Use Bernstein-Yang to implement (Boxed)Uint::inv_mod(_odd) (#501)

Author: tarcieri

benches/uint.rs

@@ -1,5 +1,5 @@
 use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
-use crypto_bigint::{Limb, NonZero, Random, Reciprocal, Uint, U128, U2048, U256};
+use crypto_bigint::{Limb, NonZero, Odd, Random, Reciprocal, Uint, U128, U2048, U256};
 use rand_core::OsRng;
 
 fn bench_division(c: &mut Criterion) {
@@ -170,7 +170,7 @@ fn bench_inv_mod(c: &mut Criterion) {
     group.bench_function("inv_odd_mod, U256", |b| {
         b.iter_batched(
             || {
-                let m = U256::random(&mut OsRng) | U256::ONE;
+                let m = Odd::<U256>::random(&mut OsRng);
                 loop {
                     let x = U256::random(&mut OsRng);
                     let inv_x = x.inv_odd_mod(&m);
@@ -187,7 +187,7 @@ fn bench_inv_mod(c: &mut Criterion) {
     group.bench_function("inv_mod, U256, odd modulus", |b| {
         b.iter_batched(
             || {
-                let m = U256::random(&mut OsRng) | U256::ONE;
+                let m = Odd::<U256>::random(&mut OsRng);
                 loop {
                     let x = U256::random(&mut OsRng);
                     let inv_x = x.inv_odd_mod(&m);

src/uint/add.rs

@@ -31,18 +31,6 @@ impl<const LIMBS: usize> Uint<LIMBS> {
     pub const fn wrapping_add(&self, rhs: &Self) -> Self {
         self.adc(rhs, Limb::ZERO).0
     }
-
-    /// Perform wrapping addition, returning the truthy value as the second element of the tuple
-    /// if an overflow has occurred.
-    pub(crate) const fn conditional_wrapping_add(
-        &self,
-        rhs: &Self,
-        choice: ConstChoice,
-    ) -> (Self, ConstChoice) {
-        let actual_rhs = Uint::select(&Uint::ZERO, rhs, choice);
-        let (sum, carry) = self.adc(&actual_rhs, Limb::ZERO);
-        (sum, ConstChoice::from_word_lsb(carry.0))
-    }
 }
 
 impl<const LIMBS: usize> Add for Uint<LIMBS> {

src/uint/boxed/inv_mod.rs

@@ -1,41 +1,16 @@
 //! [`BoxedUint`] modular inverse (i.e. reciprocal) operations.
 
 use crate::{
-    modular::BoxedBernsteinYangInverter, BoxedUint, ConstantTimeSelect, Integer, Odd,
+    modular::BoxedBernsteinYangInverter, BoxedUint, ConstantTimeSelect, Integer, Inverter, Odd,
     PrecomputeInverter, PrecomputeInverterWithAdjuster,
 };
 use subtle::{Choice, ConstantTimeEq, ConstantTimeLess, CtOption};
 
 impl BoxedUint {
     /// Computes the multiplicative inverse of `self` mod `modulus`.
     /// Returns `None` if an inverse does not exist.
-    pub fn inv_mod(&self, modulus: &Self) -> CtOption<Self> {
-        debug_assert_eq!(self.bits_precision(), modulus.bits_precision());
-
-        // Decompose `modulus = s * 2^k` where `s` is odd
-        let k = modulus.trailing_zeros();
-        let s = modulus >> k;
-
-        // Decompose `self` into RNS with moduli `2^k` and `s` and calculate the inverses.
-        // Using the fact that `(z^{-1} mod (m1 * m2)) mod m1 == z^{-1} mod m1`
-        let (a, a_is_some) = self.inv_odd_mod(&s);
-        let (b, b_is_some) = self.inv_mod2k(k);
-
-        // Restore from RNS:
-        // self^{-1} = a mod s = b mod 2^k
-        // => self^{-1} = a + s * ((b - a) * s^(-1) mod 2^k)
-        // (essentially one step of the Garner's algorithm for recovery from RNS).
-
-        let (m_odd_inv, _is_some) = s.inv_mod2k(k); // `s` is odd, so this always exists
-
-        // This part is mod 2^k
-        let mask = (Self::one() << k).wrapping_sub(&Self::one());
-        let t = (b.wrapping_sub(&a).wrapping_mul(&m_odd_inv)).bitand(&mask);
-
-        // Will not overflow since `a <= s - 1`, `t <= 2^k - 1`,
-        // so `a + s * t <= s * 2^k - 1 == modulus - 1`.
-        let result = a.wrapping_add(&s.wrapping_mul(&t));
-        CtOption::new(result, a_is_some & b_is_some)
+    pub fn inv_mod(&self, modulus: &Odd<Self>) -> CtOption<Self> {
+        modulus.precompute_inverter().invert(self)
     }
 
