polyval: Refactor in prep for soft backend rewrite

This incrementally incorporates some of the refactoring changes from #7
in order to simplify the diff for that PR (and because those changes
seem generally good regardless).

Author: tarcieri

poly1305/benches/poly1305.rs

@@ -2,7 +2,7 @@
 
 extern crate test;
 
-use poly1305::{Poly1305, universal_hash::UniversalHash};
+use poly1305::{universal_hash::UniversalHash, Poly1305};
 use test::Bencher;
 
 // TODO(tarcieri): move this into the `universal-hash` crate

polyval/benches/polyval.rs

@@ -2,7 +2,7 @@
 
 extern crate test;
 
-use polyval::{Polyval, universal_hash::UniversalHash};
+use polyval::{universal_hash::UniversalHash, Polyval};
 use test::Bencher;
 
 // TODO(tarcieri): move this into the `universal-hash` crate

polyval/src/field.rs

@@ -14,8 +14,7 @@
 //!
 //! [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
 
-pub(crate) mod backend;
-mod clmul;
+pub mod backend;
 
 use self::backend::Backend;
 use core::ops::{Add, Mul};
@@ -26,12 +25,6 @@ pub const FIELD_SIZE: usize = 16;
 /// POLYVAL field element bytestrings (16-bytes)
 pub type Block = [u8; FIELD_SIZE];
 
-/// Mask value used when performing Montgomery fast reduction.
-/// This corresponds to POLYVAL's polynomial with the highest bit unset.
-///
-/// See: <https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf>
-const MASK: u128 = 1 << 127 | 1 << 126 | 1 << 121 | 1;
-
 /// POLYVAL field element.
 #[derive(Copy, Clone)]
 pub struct Element<B: Backend>(B);
@@ -46,17 +39,6 @@ impl<B: Backend> Element<B> {
     pub fn to_bytes(self) -> Block {
         self.0.into()
     }
-
-    /// Fast reduction modulo x^128 + x^127 + x^126 +x^121 + 1 (Gueron 2012)
-    /// Algorithm 4: "Montgomery reduction"
-    fn reduce(self) -> Self {
-        let mask = B::from(MASK);
-        let a = mask.clmul(self.0, 0x01);
-        let b = self.0.shuffle() ^ a;
-        let c = mask.clmul(b, 0x01);
-        let d = b.shuffle() ^ c;
-        Element(d)
-    }
 }
 
 impl<B: Backend> Default for Element<B> {
@@ -77,7 +59,7 @@ impl<B: Backend> Add for Element<B> {
     ///
     /// [RFC 8452 Section 3]: https://tools.ietf.org/html/rfc8452#section-3
     fn add(self, rhs: Self) -> Self {
-        Element(self.0 ^ rhs.0)
+        Element(self.0 + rhs.0)
     }
 }
 
@@ -99,8 +81,10 @@ impl<B: Backend> Mul for Element<B> {
         let t2 = self.0.clmul(rhs.0, 0x01);
         let t3 = self.0.clmul(rhs.0, 0x10);
         let t4 = self.0.clmul(rhs.0, 0x11);
-        let t5 = t2 ^ t3;
-        Element(t4 ^ t5.shr64()) + Element(t1 ^ t5.shl64()).reduce()
+        let t5 = t2 + t3;
+        let t6 = t4 + t5.shr64();
+        let t7 = (t1 + t5.shl64()).reduce();
+        Element(t6 + t7)
     }
 }
 

polyval/src/field/backend.rs

@@ -9,11 +9,10 @@
 mod pclmulqdq;
 
 #[cfg(feature = "insecure-soft")]
-mod soft;
+pub mod soft;
 
-use super::clmul::Clmul;
 use super::Block;
-use core::ops::BitXor;
+use core::ops::Add;
 
 #[cfg(not(any(
     all(
@@ -49,10 +48,25 @@ pub(crate) use self::pclmulqdq::M128i;
 ))]
 pub(crate) use self::soft::U64x2 as M128i;
 
