polyval: DRY out bmul* mask calculation (#271)

tarcieri · web-flow · commit 53f9e2c5b2c6 · 2026-01-25T11:43:20.000-07:00
It can be calculated from a single value
diff --git a/polyval/src/backend/soft.rs b/polyval/src/backend/soft.rs
@@ -16,7 +16,7 @@ use crate::{BLOCK_SIZE, Block, Key, Tag};
 use core::{
     fmt::{self, Debug},
     num::Wrapping,
-    ops::{Add, BitAnd, BitOr, BitXor, Mul},
+    ops::{Add, BitAnd, BitOr, BitXor, Mul, Shl},
 };
 use soft_impl::{karatsuba, mont_reduce};
 use universal_hash::{
@@ -229,21 +229,22 @@ impl Zeroize for FieldElement {
 
 /// Multiplication in GF(2)[X], implemented generically and wrapped as `bmul32` and `bmul64`.
 ///
-/// Uses "holes" (sequences of zeroes) to avoid carry spilling, as specified in the four masking
-/// operands (`m0`-`m4`), which should have full-width values with the following bit patterns:
+/// Uses "holes" (sequences of zeroes) to avoid carry spilling, as specified in the mask operand
+/// `m0` which should have a full-width value with the following bit pattern:
 ///
-/// - `m0`: `0b100010001...0001` (e.g. `0x1111_1111u32`)
-/// - `m1`: `0b100010001...00010` (e.g. `0x2222_2222u32`)
-/// - `m2`: `0b100010001...000100` (e.g. `0x4444_4444u32`)
-/// - `m3`: `0b100010001...0001000` (e.g. `0x8888_8888u32`)
+/// `0b100010001...0001` (e.g. `0x1111_1111u32`)
 ///
 /// When carries do occur, they wind up in a "hole" and are subsequently masked out of the result.
 #[inline]
-fn bmul<T>(x: T, y: T, m0: T, m1: T, m2: T, m3: T) -> T
+fn bmul<T>(x: T, y: T, m0: T) -> T
 where
-    T: BitAnd<Output = T> + BitOr<Output = T> + Copy,
+    T: BitAnd<Output = T> + BitOr<Output = T> + Copy + Shl<u32, Output = T>,
     Wrapping<T>: BitXor<Output = Wrapping<T>> + Mul<Output = Wrapping<T>>,
 {
+    let m1 = m0 << 1;
+    let m2 = m1 << 1;
+    let m3 = m2 << 1;
+
     let x0 = Wrapping(x & m0);
     let x1 = Wrapping(x & m1);
     let x2 = Wrapping(x & m2);
diff --git a/polyval/src/backend/soft/soft32.rs b/polyval/src/backend/soft/soft32.rs
@@ -144,7 +144,7 @@ pub(super) fn karatsuba(h: U32x4, y: U32x4) -> U32x8 {
 /// Carryless multiplication in GF(2)[X], truncated to the low 32-bits.
 #[inline]
 fn bmul32(x: u32, y: u32) -> u32 {
-    super::bmul(x, y, 0x1111_1111, 0x2222_2222, 0x4444_4444, 0x8888_8888)
+    super::bmul(x, y, 0x1111_1111)
 }
 
 /// Reduce the 256-bit carryless product of Karatsuba modulo the POLYVAL polynomial.
diff --git a/polyval/src/backend/soft/soft64.rs b/polyval/src/backend/soft/soft64.rs
@@ -73,14 +73,7 @@ pub(super) fn karatsuba(h: U64x2, y: U64x2) -> U64x4 {
 /// Carryless multiplication in GF(2)[X], truncated to the low 64-bits.
 #[inline]
 fn bmul64(x: u64, y: u64) -> u64 {
-    super::bmul(
-        x,
-        y,
-        0x1111_1111_1111_1111,
-        0x2222_2222_2222_2222,
-        0x4444_4444_4444_4444,
-        0x8888_8888_8888_8888,
-    )
+    super::bmul(x, y, 0x1111_1111_1111_1111)
 }
 
 /// Reduce the 256-bit carryless product of Karatsuba modulo the POLYVAL polynomial.

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ pub(super) fn karatsuba(h: U32x4, y: U32x4) -> U32x8 {`
`144`	`144`	`/// Carryless multiplication in GF(2)[X], truncated to the low 32-bits.`
`145`	`145`	`#[inline]`
`146`	`146`	`fn bmul32(x: u32, y: u32) -> u32 {`
`147`		`- super::bmul(x, y, 0x1111_1111, 0x2222_2222, 0x4444_4444, 0x8888_8888)`
	`147`	`+ super::bmul(x, y, 0x1111_1111)`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`/// Reduce the 256-bit carryless product of Karatsuba modulo the POLYVAL polynomial.`