Feature request: EME (ECB-Mix-ECB)

[itpropro]

Hi,
thanks for your work on noble-ciphers, it is a fantastic library and in my opinion the best JS crypto implementations currently available.
Is there any chance you could add EME (ECB-Mix-ECB; https://github.com/rfjakob/eme) to the implemented encryption modes?

[paulmillr]

What do you need it for? Why is it useful?

[itpropro]

There are some projects like gocryptfs (https://nuetzlich.net/gocryptfs/forward_mode_crypto/) that use EME for encryption of file and/or folder names for example. If you work on JS tooling that wants to be compatible to these solutions, EME would be needed.
As I or others would already be using noble libraries in such a scenario, it would help having a EME implementation done by someone who is as competent as you in implementing ciphers and hashes.
As far as I understand, as ECB is already implemented, it would be the mix between the two ECBs that is missing to get EME.

[timdream]

rclone (also written in go) also happen to use EME for file/folder name encryption.

[paulmillr]

duplicate of #12

[itpropro]

duplicate of #12

Thanks for your reply @paulmillr, but in that issue there is only a reference implementation linked for AEGIS. What would be your recommended implementation of EME in the JS/TS world?
Like I said, it would really help a lot of people working with file systems, if there would be an EME implementation from a trusted source to avoid people implementing their own versions and thereby creating security issues.

[paulmillr]

#12 is not a list of trusted implementations. It's just a list of random packages i've searched.

There is no trusted dep I can recommend for this.

[itpropro]

#12 is not a list of trusted implementations. It's just a list of random packages i've searched.

There is no trusted dep I can recommend for this.

I understand that. Would you be open to a PR for an EME implementation in noble-ciphers or would you only accept your own code?
I think we all would like to avoid the need for people to implement things like EME themselves, as that would increase the chance of implementation errors.
I am just trying to find a way to have a secure reference implementation that people can rely on, which would help make the software world a little bit more secure :)

[paulmillr]

I am, of course, open to new contributions! One rule: they should not change old / audited code much. So, like, new "EME" method is cool. Changing internal AES stuff (unless something like a small refactoring) isn't.

[itpropro]

I am, of course, open to new contributions! One rule: they should not change old / audited code much. So, like, new "EME" method is cool. Changing internal AES stuff (unless something like a small refactoring) isn't.

Great to know, I would not attempt to change old code, I would just be dependent on your review and your input, especially on performance optimization.
I hope I find the time soon to open a draft request!