Hi Guys,

I tried NIST XTS test vectors with your code. Not all tests have passed.
The problem with the partial block processing. In particular, your code does not perform stealing of bits when data unit length is not multiple 8 bits, i.e., not a full byte.
Your current implementation assumes that the data unit length is always multiple of 8 bits, and thus it only performs bytes stealing (if needed).

For example, your code works if data unit length is 200 bits, i.e., input data length is full 25 bytes. However, size of 25 bytes is not multiple of 16, so your code will do bytes stealing in this case.

But, if data unit length is 250 bits, i.e., 31.25 bytes, where 31 bytes are full, and the last 32nd byte is not full. This last byte is padded with '0' to be full (according to NIST description of test vectors preparation). The padded bits in that particular padded byte should be replaced by applying bits stealing.

In fact, data unit lengths such as 130, 140, and 250 (all used by NIST) are not handled by your current implementation so that all such test vectors failed to pass.

According to the XTS-AES Validation System, the successful completion of the tests is required
to be validated as conforming to the XTS-AES algorithm standard.

Please, take a note of this issue.
FYI @horrorho

Thank you.