Skip to content

AES-XTS Ciphertext_stealing safety proofs#367

Draft
nebeid wants to merge 136 commits intoawslabs:mainfrom
nebeid:aes-xts-safety
Draft

AES-XTS Ciphertext_stealing safety proofs#367
nebeid wants to merge 136 commits intoawslabs:mainfrom
nebeid:aes-xts-safety

Conversation

@nebeid
Copy link
Copy Markdown
Contributor

@nebeid nebeid commented Mar 10, 2026
edited
Loading

Note: To be rebased on #331 after it's merged. This PR adds only 2 commits.

Description of changes:
Constant-time and Memory Safety properties for AES-XTS Ciphertext-stealing in both decrypt (by @aqjune-aws) and encrypt. The encrypt proof follows the same structure as the decrypt proof with some changes to adapt to the difference in implementation.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

pennyannn and others added 30 commits December 23, 2025 00:47
@pennyannn
aes-xts experiments
c474e65
@pennyannn
More experiments
00a95b3
@nebeid @pennyannn
Add Decrypt function- its instructions are all understood by the deco…
19f9d1c 
…der.

"Remove `.size` as not passing on MacOS with this build.
@nebeid @pennyannn
The decrypt version is now from linux-aarch64.
8579d6a 
It's from AWS-LC's
generated-src/linux-aarch64/crypto/fipsmodule/aesv8-armx.S
It was previously taken from win-aarch64.
@nebeid @pennyannn
enable stopping at first error.
b246573
@nebeid @pennyannn
Save decoded output to a text file.
e17e788
@nebeid @pennyannn
Update decoded output after adding post-index register offset to the …
2397213 
…decoder.
@nebeid @pennyannn
New decoded output after shuffling around some instructions.
cc7f0a2 
In some places, only comments are different after the decoder was updated.
@pennyannn
Start proof for AES256 encrypt
9eb985e
@nebeid @pennyannn
Continuing the AES specification.
3639711
@nebeid @pennyannn
The spec test vector succeeds after converting the inputs to little e…
9b134b2 
…ndian representation.
@nebeid @pennyannn
Post conditions and MAYCHANGE for an AES block encryption proof.
69dab0b
@nebeid @pennyannn
Proof of AES encryption of one block.
4bd82d1
@pennyannn
Add aes-xts decrypt programs
a1c9c3c
@pennyannn
Add aes program and spec
c558535
@pennyannn
Symbolic simulation and fixed a bug in code
1e8932b
@pennyannn
Finish the proof for aes-xts-decrypt
8649a9c
@pennyannn
Fix a bug
5b951ab
@pennyannn
Set up for aes-xts one block proof
684f3f7
@pennyannn
Define spec for one block xts and define conversion
3dde459
@pennyannn
Add proof for one block xts
aadaeae
@pennyannn
Update one block proof to use more clean version
0379411
@pennyannn
WIP: define XTS full specification
70a24e0
@pennyannn
Experiment with conversions
31fccb6
@pennyannn
Fix type issue in cipher stealing
424ddb5
@pennyannn
Write conversions and add tests
d981037
@pennyannn
The ultimate clean up
ebb74f2
@pennyannn
The ultimate ultimate clean up to fix perror
52f494b
@pennyannn
Update the specification to match the standard for tweak calculation
ec3b91e
@pennyannn
Update clean version of xts decrypt
937ec02
nebeid and others added 28 commits December 23, 2025 00:47
@nebeid @pennyannn
Adjust 1-block proof to the code after the W19 fix.
f13b9fe
@nebeid @pennyannn
Use the updated tactic name.
9f8f791
@pennyannn
Clean up Makefiles and rename files to keep consistency
7067386
@pennyannn
Refactor the structure of files
9d64670
@pennyannn
Put AES encrypt and decrypt proofs in tutorial
1efe5ed
@pennyannn
Integrate assembly
3d02501
@pennyannn
Fix issue in collect-signatures
c49f61e
@pennyannn
Add benchmark for AES-XTS
71bbe67
@pennyannn
Fix missing sematest for ldrb shifted register variant
8940450
@pennyannn
Rename AES_KEY as s2n_bignum_AES_KEY
b5607f8
@pennyannn
Fix benchmark platform check
cc064b8
@pennyannn
Add sematest for strb shifted register no shift
f34f3b1
@pennyannn
Update signature
3e4f514
@pennyannn
Rename aes_hw_xts_encrypt to aes_xts_encrypt and similarly for decrypt
5c072d5
@nebeid
Merge branch 'main' into aes-xts
33cb597
@nebeid
Added explanation to encrypt tutorial.
32349ca
@nebeid
Put AES encrypt and decrypt proofs in one file in the tutorial, with …
d3035e8 
…explanation.
@nebeid
Merge remote-tracking branch 'upstream/main' into aes-xts
c2541e2
@nebeid
Revert "Put AES encrypt and decrypt proofs in one file in the tutoria…
45f4e61 
…l, with explanation."

This reverts commit d3035e8.
@nebeid
Added explanation to the decrypt tutorial.
f958559
@nebeid
Add banners and remove print function in collect-signatures.py.
a124e9b
@nebeid
Put AES encrypt and decrypt proofs in one file in the tutorial (2nd a…
58c21b5 
…ttempt).
@nebeid
Merge remote-tracking branch 'upstream/main' into aes-xts
f6cffa6
@nebeid
Put specs for list and tweak calculation in a common spec file.
d196208 
Add ASCII drawing to explain the cipher-stealing loop invariant.
Address comments on decrypt proof.
@nebeid
Update the name of the encrypt subroutine theorem to match the decryp…
2d46477 
…t one.
@nebeid
Merge branch 'main' into aes-xts
97ae2a7
@aqjune-aws
Prove CIPHER_STEALING_SAFE of aes-xts decrypt
1a615ae 
Special thanks to Opus.

Also, add abbrevs_unfold_before_f_events_tac to DISCHARGE_SAFETY_PROPERTY_TAC
@nebeid
Prove CIPHER_STEALING_SAFE of aes-xts encrypt
2e362c7
@nebeid nebeid requested review from aqjune-aws and jargh March 10, 2026 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aqjune-aws aqjune-aws Awaiting requested review from aqjune-aws

@jargh jargh Awaiting requested review from jargh

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nebeid @pennyannn @aqjune-aws