A, 0x96, 0x89, 0x1E, 0x44,
 84 | 	0x6E, 0xF6, 0xF1, 0x62, 0x73, 0x55, 0x74, 0xD1, 0x0C, 0xFF, 0x4A, 0x18, 0x3D, 0xE2, 0x76, 0x0B,
 85 | 	0x5E, 0x14, 0x5D, 0xEA, 0xAD, 0x3E, 0xFD, 0xE1, 0xDA, 0x4B, 0x28, 0x36, 0xC6, 0x65, 0xC5, 0xEC,
 86 | 	0x4B, 0x54, 0xCB, 0x98, 0x9D, 0x27, 0x73, 0x11, 0xC4, 0x2D, 0xB4, 0x86, 0x2D, 0xB2, 0x92, 0x0C,
 87 | 	0x39, 0x42, 0x95, 0x8E, 0x54, 0xF6, 0x4E, 0x36, 0x5E, 0x52, 0x19, 0x0E, 0xD8, 0x1A, 0x02, 0xD7,
 88 | 	0x3B, 0xF7, 0x8A, 0x8A, 0xE5, 0xCC, 0x83, 0xE0, 0x32, 0x03, 0xEF, 0x42, 0x16, 0x14, 0xB7, 0x9A,
 89 | 	0xE9, 0x84, 0xB6, 0x7E, 0xE9, 0x34, 0x83, 0xD5, 0xEB, 0x1E, 0xA7, 0xB4, 0xFD, 0x95, 0x4C, 0xC3,
 90 | 	0x50, 0x59, 0xBD, 0x4D, 0x93, 0x2E, 0xF3, 0x42, 0x71, 0x82, 0x50, 0x45, 0xD7, 0x3E, 0xFF, 0xEF,
 91 | 	0x2E, 0xD3, 0x48, 0x98, 0x71, 0xFD, 0xA2, 0xCC, 0x73, 0x92, 0x4B, 0x4D, 0x45, 0x9D, 0x1C, 0x6E,
 92 | 	0xE5, 0x25, 0x42, 0x1E, 0x05, 0x50, 0xD3, 0xAB, 0x87, 0x6F, 0x61, 0x53, 0x95, 0xAC, 0x4A, 0x54,
 93 | 	0xD2, 0x04, 0x78, 0xA4, 0x42, 0xD8, 0x5C, 0x9A, 0x3C, 0x9C, 0x7F, 0xA1, 0x48, 0xF2, 0xB9, 0xDC,
 94 | 	0xAD, 0xAA, 0x83, 0xCF, 0x40, 0xE9, 0xE4, 0x64, 0xDA, 0x60, 0x36, 0xA5, 0x5C, 0xDB, 0x87, 0x3B,
 95 | 	0x50, 0xC1, 0x06, 0x0E, 0xCC, 0x27, 0xB4, 0x8D, 0xC0, 0xAF, 0xC7, 0x6E, 0xF7, 0x3F, 0x14, 0x89,
 96 | 	0x28, 0x1C, 0x08, 0xEF, 0xCE, 0x7F, 0xEC, 0x47, 0xED, 0xD8, 0x23, 0xF2, 0xF5, 0x62, 0xB3, 0x33,
 97 | 	0xAC, 0x20, 0x9C, 0x2C, 0xD3, 0xCC, 0x57, 0x7C, 0x28, 0xEE, 0xDA, 0xAF, 0xCE, 0xDD, 0x89, 0xA6}
 98 | 
 99 | func TestEnc512(t *testing.T) {
100 | 	var v testVec
101 | 	v.dir = DirectionEncrypt
102 | 	v.key = make([]byte, 32)   // all-zero
103 | 	v.tweak = make([]byte, 16) // all-zero
104 | 	v.in = make([]byte, 512)   // all-zero
105 | 	v.out = buf9F2E
106 | 	verifyTestVec(v, t)
107 | }
108 | 
109 | // Test vectors from http://grouper.ieee.org/groups/1619/email/msg00218.html
110 | // Encrypt 100 times
111 | func TestEnc512x100(t *testing.T) {
112 | 	var v testVec
113 | 	v.dir = DirectionEncrypt
114 | 	v.key = []byte{
115 | 		0x9F, 0x2E, 0x6C, 0x3D, 0xAE, 0xCA, 0xE7, 0x9E, 0x88, 0x39, 0xB0, 0x58, 0x8F, 0xF3, 0x78, 0xCD,
116 | 		0x06, 0x68, 0x97, 0x0B, 0x95, 0x69, 0x1C, 0xB0, 0x01, 0x82, 0xB9, 0xE3, 0x4C, 0xD6, 0x58, 0xED}
117 | 	v.tweak = []byte{
118 | 		0x3C, 0x9C, 0x27, 0x68, 0x38, 0xCC, 0x5E, 0x14, 0x11, 0xFC, 0xB8, 0xCF, 0x3D, 0xA1, 0xC0, 0xF3}
119 | 	v.in = buf9F2E
120 | 	v.out = []byte{
121 | 		0x36, 0x00, 0x8C, 0x95, 0xE7, 0x32, 0xA2, 0x31, 0x94, 0x93, 0x7C, 0xC4, 0xDD, 0xED, 0x30, 0xFF,
122 | 		0xEE, 0x0F, 0xF6, 0x00, 0xF3, 0xEE, 0x87, 0x96, 0xA5, 0x8A, 0xF9, 0xBB, 0x12, 0x4A, 0xD0, 0x28,
123 | 		0x50, 0xFB, 0x30, 0xFA, 0xC7, 0x83, 0x16, 0xA6, 0x46, 0x93, 0xAC, 0xD3, 0x86, 0x02, 0xE4, 0xC7,
