Boxed uintlike coverage

[xuganyu96]

This is an attempt to implement for BoxedUint the missing arithmetic needed for crypto-primes (see entropyxyz/crypto-primes#37 (comment)).

This is the continuation of #428.

[xuganyu96]

@tarcieri @fjarri this PR it ready for review. Thank you!

[tarcieri]

BoxedUint can't be instantiated in a const fn context because it's heap-allocated

[xuganyu96]

When should a function return (Value, Choice) instead of CtChoice(Value)?

In boxed/sqrt.rs the implementation of sqrt uses a NonZero::<BoxedUint>::new(x) whose value needs to be used whether x is zero or not, but BoxedUint is not ConditionallySelectable so I can't use CtChoice's map and unwrap_or. It seems like having a NonZero::<BoxedUint>::new that returns (NonZero<BoxedUint>, Choice) would be necessary, but the current new's signature doesn't work this way, and such a new is definitely not const_new.

[tarcieri]

The (hopefully temporary) workaround for that sort of thing is BoxedUint::conditional_map.

I'm trying to find an upstream solution in subtle but it may be necessary to define traits shaped like the ones in that PR in crypto-bigint as a stopgap (and a CtOption-alike type, possibly ConstCtOption) /cc @fjarri

[xuganyu96]

I saw the ConstantTimeSelect trait and will use ct_select and ct_assign where appropriate. Thank you for the implementation!

[tarcieri]

This is already impl'd as BoxedUint::conditional_select. You can use Into to convert from ConstChoice to Choice.

[tarcieri]

This is already impl'd as BoxedUint::ct_gt. Really there's not a lot of point in supporting ConstChoice with BoxedUint, and the least-common-denominator trait API should use Choice instead (which provides an optimization barrier in non-const fn contexts, which is the only place BoxedUint can be used)

[tarcieri]

This is fine to get this implemented, but in a followup PR (which I'm happy to do) it should probably get a similar macro treatment to the multiply functions so Uint and BoxedUint can share a common implementation.

[xuganyu96]

Note to myself:

• use conditional_map in BoxedUint::sqrt

Edit: this is no longer needed; we can now use <BoxedUint as ConstantTimeSelect>::ct_select

[tarcieri]

This is a little confusing due to the name clash which makes it almost look like it's going to recurse, although it's hard to suggest something better

[xuganyu96]

What about using fully qualified namespace like div_by_2::boxed::div_by_2?

[tarcieri]

Sure, sounds good

[xuganyu96]

Newest commits:

• Used ConstantTimeSelect::{ct_assign, ct_select} where appropriate (see boxed/sqrt.rs and div_by_2)
• Added ConstCtOption<NonZero<Limb>>::expect (for use in crypto-primes)

[tarcieri]

Suggested change

	let mut b = 0;
	let mut i = 0;
	while i < self.limbs.len() {
	b |= self.limbs[i].0;
	i += 1;
	}
	Limb(b).is_nonzero().into()
	let choice = Choice::from(1u8);
	for limb in &self.limbs {
	choice &= limb.ct_eq(&Limb::ZERO);
	}
	choice

[xuganyu96]

How about just !self.is_zero()? The logic suggested above is basically what is_zero uses but backwards.

[tarcieri]

I mean, we can do that, but other instances can be replaced with !x.is_zero() too. It makes less sense when const fn isn't required

[tarcieri]

I factored these into methods on e.g. in this case BoxedUint: #484

You can use ConstCtChoice now.

[tarcieri]

Since these can't be constructed at compile-time, it would probably be good to make it fallible

[tarcieri]

?

[xuganyu96]

I originally made them to accommodate the requirement from crypto-primes, but now I realized I can use overflowing_shl/overflowing_shr to achieve the same thing, so I felt no need to add shl_vartime/shr_vartime for BoxedUint.

[tarcieri]

Err, I added shl_vartime in #330. The reason we have *_vartime equivalents of the sh* methods is because they can be quite a bit faster.

[fjarri]

Oh now I see the reason for all the replaced _vartime methods previously. Yes, we should keep these.

[tarcieri]

?

[xuganyu96]

Same as above.

[tarcieri]

@xuganyu96 sorry about the rebase you're gonna have to do after #485, but we'll try to get this merged ASAP once you do!

[xuganyu96]

@xuganyu96 sorry about the rebase you're gonna have to do after #485, but we'll try to get this merged ASAP once you do!

Totally not an issue. Thank you for being so thorough with my PR!

[fjarri]

Why the change here? And if you're benchmarking overflowing_shl now, the string label should be changed too.

[xuganyu96]

Yeah sorry I think I got really confused between the various shl/shr functions.

[fjarri]

There would be no need for clone if it was an inplace method, but if it creates a new number, I think cloning is unavoidable.

[tarcieri]

When std is available they're stored as an Arc, so cloning is cheap (incrementing an atomic reference counter)

[fjarri]

I think putting different variants of this function in modules is a bit of an overcomplication, perhaps just different suffixes would suffice.

[fjarri]

Any specific reason for the change here?

[xuganyu96]

Another instance of me being confused. Will restore back to its original state.

[fjarri]

I have a feeling that using comparisons between limbs instead of subtraction may be faster. Put a TODO perhaps?

[fjarri]

It's a vartime method, no need to use a constant-time overflowing_shl here

[fjarri]

Same as above, no need for a constant-time shift here.

[fjarri]

This should reference the paper the algorithm was taken from.

[fjarri]

Since this test tests a function from uint::reciprocal, perhaps it should be located there.

[xuganyu96]

This test is actually an exact copy of the same test in uint::div_limb. I will delete this one in boxed/div_limb.rs.

[fjarri]

lt and select should really be moved to ConstChoice - forgot to do that in #458

[xuganyu96]

I've added them as TODO's.

[xuganyu96]

@tarcieri @fjarri sorry but I felt I lost track of where I made changes that overrode your work (e.g. shl_vartime and shr_vartime). I've opened another PR #489.