Use the Hacker's Delight integer comparison for Limb's subtle impls

Author: fjarri

src/const_choice.rs

@@ -71,10 +71,19 @@ impl ConstChoice {
     /// Returns the truthy value if `x < y`, and the falsy value otherwise.
     #[inline]
     pub(crate) const fn from_word_lt(x: Word, y: Word) -> Self {
+        // See "Hacker's Delight" 2nd ed, section 2-12 (Comparison predicates)
         let bit = (((!x) & y) | (((!x) | y) & (x.wrapping_sub(y)))) >> (Word::BITS - 1);
         Self::from_word_lsb(bit)
     }
 
+    /// Returns the truthy value if `x > y`, and the falsy value otherwise.
+    #[inline]
+    pub(crate) const fn from_word_gt(x: Word, y: Word) -> Self {
+        // See "Hacker's Delight" 2nd ed, section 2-12 (Comparison predicates)
+        let bit = (((!y) & x) | (((!y) | x) & (y.wrapping_sub(x)))) >> (Word::BITS - 1);
+        Self::from_word_lsb(bit)
+    }
+
     /// Returns the truthy value if `x < y`, and the falsy value otherwise.
     #[inline]
     pub(crate) const fn from_u32_lt(x: u32, y: u32) -> Self {
@@ -169,6 +178,20 @@ mod tests {
     use super::ConstChoice;
     use crate::Word;
 
+    #[test]
+    fn from_word_lt() {
+        assert_eq!(ConstChoice::from_word_lt(4, 5), ConstChoice::TRUE);
+        assert_eq!(ConstChoice::from_word_lt(5, 5), ConstChoice::FALSE);
+        assert_eq!(ConstChoice::from_word_lt(6, 5), ConstChoice::FALSE);
+    }
+
+    #[test]
+    fn from_word_gt() {
+        assert_eq!(ConstChoice::from_word_gt(4, 5), ConstChoice::FALSE);
+        assert_eq!(ConstChoice::from_word_gt(5, 5), ConstChoice::FALSE);
+        assert_eq!(ConstChoice::from_word_gt(6, 5), ConstChoice::TRUE);
+    }
+
     #[test]
     fn select() {
         let a: Word = 1;

src/limb/cmp.rs

@@ -54,16 +54,14 @@ impl ConstantTimeEq for Limb {
 impl ConstantTimeGreater for Limb {
     #[inline]
     fn ct_gt(&self, other: &Self) -> Choice {
-        let borrow = other.sbb(*self, Limb::ZERO).1;
-        Choice::from(borrow.0 as u8 & 1)
+        ConstChoice::from_word_gt(self.0, other.0).into()
     }
 }
 
 impl ConstantTimeLess for Limb {
     #[inline]
     fn ct_lt(&self, other: &Self) -> Choice {
-        let borrow = self.sbb(*other, Limb::ZERO).1;
-        Choice::from(borrow.0 as u8 & 1)
+        ConstChoice::from_word_lt(self.0, other.0).into()
     }
 }
 

src/modular/boxed_residue/mul.rs

@@ -247,7 +247,7 @@ fn sub_vv(z: &mut [Limb], x: &[Limb], y: &[Limb]) -> Limb {
     for (i, (&xi, &yi)) in x.iter().zip(y.iter()).enumerate().take(z.len()) {
         let zi = xi.wrapping_sub(yi).wrapping_sub(c);
         z[i] = zi;
-        // see "Hacker's Delight", section 2-12 (overflow detection)
+        // See "Hacker's Delight" 2nd ed, section 2-13 (Overflow detection)
         c = ((yi & !xi) | ((yi | !xi) & zi)) >> (Word::BITS - 1)
     }