124 | 		0x04, 0xA4, 0x15, 0x2F, 0xB2, 0xD4, 0x38, 0x3E, 0xEB, 0x1D, 0x85, 0xB1, 0x0F, 0x9E, 0x39, 0xBE,
125 | 		0x8D, 0x61, 0x9F, 0x68, 0x93, 0x03, 0xA5, 0xB9, 0xC3, 0xF7, 0xD8, 0x9B, 0xAA, 0x6F, 0x2E, 0x43,
126 | 		0xAF, 0xAA, 0x0B, 0xD2, 0xAC, 0x34, 0x52, 0xDA, 0x6A, 0xA2, 0x0F, 0xFF, 0x33, 0xED, 0xB8, 0xF3,
127 | 		0x07, 0x24, 0x7D, 0x05, 0x5E, 0xCB, 0xB6, 0xE4, 0xB5, 0x39, 0xC2, 0xC5, 0x30, 0x88, 0xDD, 0xA4,
128 | 		0x99, 0xB5, 0xD9, 0x67, 0xF9, 0x8B, 0xCE, 0xC4, 0xA5, 0x4F, 0x4D, 0x27, 0x26, 0x43, 0xE1, 0x3C,
129 | 		0x42, 0x26, 0xF6, 0x9E, 0xE6, 0x27, 0xA0, 0x4F, 0x3A, 0xAE, 0xA0, 0x7E, 0x03, 0x3D, 0x3C, 0x4F,
130 | 		0x88, 0xA6, 0x50, 0x9C, 0x72, 0x75, 0x88, 0xB1, 0x52, 0xCA, 0x41, 0x41, 0x5D, 0x69, 0x7F, 0xDF,
131 | 		0xDD, 0x44, 0x0B, 0x23, 0x86, 0xBB, 0x9A, 0x57, 0x70, 0xCA, 0x28, 0x1C, 0x22, 0x07, 0xD3, 0xEB,
132 | 		0x9B, 0x27, 0xFC, 0x6A, 0x2E, 0x48, 0x2E, 0x79, 0x95, 0x88, 0xC7, 0x7B, 0x6B, 0xA3, 0xA1, 0xA4,
133 | 		0x66, 0x0E, 0x77, 0xED, 0x70, 0x8A, 0x65, 0xDF, 0x22, 0x86, 0x37, 0x04, 0xBB, 0xE9, 0x44, 0x29,
134 | 		0x21, 0x78, 0x36, 0x28, 0x92, 0x86, 0x48, 0x62, 0xD3, 0xC9, 0xA1, 0x8D, 0xD7, 0x04, 0x20, 0xC8,
135 | 		0x87, 0xE9, 0x58, 0xA4, 0x30, 0x6E, 0xC8, 0x4F, 0xE7, 0xF6, 0x6D, 0xDC, 0xDE, 0xBA, 0x5B, 0xEE,
136 | 		0xDA, 0xB0, 0x32, 0xFB, 0xE8, 0xD4, 0xDD, 0xC4, 0x5B, 0xD4, 0x84, 0x34, 0x9F, 0xD4, 0xCF, 0xF5,
137 | 		0xD7, 0x29, 0x90, 0x5F, 0xB5, 0x60, 0xAC, 0x02, 0xBA, 0x1C, 0x83, 0xD8, 0xC5, 0xB7, 0x1F, 0x70,
138 | 		0x72, 0x8F, 0x90, 0xD1, 0xD3, 0x5D, 0xB3, 0x65, 0x1A, 0x30, 0x3F, 0x9D, 0xB9, 0xB5, 0x3F, 0xEB,
139 | 		0x99, 0x19, 0x44, 0x05, 0xA0, 0x85, 0xF5, 0x43, 0x4E, 0xD1, 0xBB, 0x4E, 0x07, 0x17, 0x22, 0x37,
140 | 		0x61, 0x31, 0x63, 0x38, 0x27, 0xC5, 0x4B, 0x86, 0x15, 0x3C, 0x79, 0x28, 0xE5, 0xD9, 0xE5, 0x83,
141 | 		0x58, 0xEF, 0x4A, 0x2E, 0xFE, 0xFE, 0x16, 0x5E, 0x94, 0xFE, 0xC5, 0xC2, 0xF0, 0x69, 0x91, 0xD9,
142 | 		0xF6, 0x1E, 0xB4, 0xD0, 0xE6, 0xFA, 0x5A, 0x28, 0xD6, 0xED, 0x62, 0x21, 0x6E, 0x4A, 0xDC, 0x2B,
143 | 		0x50, 0x7A, 0xE2, 0x3F, 0x25, 0x61, 0x88, 0xE7, 0x40, 0xD4, 0x25, 0xFD, 0xC8, 0x6E, 0x9B, 0x22,
144 | 		0x6C, 0xA8, 0xF0, 0x2F, 0x9D, 0x74, 0x60, 0xEE, 0x10, 0xCE, 0xB0, 0xCE, 0x73, 0x06, 0x90, 0x2B,
145 | 		0xB5, 0x39, 0x3E, 0x4C, 0x1F, 0xCF, 0xD9, 0x22, 0x6C, 0x57, 0x2C, 0x16, 0x96, 0xE1, 0x5F, 0xFC,
146 | 		0xBB, 0xE8, 0x9A, 0x9E, 0xA3, 0xE0, 0x9C, 0xFA, 0x2A, 0xB4, 0x63, 0xA3, 0x7B, 0xA6, 0xEB, 0xED,
147 | 		0xCC, 0x02, 0x59, 0x79, 0xFB, 0xC0, 0xED, 0xA8, 0x88, 0xDB, 0x93, 0xEC, 0xAA, 0xC4, 0x48, 0x69,
148 | 		0xA1, 0x76, 0xA9, 0x4E, 0x59, 0x56, 0x4E, 0xAF, 0xC8, 0xE9, 0x78, 0x1D, 0xDB, 0xCE, 0x6B, 0x74,
