XTS, as given by the below equation, is a mode of operation primarily targeting full-disk encryption scenarios.
By the way it works it also doubles the keylength although a meet-in-the-middle attack applies (by enumerating all the whitening values). However one only needs to calculate the whitening value once per sector.
So is there any way to break XTS or a double application thereof in less time and/or space than expected?
The expected time for standard XTS is time $2^{512}$ for 256-bit AES and $2^{513}$ time and $2^{512}$ space for double encryption.
Relation to the title:
XTS is the most well-known / used scheme for turning a 256-bit cipher into a 512-bit mode. It does this in such a way that each block requires merely one finite field multiplication and one encryption operation and every few blocks (e.g. 32+) require one additional encryption operation which means it should be a very "cheap" way of doing double encryption. So the question: Is this as good as it sounds?
The equation as documented by VeraCrypt:
$$C_1=E_{K_1}(P_1\oplus(E_{K_2}(n)\otimes\alpha^i))\oplus(E_{K_2}(n)\otimes\alpha^i)$$
with $C_1$ being the ciphertext, $P_1$ being the plaintext, $K_1$ and $K_2$ being the keys, $n$ being the sector index, $i$ being the block index within the sector, $\oplus$ denoting bitwise XOR, $\otimes$ denoting multiplication in the binary Field $GF(2)\bmod x^{128}+x^7+x^2+x+1$ and $(E_{K_2}(n)\otimes\alpha^i)$ being called "the whitening value".
Justification of the expected time / space values:
Single Encryption case:
This is essentially "single-key" XEX, providing 256-bit security combined with a 256-bit keyed permutation, one needs $2^{512}$ to find the correct whitening key and the correct permutation.
Double Encryption case:
Standard meet-in-the-middle attack: Enumerate all the possible intermediate values ($2^{512}$ time and space) and then try decrypting all the ciphertexts with all possible keys, looking for intermediate matches.
