|
Bouncy Castle Cryptography Library 1.85 | |||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||
java.lang.Objectorg.bouncycastle.math.raw.GF256AES
Constant-time GF(2^8) primitives over the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
The suffix names that specific irreducible polynomial: GF(2^8) is a single field up to isomorphism but admits many representations, and the AES choice is by far the most common (also used by SM4, GHASH's sibling fields, etc.). The polynomial alone pins down the arithmetic — e.g. Rainbow's GF(2^8) uses a tower basis whose products differ, so it deliberately does not share this class. Callers relying on the AES element encoding should depend on the name, not just "GF(256)".
Shared home for the word-parallel bitsliced scalar-times-vector multiply used
by the multivariate / MPC-in-the-head schemes (SDitH, UOV, []). Companion to
GF16 for the GF(2^4) nibble field.
| Method Summary | |
static int |
inv(int a)
Constant-time GF(256) multiplicative inverse over 0x11b via the Fermat addition chain (since for nonzero ). |
static int |
mul(int a,
int b)
Constant-time GF(256) scalar multiply over the AES polynomial 0x11b: returns . |
static long |
mulFx8(int s,
long v)
Word-parallel constant-time GF(256) scalar-times-vector multiply: returns where packs eight GF(256) elements, one per byte lane, and the result packs the eight products in the same lanes. |
static int |
sqr(int a)
Constant-time GF(256) squaring over 0x11b. |
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Method Detail |
public static int mul(int a,
int b)
mulFx8(int, long) and is byte-identical to the per-scheme forms it
replaces (UOV's mul256, SDitH's mulNaive, MQOM's gf256Mult).
public static int sqr(int a)
public static int inv(int a)
sqr(int); the four genuine products
through mul(int, int).
public static long mulFx8(int s,
long v)
Algorithm: over the 8 bits of the scalar, where is -fold GF(256) doubling (xtime) of every lane. xtime is the branchless SWAR step , and each scalar bit selects via the mask (0 or -1). No table and no data-dependent branch, so it is safe to feed secret scalars (the operand of a secret-share multiply-accumulate).
|
Bouncy Castle Cryptography Library 1.85 | |||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||