149 | 		0xC9, 0x84, 0xEC, 0x1F, 0x27, 0xF7, 0xB9, 0xC0, 0xE4, 0xAE, 0xB7, 0x14, 0xB1, 0x47, 0xE2, 0x79,
150 | 		0x34, 0xBF, 0x09, 0xA1, 0x5F, 0x90, 0x13, 0x29, 0x9A, 0x2D, 0x32, 0x07, 0x2A, 0x7C, 0x11, 0x2D,
151 | 		0x06, 0x48, 0x52, 0xE0, 0xC3, 0x34, 0x5D, 0x88, 0x34, 0xF1, 0x6F, 0x1F, 0xB2, 0x80, 0xB9, 0xEA,
152 | 		0xF8, 0x8C, 0xAD, 0xD4, 0x0C, 0xA2, 0x9C, 0x42, 0x86, 0x66, 0xCF, 0x53, 0x3F, 0xB0, 0x5C, 0x1E}
153 | 
154 | 	bc, err := aes.NewCipher(v.key)
155 | 	if err != nil {
156 | 		t.Fatal(err)
157 | 	}
158 | 	out := v.in
159 | 	for i := 0; i < 100; i++ {
160 | 		out = Transform(bc, v.tweak, out, v.dir)
161 | 	}
162 | 	if bytes.Compare(v.out, out) != 0 {
163 | 		t.Errorf("Different content")
164 | 	}
165 | }
166 | 
167 | // EME-32 decryption test vector from http://grouper.ieee.org/groups/1619/email/pdf00020.pdf
168 | var buf0809 = []byte{
169 | 	0x08, 0x09, 0x05, 0xDE, 0xE8, 0xEB, 0xCC, 0x89, 0xF6, 0x8B, 0xD1, 0xAF, 0x63, 0x5D, 0xB3, 0xF5,
170 | 	0xB6, 0x0C, 0x2F, 0x13, 0xF7, 0xC7, 0x68, 0xFC, 0xEB, 0x12, 0x20, 0xF6, 0xC2, 0x27, 0xFD, 0x83,
171 | 	0x5F, 0x29, 0x3E, 0x85, 0xF1, 0xEA, 0xA8, 0xEE, 0x23, 0x22, 0xF5, 0x42, 0x91, 0xBF, 0x05, 0x1E,
172 | 	0x7B, 0x15, 0xAF, 0x84, 0xC7, 0xEA, 0xA4, 0xE8, 0x51, 0x58, 0xAF, 0x7F, 0x4E, 0x6F, 0xF2, 0x4A,
173 | 	0x62, 0xBA, 0xCF, 0xF6, 0xDB, 0xF9, 0x1F, 0x43, 0x3F, 0x3B, 0xD5, 0x64, 0xDF, 0xFB, 0xE9, 0xFE,
174 | 	0x1B, 0x0E, 0x14, 0xD2, 0x76, 0x87, 0x58, 0x94, 0x98, 0xD5, 0xE8, 0xCA, 0x11, 0xAC, 0xBA, 0x2B,
175 | 	0xC6, 0x01, 0x6D, 0x78, 0x23, 0xE3, 0x03, 0x6C, 0x61, 0xCE, 0x97, 0x77, 0xEC, 0x24, 0x45, 0x89,
176 | 	0x07, 0x79, 0x02, 0x7F, 0x7D, 0x49, 0x48, 0x93, 0xD9, 0x2F, 0x19, 0xBD, 0xFE, 0x16, 0x0E, 0xF8,
177 | 	0x2C, 0x36, 0x06, 0x9C, 0xA8, 0x87, 0xD8, 0x4E, 0xA0, 0x0C, 0xCC, 0x40, 0x13, 0x0C, 0xF7, 0xC4,
178 | 	0x11, 0x8C, 0x5D, 0x08, 0x22, 0xA5, 0xE1, 0xF4, 0x93, 0xCD, 0xAE, 0x96, 0xF5, 0x75, 0x20, 0x31,
179 | 	0xB4, 0x53, 0xE4, 0xCB, 0x86, 0x08, 0xC8, 0xF2, 0xBA, 0x2C, 0x78, 0xC9, 0x41, 0x12, 0x4C, 0x18,
180 | 	0xE3, 0x9F, 0x50, 0xAB, 0x74, 0xB8, 0x31, 0x47, 0xAA, 0x3F, 0xB8, 0x00, 0x53, 0x7E, 0xB9, 0xAC,
181 | 	0x55, 0xD7, 0x37, 0x55, 0x2E, 0x05, 0x03, 0x75, 0xF6, 0x07, 0xC5, 0x9B, 0x42, 0x13, 0xD8, 0x7E,
182 | 	0x58, 0xE8, 0xDA, 0x6E, 0x23, 0x02, 0x9C, 0x9C, 0xB8, 0x07, 0xAC, 0x63, 0x13, 0x3B, 0x9F, 0xDD,
183 | 	0xDA, 0xD8, 0x71, 0x2B, 0xD7, 0x82, 0x11, 0x37, 0xD9, 0xF8, 0xFD, 0xC3, 0xE2, 0x8A, 0xEB, 0x08,
184 | 	0xEE, 0x2F, 0xAE, 0x3E, 0xC1, 0xF8, 0x0D, 0x91, 0x26, 0xA3, 0xD2, 0xD0, 0xE4, 0xE4, 0xF1, 0xC6,
185 | 	0x42, 0x4C, 0xE6, 0xB5, 0xE9, 0x73, 0xE5, 0x27, 0x03, 0xAF, 0xB3, 0x1C, 0xEE, 0x79, 0x90, 0xDA,
