POLYVAL field element implementation.
This module contains a portable pure Rust implementation which computes carryless POLYVAL multiplication over GF(2^128) in constant time. Both 32-bit and 64-bit backends are available.
Method described at: https://www.bearssl.org/constanttime.html#ghash-for-gcm
POLYVAL multiplication is effectively the little endian equivalent of GHASH multiplication, aside from one small detail described here:
The product of two bit-reversed 128-bit polynomials yields the bit-reversed result over 255 bits, not 256. The BearSSL code ends up with a 256-bit result in zw[], and that value is shifted by one bit, because of that reversed convention issue. Thus, the code must include a shifting step to put it back where it should
This shift is unnecessary for POLYVAL (it is in fact what distinguishes POLYVAL from GHASH) and has been removed.
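As an added illustration, not code from the crate itself, here is the 64-bit carryless multiply in the BearSSL style that the description refers to: `bmul64` returns the low 64 bits of a GF(2)[X] product using only masked integer multiplies (no data-dependent branches or table lookups), and `clmul64` recovers the high half by multiplying the bit-reversed operands, which is exactly where the one-bit shift discussed above comes from. A plain shift-and-xor reference is included for checking; the reduction modulo the POLYVAL polynomial is not shown.

```rust
/// Bit-reverse a 64-bit word (bit 0 <-> bit 63).
fn rev64(mut x: u64) -> u64 {
    x = ((x & 0x5555_5555_5555_5555) << 1) | ((x >> 1) & 0x5555_5555_5555_5555);
    x = ((x & 0x3333_3333_3333_3333) << 2) | ((x >> 2) & 0x3333_3333_3333_3333);
    x = ((x & 0x0F0F_0F0F_0F0F_0F0F) << 4) | ((x >> 4) & 0x0F0F_0F0F_0F0F_0F0F);
    x.swap_bytes()
}

/// Low 64 bits of x*y in GF(2)[X], in constant time. Each operand is split into
/// four words whose set bits are four positions apart; slices whose residues mod 4
/// add up to the same value are multiplied together, so the arithmetic carries of
/// an ordinary integer multiply never land on a bit that the final masks keep.
fn bmul64(x: u64, y: u64) -> u64 {
    const M0: u64 = 0x1111_1111_1111_1111;
    let (m1, m2, m3) = (M0 << 1, M0 << 2, M0 << 3);
    let (x0, x1, x2, x3) = (x & M0, x & m1, x & m2, x & m3);
    let (y0, y1, y2, y3) = (y & M0, y & m1, y & m2, y & m3);
    let z0 = x0.wrapping_mul(y0) ^ x1.wrapping_mul(y3) ^ x2.wrapping_mul(y2) ^ x3.wrapping_mul(y1);
    let z1 = x0.wrapping_mul(y1) ^ x1.wrapping_mul(y0) ^ x2.wrapping_mul(y3) ^ x3.wrapping_mul(y2);
    let z2 = x0.wrapping_mul(y2) ^ x1.wrapping_mul(y1) ^ x2.wrapping_mul(y0) ^ x3.wrapping_mul(y3);
    let z3 = x0.wrapping_mul(y3) ^ x1.wrapping_mul(y2) ^ x2.wrapping_mul(y1) ^ x3.wrapping_mul(y0);
    (z0 & M0) | (z1 & m1) | (z2 & m2) | (z3 & m3)
}

/// Full 128-bit carryless product as (lo, hi). Multiplying the bit-reversed
/// operands gives the bit-reversed product, but that product is only 127 bits
/// wide, so it sits one position off after reversing back: hence the `>> 1`.
fn clmul64(x: u64, y: u64) -> (u64, u64) {
    let lo = bmul64(x, y);
    let hi = rev64(bmul64(rev64(x), rev64(y))) >> 1;
    (lo, hi)
}

/// Shift-and-xor reference (not constant time), used only to check the above.
fn clmul64_ref(x: u64, y: u64) -> (u64, u64) {
    let (mut lo, mut hi) = (0u64, 0u64);
    for i in 0..64 {
        if (y >> i) & 1 == 1 {
            lo ^= x << i;
            if i > 0 { hi ^= x >> (64 - i); }
        }
    }
    (lo, hi)
}

fn main() {
    // Constructed sample operands; any two 64-bit values work.
    let (x, y) = (0x0123_4567_89AB_CDEF_u64, 0xFEDC_BA98_7654_3210_u64);
    assert_eq!(clmul64(x, y), clmul64_ref(x, y));
    println!("{:#x?}", clmul64(x, y));
}
```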
Modules
- mul 🔒: Constant-time software implementation of POLYVAL for 64-bit architectures. Adapted from BearSSL’s ghash_ctmul64.c.
- mulx 🔒: The mulX_POLYVAL() function.
Structs
- FieldElement: An element in POLYVAL’s field.
Functions
- bmul 🔒: Multiplication in GF(2)[X], implemented generically for use with u32 and u64.