     /// Computes 1/`self` mod `2^k`.
@@ -69,80 +44,6 @@ impl BoxedUint {
 
         (x, is_some)
     }
-
-    /// Computes the multiplicative inverse of `self` mod `modulus`, where `modulus` is odd.
-    /// Returns `None` if an inverse does not exist.
-    pub(crate) fn inv_odd_mod(&self, modulus: &Self) -> (Self, Choice) {
-        self.inv_odd_mod_bounded(modulus, self.bits_precision(), modulus.bits_precision())
-    }
-
-    /// Computes the multiplicative inverse of `self` mod `modulus`, where `modulus` is odd.
-    /// In other words `self^-1 mod modulus`.
-    ///
-    /// `bits` and `modulus_bits` are the bounds on the bit size
-    /// of `self` and `modulus`, respectively.
-    ///
-    /// (the inversion speed will be proportional to `bits + modulus_bits`).
-    /// The second element of the tuple is the truthy value
-    /// if `modulus` is odd and an inverse exists, otherwise it is a falsy value.
-    ///
-    /// **Note:** variable time in `bits` and `modulus_bits`.
-    ///
-    /// The algorithm is the same as in GMP 6.2.1's `mpn_sec_invert`.
-    fn inv_odd_mod_bounded(&self, modulus: &Self, bits: u32, modulus_bits: u32) -> (Self, Choice) {
-        debug_assert_eq!(self.bits_precision(), modulus.bits_precision());
-
-        let bits_precision = self.bits_precision();
-
-        let mut a = self.clone();
-        let mut u = Self::one_with_precision(bits_precision);
-        let mut v = Self::zero_with_precision(bits_precision);
-        let mut b = modulus.clone();
-
-        // `bit_size` can be anything >= `self.bits()` + `modulus.bits()`, setting to the minimum.
-        let bit_size = bits + modulus_bits;
-
-        let m1hp = modulus
-            .shr1()
-            .wrapping_add(&Self::one_with_precision(bits_precision));
-
-        let modulus_is_odd = modulus.is_odd();
-
-        for _ in 0..bit_size {
-            // A sanity check that `b` stays odd. Only matters if `modulus` was odd to begin with,
-            // otherwise this whole thing produces nonsense anyway.
-            debug_assert!(bool::from(!modulus_is_odd | b.is_odd()));
-
-            let self_odd = a.is_odd();
-
-            // Set `self -= b` if `self` is odd.
-            let swap = a.conditional_sbb_assign(&b, self_odd);
-            // Set `b += self` if `swap` is true.
-            b = Self::ct_select(&b, &b.wrapping_add(&a), swap);
-            // Negate `self` if `swap` is true.
-            a = a.conditional_wrapping_neg(swap);
-
-            let mut new_u = u.clone();
-            let mut new_v = v.clone();
-            Self::ct_swap(&mut new_u, &mut new_v, swap);
-            let cy = new_u.conditional_sbb_assign(&new_v, self_odd);
-            let cyy = new_u.conditional_adc_assign(modulus, cy);
-            debug_assert!(bool::from(cy.ct_eq(&cyy)));
-
-            let (new_a, carry) = a.shr1_with_carry();
-            debug_assert!(bool::from(!modulus_is_odd | !carry));
-            let (mut new_u, cy) = new_u.shr1_with_carry();
-            let cy = new_u.conditional_adc_assign(&m1hp, cy);
-            debug_assert!(bool::from(!modulus_is_odd | !cy));
-
-            a = new_a;
-            u = new_u;
-            v = new_v;
-        }
-
-        debug_assert!(bool::from(!modulus_is_odd | a.is_zero()));
-        (v, b.is_one() & modulus_is_odd)
-    }
 }
 