186 | 	0x82, 0xB3, 0x16, 0x18, 0x9A, 0xD1, 0x6F, 0xE0, 0x59, 0x92, 0x1C, 0x60, 0xA9, 0x5A, 0x12, 0x08,
187 | 	0x71, 0x06, 0x5B, 0x9E, 0xD6, 0x49, 0xD2, 0x11, 0x7D, 0xFB, 0x0C, 0xE5, 0xB5, 0x35, 0x95, 0x11,
188 | 	0x9F, 0x21, 0x77, 0xBE, 0xA4, 0x62, 0xF7, 0x66, 0x60, 0xC6, 0xA0, 0x7C, 0x81, 0x0D, 0x21, 0xE1,
189 | 	0x85, 0xE2, 0xDA, 0xE5, 0x59, 0xC2, 0x7F, 0x14, 0x09, 0x3F, 0x21, 0xA9, 0x6D, 0x4E, 0x2A, 0x81,
190 | 	0x41, 0xD7, 0x6A, 0x3F, 0x96, 0x4A, 0xA7, 0x0B, 0xF7, 0xE9, 0x29, 0xE7, 0x32, 0x24, 0xBD, 0x9F,
191 | 	0x17, 0x19, 0xFD, 0xFF, 0x96, 0xBF, 0x4C, 0xA5, 0xDB, 0x51, 0x66, 0x27, 0x22, 0x57, 0x60, 0xF3,
192 | 	0xD2, 0xD8, 0x67, 0x0A, 0x4B, 0x82, 0xE1, 0x6A, 0x8B, 0x43, 0x58, 0xEC, 0xD7, 0x81, 0xB0, 0xEE,
193 | 	0xA2, 0x2A, 0x29, 0xD0, 0x76, 0x44, 0x24, 0xE9, 0x1E, 0x3D, 0xC7, 0xA6, 0xA1, 0xCE, 0xDD, 0x14,
194 | 	0x8C, 0x4B, 0xBB, 0x1B, 0x52, 0x4B, 0x9C, 0x8D, 0xD3, 0xF3, 0xD1, 0x53, 0x40, 0x77, 0x5F, 0xE9,
195 | 	0xC9, 0x8E, 0xEC, 0x22, 0x0B, 0x52, 0x4A, 0x8D, 0x95, 0x95, 0xD2, 0xF4, 0x3C, 0x67, 0x83, 0xE6,
196 | 	0x03, 0xA3, 0x5B, 0x8D, 0xF9, 0x6A, 0x16, 0x89, 0x75, 0xAC, 0xF5, 0xAC, 0x4E, 0xA4, 0x7E, 0x02,
197 | 	0xB7, 0x3A, 0x8C, 0xE6, 0xAF, 0xF8, 0xE5, 0x2D, 0xAD, 0x76, 0x89, 0x79, 0xBD, 0x73, 0x92, 0xB3,
198 | 	0x05, 0x0D, 0xD3, 0xB4, 0xE4, 0x79, 0x0E, 0x25, 0xE9, 0xA3, 0x4E, 0xE6, 0x07, 0xDB, 0x5A, 0x58,
199 | 	0x5D, 0x16, 0xCA, 0x6B, 0x16, 0xAA, 0x76, 0x37, 0x2A, 0xB4, 0x9E, 0x31, 0xDF, 0x48, 0x65, 0x07,
200 | 	0x3A, 0xF8, 0x04, 0xA5, 0xC9, 0xDA, 0xB3, 0x44, 0x20, 0xF2, 0x60, 0xE4, 0xBD, 0x84, 0x08, 0x29}
201 | 
202 | func TestDec512(t *testing.T) {
203 | 	var v testVec
204 | 	v.dir = DirectionDecrypt
205 | 	v.key = make([]byte, 32)   // all-zero
206 | 	v.tweak = make([]byte, 16) // all-zero
207 | 	v.in = make([]byte, 512)   // all-zero
208 | 	v.out = buf0809
209 | 	verifyTestVec(v, t)
210 | }
211 | 
212 | // Test vectors from http://grouper.ieee.org/groups/1619/email/msg00218.html
213 | // Decrypt 100 times
214 | func TestDec512x100(t *testing.T) {
215 | 	var v testVec
216 | 	v.dir = DirectionDecrypt
217 | 	v.key = []byte{
218 | 		0x08, 0x09, 0x05, 0xDE, 0xE8, 0xEB, 0xCC, 0x89, 0xF6, 0x8B, 0xD1, 0xAF, 0x63, 0x5D, 0xB3, 0xF5,
219 | 		0xB6, 0x0C, 0x2F, 0x13, 0xF7, 0xC7, 0x68, 0xFC, 0xEB, 0x12, 0x20, 0xF6, 0xC2, 0x27, 0xFD, 0x83}
220 | 	v.tweak = []byte{
221 | 		0x5F, 0x29, 0x3E, 0x85, 0xF1, 0xEA, 0xA8, 0xEE, 0x23, 0x22, 0xF5, 0x42, 0x91, 0xBF, 0x05, 0x1E}
222 | 	v.in = buf0809
223 | 	v.out = []byte{
224 | 		0x78, 0xD8, 0xF9, 0xC2, 0xBA, 0xAE, 0xBC, 0xB9, 0x7C, 0x39, 0x14, 0xFE, 0x4F, 0xD9, 0xB9, 0xED,
225 | 		0x1B, 0x0F, 0xD0, 0x8C, 0x64, 0xCE, 0x0F, 0x7F, 0xA4, 0x40, 0xC2, 0xB2, 0x31, 0x7C, 0xAC, 0xC6,
