RFC/standard for AES XTS implementation

vikas · October 16, 2019, 7:08am

Hello,

I see AES XTS support added in MBEDTLS release. Wanted to know more details about AES XTS Implementation.

Can you point out to standard/RFC which is used to implement AES XTS
AES XTS implementation uses GF multiplication. Can you please point out to the standard/RFC which is used to implement this.

/*

GF(2^128) multiplication function
This function multiplies a field element by x in the polynomial field
representation. It uses 64-bit word operations to gain speed but compensates
for machine endianess and hence works correctly on both big and little
endian machines.
*/
static void mbedtls_gf128mul_x_ble( unsigned char r[16],
const unsigned char x[16] )
{
uint64_t a, b, ra, rb;GET_UINT64_LE( a, x, 0 );
GET_UINT64_LE( b, x, 8 );ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
rb = ( a >> 63 ) | ( b << 1 );PUT_UINT64_LE( ra, r, 0 );
PUT_UINT64_LE( rb, r, 8 );
}

roneld01 · October 17, 2019, 3:06pm

AES-XTS is defined in NIST 800-38E
As for your question on GF multiplication, unfortunately I don’t have a refernce for it.
Regards,
Mbed TLS Support
Ron

vikas · October 17, 2019, 3:45pm

Hi Ron,

Thanks for your answer.

Link to AES XTS implementation which you gave also has link to how multiplication should be done in references[2].

But the problem what we are facing is:
There is a standard for AES XTS IEEE P1619/D16 and that has code implementation (See Annex C) for generation of IV for the next AES block using GF(2^128) multiplication. There is a difference in multiplication operation mentioned in standard and MBEDTLS AES XTS implementation Hence if same plaintext is given to two implementations generated cipher text is different.

One difference I could see is the way multiplication is performed in both the implementations. Standard code does operation on one byte at a time whereas MBEDTLS multiplication implementation does operation on 64 bits (8 bytes). We need to know which standard/RFC followed by MBEDTLS AES XTS for multiplication which is implemented in mbedtls_gf128mul_x_ble function in aes.c file.

Can you please help us to figure out which implementation is correct and should be used?

Paul1962 · October 21, 2019, 1:52pm

I’ve just implemented this on our system.
From what I can see the mbedtls implementation matches that in P1619/D16.
The test vectors/keys etc in mbedtls are the same and give the same results as in the document.
Have you run the self test program to make sure nothing else is wrong ?

vikas · October 22, 2019, 8:11am

Thanks Paul for your response.

I will run test vectors mentioned in standard with our implementation and check if they are passing.

Topic		Replies	Views
RFC/Standard for AES XTS Crypto and SSL questions	1	657	October 17, 2019
Performance improvement with ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA Crypto and SSL questions	4	1337	December 16, 2018
AES-128-CBC encryption on data including NULL byte Crypto and SSL questions	1	943	April 5, 2019
STM32F7 hardware acceleration support in Mbed TLS for CRYPT and HASH peripherals Platform specific questions	3	4501	January 9, 2024
Mbed TLS hardware acceleration for GCM on STM32F7 Mbed OS	0	1087	August 8, 2018

RFC/standard for AES XTS implementation

Related topics