Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing". This is the generalization of the XEX mode. This implementation is limited to an 8-bits (1 byte) boundary, which doesn't seem to be what was thought considering some test vectors [1]. This commit comes with tests, extracted from [1], and benchmarks. Although, benchmarks aren't really nice here, as they work with a buffer of a multiple of 16 bytes, which isn't a challenge for XTS compared to XEX. [1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2025-12-24 08:16:33 +01:00 · 2016-06-09 23:22:58 +02:00 · 2016-06-09 23:22:58 +02:00 · 5f77801ac3
commit 5f77801ac3
parent 380162c34c
8 changed files with 4483 additions and 5 deletions
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@ -99,8 +99,8 @@ int main( void )
 #define OPTIONS                                                         \
    "md4, md5, ripemd160, sha1, sha256, sha512,\n"                      \
    "arc4, des3, des, camellia, blowfish,\n"                            \
-    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,\n"        \
-    "havege, ctr_drbg, hmac_drbg\n"                                     \
+    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,\n"          \
+    "des3_cmac, havege, ctr_drbg, hmac_drbg\n"                          \
    "rsa, dhm, ecdsa, ecdh.\n"

 #if defined(MBEDTLS_ERROR_C)
@ -233,8 +233,8 @@ unsigned char buf[BUFSIZE];
 typedef struct {
    char md4, md5, ripemd160, sha1, sha256, sha512,
         arc4, des3, des,
-         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,
-         aria, camellia, blowfish,
+         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,
+         des3_cmac, aria, camellia, blowfish,
         havege, ctr_drbg, hmac_drbg,
         rsa, dhm, ecdsa, ecdh;
 } todo_list;
@ -281,6 +281,8 @@ int main( int argc, char *argv[] )
                todo.aes_cbc = 1;
            else if( strcmp( argv[i], "aes_xex" ) == 0 )
                todo.aes_xex = 1;
+            else if( strcmp( argv[i], "aes_xts" ) == 0 )
+                todo.aes_xts = 1;
            else if( strcmp( argv[i], "aes_gcm" ) == 0 )
                todo.aes_gcm = 1;
            else if( strcmp( argv[i], "aes_ccm" ) == 0 )
@ -451,6 +453,29 @@ int main( int argc, char *argv[] )
        mbedtls_aes_free( &tweak_ctx );
    }
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( todo.aes_xts )
+    {
+        int keysize;
+        mbedtls_aes_context crypt_ctx, tweak_ctx;
+        mbedtls_aes_init( &crypt_ctx );
+        mbedtls_aes_init( &tweak_ctx );
+        for( keysize = 128; keysize <= 256; keysize += 64 )
+        {
+            mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
+
+            memset( buf, 0, sizeof( buf ) );
+            memset( tmp, 0, sizeof( tmp ) );
+            mbedtls_aes_setkey_enc( &crypt_ctx, tmp, keysize );
+            mbedtls_aes_setkey_enc( &tweak_ctx, tmp, keysize );
+
+            TIME_AND_TSC( title,
+                mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE * 8, tmp, buf, buf ) );
+        }
+        mbedtls_aes_free( &crypt_ctx );
+        mbedtls_aes_free( &tweak_ctx );
+    }
+#endif
 #if defined(MBEDTLS_GCM_C)
    if( todo.aes_gcm )
    {