-/// Trait representing the arithmetic operations we expect on the XMM registers
-pub trait Backend:
-    BitXor<Output = Self> + Clmul + Copy + From<Block> + Into<Block> + From<u128>
-{
+/// Field arithmetic backend
+pub trait Backend: Add<Output = Self> + Copy + From<Block> + Into<Block> + From<u128> {
+    /// Fast reduction modulo x^128 + x^127 + x^126 +x^121 + 1 (Gueron 2012)
+    /// Algorithm 4: "Montgomery reduction"
+    ///
+    /// See: <https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf>
+    fn reduce(self) -> Self {
+        // Mask value used when performing Montgomery fast reduction.
+        // This corresponds to POLYVAL's polynomial with the highest bit unset.
+        let mask = Self::from(1 << 127 | 1 << 126 | 1 << 121 | 1);
+        let a = mask.clmul(self, 0x01);
+        let b = self.shuffle() + a;
+        let c = mask.clmul(b, 0x01);
+        b.shuffle() + c
+    }
+
+    /// Carryless multiplication
+    fn clmul(self, rhs: Self, imm: u8) -> Self;
+
     /// Swap the hi and low 64-bit halves of the register
     fn shuffle(self) -> Self;
 

polyval/src/field/backend/pclmulqdq.rs

@@ -10,11 +10,8 @@ use core::arch::x86::*;
 use core::arch::x86_64::*;
 
 use super::Backend;
-use crate::field::{
-    clmul::{self, Clmul},
-    Block,
-};
-use core::ops::BitXor;
+use crate::field::Block;
+use core::ops::Add;
 
 /// Wrapper for `__m128i` - a 128-bit XMM register (SSE2)
 #[repr(align(16))]
@@ -45,24 +42,21 @@ impl From<u128> for M128i {
     }
 }
 
-impl BitXor for M128i {
+impl Add for M128i {
     type Output = Self;
 
-    fn bitxor(self, rhs: Self) -> Self::Output {
+    /// Adds two POLYVAL field elements.
+    fn add(self, rhs: Self) -> Self {
         M128i(unsafe { xor(self.0, rhs.0) })
     }
 }
 
-impl Clmul for M128i {
-    fn clmul<I>(self, rhs: Self, imm: I) -> Self
-    where
-        I: Into<clmul::PseudoOp>,
-    {
-        M128i(unsafe { pclmulqdq(self.0, rhs.0, imm.into()) })
+impl Backend for M128i {
+    /// Wrapper for PCLMULQDQ
+    fn clmul(self, rhs: Self, imm: u8) -> Self {
+        M128i(unsafe { pclmulqdq(self.0, rhs.0, imm) })
     }
-}
 
-impl Backend for M128i {
     fn shuffle(self) -> Self {
         M128i(unsafe { shufpd1(self.0) })
     }
@@ -99,11 +93,20 @@ unsafe fn psrldq8(a: __m128i) -> __m128i {
 
 // TODO(tarcieri): _mm256_clmulepi64_epi128 (vpclmulqdq)
 #[target_feature(enable = "pclmulqdq", enable = "sse2", enable = "sse4.1")]
-unsafe fn pclmulqdq(a: __m128i, b: __m128i, op: clmul::PseudoOp) -> __m128i {
-    match op {
-        clmul::PseudoOp::PCLMULLQLQDQ => _mm_clmulepi64_si128(a, b, 0x00),
-        clmul::PseudoOp::PCLMULHQLQDQ => _mm_clmulepi64_si128(a, b, 0x01),
-        clmul::PseudoOp::PCLMULLQHQDQ => _mm_clmulepi64_si128(a, b, 0x10),
-        clmul::PseudoOp::PCLMULHQHQDQ => _mm_clmulepi64_si128(a, b, 0x11),
+unsafe fn pclmulqdq(a: __m128i, b: __m128i, imm: u8) -> __m128i {
+    match imm {
+        // Low-Low: `clmul(a[0..8], b[0..8])` (PCLMULLQLQDQ)
+        0x00 => _mm_clmulepi64_si128(a, b, 0x00),
+
+        // High-Low: `clmul(a[8..16], b[0..8])` (PCLMULHQLQDQ)
+        0x01 => _mm_clmulepi64_si128(a, b, 0x01),
+
+        // Low-High: `clmul(a[0..8], b[8..16])` (PCLMULLQHQDQ)
+        0x10 => _mm_clmulepi64_si128(a, b, 0x10),
+
+        // High-High: `clmul(a[8..16], b[8..16])` (PCLMULHQHQDQ)
+        0x11 => _mm_clmulepi64_si128(a, b, 0x11),
+
+        _ => unreachable!(),
     }
 }

polyval/src/field/backend/soft.rs

@@ -6,22 +6,19 @@
 // See: <https://bearssl.org/gitweb/?p=BearSSL;a=blob;f=src/hash/ghash_ctmul64.c>
 
 use super::Backend;
-use crate::field::{
-    clmul::{self, Clmul},
-    Block,
-};
-use core::{convert::TryInto, ops::BitXor};
+use crate::field::Block;
+use core::{convert::TryInto, ops::Add};
 
