Crude implementation of sqrt_vartime

xuganyu96 · xuganyu96 · commit 703c42e61422 · 2023-12-14T13:47:42.000-05:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -39,7 +39,7 @@ rand_core = { version = "0.6", features = ["std"] }
 rand_chacha = "0.3"
 
 [features]
-default = ["rand"]
+default = ["rand", "alloc"]
 alloc = ["serdect?/alloc"]
 std = ["alloc"]
 
diff --git a/src/uint/boxed.rs b/src/uint/boxed.rs
@@ -15,6 +15,7 @@ mod mul_mod;
 mod neg;
 mod shl;
 mod shr;
+mod sqrt;
 mod sub;
 mod sub_mod;
 
@@ -91,6 +92,11 @@ impl BoxedUint {
             .fold(Choice::from(1), |acc, limb| acc & limb.is_zero())
     }
 
+    /// Is this [`BoxedUint`] non-zero?
+    pub fn is_nonzero(&self) -> Choice {
+        !self.is_zero()
+    }
+
     /// Is this [`BoxedUint`] equal to one?
     pub fn is_one(&self) -> Choice {
         let mut iter = self.limbs.iter();
diff --git a/src/uint/boxed/sqrt.rs b/src/uint/boxed/sqrt.rs
@@ -0,0 +1,117 @@
+//! [`Uint`] square root operations.
+use crate::{BoxedUint, NonZero};
+
+impl BoxedUint {
+    /// Computes √(`self`) in constant time.
+    ///
+    /// Callers can check if `self` is a square by squaring the result
+    pub const fn sqrt(&self) -> Self {
+        todo!();
+    }
+
+    /// Computes √(`self`)
+    ///
+    /// Callers can check if `self` is a square by squaring the result
+    pub fn sqrt_vartime(&self) -> Self {
+        // Uses Brent & Zimmermann, Modern Computer Arithmetic, v0.5.9, Algorithm 1.13
+
+        // The initial guess: `x_0 = 2^ceil(b/2)`, where `2^(b-1) <= self < b`.
+        // Will not overflow since `b <= BITS`.
+        let (mut x, _overflow) =
+            Self::one_with_precision(self.bits_precision()).shl((self.bits() + 1) >> 1); // ≥ √(`self`)
+
+        // Stop right away if `x` is zero to avoid divizion by zero.
+        // TODO: is it kay to use cmp instead of implementing cmp_vartime?
+        while !x
+            .cmp(&Self::zero_with_precision(self.bits_precision()))
+            .is_eq()
+        {
+            // Calculate `x_{i+1} = floor((x_i + self / x_i) / 2)`
+
+            // TODO: is using wrapping_div instead of wrapping_div_vartime ok?
+            let q = self.wrapping_div(&NonZero::<Self>::new(x.clone()).expect("division by 0"));
+            let t = x.wrapping_add(&q);
+            let next_x = t.shr1();
+
+            // If `next_x` is the same as `x` or greater, we reached convergence
+            // (`x` is guaranteed to either go down or oscillate between
+            // `sqrt(self)` and `sqrt(self) + 1`)
+            if !x.cmp(&next_x).is_gt() {
+                break;
+            }
+
+            x = next_x;
+        }
+
+        if self.is_nonzero().into() {
+            x
+        } else {
+            Self::zero_with_precision(self.bits_precision())
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::Limb;
+
+    #[test]
+    fn edge_vartime() {
+        let zero = BoxedUint::zero_with_precision(256);
+        let one = BoxedUint::one_with_precision(256);
+        let max = !zero.clone();
+        assert_eq!(zero.sqrt_vartime(), zero);
+        assert_eq!(one.sqrt_vartime(), one);
+        let mut half = zero;
+        for i in 0..half.limbs.len() / 2 {
+            half.limbs[i] = Limb::MAX;
+        }
+        assert_eq!(max.sqrt_vartime(), half);
+    }
+
+    #[test]
+    fn simple() {
+        let tests = [
+            (4u8, 2u8),
+            (9, 3),
+            (16, 4),
+            (25, 5),
+            (36, 6),
+            (49, 7),
+            (64, 8),
+            (81, 9),
+            (100, 10),
+            (121, 11),
+            (144, 12),
+            (169, 13),
+        ];
+        for (a, e) in &tests {
+            let l = BoxedUint::from(*a);
+            let r = BoxedUint::from(*e);
+            // assert_eq!(l.sqrt(), r);
+            assert_eq!(l.sqrt_vartime(), r);
+            // assert_eq!(l.checked_sqrt().is_some().unwrap_u8(), 1u8);
+            // assert_eq!(l.checked_sqrt_vartime().is_some().unwrap_u8(), 1u8);
+        }
+    }
+
+    #[test]
+    fn nonsquares_vartime() {
+        assert_eq!(BoxedUint::from(2u8).sqrt_vartime(), BoxedUint::from(1u8));
+        // assert_eq!(
+        //     BoxedUint::from(2u8).checked_sqrt_vartime().is_some().unwrap_u8(),
+        //     0
+        // );
+        assert_eq!(BoxedUint::from(3u8).sqrt_vartime(), BoxedUint::from(1u8));
+        // assert_eq!(
+        //     BoxedUint::from(3u8).checked_sqrt_vartime().is_some().unwrap_u8(),
+        //     0
+        // );
+        assert_eq!(BoxedUint::from(5u8).sqrt_vartime(), BoxedUint::from(2u8));
+        assert_eq!(BoxedUint::from(6u8).sqrt_vartime(), BoxedUint::from(2u8));
+        assert_eq!(BoxedUint::from(7u8).sqrt_vartime(), BoxedUint::from(2u8));
+        assert_eq!(BoxedUint::from(8u8).sqrt_vartime(), BoxedUint::from(2u8));
+        assert_eq!(BoxedUint::from(10u8).sqrt_vartime(), BoxedUint::from(3u8));
+    }
+}