226 | 		0x10, 0xE7, 0x5A, 0xE2, 0x26, 0xA6, 0x4C, 0x8D, 0xE4, 0x27, 0x36, 0x86, 0x7D, 0xBC, 0x5F, 0xE2,
227 | 		0xAC, 0x66, 0x3B, 0x6D, 0xB5, 0x55, 0xD7, 0x9D, 0xC4, 0x80, 0xB7, 0x07, 0xC1, 0x04, 0x11, 0xB8,
228 | 		0x31, 0xAA, 0x3E, 0xAA, 0x5A, 0x30, 0x6F, 0xDF, 0x95, 0xC4, 0xEA, 0x06, 0x84, 0xB7, 0x8B, 0xD6,
229 | 		0x24, 0x52, 0x75, 0xB5, 0xBC, 0x24, 0x57, 0x58, 0xB2, 0x38, 0x27, 0x4C, 0x2B, 0x7D, 0x7B, 0x8F,
230 | 		0xD1, 0xB9, 0x0E, 0x39, 0x0C, 0xD1, 0x0E, 0xD5, 0x4A, 0xD7, 0xD7, 0x22, 0x1A, 0x1A, 0xAE, 0x56,
231 | 		0xF8, 0x15, 0xF7, 0x02, 0x6D, 0x3E, 0xE3, 0xFB, 0x12, 0x32, 0xF8, 0x5E, 0x50, 0x0A, 0xE8, 0x75,
232 | 		0x6A, 0x53, 0xE2, 0x40, 0x38, 0xE9, 0xD2, 0x54, 0xB4, 0xF0, 0x94, 0x86, 0xF9, 0x5C, 0xAB, 0x88,
233 | 		0x25, 0x02, 0xB7, 0x7C, 0x95, 0x79, 0x55, 0x14, 0x90, 0x92, 0x60, 0x31, 0x4F, 0xEB, 0xDF, 0x2A,
234 | 		0xC0, 0xD4, 0xFD, 0x47, 0xF5, 0xD6, 0xFD, 0xA2, 0xBA, 0x66, 0xD1, 0xB1, 0x25, 0xA9, 0x00, 0xD7,
235 | 		0x8C, 0xAB, 0x58, 0xBF, 0x8E, 0xB9, 0xF2, 0x41, 0xD0, 0x80, 0x06, 0x1A, 0x2E, 0x46, 0xBE, 0x3C,
236 | 		0x21, 0xF7, 0x48, 0x45, 0x94, 0x26, 0xF7, 0x9B, 0x61, 0x9E, 0x8C, 0x81, 0x25, 0xF0, 0x6A, 0x60,
237 | 		0x7C, 0x9A, 0x55, 0xE4, 0xFD, 0x12, 0xE8, 0x17, 0xE3, 0x90, 0xFB, 0x5F, 0x8C, 0x5A, 0x05, 0x76,
238 | 		0xCF, 0xD2, 0x5F, 0x5E, 0x0A, 0xCB, 0x9D, 0xC0, 0x80, 0xB9, 0xC0, 0x1C, 0x7C, 0x9A, 0x41, 0x27,
239 | 		0x15, 0x9B, 0x8A, 0x4C, 0xD0, 0xCF, 0xFA, 0xE0, 0xF2, 0x41, 0xBF, 0xBF, 0x8E, 0x41, 0xF2, 0x4D,
240 | 		0x50, 0x68, 0xBD, 0x34, 0x54, 0xA9, 0xBE, 0x8E, 0x4F, 0x99, 0x88, 0x1A, 0x7F, 0x6F, 0xF2, 0x1E,
241 | 		0x3A, 0x7A, 0x33, 0x70, 0x0F, 0xC1, 0xF8, 0x2B, 0x64, 0x13, 0xE3, 0xF9, 0x72, 0x21, 0xA6, 0x17,
242 | 		0x16, 0x15, 0x54, 0x49, 0xCF, 0xE8, 0x7A, 0x3D, 0x57, 0x49, 0xF3, 0x91, 0x96, 0x11, 0xDE, 0xF9,
243 | 		0x5D, 0x58, 0xE4, 0x2B, 0xD6, 0xD8, 0x91, 0x43, 0xE3, 0xA0, 0xCA, 0x58, 0x8A, 0x59, 0xB7, 0x9A,
244 | 		0x55, 0x06, 0x32, 0xFE, 0xDD, 0x84, 0x62, 0x9A, 0x70, 0x75, 0xB0, 0x89, 0xF2, 0xB0, 0x80, 0x2B,
245 | 		0x69, 0xB8, 0x2E, 0xE0, 0xF6, 0x03, 0xF0, 0x3E, 0x99, 0x26, 0x3F, 0xB6, 0x95, 0x19, 0x91, 0xD8,
246 | 		0x80, 0x49, 0x63, 0xED, 0xA1, 0x23, 0x1B, 0x25, 0x0D, 0xF5, 0x5E, 0xF7, 0x9E, 0xEF, 0xDE, 0x3C,
247 | 		0x99, 0xB9, 0xCD, 0x91, 0xEA, 0xA7, 0x95, 0x63, 0xA9, 0xCD, 0x16, 0x13, 0x6D, 0xB2, 0x43, 0x6F,
248 | 		0x4D, 0x72, 0x1F, 0x91, 0x23, 0x94, 0x8A, 0xFC, 0x0B, 0x63, 0x33, 0xCF, 0x2E, 0xD4, 0xCA, 0xAB,
249 | 		0xA3, 0x40, 0x4E, 0xDD, 0x2D, 0xE8, 0xF6, 0x55, 0x66, 0x77, 0xC9, 0xB2, 0x86, 0xA2, 0x06, 0x34,
250 | 		0x39, 0x4C, 0xB7, 0xEA, 0x72, 0xDD, 0x7E, 0xE3, 0x65, 0x7D, 0x6E, 0xE1, 0xCF, 0xED, 0x8C, 0x3B,
251 | 		0x94, 0xB8, 0xBC, 0xC5, 0x78, 0x47, 0x02, 0x57, 0x7F, 0xE4, 0x00, 0xB3, 0x8A, 0x7B, 0x08, 0x95,