 /// Precompute a Bernstein-Yang inverter using `self` as the modulus.

src/uint/boxed/neg.rs

@@ -1,14 +1,8 @@
 //! [`BoxedUint`] negation operations.
 
-use crate::{BoxedUint, ConstantTimeSelect, Limb, WideWord, Word, WrappingNeg};
-use subtle::Choice;
+use crate::{BoxedUint, Limb, WideWord, Word, WrappingNeg};
 
 impl BoxedUint {
-    /// Negates based on `choice` by wrapping the integer.
-    pub(crate) fn conditional_wrapping_neg(&self, choice: Choice) -> BoxedUint {
-        Self::ct_select(self, &self.wrapping_neg(), choice)
-    }
-
     /// Perform wrapping negation.
     pub fn wrapping_neg(&self) -> Self {
         let mut ret = vec![Limb::ZERO; self.nlimbs()];

src/uint/cmp.rs

@@ -22,14 +22,6 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         Uint { limbs }
     }
 
-    #[inline]
-    pub(crate) const fn swap(a: &Self, b: &Self, c: ConstChoice) -> (Self, Self) {
-        let new_a = Self::select(a, b, c);
-        let new_b = Self::select(b, a, c);
-
-        (new_a, new_b)
-    }
-
     /// Returns the truthy value if `self`!=0 or the falsy value otherwise.
     #[inline]
     pub(crate) const fn is_nonzero(&self) -> ConstChoice {

src/uint/inv_mod.rs

@@ -1,5 +1,6 @@
 use super::Uint;
-use crate::{ConstChoice, ConstCtOption};
+use crate::modular::BernsteinYangInverter;
+use crate::{ConstChoice, ConstCtOption, Odd, PrecomputeInverter};
 
 impl<const LIMBS: usize> Uint<LIMBS> {
     /// Computes 1/`self` mod `2^k`.
@@ -79,96 +80,33 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         ConstCtOption::new(x, is_some)
     }
 
