/rust/registry/src/index.crates.io-1949cf8c6b5b557f/polyval-0.5.3/src/backend/soft64.rs
Line | Count | Source |
1 | | //! Constant-time software implementation of POLYVAL for 64-bit architectures. |
2 | | //! Adapted from BearSSL's `ghash_ctmul64.c`: |
3 | | //! |
4 | | //! <https://bearssl.org/gitweb/?p=BearSSL;a=blob;f=src/hash/ghash_ctmul64.c;hb=4b6046412> |
5 | | //! |
6 | | //! Copyright (c) 2016 Thomas Pornin <pornin@bolet.org> |
7 | | |
8 | | use crate::{Block, Key}; |
9 | | use core::{ |
10 | | convert::TryInto, |
11 | | num::Wrapping, |
12 | | ops::{Add, Mul}, |
13 | | }; |
14 | | use universal_hash::{consts::U16, NewUniversalHash, Output, UniversalHash}; |
15 | | |
16 | | #[cfg(feature = "zeroize")] |
17 | | use zeroize::Zeroize; |
18 | | |
/// **POLYVAL**: GHASH-like universal hash over GF(2^128).
///
/// Constant-time software fallback. Field elements are held as two `u64`
/// limbs ([`U64x2`]); the `From<&Block>` impl decodes them little-endian,
/// with limb 0 holding the low 64 bits.
#[derive(Clone)]
pub struct Polyval {
    /// GF(2^128) field element input blocks are multiplied by
    h: U64x2,

    /// Field element representing the computed universal hash
    s: U64x2,
}
28 | | |
29 | | impl NewUniversalHash for Polyval { |
30 | | type KeySize = U16; |
31 | | |
32 | | /// Initialize POLYVAL with the given `H` field element |
33 | 0 | fn new(h: &Key) -> Self { |
34 | 0 | Self { |
35 | 0 | h: h.into(), |
36 | 0 | s: U64x2::default(), |
37 | 0 | } |
38 | 0 | } |
39 | | } |
40 | | |
41 | | impl UniversalHash for Polyval { |
42 | | type BlockSize = U16; |
43 | | |
44 | | /// Input a field element `X` to be authenticated |
45 | 0 | fn update(&mut self, x: &Block) { |
46 | 0 | let x = U64x2::from(x); |
47 | 0 | self.s = (self.s + x) * self.h; |
48 | 0 | } |
49 | | |
50 | | /// Reset internal state |
51 | 0 | fn reset(&mut self) { |
52 | 0 | self.s = U64x2::default(); |
53 | 0 | } |
54 | | |
55 | | /// Get POLYVAL result (i.e. computed `S` field element) |
56 | 0 | fn finalize(self) -> Output<Self> { |
57 | 0 | let mut block = Block::default(); |
58 | | |
59 | 0 | for (chunk, i) in block.chunks_mut(8).zip(&[self.s.0, self.s.1]) { |
60 | 0 | chunk.copy_from_slice(&i.to_le_bytes()); |
61 | 0 | } |
62 | | |
63 | 0 | Output::new(block) |
64 | 0 | } |
65 | | } |
66 | | |
#[cfg(feature = "zeroize")]
impl Drop for Polyval {
    /// Wipe the key material (`h`) and accumulator (`s`) when the hasher is
    /// dropped, so secret-dependent state does not linger in memory.
    fn drop(&mut self) {
        self.h.zeroize();
        self.s.zeroize();
    }
}
74 | | |
/// 2 x `u64` values
///
/// Little-endian limb representation of a 128-bit field element:
/// `.0` holds the low 64 bits, `.1` the high 64 bits (see `From<&Block>`).
#[derive(Copy, Clone, Debug, Default, Eq, PartialEq)]
struct U64x2(u64, u64);
78 | | |
79 | | impl From<&Block> for U64x2 { |
80 | 0 | fn from(bytes: &Block) -> U64x2 { |
81 | 0 | U64x2( |
82 | 0 | u64::from_le_bytes(bytes[..8].try_into().unwrap()), |
83 | 0 | u64::from_le_bytes(bytes[8..].try_into().unwrap()), |
84 | 0 | ) |
85 | 0 | } |
86 | | } |
87 | | |
88 | | #[allow(clippy::suspicious_arithmetic_impl)] |
89 | | impl Add for U64x2 { |
90 | | type Output = Self; |
91 | | |
92 | | /// Adds two POLYVAL field elements. |
93 | 0 | fn add(self, rhs: Self) -> Self::Output { |
94 | 0 | U64x2(self.0 ^ rhs.0, self.1 ^ rhs.1) |
95 | 0 | } |
96 | | } |
97 | | |
#[allow(clippy::suspicious_arithmetic_impl)]
impl Mul for U64x2 {
    type Output = Self;

