Add Gcd::gcd_vartime (#636)

tarcieri · web-flow · commit e3fea9ca4662 · 2024-08-04T19:09:37.000-06:00
Adds a method to the `Gcd` trait for computing greatest common divisor
in variable time, permitting a faster implementation.
diff --git a/Cargo.toml b/Cargo.toml
@@ -17,7 +17,7 @@ edition = "2021"
 rust-version = "1.73"
 
 [dependencies]
-subtle = { version = "2.5", default-features = false }
+subtle = { version = "2.6", default-features = false }
 
 # optional dependencies
 der = { version = "0.7", optional = true, default-features = false }
diff --git a/src/traits.rs b/src/traits.rs
@@ -200,9 +200,10 @@ pub trait Gcd<Rhs = Self>: Sized {
     type Output;
 
     /// Compute the greatest common divisor of `self` and `rhs`.
-    ///
-    /// Returns none unless `self` is odd (`rhs` may be even or odd)`.
     fn gcd(&self, rhs: &Rhs) -> Self::Output;
+
+    /// Compute the greatest common divisor of `self` and `rhs` in variable time.
+    fn gcd_vartime(&self, rhs: &Rhs) -> Self::Output;
 }
 
 /// Trait impl'd by precomputed modular inverters obtained via the [`PrecomputeInverter`] trait.
diff --git a/src/uint/boxed/gcd.rs b/src/uint/boxed/gcd.rs
@@ -23,14 +23,12 @@ impl Gcd for BoxedUint {
         let g = Self::ct_select(&s1, &s2, s2.is_odd());
         bernstein_yang::boxed::gcd(&f, &g).overflowing_shl(k).0
     }
-}
 
-impl Odd<BoxedUint> {
-    /// Compute the greatest common divisor (GCD) of this number and another.
-    ///
-    /// Runs in variable time with respect to `rhs`.
-    pub fn gcd_vartime(&self, rhs: &BoxedUint) -> BoxedUint {
-        bernstein_yang::boxed::gcd_vartime(self, rhs)
+    fn gcd_vartime(&self, rhs: &Self) -> Self::Output {
+        match Odd::<Self>::new(self.clone()).into_option() {
+            Some(odd) => odd.gcd_vartime(rhs),
+            None => self.gcd(rhs), // TODO(tarcieri): vartime support for even `self`?
+        }
     }
 }
 
@@ -40,6 +38,10 @@ impl Gcd<BoxedUint> for Odd<BoxedUint> {
     fn gcd(&self, rhs: &BoxedUint) -> BoxedUint {
         bernstein_yang::boxed::gcd(self, rhs)
     }
+
+    fn gcd_vartime(&self, rhs: &BoxedUint) -> Self::Output {
+        bernstein_yang::boxed::gcd_vartime(self, rhs)
+    }
 }
 
 #[cfg(test)]
diff --git a/src/uint/gcd.rs b/src/uint/gcd.rs
@@ -51,6 +51,13 @@ where
     fn gcd(&self, rhs: &Self) -> Self {
         self.gcd(rhs)
     }
+
+    fn gcd_vartime(&self, rhs: &Self) -> Self::Output {
+        match Odd::<Self>::new(*self).into_option() {
+            Some(odd) => odd.gcd_vartime(rhs),
+            None => self.gcd(rhs), // TODO(tarcieri): vartime support for even `self`?
+        }
+    }
 }
 
 impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Gcd<Uint<SAT_LIMBS>> for Odd<Uint<SAT_LIMBS>>
@@ -62,6 +69,10 @@ where
     fn gcd(&self, rhs: &Uint<SAT_LIMBS>) -> Uint<SAT_LIMBS> {
         <Odd<Self> as PrecomputeInverter>::Inverter::gcd(self, rhs)
     }
+
+    fn gcd_vartime(&self, rhs: &Uint<SAT_LIMBS>) -> Self::Output {
+        <Odd<Self> as PrecomputeInverter>::Inverter::gcd_vartime(self, rhs)
+    }
 }
 
 #[cfg(test)]

Original file line number	Diff line number	Diff line change
`@@ -23,14 +23,12 @@ impl Gcd for BoxedUint {`
`23`	`23`	`let g = Self::ct_select(&s1, &s2, s2.is_odd());`
`24`	`24`	`bernstein_yang::boxed::gcd(&f, &g).overflowing_shl(k).0`
`25`	`25`	`}`
`26`		`-}`
`27`	`26`
`28`		`-impl Odd<BoxedUint> {`
`29`		`- /// Compute the greatest common divisor (GCD) of this number and another.`
`30`		`- ///`
`31`		- /// Runs in variable time with respect to `rhs`.
`32`		`- pub fn gcd_vartime(&self, rhs: &BoxedUint) -> BoxedUint {`
`33`		`- bernstein_yang::boxed::gcd_vartime(self, rhs)`
	`27`	`+ fn gcd_vartime(&self, rhs: &Self) -> Self::Output {`
	`28`	`+ match Odd::<Self>::new(self.clone()).into_option() {`
	`29`	`+ Some(odd) => odd.gcd_vartime(rhs),`
	`30`	+ None => self.gcd(rhs), // TODO(tarcieri): vartime support for even `self`?
	`31`	`+ }`
`34`	`32`	`}`
`35`	`33`	`}`
`36`	`34`
`@@ -40,6 +38,10 @@ impl Gcd<BoxedUint> for Odd<BoxedUint> {`
`40`	`38`	`fn gcd(&self, rhs: &BoxedUint) -> BoxedUint {`
`41`	`39`	`bernstein_yang::boxed::gcd(self, rhs)`
`42`	`40`	`}`
	`41`	`+`
	`42`	`+ fn gcd_vartime(&self, rhs: &BoxedUint) -> Self::Output {`
	`43`	`+ bernstein_yang::boxed::gcd_vartime(self, rhs)`
	`44`	`+ }`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`#[cfg(test)]`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,13 @@ where`
`51`	`51`	`fn gcd(&self, rhs: &Self) -> Self {`
`52`	`52`	`self.gcd(rhs)`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ fn gcd_vartime(&self, rhs: &Self) -> Self::Output {`
	`56`	`+ match Odd::<Self>::new(*self).into_option() {`
	`57`	`+ Some(odd) => odd.gcd_vartime(rhs),`
	`58`	+ None => self.gcd(rhs), // TODO(tarcieri): vartime support for even `self`?
	`59`	`+ }`
	`60`	`+ }`
`54`	`61`	`}`
`55`	`62`
`56`	`63`	`impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Gcd<Uint<SAT_LIMBS>> for Odd<Uint<SAT_LIMBS>>`
`@@ -62,6 +69,10 @@ where`
`62`	`69`	`fn gcd(&self, rhs: &Uint<SAT_LIMBS>) -> Uint<SAT_LIMBS> {`
`63`	`70`	`<Odd<Self> as PrecomputeInverter>::Inverter::gcd(self, rhs)`
`64`	`71`	`}`
	`72`	`+`
	`73`	`+ fn gcd_vartime(&self, rhs: &Uint<SAT_LIMBS>) -> Self::Output {`
	`74`	`+ <Odd<Self> as PrecomputeInverter>::Inverter::gcd_vartime(self, rhs)`
	`75`	`+ }`
`65`	`76`	`}`
`66`	`77`
`67`	`78`	`#[cfg(test)]`