Expand description
Itoh-Tsujii inversion for the GHASH field GF(2^128).
For a non-zero x, the inverse is x^(2^128 - 2) = (x^(2^127 - 1))^2. The exponent 2^127 - 1
is built up with an addition chain on the powers beta_k := x^(2^k - 1), using the identity
beta_{a+b} = (beta_a)^(2^b) * beta_b.Squaring beta_a repeatedly b times (the x -> x^(2^b) power map) is an F_2-linear
transformation. We precompute each power map as a BytewiseLookupTransformation (the Method
of Four Russians), wrapped into a GhashB128 -> GhashB128 transform, and hold them in a
process-wide LazyLock so the tables are computed once and shared read-only across all
threads.
Functionsยง
- invert_
b128 - Invert each GHASH element (scalar or packed) via the Itoh-Tsujii algorithm.