252 | 		0x74, 0x73, 0xCB, 0x57, 0xEF, 0xB8, 0x61, 0xF2, 0xEB, 0x9E, 0xEC, 0x5A, 0x12, 0x00, 0xCB, 0xD7,
253 | 		0x5B, 0x41, 0x43, 0x3F, 0xF1, 0x75, 0x6C, 0xE7, 0x29, 0x88, 0xCA, 0x9A, 0x69, 0x0F, 0x65, 0x97,
254 | 		0xCA, 0x0E, 0x8C, 0x98, 0xA1, 0x5C, 0x8B, 0x54, 0x71, 0xBC, 0x11, 0x67, 0x97, 0x8E, 0xC8, 0x3B,
255 | 		0xC5, 0xB5, 0x66, 0x0B, 0x4B, 0xC9, 0x93, 0x8A, 0x41, 0xDB, 0xCF, 0x8F, 0xCE, 0x32, 0x1D, 0x1F}
256 | 
257 | 	bc, err := aes.NewCipher(v.key)
258 | 	if err != nil {
259 | 		t.Fatal(err)
260 | 	}
261 | 	out := v.in
262 | 	for i := 0; i < 100; i++ {
263 | 		out = Transform(bc, v.tweak, out, v.dir)
264 | 	}
265 | 	if bytes.Compare(v.out, out) != 0 {
266 | 		t.Errorf("Different content")
267 | 	}
268 | }
269 | 
270 | func BenchmarkEnc512(b *testing.B) {
271 | 	var v testVec
272 | 	v.dir = DirectionEncrypt
273 | 	v.key = make([]byte, 32)
274 | 	v.tweak = make([]byte, 16)
275 | 	v.in = make([]byte, 512)
276 | 	b.SetBytes(int64(len(v.in)))
277 | 
278 | 	bc, err := aes.NewCipher(v.key)
279 | 	if err != nil {
280 | 		b.Fatal(err)
281 | 	}
282 | 
283 | 	b.ResetTimer()
284 | 	for n := 0; n < b.N; n++ {
285 | 		Transform(bc, v.tweak, v.in, v.dir)
286 | 	}
287 | }
288 | 
289 | func BenchmarkDec512(b *testing.B) {
290 | 	var v testVec
291 | 	v.dir = DirectionDecrypt
292 | 	v.key = make([]byte, 32)
293 | 	v.tweak = make([]byte, 16)
294 | 	v.in = make([]byte, 512)
295 | 	b.SetBytes(int64(len(v.in)))
296 | 
297 | 	bc, err := aes.NewCipher(v.key)
298 | 	if err != nil {
299 | 		b.Fatal(err)
300 | 	}
301 | 
302 | 	b.ResetTimer()
303 | 	for n := 0; n < b.N; n++ {
304 | 		Transform(bc, v.tweak, v.in, v.dir)
305 | 	}
306 | }
307 | 


--------------------------------------------------------------------------------
/eme_test.go:
--------------------------------------------------------------------------------
 1 | package eme
 2 | 
 3 | // Test other data lengths using self-generated test vectors
 4 | 
 5 | import (
 6 | 	"encoding/hex"
 7 | 	"strings"
 8 | 	"testing"
 9 | )
10 | 
11 | // unhex - strip newlines and decode hex
12 | func unhex(s string) []byte {
13 | 	b, err := hex.DecodeString(strings.Replace(s, "\n", "", -1))
14 | 	if err != nil {
15 | 		panic(err)
16 | 	}
17 | 	return b
18 | }
19 | 
20 | func TestEnc16(t *testing.T) {
21 | 	var v testVec
22 | 	v.dir = DirectionEncrypt
23 | 	v.key = make([]byte, 32)   // all-zero
24 | 	v.tweak = make([]byte, 16) // all-zero
25 | 	v.in = make([]byte, 16)    // all-zero
26 | 	v.out = unhex("f1b9ce8ca15a4ba9fb476905434b9fd3")
27 | 	verifyTestVec(v, t)
28 | }
29 | 
30 | func TestEnc2048(t *testing.T) {
31 | 	var v testVec