-    /// Computes the multiplicative inverse of `self` mod `modulus`, where `modulus` is odd.
-    /// In other words `self^-1 mod modulus`.
-    /// `bits` and `modulus_bits` are the bounds on the bit size
-    /// of `self` and `modulus`, respectively
-    /// (the inversion speed will be proportional to `bits + modulus_bits`).
-    /// The second element of the tuple is the truthy value
-    /// if `modulus` is odd and an inverse exists, otherwise it is a falsy value.
-    ///
-    /// **Note:** variable time in `bits` and `modulus_bits`.
-    ///
-    /// The algorithm is the same as in GMP 6.2.1's `mpn_sec_invert`.
-    pub const fn inv_odd_mod_bounded(
-        &self,
-        modulus: &Self,
-        bits: u32,
-        modulus_bits: u32,
-    ) -> ConstCtOption<Self> {
-        let mut a = *self;
-
-        let mut u = Uint::ONE;
-        let mut v = Uint::ZERO;
-
-        let mut b = *modulus;
-
-        // `bit_size` can be anything >= `self.bits()` + `modulus.bits()`, setting to the minimum.
-        let bit_size = bits + modulus_bits;
-
-        let m1hp = modulus.shr1().wrapping_add(&Uint::ONE);
-
-        let modulus_is_odd = modulus.is_odd();
-
-        let mut i = 0;
-        while i < bit_size {
-            // A sanity check that `b` stays odd. Only matters if `modulus` was odd to begin with,
-            // otherwise this whole thing produces nonsense anyway.
-            debug_assert!(modulus_is_odd.not().or(b.is_odd()).is_true_vartime());
-
-            let self_odd = a.is_odd();
-
-            // Set `self -= b` if `self` is odd.
-            let (new_a, swap) = a.conditional_wrapping_sub(&b, self_odd);
-            // Set `b += self` if `swap` is true.
-            b = Uint::select(&b, &b.wrapping_add(&new_a), swap);
-            // Negate `self` if `swap` is true.
-            a = new_a.conditional_wrapping_neg(swap);
-
-            let (new_u, new_v) = Uint::swap(&u, &v, swap);
-            let (new_u, cy) = new_u.conditional_wrapping_sub(&new_v, self_odd);
-            let (new_u, cyy) = new_u.conditional_wrapping_add(modulus, cy);
-            debug_assert!(cy.is_true_vartime() == cyy.is_true_vartime());
-
-            let (new_a, carry) = a.shr1_with_carry();
-            debug_assert!(modulus_is_odd.not().or(carry.not()).is_true_vartime());
-            let (new_u, cy) = new_u.shr1_with_carry();
-            let (new_u, cy) = new_u.conditional_wrapping_add(&m1hp, cy);
-            debug_assert!(modulus_is_odd.not().or(cy.not()).is_true_vartime());
-
-            a = new_a;
-            u = new_u;
-            v = new_v;
-
-            i += 1;
-        }
-
-        debug_assert!(modulus_is_odd
-            .not()
-            .or(a.is_nonzero().not())
-            .is_true_vartime());
-
-        ConstCtOption::new(v, Uint::eq(&b, &Uint::ONE).and(modulus_is_odd))
-    }
-
     /// Computes the multiplicative inverse of `self` mod `modulus`, where `modulus` is odd.
     /// Returns `(inverse, ConstChoice::TRUE)` if an inverse exists,
     /// otherwise `(undefined, ConstChoice::FALSE)`.
-    pub const fn inv_odd_mod(&self, modulus: &Self) -> ConstCtOption<Self> {
-        self.inv_odd_mod_bounded(modulus, Uint::<LIMBS>::BITS, Uint::<LIMBS>::BITS)
+    pub const fn inv_odd_mod<const UNSAT_LIMBS: usize>(
+        &self,
+        modulus: &Odd<Self>,
+    ) -> ConstCtOption<Self>
+    where
+        Odd<Self>: PrecomputeInverter<Inverter = BernsteinYangInverter<LIMBS, UNSAT_LIMBS>>,
+    {
+        BernsteinYangInverter::<LIMBS, UNSAT_LIMBS>::new(modulus, &Uint::ONE).inv(self)
     }
 
     /// Computes the multiplicative inverse of `self` mod `modulus`.
     /// Returns `(inverse, ConstChoice::TRUE)` if an inverse exists,
     /// otherwise `(undefined, ConstChoice::FALSE)`.
-    pub const fn inv_mod(&self, modulus: &Self) -> ConstCtOption<Self> {
+    pub const fn inv_mod<const UNSAT_LIMBS: usize>(&self, modulus: &Self) -> ConstCtOption<Self>
+    where
+        Odd<Self>: PrecomputeInverter<Inverter = BernsteinYangInverter<LIMBS, UNSAT_LIMBS>>,
+    {
         // Decompose `modulus = s * 2^k` where `s` is odd
         let k = modulus.trailing_zeros();
         let s = modulus.overflowing_shr(k).unwrap_or(Self::ZERO);
 
         // Decompose `self` into RNS with moduli `2^k` and `s` and calculate the inverses.
         // Using the fact that `(z^{-1} mod (m1 * m2)) mod m1 == z^{-1} mod m1`
-        let maybe_a = self.inv_odd_mod(&s);
+        let maybe_a = self.inv_odd_mod(&Odd(s));
         let maybe_b = self.inv_mod2k(k);
         let is_some = maybe_a.is_some().and(maybe_b.is_some());
 
