[openssl-users] issue with EVP_EncryptUpdate in XTS mode?

Matt Caswell matt at openssl.org
Tue Oct 1 08:11:25 UTC 2019

On 25/01/2019 20:16, Andrew Tucker wrote:
> I was doing some comparisons of XTS and GCM mode using the EVP APIs and found a
> discrepancy that seems to be an issue with XTS.
> In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or with
> several calls with smaller buffers the resulting ciphertext is the same, as I
> would expect.   With XTS mode, calling EVP_EncryptUpdate results in the same
> ciphertext for the same plaintext and does not match the results when the buffer
> is encrypted with one call to EVP_EncryptUpdate.
> I would expect that the counter is incremented in both XTS and GCM mode in the
> same way and that in both cases the output would match regardless of the
> encryption block size.
> A simple repro test is attached.    If you run it you can see that the output
> "GCM in one block" matches the output for "GCM in 16 byte blocks" and the
> outputs do not match for XTS.
> I am using OpenSSL v1.02p but I have tried with other versions and got the same
> results.
> Am I misunderstanding the use of XTS mode or is this an issue with OpenSSL?

Please see my previous post on this topic here:


PRs welcome to improve the documentation in this area.


More information about the openssl-users mailing list