 /// 2 x `u64` values emulating an XMM register
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub struct U64x2([u64; 2]);
+pub struct U64x2(u64, u64);
 
 impl From<Block> for U64x2 {
     fn from(bytes: Block) -> U64x2 {
-        U64x2([
+        U64x2(
             u64::from_le_bytes(bytes[..8].try_into().unwrap()),
             u64::from_le_bytes(bytes[8..].try_into().unwrap()),
-        ])
+        )
     }
 }
 
@@ -36,66 +33,63 @@ impl From<u128> for U64x2 {
     fn from(x: u128) -> U64x2 {
         let lo = (x & 0xFFFF_FFFFF) as u64;
         let hi = (x >> 64) as u64;
-        U64x2([lo, hi])
+        U64x2(lo, hi)
     }
 }
 
 impl From<U64x2> for u128 {
     fn from(u64x2: U64x2) -> u128 {
-        u128::from(u64x2.0[0]) | (u128::from(u64x2.0[1]) << 64)
+        u128::from(u64x2.0) | (u128::from(u64x2.1) << 64)
     }
 }
 
-impl BitXor for U64x2 {
+impl Add for U64x2 {
     type Output = Self;
 
-    fn bitxor(self, rhs: Self) -> Self::Output {
-        U64x2([self.0[0] ^ rhs.0[0], self.0[1] ^ rhs.0[1]])
+    /// Adds two POLYVAL field elements.
+    fn add(self, rhs: Self) -> Self {
+        U64x2(self.0 ^ rhs.0, self.1 ^ rhs.1)
     }
 }
 
-impl Clmul for U64x2 {
-    fn clmul<I>(self, other: Self, imm: I) -> Self
-    where
-        I: Into<clmul::PseudoOp>,
-    {
+impl Backend for U64x2 {
+    fn clmul(self, other: Self, imm: u8) -> Self {
         let (a, b) = match imm.into() {
-            clmul::PseudoOp::PCLMULLQLQDQ => (self.0[0], other.0[0]),
-            clmul::PseudoOp::PCLMULHQLQDQ => (self.0[1], other.0[0]),
-            clmul::PseudoOp::PCLMULLQHQDQ => (self.0[0], other.0[1]),
-            clmul::PseudoOp::PCLMULHQHQDQ => (self.0[1], other.0[1]),
+            0x00 => (self.0, other.0),
+            0x01 => (self.1, other.0),
+            0x10 => (self.0, other.1),
+            0x11 => (self.1, other.1),
+            _ => unreachable!(),
         };
 
-        let mut result = [0u64; 2];
+        let mut result = U64x2(0, 0);
 
         for i in 0..64 {
             if b & (1 << i) != 0 {
-                result[1] ^= a;
+                result.1 ^= a;
             }
 
-            result[0] >>= 1;
+            result.0 >>= 1;
 
-            if result[1] & 1 != 0 {
-                result[0] ^= 1 << 63;
+            if result.1 & 1 != 0 {
+                result.0 ^= 1 << 63;
             }
 
-            result[1] >>= 1;
+            result.1 >>= 1;
         }
 
-        U64x2(result)
+        result
     }
-}
 
-impl Backend for U64x2 {
     fn shuffle(self) -> Self {
-        U64x2([self.0[1], self.0[0]])
+        U64x2(self.1, self.0)
     }
 
     fn shl64(self) -> Self {
-        U64x2([0, self.0[0]])
+        U64x2(0, self.0)
     }
 
     fn shr64(self) -> Self {
-        U64x2([self.0[1], 0])
+        U64x2(self.1, 0)
     }
 }

polyval/src/field/clmul.rs

@@ -14,7 +14,7 @@
 //! ## Requirements
 //!
 //! - Rust 1.34.0 or newer
-//! - `RUSTFLAGS` with `-Ctarget-cpu` and `-Ctarget-feature`:
+//! - Recommended: `RUSTFLAGS` with `-Ctarget-cpu` and `-Ctarget-feature`:
 //!   - x86(-64) CPU: `target-cpu=sandybridge` or newer
 //!   - SSE2 + SSE4.1: `target-feature=+sse2,+sse4.1`
 //!