RFC/standard for AES XTS implementation


I see AES XTS support added in MBEDTLS release. Wanted to know more details about AES XTS Implementation.

  1. Can you point out to standard/RFC which is used to implement AES XTS
  2. AES XTS implementation uses GF multiplication. Can you please point out to the standard/RFC which is used to implement this.


  • GF(2^128) multiplication function
  • This function multiplies a field element by x in the polynomial field
  • representation. It uses 64-bit word operations to gain speed but compensates
  • for machine endianess and hence works correctly on both big and little
  • endian machines.
    static void mbedtls_gf128mul_x_ble( unsigned char r[16],
    const unsigned char x[16] )
    uint64_t a, b, ra, rb;GET_UINT64_LE( a, x, 0 );
    GET_UINT64_LE( b, x, 8 );ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
    rb = ( a >> 63 ) | ( b << 1 );PUT_UINT64_LE( ra, r, 0 );
    PUT_UINT64_LE( rb, r, 8 );

Hi @vikas

AES-XTS is defined in NIST 800-38E
As for your question on GF multiplication, unfortunately I don’t have a refernce for it.
Mbed TLS Support

Hi Ron,

Thanks for your answer.

Link to AES XTS implementation which you gave also has link to how multiplication should be done in references[2].

But the problem what we are facing is:
There is a standard for AES XTS IEEE P1619/D16 and that has code implementation (See Annex C) for generation of IV for the next AES block using GF(2^128) multiplication. There is a difference in multiplication operation mentioned in standard and MBEDTLS AES XTS implementation Hence if same plaintext is given to two implementations generated cipher text is different.

One difference I could see is the way multiplication is performed in both the implementations. Standard code does operation on one byte at a time whereas MBEDTLS multiplication implementation does operation on 64 bits (8 bytes). We need to know which standard/RFC followed by MBEDTLS AES XTS for multiplication which is implemented in mbedtls_gf128mul_x_ble function in aes.c file.

Can you please help us to figure out which implementation is correct and should be used?

I’ve just implemented this on our system.
From what I can see the mbedtls implementation matches that in P1619/D16.
The test vectors/keys etc in mbedtls are the same and give the same results as in the document.
Have you run the self test program to make sure nothing else is wrong ?

Thanks Paul for your response.

I will run test vectors mentioned in standard with our implementation and check if they are passing.