Add constant-time MontyParams::new (#518)

Adds a constant-time equivalent to `MontyParams::new_vartime`

Author: tarcieri

src/modular/monty_form.rs

@@ -13,7 +13,7 @@ use super::{
     reduction::montgomery_reduction,
     Retrieve,
 };
-use crate::{Limb, Monty, Odd, Uint, Word};
+use crate::{Concat, Limb, Monty, NonZero, Odd, Split, Uint, Word};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
 
 /// Parameters to efficiently go to/from the Montgomery form for an odd modulus provided at runtime.
@@ -33,6 +33,42 @@ pub struct MontyParams<const LIMBS: usize> {
 }
 
 impl<const LIMBS: usize> MontyParams<LIMBS> {
+    /// Instantiates a new set of `MontyParams` representing the given odd `modulus`.
+    pub fn new<const WIDE_LIMBS: usize>(modulus: Odd<Uint<LIMBS>>) -> Self
+    where
+        Uint<LIMBS>: Concat<Output = Uint<WIDE_LIMBS>>,
+        Uint<WIDE_LIMBS>: Split<Output = Uint<LIMBS>>,
+    {
+        // `R mod modulus` where `R = 2^BITS`.
+        // Represents 1 in Montgomery form.
+        let one = Uint::MAX.rem(modulus.as_nz_ref()).wrapping_add(&Uint::ONE);
+
+        // `R^2 mod modulus`, used to convert integers to Montgomery form.
+        let r2 = one
+            .square()
+            .rem(&NonZero(Uint::<LIMBS>::ZERO.concat(&modulus.0)))
+            .split()
+            .1;
+
+        // The modular inverse should always exist, because it was ensured odd above, which also ensures it's non-zero
+        let inv_mod = modulus
+            .inv_mod2k(Word::BITS)
+            .expect("modular inverse should exist");
+
+        let mod_neg_inv = Limb(Word::MIN.wrapping_sub(inv_mod.limbs[0].0));
+
+        // `R^3 mod modulus`, used for inversion in Montgomery form.
+        let r3 = montgomery_reduction(&r2.square_wide(), &modulus, mod_neg_inv);
+
+        Self {
+            modulus,
+            one,
+            r2,
+            r3,
+            mod_neg_inv,
+        }
+    }
+
     /// Instantiates a new set of `MontyParams` representing the given odd `modulus`.
     pub fn new_vartime(modulus: Odd<Uint<LIMBS>>) -> Self {
         // `R mod modulus` where `R = 2^BITS`.

tests/monty_form.proptest-regressions

@@ -0,0 +1,7 @@
+# Seeds for failure cases proptest has generated in the past. It is
+# automatically read and these particular cases re-run before any
+# novel cases are generated.
+#
+# It is recommended to check this file in to source control so that
+# everyone who runs the test benefits from these saved cases.
+cc 19eef79040418fc32c4437caa30b98e5676e64e06ddf9afbd3eac59fb144577a # shrinks to n = MontyParams { modulus: Odd(Uint(0x0100000000000000000000000000000000000000000000000000000000000001)), one: Uint(0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01), r2: Uint(0x0000000000000000000000000000000000000000000000000000000000010000), r3: Uint(0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000001), mod_neg_inv: Limb(0xFFFFFFFFFFFFFFFF) }

tests/monty_form.rs

@@ -37,6 +37,12 @@ prop_compose! {
 }
 
 proptest! {
+    #[test]
+    fn new(n in modulus()) {
+        let n2 = MontyParams::new(*n.modulus());
+        prop_assert_eq!(n, n2);
+    }
+
     #[test]
     fn inv(x in uint(), n in modulus()) {
         let x = reduce(&x, n.clone());