Classes
struct	Block128
	128-bit value stored as two big-endian uint64_t halves. More...

struct	GHashTable
	4-bit precomputed table for constant-time GHASH multiplication. More...

Functions
Block128	load_block (const uint8_t src[16])
	Load a 16-byte array into a Block128 (big-endian byte order).

void	store_block (uint8_t dst[16], const Block128 &b)
	Store a Block128 into a 16-byte array (big-endian byte order).

Block128	xor_blocks (const Block128 &a, const Block128 &b)
	XOR two Block128 values.

Block128	gf128_double (const Block128 &V)
	"Doubling" in GF(2^128): multiply by x (shift right by 1 in GCM bit ordering).

Block128	ct_table_lookup (const Block128 table[16], uint8_t index)
	Constant-time 16-entry Block128 table lookup.

uint64_t	ct_reduce4 (uint8_t index)
	Constant-time 4-bit reduction table lookup.

uint8_t	rev4 (uint8_t n)
	Bit-reverse a 4-bit nibble value.

Block128	gf128_mul_ct (const GHashTable &table, const Block128 &X)
	Constant-time GF(2^128) multiplication using the 4-bit precomputed table.

Block128	gf128_mul (const Block128 &X, const Block128 &Y)
	Multiply two elements in GF(2^128) using the schoolbook algorithm.

Block128	ghash (const Block128 &H, const uint8_t *data, size_t data_size)
	GHASH: Compute the GHASH function over data using hash subkey H.

void	inc32 (uint8_t counter[16])
	Increment the rightmost 32 bits of a 16-byte counter block (big-endian).

void	gctr (const Aes256 &cipher, const uint8_t icb[16], const uint8_t input, size_t input_size, uint8_t output)
	GCTR: AES-CTR encryption with the given initial counter block.

Function Documentation

◆ ct_reduce4()

uint64_t signet::forge::crypto::detail::gcm::ct_reduce4 ( uint8_t index )

inline

Constant-time 4-bit reduction table lookup.

When right-shifting a GF(2^128) element by 4 bits, the 4 bits that fall off the LSB end each contribute a shifted copy of the reducing polynomial R = 0xe1 << 56. This table precomputes the XOR of those contributions for every possible 4-bit value.

Definition at line 181 of file aes_gcm.hpp.

◆ ct_table_lookup()

Block128 signet::forge::crypto::detail::gcm::ct_table_lookup	(	const Block128	table[16],
		uint8_t	index
	)

inline

Constant-time 16-entry Block128 table lookup.

Scans all 16 entries on every call, selecting the entry at index via data-independent masking. Prevents cache-timing side channels.

Definition at line 162 of file aes_gcm.hpp.

◆ gctr()

void signet::forge::crypto::detail::gcm::gctr	(	const Aes256 &	cipher,
		const uint8_t	icb[16],
		const uint8_t *	input,
		size_t	input_size,
		uint8_t *	output
	)

inline

GCTR: AES-CTR encryption with the given initial counter block.

For each 16-byte block of data:

Encrypt the counter block with AES
XOR the encrypted counter with the data block
Increment the counter

The last block may be partial (only XOR the relevant bytes).

Note: This function returns void and silently returns if the counter would wrap (> 2^32-2 blocks). Callers MUST enforce MAX_GCM_PLAINTEXT (< 64 GB) before calling gctr() to ensure this path is never reached. AesGcm::encrypt()/decrypt() enforce this limit at lines 470-473.

Definition at line 350 of file aes_gcm.hpp.

◆ gf128_double()

Block128 signet::forge::crypto::detail::gcm::gf128_double ( const Block128 & V )

inline

"Doubling" in GF(2^128): multiply by x (shift right by 1 in GCM bit ordering).

If the LSB (bit 127 in GCM ordering) was set, XOR with the reducing polynomial R = 0xe1 << 56. Constant-time: no branches on the input.

Definition at line 118 of file aes_gcm.hpp.

◆ gf128_mul()

Block128 signet::forge::crypto::detail::gcm::gf128_mul	(	const Block128 &	X,
		const Block128 &	Y
	)

inline

Multiply two elements in GF(2^128) using the schoolbook algorithm.

Note: This function branches on X and is NOT constant-time. It is used ONLY during table precomputation (where X is a small public index, not secret data) and for the standalone ghash() helper. The AesGcm class uses gf128_mul_ct() on the hot path.

Definition at line 268 of file aes_gcm.hpp.

◆ gf128_mul_ct()

Block128 signet::forge::crypto::detail::gcm::gf128_mul_ct	(	const GHashTable &	table,
		const Block128 &	X
	)

inline

Constant-time GF(2^128) multiplication using the 4-bit precomputed table.

Processes X nibble-by-nibble using reversed Horner evaluation: bytes are iterated from LAST to FIRST (byte 15 → byte 0), and within each byte the low nibble (higher polynomial degrees) is processed before the high nibble. Both nibble values AND the 4-bit reduction remainder are bit-reversed before table lookup to account for GCM's reflected bit ordering (NIST SP 800-38D §6.2).

All table lookups and shifts are data-independent — no branches or variable-time memory accesses on secret data.

Ref: NIST SP 800-38D §6.3, CWE-208.

Definition at line 229 of file aes_gcm.hpp.

◆ ghash()

Block128 signet::forge::crypto::detail::gcm::ghash	(	const Block128 &	H,
		const uint8_t *	data,
		size_t	data_size
	)

inline

GHASH: Compute the GHASH function over data using hash subkey H.

GHASH processes 16-byte blocks: X_0 = 0 X_i = (X_{i-1} ^ A_i) * H for each block A_i

The input data is padded with zeros to a multiple of 16 bytes.

Definition at line 305 of file aes_gcm.hpp.

◆ inc32()

void signet::forge::crypto::detail::gcm::inc32 ( uint8_t counter[16] )

inline

Increment the rightmost 32 bits of a 16-byte counter block (big-endian).

Definition at line 330 of file aes_gcm.hpp.

◆ load_block()

Block128 signet::forge::crypto::detail::gcm::load_block ( const uint8_t src[16] )

inline

Load a 16-byte array into a Block128 (big-endian byte order).

Definition at line 88 of file aes_gcm.hpp.

◆ rev4()

uint8_t signet::forge::crypto::detail::gcm::rev4 ( uint8_t n )

inline

Bit-reverse a 4-bit nibble value.

GCM uses a reflected bit ordering where bit 0 of a byte is the MSB (coefficient of x^0). When extracting nibbles from a byte or from the low 4 bits of Z.lo, the bit positions within the nibble are reversed relative to the GF(2^128) polynomial basis used by the precomputed tables (both the H-multiple table and the reduction table). This function maps the nibble back to the correct table index.

Definition at line 211 of file aes_gcm.hpp.

◆ store_block()

void signet::forge::crypto::detail::gcm::store_block	(	uint8_t	dst[16],
		const Block128 &	b
	)

inline

Store a Block128 into a 16-byte array (big-endian byte order).

Definition at line 102 of file aes_gcm.hpp.

◆ xor_blocks()

Block128 signet::forge::crypto::detail::gcm::xor_blocks	(	const Block128 &	a,
		const Block128 &	b
	)

inline

XOR two Block128 values.

Definition at line 110 of file aes_gcm.hpp.

Classes

Functions

Function Documentation

◆ ct_reduce4()

◆ ct_table_lookup()

◆ gctr()

◆ gf128_double()

◆ gf128_mul()

◆ gf128_mul_ct()

◆ ghash()

◆ inc32()

◆ load_block()

◆ rev4()

◆ store_block()

◆ xor_blocks()