Module intrinsics_impl

VPCLMULQDQ-optimized POLYVAL implementation using the R/F algorithm. Adapted from the implementation in the Apache 2.0 + MIT-licensed HPCrypt library, Copyright (c) 2024 HPCrypt Contributors.

Uses the R/F algorithm from “Efficient GHASH Implementation Using CLMUL”:

  • 4 CLMULs per block for multiplication (R and F terms)
  • 1 CLMUL for reduction (Lemma 3)
  • 4-block aggregated processing with single reduction

Key equations:

  • D = swap(H) ⊕ (H0 × P1)
  • R = M0×D1 ⊕ M1×H1
  • F = M0×D0 ⊕ M1×H0
  • Result = R ⊕ F1 ⊕ (x^64×F0) ⊕ (P1×F0)

POLYVAL operates in GF(2^128) with the polynomial x^128 + x^127 + x^126 + x^121 + 1. Unlike GHASH, POLYVAL uses little-endian byte ordering, so no byte swap is needed.

https://eprint.iacr.org/2025/2171.pdf
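To check the key equations above outside the intrinsics path, here is an added, portable Rust model (not the polyval crate's own code, although it reuses the names compute_d and gf128_mul_rf from the listing below) that implements the R/F multiply with a bit-serial clmul64 standing in for PCLMULQDQ and compares it with an independent reference for POLYVAL's dot operation built from RFC 8452's mulX_POLYVAL. X128, mulx, divx and dot_reference are names introduced here.

```rust
// Added example (not the polyval crate's own code): bit-serial model of the R/F multiply above.
/// P1 = x^63 + x^62 + x^57, so that x^128 = 1 + x^64 * P1 (mod p).
pub const P1: u64 = 0xC200_0000_0000_0000;
/// x^128 mod p = 1 + x^121 + x^126 + x^127. POLYVAL's dot() carries an x^-128 factor,
/// so dot(a, X128) = a, a convenient identity for testing a multiplier.
pub const X128: u128 = (0xC2u128 << 120) | 1;
/// Carry-less 64x64 -> 128-bit product: software stand-in for one PCLMULQDQ lane product.
pub fn clmul64(a: u64, b: u64) -> u128 {
    let mut acc = 0u128;
    for i in 0..64 {
        if (b >> i) & 1 == 1 {
            acc ^= (a as u128) << i;
        }
    }
    acc
}
fn lo(v: u128) -> u64 { v as u64 }
fn hi(v: u128) -> u64 { (v >> 64) as u64 }

/// D = swap(H) ^ (H0 * P1), which is H * x^-64 mod p (one CLMUL, computed once per key).
pub fn compute_d(h: u128) -> u128 {
    let swapped = ((lo(h) as u128) << 64) | (hi(h) as u128);
    swapped ^ clmul64(lo(h), P1)
}

/// R/F multiply with the Lemma 3 reduction: M * H * x^-128 mod p in 5 CLMULs.
pub fn gf128_mul_rf(m: u128, h: u128, d: u128) -> u128 {
    let r = clmul64(lo(m), hi(d)) ^ clmul64(hi(m), hi(h)); // R = M0*D1 ^ M1*H1
    let f = clmul64(lo(m), lo(d)) ^ clmul64(hi(m), lo(h)); // F = M0*D0 ^ M1*H0
    // Result = R ^ F1 ^ x^64*F0 ^ P1*F0, i.e. F * x^-64 folded back into 128 bits
    r ^ (hi(f) as u128) ^ ((lo(f) as u128) << 64) ^ clmul64(lo(f), P1)
}

/// Multiply by x in the POLYVAL field (RFC 8452 mulX_POLYVAL).
pub fn mulx(v: u128) -> u128 {
    (v << 1) ^ (if v >> 127 == 1 { X128 } else { 0 })
}
/// Multiply by x^-1, using x^-1 = x^127 + x^126 + x^125 + x^120 (mod p).
fn divx(v: u128) -> u128 {
    (v >> 1) ^ (if v & 1 == 1 { 0xE1u128 << 120 } else { 0 })
}

/// Independent reference for dot(a, b) = a * b * x^-128: Horner multiply, then 128 divisions by x.
pub fn dot_reference(a: u128, b: u128) -> u128 {
    let mut acc = 0u128;
    for i in (0..128).rev() {
        acc = mulx(acc) ^ (if (b >> i) & 1 == 1 { a } else { 0 });
    }
    (0..128).fold(acc, |v, _| divx(v))
}
```

The reference is anchored by the mulX_POLYVAL test vector from RFC 8452, and dot(a, X128) = a gives a vector-free identity check of the R/F path.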

Modules

clmul 🔒

Constants

P1 🔒
P1 polynomial: x^63 + x^62 + x^57 = 0xC200000000000000

Functions

compute_d 🔒
Compute D from H using the R/F algorithm
expand_key 🔒
Create a new POLYVAL key with R/F algorithm
gf128_mul_rf 🔒
Complete R/F multiplication with reduction (5 CLMULs total)
load_bytes 🔒
Convert 16 bytes into __m128i.
proc_block 🔒
Update with a single block (5 CLMULs)
proc_par_blocks 🔒
Process 4 blocks with R/F algorithm and aggregated reduction
reduce_rf 🔒
Reduction using Lemma 3: Result = R ⊕ F1 ⊕ (x^64×F0) ⊕ (P1×F0)
rf_mul_unreduced 🔒
R/F multiplication using 4 CLMULs per block

Type Aliases

ByteArray 🔒
Byte array which is the inner type of FieldElement