Module field_element

POLYVAL field element implementation.

This module contains a portable pure Rust implementation which computes carryless POLYVAL multiplication over GF(2^128) in constant time. Both 32-bit and 64-bit backends are available.

Method described at: https://www.bearssl.org/constanttime.html#ghash-for-gcm

POLYVAL multiplication is effectively the little endian equivalent of GHASH multiplication, aside from one small detail described here:

https://crypto.stackexchange.com/questions/66448/how-does-bearssls-gcm-modular-reduction-work/66462#66462

The product of two bit-reversed 128-bit polynomials yields the bit-reversed result over 255 bits, not 256. The BearSSL code ends up with a 256-bit result in zw[], and that value is shifted by one bit, because of that reversed convention issue. Thus, the code must include a shifting step to put it back where it should be.

This shift is unnecessary for POLYVAL (it is in fact what distinguishes POLYVAL from GHASH) and has been removed.

Modules

mul (private)
Constant-time software implementation of POLYVAL for 64-bit architectures. Adapted from BearSSL’s ghash_ctmul64.c:
mulx (private)
The mulX_POLYVAL() function.

Structs

FieldElement
An element in POLYVAL’s field.

Functions

bmul (private)
Multiplication in GF(2)[X], implemented generically for use with u32 and u64.
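As an added example (not the crate's own `bmul`), here is the BearSSL "multiplication with holes" technique that the 64-bit backend follows, written out for `u64` and checked against a plain shift-and-XOR reference. The function names, the reference implementation and the sample generator are assumptions of this example, not part of the module.

```rust
/// Constant-time carryless multiplication in GF(2)[X] (low 64 bits of the
/// product), following BearSSL's "multiplication with holes" technique.
/// Each operand is split into four parts holding every fourth bit; integer
/// products of such parts keep their carries inside the three empty bits
/// below the next useful position, so XOR-ing and masking recovers the
/// carryless product. No branches or data-dependent memory access.
pub fn bmul64(x: u64, y: u64) -> u64 {
    const M0: u64 = 0x1111_1111_1111_1111;
    const M1: u64 = 0x2222_2222_2222_2222;
    const M2: u64 = 0x4444_4444_4444_4444;
    const M3: u64 = 0x8888_8888_8888_8888;
    let (x0, x1, x2, x3) = (x & M0, x & M1, x & M2, x & M3);
    let (y0, y1, y2, y3) = (y & M0, y & M1, y & M2, y & M3);
    // Bit positions add modulo 4: part i times part j lands on positions
    // congruent to i + j. wrapping_mul discards bits >= 64, as intended.
    let z0 = x0.wrapping_mul(y0) ^ x1.wrapping_mul(y3) ^ x2.wrapping_mul(y2) ^ x3.wrapping_mul(y1);
    let z1 = x0.wrapping_mul(y1) ^ x1.wrapping_mul(y0) ^ x2.wrapping_mul(y3) ^ x3.wrapping_mul(y2);
    let z2 = x0.wrapping_mul(y2) ^ x1.wrapping_mul(y1) ^ x2.wrapping_mul(y0) ^ x3.wrapping_mul(y3);
    let z3 = x0.wrapping_mul(y3) ^ x1.wrapping_mul(y2) ^ x2.wrapping_mul(y1) ^ x3.wrapping_mul(y0);
    (z0 & M0) | (z1 & M1) | (z2 & M2) | (z3 & M3)
}

/// Variable-time shift-and-XOR reference used only to check bmul64; it
/// branches on the bits of `y` and must never run on secret data.
pub fn bmul64_reference(x: u64, y: u64) -> u64 {
    let mut acc = 0u64;
    for i in 0..64 {
        if (y >> i) & 1 == 1 {
            acc ^= x << i;
        }
    }
    acc
}

/// Compare both on `n` inputs from a deterministic SplitMix64-style generator
/// (constructed test data, not vectors from any specification).
pub fn agrees_on_samples(n: usize) -> bool {
    let mut s = 0x9E37_79B9_7F4A_7C15u64; // constructed seed
    (0..n).all(|_| {
        s = s.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let x = s ^ (s >> 31);
        let y = s.wrapping_mul(0xBF58_476D_1CE4_E5B9);
        bmul64(x, y) == bmul64_reference(x, y)
    })
}

fn main() {
    println!("agree on 10_000 samples: {}", agrees_on_samples(10_000));
}
```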