Crate gf256

source · []
Expand description


A Rust library containing Galois-field types and utilities, leveraging hardware instructions when available.

This project started as a learning project to learn more about these “Galois-field thingies” after seeing them pop up in far too many subjects. So this crate may be more educational than practical.

use ::gf256::*;

let a = gf256(0xfd);
let b = gf256(0xfe);
let c = gf256(0xff);
assert_eq!(a*(b+c), a*b + a*c);

If you, like me, are interested in learning more about the fascinating utility of Galois-fields, take a look at the documentation of gf256’s modules. I’ve tried to comprehensively capture what I’ve learned, hopefully provided a decent entry point into learning more about this useful field of math.

I also want to point out that the Rust examples in each module are completely functional and tested in CI thanks to Rust’s doctest runner. Feel free to copy and tweak them to see what happens.

Reed-Solomon error-correction using gf256

                      ..:::::::::::...                  .:::....:::.:.:.'':.'.:.'::: :   :' ''  '''
                   .:::::::::::::::::::..               ::::::::::::  .:....'.. '.:...  :' :'':': .'
                 .::::::::::::::::::::::::.             ::::::::::' . :..:..:' : '.':::  :.':'' '  :
               .:::::::::::::::::::::::::::.         . ::::::::::   :: '::' .: '' ''. : :: .:..::. '
              .::::::::::::::::::::::::::::::    ... :: :'::::::'   ::':. ':' .: '.:'::'::: ': '...:
              :::::::::::::::::::::::::::::'' .. '::: '     '''     ''..:.:'.''::.   .:.' .'': '. .:
             :::::::::::::::::::::::::::''..::::: '                  : .: .'. :  :::.'.:':.:':: .. :
             :::::::::::::::::::::::'' ..:::::''                    ' :... .': ::.''':' .''. . '  ..
             :::::::::::::::::::'' ..:::::'' .                       : :..':::.:. : .:' :.   .':'.':
         ..: ::::::::::::::''' ..:::::'' ..:::                      :' . :.' .'.'::. ' ::' ':  .:.
      ..:::'  :::::::::'' ..::::::'' ..:::::::                      :' .  '.'::'.:  : .:'' .:.'.:::'
     :::'     ':::'' ...::::::''...::::::::::                        '' ' .'::...' :':...':.. . .' :
    ::'         ...::::::'' ..:::::::::::::'                        . .. ' .:::.'':::.  .':''':::...
         ....:::::::'' ..:::::::::::::::::'                         : '.'  .': :. .:.': . .'  .  ::'
    '::::::::'''    :::::::::::::::::::''                            '.. .: ::: ': ::'::. ' '.': : '
                      '':::::::::::'''                              .:.':.. '''.  : : ':'':.': '.:':

What are Galois-fields?

Galois-fields, also called finite-fields, are a finite set of “numbers” (for some definition of number), that you can do “math” on (for some definition of math).

More specifically, Galois-fields support addition, subtraction, multiplication, and division, which follow a set of rules called “field axioms”:

  1. Subtraction is the inverse of addition, and division is the inverse of multiplication:

    assert_eq!((a+b)-b, a);
    assert_eq!((a*b)/b, a);

    Except for 0, over which division is undefined:

    assert_eq!(a.checked_div(gf256(0)), None);
  2. There exists an element 0 that is the identity of addition, and an element 1 that is the identity of multiplication:

    assert_eq!(a + gf256(0), a);
    assert_eq!(a * gf256(1), a);
  3. Addition and multiplication are associative:

    assert_eq!(a+(b+c), (a+b)+c);
    assert_eq!(a*(b*c), (a*b)*c);
  4. Addition and multiplication are commutative:

    assert_eq!(a+b, b+a);
    assert_eq!(a*b, b*a);
  5. Multiplication is distributive over addition:

    assert_eq!(a*(b+c), a*b + a*c);

Keep in mind these aren’t your normal integer operations! The operations defined in a Galois-field types satisfy the above rules, but they may have unintuitive results:

assert_eq!(gf256(1) + gf256(1), gf256(0));

This also means not all of math works in a Galois-field:

assert_ne!(a + a, gf256(2)*a);

Finite-fields can be very useful for applying high-level math onto machine words, since machine words (u8, u16, u32, etc) are inherently finite. Normally we just ignore this until an integer overflow occurs and then we just wave our hands around wailing that math has failed us.