@@ -262,7 +200,9 @@ mod tests {
             "37BFE27A9AC9EEA2969B357ABC5C0EE214BE16A7D4C58FC620D5B5A20AFF001A",
             "D198D3155E5799DC4EA76652D64983A7E130B5EACEBAC768D28D589C36EC749C",
             "558D0B64E37CD0775C0D0104AE7D98BA23C815185DD43CD8B16292FD94156767"
-        ]);
+        ])
+        .to_odd()
+        .unwrap();
         let expected = U1024::from_be_hex(concat![
             "B03623284B0EBABCABD5C5881893320281460C0A8E7BF4BFDCFFCBCCBF436A55",
             "D364235C8171E46C7D21AAD0680676E57274A8FDA6D12768EF961CACDD2DAE57",
@@ -273,10 +213,6 @@ mod tests {
         let res = a.inv_odd_mod(&m).unwrap();
         assert_eq!(res, expected);
 
-        // Check that trying to pass an even modulus results in `None`
-        let res = a.inv_odd_mod(&(m.wrapping_add(&U1024::ONE)));
-        assert!(res.is_none().is_true_vartime());
-
         // Even though it is less efficient, it still works
         let res = a.inv_mod(&m).unwrap();
         assert_eq!(res, expected);
@@ -291,7 +227,7 @@ mod tests {
         let p2 =
             U256::from_be_hex("00000000000000000000000000000000ffffffffffffffffffffffffffffff53");
 
-        let m = p1.wrapping_mul(&p2);
+        let m = p1.wrapping_mul(&p2).to_odd().unwrap();
 
         // `m` is a multiple of `p1`, so no inverse exists
         let res = p1.inv_odd_mod(&m);
@@ -323,36 +259,10 @@ mod tests {
         assert_eq!(res, expected);
     }
 
-    #[test]
-    fn test_invert_bounded() {
-        let a = U1024::from_be_hex(concat![
-            "0000000000000000000000000000000000000000000000000000000000000000",
-            "347A412B065B75A351EA9719E2430D2477B11CC9CF9C1AD6EDEE26CB15F463F8",
-            "BCC72EF87EA30288E95A48AA792226CEC959DCB0672D8F9D80A54CBBEA85CAD8",
-            "382EC224DEB2F5784E62D0CC2F81C2E6AD14EBABE646D6764B30C32B87688985"
-        ]);
-        let m = U1024::from_be_hex(concat![
-            "0000000000000000000000000000000000000000000000000000000000000000",
-            "0000000000000000000000000000000000000000000000000000000000000000",
-            "D198D3155E5799DC4EA76652D64983A7E130B5EACEBAC768D28D589C36EC749C",
-            "558D0B64E37CD0775C0D0104AE7D98BA23C815185DD43CD8B16292FD94156767"
-        ]);
-
-        let res = a.inv_odd_mod_bounded(&m, 768, 512).unwrap();
-
-        let expected = U1024::from_be_hex(concat![
-            "0000000000000000000000000000000000000000000000000000000000000000",
-            "0000000000000000000000000000000000000000000000000000000000000000",
-            "0DCC94E2FE509E6EBBA0825645A38E73EF85D5927C79C1AD8FFE7C8DF9A822FA",
-            "09EB396A21B1EF05CBE51E1A8EF284EF01EBDD36A9A4EA17039D8EEFDD934768"
-        ]);
-        assert_eq!(res, expected);
-    }
-
     #[test]
     fn test_invert_small() {
         let a = U64::from(3u64);
-        let m = U64::from(13u64);
+        let m = U64::from(13u64).to_odd().unwrap();
 
         let res = a.inv_odd_mod(&m).unwrap();
         assert_eq!(U64::from(9u64), res);
@@ -361,7 +271,7 @@ mod tests {
     #[test]
     fn test_no_inverse_small() {
         let a = U64::from(14u64);
-        let m = U64::from(49u64);
+        let m = U64::from(49u64).to_odd().unwrap();
 
         let res = a.inv_odd_mod(&m);
         assert!(res.is_none().is_true_vartime());