    /// Computes carryless POLYVAL multiplication over GF(2^128) in constant time.
    ///
    /// Method described at:
    /// <https://www.bearssl.org/constanttime.html#ghash-for-gcm>
    ///
    /// POLYVAL multiplication is effectively the little endian equivalent of
    /// GHASH multiplication, aside from one small detail described here:
    ///
    /// <https://crypto.stackexchange.com/questions/66448/how-does-bearssls-gcm-modular-reduction-work/66462#66462>
    ///
    /// > The product of two bit-reversed 128-bit polynomials yields the
    /// > bit-reversed result over 255 bits, not 256. The BearSSL code ends up
    /// > with a 256-bit result in zw[], and that value is shifted by one bit,
    /// > because of that reversed convention issue. Thus, the code must
    /// > include a shifting step to put it back where it should
    /// > include a shifting step to put it back where it should
    ///
    /// This shift is unnecessary for POLYVAL and has been removed.
    fn mul(self, rhs: Self) -> Self {
        // Karatsuba decomposition: the 128x128 product is built from three
        // 64x64 carryless products (h0*y0, h1*y1, and (h0^h1)*(y0^y1)).
        let h0 = self.0;
        let h1 = self.1;
        // Bit-reversed copies of the operands: `bmul64` only returns the low
        // 64 bits of a product, so multiplying reversed inputs and reversing
        // the result recovers each product's HIGH half.
        let h0r = rev64(h0);
        let h1r = rev64(h1);
        let h2 = h0 ^ h1;
        let h2r = h0r ^ h1r;

        let y0 = rhs.0;
        let y1 = rhs.1;
        let y0r = rev64(y0);
        let y1r = rev64(y1);
        let y2 = y0 ^ y1;
        let y2r = y0r ^ y1r;
        // Low halves of the two "outer" products.
        let z0 = bmul64(y0, h0);
        let z1 = bmul64(y1, h1);

        // Middle Karatsuba term (low half) and the reversed-operand products
        // that will become the three high halves.
        let mut z2 = bmul64(y2, h2);
        let mut z0h = bmul64(y0r, h0r);
        let mut z1h = bmul64(y1r, h1r);
        let mut z2h = bmul64(y2r, h2r);

        // Fold the Karatsuba cross terms: z2 = h0*y1 ^ h1*y0 (low), likewise
        // for the reversed halves.
        z2 ^= z0 ^ z1;
        z2h ^= z0h ^ z1h;
        // Un-reverse to obtain the high halves. The `>> 1` compensates for
        // two reversed 64-bit polynomials multiplying into 127 bits rather
        // than 128 (see the quoted note in the doc comment above).
        z0h = rev64(z0h) >> 1;
        z1h = rev64(z1h) >> 1;
        z2h = rev64(z2h) >> 1;

        // Assemble the full 256-bit product as four words v3:v2:v1:v0.
        let v0 = z0;
        let mut v1 = z0h ^ z2;
        let mut v2 = z1 ^ z2h;
        let mut v3 = z1h;

        // Reduce modulo the POLYVAL field polynomial: the shift distances
        // 1/2/7 and their complements 63/62/57 fold the low 128 bits (v0,
        // then v1) up into v2:v3, leaving the result in the top two words.
        v2 ^= v0 ^ (v0 >> 1) ^ (v0 >> 2) ^ (v0 >> 7);
        v1 ^= (v0 << 63) ^ (v0 << 62) ^ (v0 << 57);
        v3 ^= v1 ^ (v1 >> 1) ^ (v1 >> 2) ^ (v1 >> 7);
        v2 ^= (v1 << 63) ^ (v1 << 62) ^ (v1 << 57);

        U64x2(v2, v3)
    }
}
160 | | |
#[cfg(feature = "zeroize")]
impl Zeroize for U64x2 {
    /// Zero both limbs; used by `Polyval`'s `Drop` impl to wipe secrets.
    fn zeroize(&mut self) {
        self.0.zeroize();
        self.1.zeroize();
    }
}
168 | | |
/// Multiplication in GF(2)[X], truncated to the low 64-bits, with “holes”
/// (sequences of zeroes) to avoid carry spilling.
///
/// When carries do occur, they wind up in a "hole" and are subsequently masked
/// out of the result.
fn bmul64(x: u64, y: u64) -> u64 {
    // Each operand is split into four interleaved "lanes": lane j keeps the
    // bits at positions ≡ j (mod 4), leaving three zero bits of headroom
    // between payload bits so that integer-multiply carries land in holes.
    const LANE: [u64; 4] = [
        0x1111_1111_1111_1111,
        0x2222_2222_2222_2222,
        0x4444_4444_4444_4444,
        0x8888_8888_8888_8888,
    ];

    let mut out = 0u64;

    // Bit position k of the carryless product lives in lane (k mod 4); it is
    // the XOR of all lane-product pairs whose lane indices sum to k (mod 4).
    // Fixed-count loops keep this constant time.
    for (i, &lane) in LANE.iter().enumerate() {
        let mut acc = Wrapping(0u64);
        for j in 0..4 {
            let xj = Wrapping(x & LANE[j]);
            let yj = Wrapping(y & LANE[(4 + i - j) % 4]);
            acc ^= xj * yj;
        }
        // Keep only this lane's payload bits; carries fell into the holes.
        out |= acc.0 & lane;
    }

    out
}
196 | | |
/// Bit-reverse a `u64` in constant time.
///
/// Uses [`u64::reverse_bits`] (stable since Rust 1.37) instead of the
/// hand-rolled SWAR swap sequence: it lowers to a branch-free intrinsic
/// (a single instruction on targets that have one, otherwise the same
/// constant-time shift/mask ladder the manual version spelled out).
fn rev64(x: u64) -> u64 {
    x.reverse_bits()
}