In Rust this has the fun side-effect that the Galois-field types are incapable of overflowing, so Galois-field types don’t need the set of overflowing operations normally found in other Rust types:

let a = (u8::MAX).checked_add(1);  // overflows          :(
let b = gf256(u8::MAX) + gf256(1); // does not overflow  :)

For more information on Galois-fields and how we construct them, see the relevant documentation in gf’s module-level documentation.

Included in gf256

gf256 contains a bit more than the Galois-field types. It also contains a number of other utilities that rely on the math around finite-fields:

  • Polynomial types

    use ::gf256::*;
    let a = p32(0x1234);
    let b = p32(0x5678);
    assert_eq!(a+b, p32(0x444c));
    assert_eq!(a*b, p32(0x05c58160));
  • Galois-field types

    use ::gf256::*;
    let a = gf256(0xfd);
    let b = gf256(0xfe);
    let c = gf256(0xff);
    assert_eq!(a*(b+c), a*b + a*c);
  • LFSR structs (requires feature lfsr)

    use gf256::lfsr::Lfsr16;
    let mut lfsr = Lfsr16::new(1);
    assert_eq!(, 0x0001);
    assert_eq!(, 0x002d);
    assert_eq!(, 0x0451);
    assert_eq!(, 0xbdad);
    assert_eq!(lfsr.prev(16), 0xbdad);
    assert_eq!(lfsr.prev(16), 0x0451);
    assert_eq!(lfsr.prev(16), 0x002d);
    assert_eq!(lfsr.prev(16), 0x0001);
  • CRC functions (requires feature crc)

    use gf256::crc::crc32c;
    assert_eq!(crc32c(b"Hello World!", 0), 0xfe6cf1dc);
  • Shamir secret-sharing functions (requires features shamir and thread-rng)

    use gf256::shamir::shamir;
    // generate shares
    let shares = shamir::generate(b"secret secret secret!", 5, 4);
    // <4 can't reconstruct secret
    assert_ne!(shamir::reconstruct(&shares[..1]), b"secret secret secret!");
    assert_ne!(shamir::reconstruct(&shares[..2]), b"secret secret secret!");
    assert_ne!(shamir::reconstruct(&shares[..3]), b"secret secret secret!");
    // >=4 can reconstruct secret
    assert_eq!(shamir::reconstruct(&shares[..4]), b"secret secret secret!");
    assert_eq!(shamir::reconstruct(&shares[..5]), b"secret secret secret!");
  • RAID-parity functions (requires feature raid)

    use gf256::raid::raid7;
    // format
    let mut buf = b"Hello World!".to_vec();
    let mut parity1 = vec![0u8; 4];
    let mut parity2 = vec![0u8; 4];
    let mut parity3 = vec![0u8; 4];
    let slices = buf.chunks(4).collect::<Vec<_>>();
    raid7::format(&slices, &mut parity1, &mut parity2, &mut parity3);
    // corrupt
    // repair
    let mut slices = buf.chunks_mut(4).collect::<Vec<_>>();
    raid7::repair(&mut slices, &mut parity1, &mut parity2, &mut parity3, &[0, 1]);
    assert_eq!(&buf, b"Hello World!");
  • Reed-Solomon error-correction functions (requires feature rs)

    use gf256::rs::rs255w223;
    // encode
    let mut buf = b"Hello World!".to_vec();
    buf.resize(buf.len()+32, 0u8);
    rs255w223::encode(&mut buf);
    // corrupt
    // correct
    rs255w223::correct_errors(&mut buf)?;
    assert_eq!(&buf[0..12], b"Hello World!");

Since this math depends on some rather arbitrary constants, each of these utilities is available as both a normal Rust API, defined using reasonable defaults, and as a highly configurable proc_macro:

use gf256::gf::gf;

#[gf(polynomial=0x11b, generator=0x3)]
type gf256_rijndael;

let a = gf256_rijndael(0xfd);
let b = gf256_rijndael(0xfe);
let c = gf256_rijndael(0xff);
assert_eq!(a*(b+c), a*b + a*c);

Hardware support

Most modern 64-bit hardware contains instructions for accelerating this sort of math. This usually comes in the form of a carry-less multiplication instruction.

Carry-less multiplication, also called polynomial multiplication and xor multiplication, is the multiplication analog for xor. Where traditional multiplication can be implemented as a series of shifts and adds, carry-less multiplication can be implemented as a series of shifts and xors:


1011 * 1101 =  1011
            +   1011
            +     1011
            = 10001111

Carry-less multiplication:

1011 * 1101 =  1011
            ^   1011
            ^     1011
            = 01111111

64-bit carry-less multiplication is available on x86_64 with the pclmulqdq, and on aarch64 with the slightly less wordy pmull instruction.

gf256 takes advantage of these instructions when possible. However, at the time of writing, pmull support in Rust is only available on nightly.

