Binary field implementation of GF(2^256) as a degree-two extension of the GHASH field.
Elements are pairs (a, b) representing a + b·Y, where a and b are elements of
BinaryField128bGhash. The extension is defined by the irreducible polynomial
Y² + Y + X⁻¹ over GHASH, so that Y² = Y + X⁻¹.
The field is backed by M256, with the low 128 bits holding the coefficient of 1 (a) and
the high 128 bits holding the coefficient of Y (b). This is the same layout as
PackedBinaryGhash2x128b (two GHASH lanes in an M256) and matches the {1, Y} basis used
by the ExtensionField<BinaryField128bGhash> implementation.
Multiplication uses the mul_m256i_hybrid algorithm from the binius_arith_bench::ghash_sq
module: the two GHASH products that share the AVX2 256-bit CLMUL are batched into a single
PackedBinaryGhash2x128b multiply.
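
The arithmetic implied by Y² = Y + X⁻¹, as an added scalar reference (not the crate's code, and not the mul_m256i_hybrid algorithm). It assumes the GHASH modulus X¹²⁸ + X⁷ + X² + X + 1 with bit i of a `u128` holding the coefficient of Xⁱ, which this page does not state; all function names are illustrative.

```rust
// Added reference sketch, not the crate's code. Assumption: bit i of a u128 is
// the coefficient of X^i, modulus X^128 + X^7 + X^2 + X + 1.
// Branches on operand bits, so it is NOT constant time: for checking only.
const POLY_LOW: u128 = 0x87; // X^7 + X^2 + X + 1

/// Multiply by X: shift left and fold X^128 back in.
fn mul_x(v: u128) -> u128 {
    (v << 1) ^ if v >> 127 == 1 { POLY_LOW } else { 0 }
}

/// Multiply by X^-1 (exact inverse of `mul_x`).
fn mul_x_inv(v: u128) -> u128 {
    if v & 1 == 1 { ((v ^ POLY_LOW) >> 1) | (1 << 127) } else { v >> 1 }
}

/// Shift-and-add multiplication in the 128-bit field.
fn ghash_mul(mut a: u128, mut b: u128) -> u128 {
    let mut acc = 0u128;
    while b != 0 {
        if b & 1 == 1 { acc ^= a; }
        a = mul_x(a);
        b >>= 1;
    }
    acc
}

/// (a + bY)(c + dY) with Y^2 = Y + X^-1. Pairs are (coeff of 1, coeff of Y),
/// i.e. (low 128 bits, high 128 bits) of the 256-bit value.
fn ext_mul((a, b): (u128, u128), (c, d): (u128, u128)) -> (u128, u128) {
    let ac = ghash_mul(a, c);
    let bd = ghash_mul(b, d);
    let cross = ghash_mul(a ^ b, c ^ d); // ac + ad + bc + bd (Karatsuba)
    // 1-coefficient: ac + bd*X^-1.  Y-coefficient: ad + bc + bd = cross + ac.
    (ac ^ mul_x_inv(bd), cross ^ ac)
}

fn main() {
    let y = (0u128, 1u128); // the element Y
    let (lo, hi) = ext_mul(y, y); // expect Y + X^-1
    println!("Y^2 = {:#034x} + {:#x}*Y", lo, hi);
}
```

A slow oracle like this is useful for differential testing of a vectorised multiply against random inputs.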