diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b61e341..910293b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Install packages - run: sudo apt install libmbedtls-dev doctest-dev clang + run: sudo apt install doctest-dev clang if: matrix.os == 'ubuntu-latest' - uses: actions/checkout@v4 @@ -47,7 +47,7 @@ jobs: working-directory: ${{github.workspace}}/build/${{ matrix.build_type }} run: | if [ "$RUNNER_OS" == "Linux" ]; then - cmake $GITHUB_WORKSPACE -DCMAKE_CXX_COMPILER=${{ matrix.compiler }} -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} -DTESTS=ON -DOPENSSL=ON -DMBEDTLS=ON + cmake $GITHUB_WORKSPACE -DCMAKE_CXX_COMPILER=${{ matrix.compiler }} -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} -DTESTS=ON -DOPENSSL=ON else cmake $GITHUB_WORKSPACE -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} -DTESTS=ON fi diff --git a/CMakeLists.txt b/CMakeLists.txt index cd60a35..cd0e846 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -12,7 +12,6 @@ option(PROFILE "enable profiling" OFF) option(TESTS "enable testing" OFF) option(EVERCRYPT "enable comparison with EverCrypt Merkle trees" OFF) option(OPENSSL "enable OpenSSL" OFF) -option(MBEDTLS "enable mbedTLS" OFF) option(TRACE "enable debug traces" OFF) add_library(merklecpp INTERFACE) @@ -51,17 +50,6 @@ if(OPENSSL) target_link_libraries(merklecpp INTERFACE crypto) endif() -if(MBEDTLS) - find_library(MBEDCRYPTO_LIBRARY NAMES mbedcrypto) - target_compile_definitions(merklecpp INTERFACE HAVE_MBEDTLS) - target_link_libraries(merklecpp INTERFACE mbedcrypto) - if (NOT MBEDCRYPTO_LIBRARY) - message(FATAL_ERROR "mbedTLS not found") - else() - message("-- Found mbedTLS at ${MBEDCRYPTO_LIBRARY}") - endif() -endif() - if(TESTS) enable_testing() diff --git a/doc/index.rst b/doc/index.rst index 58f5c0c..fa02e49 100644 --- a/doc/index.rst +++ b/doc/index.rst 
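Review bot: The rewritten install step, `run: sudo apt install doctest-dev clang`, installs from whatever package index the runner image shipped with, and it names no crypto development package even though the configure step in the next hunk keeps `-DOPENSSL=ON`. The OpenSSL headers and libcrypto therefore presumably come from the hosted image rather than from this workflow, so the only remaining external hash backend depends on an image detail the workflow does not control. I would refresh the index and list the dependency explicitly, e.g. `run: sudo apt-get update && sudo apt-get install -y libssl-dev doctest-dev clang`.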
@@ -9,7 +9,7 @@ and function. A default implementation without further dependencies is provided as :cpp:type:`merkle::Tree`, which uses the SHA256 compression function (:cpp:func:`merkle::sha256_compress`). merklecpp also provides bindings -for the respective OpenSSL and mbedTLS functions (see `Hash functions`_), +for the respective OpenSSL functions (see `Hash functions`_), which can be specified as a template parameter as illustrated by the following example: @@ -48,9 +48,9 @@ Hash functions By default, merklecpp uses the SHA256 compression function (:cpp:func:`merkle::sha256_compress`) for node hashes. For convenience, -it also provides bindings to the SHA256 implementations in OpenSSL and mbedTLS. -To enable these bindings, merklecpp requires the compiler macros -:code:`HAVE_OPENSSL` and :code:`HAVE_MBEDTLS` to be defined. +it also provides bindings to the SHA256 implementation in OpenSSL. +To enable these bindings, merklecpp requires the compiler macro +:code:`HAVE_OPENSSL` to be defined. .. doxygenfunction:: merkle::sha256_compress :project: merklecpp @@ -58,12 +58,6 @@ To enable these bindings, merklecpp requires the compiler macros .. doxygenfunction:: merkle::sha256_openssl :project: merklecpp -.. doxygenfunction:: merkle::sha256_compress_mbedtls - :project: merklecpp - -.. doxygenfunction:: merkle::sha256_mbedtls - :project: merklecpp - .. toctree:: :maxdepth: 2 :caption: Contents: diff --git a/merklecpp.h b/merklecpp.h index ed5a975..267e4d6 100644 --- a/merklecpp.h +++ b/merklecpp.h @@ -21,10 +21,6 @@ # include #endif -#ifdef HAVE_MBEDTLS -# include -#endif - #ifdef MERKLECPP_TRACE_ENABLED // Hashes in the trace output are truncated to TRACE_HASH_SIZE bytes. # define TRACE_HASH_SIZE 3 
@@ -1917,45 +1913,6 @@ namespace merkle } #endif -#ifdef HAVE_MBEDTLS - /// @brief mbedTLS SHA256 compression function - /// @param l Left node hash - /// @param r Right node hash - /// @param out Output node hash - /// @note Technically, mbedtls_internal_sha256_process is marked for internal - /// use only. - static inline void sha256_compress_mbedtls( - const HashT<32>& l, const HashT<32>& r, HashT<32>& out) - { - unsigned char block[32 * 2]; - memcpy(&block[0], l.bytes, 32); - memcpy(&block[32], r.bytes, 32); - - mbedtls_sha256_context ctx; - mbedtls_sha256_init(&ctx); - mbedtls_sha256_starts_ret(&ctx, false); - mbedtls_internal_sha256_process(&ctx, &block[0]); - - for (int i = 0; i < 8; i++) - ((uint32_t*)out.bytes)[i] = htobe32(ctx.state[i]); - } - - /// @brief mbedTLS SHA256 - /// @param l Left node hash - /// @param r Right node hash - /// @param out Output node hash - static inline void sha256_mbedtls( - const merkle::HashT<32>& l, - const merkle::HashT<32>& r, - merkle::HashT<32>& out) - { - uint8_t block[32 * 2]; - memcpy(&block[0], l.bytes, 32); - memcpy(&block[32], r.bytes, 32); - mbedtls_sha256_ret(block, sizeof(block), out.bytes, false); - } -#endif - /// @brief Type of hashes in the default tree type typedef HashT<32> Hash; diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index c2a0768..230e095 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -34,7 +34,6 @@ if(TARGET evercrypt.host) endif() if(OPENSSL - OR MBEDTLS OR EVERCRYPT ) add_merklecpp_test(compare_hash_functions compare_hash_functions.cpp) diff --git a/test/compare_hash_functions.cpp b/test/compare_hash_functions.cpp index 94d80e7..8d275bd 100644 --- a/test/compare_hash_functions.cpp +++ b/test/compare_hash_functions.cpp 
@@ -50,11 +50,6 @@ typedef merkle::TreeT<32, sha256_evercrypt> EverCryptFullTree; typedef merkle::TreeT<32, merkle::sha256_openssl> OpenSSLFullTree; #endif -#ifdef HAVE_MBEDTLS -typedef merkle::TreeT<32, merkle::sha256_compress_mbedtls> MbedTLSTree; -typedef merkle::TreeT<32, merkle::sha256_mbedtls> MbedTLSFullTree; -#endif - template < void (*HF1)( const merkle::HashT<32>& l, @@ -102,10 +97,6 @@ void compare_compression_hashes() EverCryptTree mte; #endif -#ifdef HAVE_MBEDTLS - MbedTLSTree mtm; -#endif - // Build trees with k+1 leaves int j = 0; auto hashes = make_hashes(k + 1); @@ -118,10 +109,6 @@ void compare_compression_hashes() mte.insert(h); #endif -#ifdef HAVE_MBEDTLS - mtm.insert(h); -#endif - total_inserts++; if ((j++ % root_interval) == 0) @@ -130,10 +117,6 @@ void compare_compression_hashes() compare_roots(mt, mte, "EverCrypt"); #endif -#ifdef HAVE_MBEDTLS - compare_roots(mt, mtm, "mbedTLS"); -#endif - total_roots++; } } @@ -142,9 +125,6 @@ void compare_compression_hashes() compare_roots(mt, mte, "EverCrypt"); #endif -#ifdef HAVE_MBEDTLS - compare_roots(mt, mtm, "mbedTLS"); -#endif } std::cout << num_trees << " trees, " << total_inserts << " inserts, " @@ -152,7 +132,7 @@ void compare_compression_hashes() << std::endl; } -#if defined(HAVE_OPENSSL) && (defined(HAVE_EVERCRYPT) || defined(HAVE_MBEDTLS)) +#if defined(HAVE_OPENSSL) && defined(HAVE_EVERCRYPT) void compare_full_hashes() { # ifndef NDEBUG @@ -173,10 +153,6 @@ void compare_full_hashes() merkle::TreeT<32, sha256_evercrypt> mte; # endif -# ifdef HAVE_MBEDTLS - MbedTLSFullTree mtm; -# endif - // Build trees with k+1 leaves int j = 0; auto hashes = make_hashes(k + 1); @@ -189,10 +165,6 @@ void compare_full_hashes() mte.insert(h); # endif -# ifdef HAVE_MBEDTLS - mtm.insert(h); -# endif - total_inserts++; if ((j++ % root_interval) == 0) 
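Review bot: The new guard `#if defined(HAVE_OPENSSL) && defined(HAVE_EVERCRYPT)` around compare_full_hashes() compiles the function out of an OpenSSL-only build, and the CI configure line in this commit passes only `-DOPENSSL=ON`. Unless EverCrypt is enabled somewhere outside this diff, `merkle::sha256_openssl` is then built but never checked against a second SHA-256 implementation; before this change the mbedTLS tree provided that comparison. The same condition is used at the call site in main() (hunk `@@ -293,7 +258,7 @@`). I would at least record this above the guard, `// Needs both OpenSSL and EverCrypt; an OpenSSL-only build runs no full-hash cross-check.`, and consider a fixed-vector check for sha256_openssl that runs under HAVE_OPENSSL alone. The body of compare_full_hashes() continues outside this hunk.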
@@ -201,10 +173,6 @@ void compare_full_hashes() compare_roots(mto, mte, "EverCrypt"); # endif -# ifdef HAVE_MBEDTLS - compare_roots(mto, mtm, "mbedTLS"); -# endif - total_roots++; } } @@ -213,9 +181,6 @@ void compare_full_hashes() compare_roots(mto, mte, "OpenSSL"); # endif -# ifdef HAVE_MBEDTLS - compare_roots(mto, mtm, "mbedTLS"); -# endif } std::cout << num_trees << " trees, " << total_inserts << " inserts, " @@ -293,7 +258,7 @@ int main() compare_compression_hashes(); -#if defined(HAVE_EVERCRYPT) && (defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)) +#if defined(HAVE_EVERCRYPT) && defined(HAVE_OPENSSL) compare_full_hashes(); #endif @@ -312,10 +277,6 @@ int main() bench(hashes, "merklecpp", root_interval); -#ifdef HAVE_MBEDTLS - bench(hashes, "mbedTLS", root_interval); -#endif - #ifdef HAVE_EVERCRYPT bench(hashes, "EverCrypt", root_interval); #endif @@ -326,10 +287,6 @@ int main() bench(hashes, "OpenSSL", root_interval); #endif -#ifdef HAVE_MBEDTLS - bench(hashes, "mbedTLS", root_interval); -#endif - #ifdef HAVE_EVERCRYPT bench(hashes, "EverCrypt", root_interval); #endif diff --git a/test/demo_tree.cpp b/test/demo_tree.cpp index b99f90f..2707072 100644 --- a/test/demo_tree.cpp +++ b/test/demo_tree.cpp @@ -67,19 +67,6 @@ int main() } #endif -#ifdef HAVE_MBEDTLS - { - auto hashes = make_hashes(num_leaves); - /// SNIPPET_START: mbedTLS-SHA256 - merkle::TreeT<32, merkle::sha256_openssl> tree; - for (auto h : hashes) - tree.insert(h); - auto root = tree.root(); - auto path = tree.path(hashes.size() - 1); - assert(path->verify(root)); - /// SNIPPET_END: mbedTLS-SHA256 - } -#endif } catch (std::exception& ex) {