// uses carry-less multiplication instructions if available
let a = p32(0b1011);
let b = p32(0b1101);
assert_eq!(a * b, p32(0b01111111));

gf256 also exposes the flag HAS_XMUL, which can be used to choose algorithms based on whether or not hardware accelerated carry-less multiplication is available:

let a = p32(0b1011);
let b = if gf256::HAS_XMUL {
    a * p32(0b11)
} else {
    (a << 1) ^ a

gf256 also leverages the hardware accelerated carry-less addition instructions, sometimes called polynomial addition, or simply xor. But this is much less notable.

const fn support

Due to the use of traits and intrinsics, it’s not possible to use the polynomial/Galois-field operators in const fns.

As an alternative, gf256 provides a set of “naive” functions, which provide less efficient, well, naive, implementations that can be used in const fns.

These are very useful for calculating complex constants at compile-time, which is common in these sort of algorithms:

const POLYNOMIAL: p64 = p64(0x104c11db7);
const CRC_TABLE: [u32; 256] = {
    let mut table = [0; 256];
    let mut i = 0;
    while i < table.len() {
        let x = (i as u32).reverse_bits();
        let x = p64((x as u64) << 8).naive_rem(POLYNOMIAL).0 as u32;
        table[i] = x.reverse_bits();
        i += 1;

no_std support

gf256 is just a pile of math, so it is mostly no_std compatible.

The exceptions are the extra utilities rs and shamir, which currently require alloc.


gf256 provides “best-effort” constant-time implementations for certain useful operations. Though it should be emphasized this was primarily an educational project, so the constant-time properties should be externally evaluated before use, and you use this library at your own risk.

  • Polynomial multiplication

    Polynomial multiplication in gf256 should always be constant-time.

    The assumption is that any hardware accelerated carry-less multiplication instructions complete in a fixed number of cycles, which is generally true.

    If carry-less multiplication instructions are not available, a branch-less loop implementation of carry-less multiplication is used.

  • Galois-field operations

    Galois-field types in barret mode rely only on carry-less multiplication and xors, and should always execute in constant time.

    The other Galois-field implementations are NOT constant-time due to the use of lookup tables, which may be susceptible to cache-timing attacks. Note that the default Galois-field types likely use a table-based implementation.

    You will need to declare a custom Galois-field type using barret mode if you want constant-time finite-field operations:

    use gf256::gf::gf;
    #[gf(polynomial=0x11b, generator=0x3, barret)]
    type gf256_rijndael;
  • Shamir secret-sharing

    The default Shamir secret-sharing implementation internally uses a custom Galois-field type in barret mode and should (keyword should) be constant-time.


  • no-xmul - Disables carry-less multiplication instructions, forcing the use of naive bitwise implementations

    This is mostly available for testing/benchmarking purposes.

  • no-tables - Disables lookup tables, relying only on hardware instructions or naive implementations

    This may be useful on memory constrained devices

  • small-tables - Limits lookup tables to “small tables”, tables with <=16 elements

    This provides a compromise between full 256-byte tables and no-tables, which may be useful on memory constrained devices

  • thread-rng - Enables features that depend on ThreadRng

    Note this requires std

    This is used to provide a default Rng implementation for Shamir’s secret-sharing implementations

  • lfsr - Makes LFSR structs and macros available

  • crc - Makes CRC functions and macros available

  • shamir - Makes Shamir secret-sharing functions and macros available

    Note this requires alloc and rand

    You may also want to enable the thread-rng feature, which is required for a default rng

  • raid - Makes RAID-parity functions and macros available

  • rs - Makes Reed-Solomon functions and macros available

    Note this requires alloc


gf256 comes with a number of tests implemented in Rust’s test runner, these can be run with make:

make test

Additionally all of the code samples in these docs can be ran with Rust’s doctest runner:

make docs


gf256 also has a number of benchmarks implemented in Criterion. These were used to determine the best default implementations, and can be ran with make:

make bench

A full summary of the benchmark results can be found in


pub use p::*;
pub use gf::*;
pub use internal::xmul::HAS_XMUL;


CRC functions

Galois-field types

Re-exports for proc_macros

LFSR structs

Polynomial types

RAID-parity structs

Reed-Solomon error-correction

Shamir secret-sharing

Extra traits Common traits