32 | 	v.dir = DirectionEncrypt
33 | 	v.key = make([]byte, 32)   // all-zero
34 | 	v.tweak = make([]byte, 16) // all-zero
35 | 	v.in = make([]byte, 2048)  // all-zero
36 | 	v.out = unhex(`
37 | 630500884158a8d41216aaa6351e92ea7ca540a949e73f1d6069afef372eae226d426d8f4dbbce5
38 | 05051fcd596e7b32cdd1e44a40bcce0887ebbc160f779dafbb68bc25a40040987cdb5aba19b956e1
39 | 1dd69d7ce74d1d8788903254217300f3afd9a92cea395a89fd842256d3919ac303c1d1a21ec44cb2
40 | 898acabb3d0e04e05845e9183a64b4148f9614f62f79fa971799c896c58cd2b285cb00e40720b5c1
41 | 18ef1c0dbf5e51f09cd10db672b9c22c53d4bf5dabf16cfcbc382e3209e7ba27955b2afa055924d2
42 | 155319205f964492e0e88172f4ffadca35cd3e694fd3d803f610edc1696113996749bdb2a2dfb8fb
43 | d92f0ef723146f93d969d1de4cc1c19efa33785f135a1203005ba2208fcd6b9f0d0e942993671b0c
44 | 5baefe7ed0bbfe070a9e1d26eed37228ceda64b70c25a59fd040703acc385c6e4093a8e258984371
45 | c2d811c01723b87c820a55470501b245d97a0c7564c44e1e31a89457c1125198d27ac2dec67f7237
46 | c781f9f622e420da471af577fa6ad8014bb1dad52dc450e37ebeeb1f1b7ba3c3d5796c6646bd052f
47 | e66cf61d22f6e58efcbf0328d3b6e1088603e54bfd2da241c970fec58c7d21fc2b2f1b4b79552a92
48 | 500a7e6848a22ec47ee362cef9787af3b26439470992c8d103997395aefeff10802673d4630009e4
49 | e5ed26038d5f05c589e64046274d5ff133398e4bab08ca71c0ce93dbd0657785b150c9e418339e8e
50 | 47d02ae7322b5b55364dfe10dd02d54dc5f2dbe82e55bcf0503b30d709301fc7f63cd15e7e124518
51 | 9405b1364b6074c0e493f7beb273859864e95643c7d914279d95f220247618b7a5c896d604e9ce88
52 | e0a3ab434cfe97cabc520b20e2fffee958972e82e98b952cbf3567be560a8385e520b636829252ca
53 | e16ac882d1d3dde447a90af52be7967f357a36382c9672a659ed0ffae9ee7b969c8c788f982fbd52
54 | 4efb6b852f65be5f371032691e9ef6e5a217607cf990e5351b251f841834045d9bd54633e8bb0d19
55 | 569377f805857a503a2642dfc06e2063dfd465dcae83b1e362394cdf20bd6a6d5dd0bacad7f2d407
56 | e597b004e90683bfc23b92796bb0cdf67752765dbba2d1332848adcb83e60b7f3f8c397a3aa5de08
57 | bf491676a18ee4a6ed9b342b33c081794365a72668f273a655e150fa36686aa5dfbc87ccda9cbe79
58 | 82e531044cd9fcea68ca1a5034ee64e0558b7c6af56808c0343506dccf39e4ca8634518e6420c107
59 | b7d5fe89943e9f40044b2ae7f047d97275ec4763b41416fb3faff897e6ee0047f97b215b02ee09a3
60 | f533cba2ee131a0aa68772860759325ea4dc7ab86528d0aff55f96d00a908ea32f9fa8bd0640d632
61 | bf0d812f43beb03e6c6d4a654b41f27143fde4aa7ed16ae4bba939fbed8ae28dace83fcb49fd3ca9
62 | 10512902fc696419968e260901796f3af75d059c6e93a8f53b445f921e60d9429007c78107309a86
63 | 102b923dbb2f1fa04f84539c7c58ed45b40d4b267541d8f2f932ae75dfc13ef906089e1c847635aa
64 | ada201e32301f326a733f4a99caa56fa00ccd6de2752a4495408bb4c930eaf84c97a28767a036f65
65 | 627efa868adeee1cf47840e67ac4489381da1513dd3d1707a5ad91ac4ba1c35714b1cd77e0555161
