VPCLMULQDQ optimized POLYVAL implementation using the R/F algorithm.
Adapted from the implementation in the Apache 2.0 + MIT-licensed HPCrypt library. Copyright (c) 2024 HPCrypt Contributors.
Uses the R/F algorithm from “Efficient GHASH Implementation Using CLMUL”:
- 4 CLMULs per block for multiplication (R and F terms)
- 1 CLMUL for reduction (Lemma 3)
- 4-block aggregated processing with single reduction
Key equations:
- D = swap(H) ⊕ (H0 × P1)
- R = M0×D1 ⊕ M1×H1
- F = M0×D0 ⊕ M1×H0
- Result = R ⊕ F1 ⊕ (x^64×F0) ⊕ (P1×F0)
POLYVAL operates in GF(2^128) with the polynomial x^128 + x^127 + x^126 + x^121 + 1. Unlike GHASH, POLYVAL uses little-endian byte ordering, so no byte swap is needed.
Modules
- clmul 🔒

Constants
- P1 🔒 - P1 polynomial: x^63 + x^62 + x^57 = 0xC200000000000000

Functions
- compute_d 🔒 ⚠ - Compute D from H using the R/F algorithm
- expand_key 🔒 ⚠ - Create a new POLYVAL key with the R/F algorithm
- gf128_mul_rf 🔒 ⚠ - Complete R/F multiplication with reduction (5 CLMULs total)
- load_bytes 🔒 ⚠ - Convert 16 bytes into __m128i
- proc_block 🔒 ⚠ - Update with a single block (5 CLMULs)
- proc_par_blocks 🔒 ⚠ - Process 4 blocks with the R/F algorithm and aggregated reduction
- reduce_rf 🔒 ⚠ - Reduction using Lemma 3: Result = R ⊕ F1 ⊕ (x^64×F0) ⊕ (P1×F0)
- rf_mul_unreduced 🔒 ⚠ - R/F multiplication using 4 CLMULs per block

Type Aliases
- ByteArray 🔒 - Byte array which is the inner type of FieldElement