66 | 2cdfb88187a5a39afd5b2a54f88aeb9605c1e01cd7a976a168c6e40eddcb20f09fe54a07a7c971ed
67 | a08789b41e450f46a30c2b3494f30a06073631d151ae048793fe32ff08a08b8693d1da71451f7ff2
68 | 438d7a521f8c97e4bc8ee744c1574d296c799d3f94e81522ce81def780660cee061d3110c1f18133
69 | dca1daabb2268aad76327f3cb6ae8c96fc66b5506f5644f2652d022d7b616209970f78b8e5c9a74f
70 | 5d1fc31037d01733bff097a661d4331adc087b84e32afb9d82a0614ea459022918f8ca60e74b7c68
71 | 65d3e86e6ae4acf9546985dc5ccf242dd9ab0486bde99a1e656499cbfceef8de5beafda89965bf20
72 | 8c70f4a0f8f677792962b09e0a355d53bbacb4a7acc16e50aa483994d85ca7e28a34ee52843d4f27
73 | acfb3b5347b89099fd01642b605f87f82283bb146aa319048462fe11a71d0fa064e825f69a502ae5
74 | 39240b13a2568383f80c30ebb9a29d2de4c45e6405bd8d1586fe5eef0477d3c21434b3471c0f864d
75 | d4c2f135278645ef1b1ebb4d6954f92763d787ad3d0bb48409782cd803a877027ae105511cdaefe0
76 | 110f9f6c65f2a34ad12532f4715c0341346dc06bcc4bb0e5c04ffdfd3f625e7e3811a760a2cfa9cb
77 | e1c2914882c192b793aeeb3ab8b03fd8be7e248fc9e5aa0c651d4bb5318c8a266b735ddc167d8374
78 | 99a3b38dcdfe188e25172eb974eb0eff20cc5c6e42e505fea7a3b6edfdf93b7062737ea00f72a415
79 | c4dfd3cd4fab2dad812d88d02690f606b52dcfb0ab220dc65a7dee6f31e951324a1c442adfe9cf67
80 | 2646876bedc2c2cb71bac583f3cf4ea6769eb54d22bf22b0d908a297caa13767ed14c44b738799e8
81 | 21885b2b2988a9b88a2f35bf8d307543af9007fadcfcc273f8029c2fe3d59449c5f193ca7f8986ca
82 | 7451d9a3ee14335b10868421b64ea1605d48d4fc22e378f82b7fe3e88aada30b4c545408b87b2451
83 | 1e371f25d1a94e7b78a6a7aec848e6f82614f96ef5ed8705e0adec0f889c1860cf8211d716fddf31
84 | 9862290019a4387fb77c89a5ae7d0074fa72024f2e5096d39ebac8e8ed02191879585394987fea3a
85 | 07a720d6880910629cdcd83a02ffd98830d2f57ee6c53b5cfedb42ec7c3d925cf3080c343f21711a
86 | 90f117e9eaf91402d09b83e83bd18d1c4e3d165a8b9bac7adca12cb0147bfc4c6e2166c57b8182e6
87 | 3fbc698881ed5b329eb491eb98050a922c15804021013bf08942db9ee6d8f2a2c4eb93771340ed9e
88 | 323d09e4256b7e5ac`)
89 | 	verifyTestVec(v, t)
90 | }
91 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/rfjakob/eme
2 | 
3 | go 1.16
4 | 


--------------------------------------------------------------------------------
/paper-eme-fig2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rfjakob/eme/6fd604b08f7942c0549d3b451044217c2d3346df/paper-eme-fig2.png


--------------------------------------------------------------------------------
/test.bash:
--------------------------------------------------------------------------------
1 | #!/bin/bash -eu
2 | 
3 | go build
4 | go test -v "$@"
5 | go vet -all .
6 | 


--------------------------------------------------------------------------------