ctutils: delegate CtAssign/CtEq for [T] to cmov (#1376)

`cmov` now contains optimized implementations of its `Cmov` and `CmovEq`
traits for the following slice types:

- `[i8]`, `[i16]`, `[i32]`, `[i64]`, `[i128]`
- `[u8]`, `[u16]`, `[u32]`, `[u64]`, `[u128]`

These impls coalesce the inputs into word-size chunks and perform the
underlying predication/equality testing operation on words, whereas the
generic implementation in this crate previously would widen each array
element to a word and perform the operation, which is much less
efficient.

We'd previously added duplicated specialized traits for operating on
bytes which called the fast path for `[u8]` in #1359, but not only are
the redundant traits annoying but such an optimization is useful for any
integer type smaller than the word size.

This commit removes the generic trait impls of `CtAssign`, `CtEq`, and
`CtSelect` for arrays and slices, factoring them into free functions in
the `array` and `slice` modules so they're still available, just not via
a trait-based interface.

Next, the existing macros for delegating to `cmov` like
`impl_ct_assign_with_cmov!` are used to delegate to the above slice
types. The array impls have been changed to be generic around when the
underlying slice type impls the same trait.

This means we have a bunch of specialized impls of these traits for the
core integer types which are always fast, instead of a leaky generic
implementation which is potentially quite slow. It means users may need
to add their own concrete impls where the generic impl would've
previously sufficed, but they can call into the generic implementations
in `array` and `slice` for that, and if it's too annoying we can add a
macro to write the impl for them.

The impl of `CtSelect` for `[T; N]` has been changed to bound on `T:
Clone` and `[T]: CtAssign`, but should perform well, and this is
actually more consistent with the impls on `Box` and `Vec`. The old
generic implementation which avoids a clone bound by using
`core::array::from_fn` is retained in the new `array` module.

Since the impls of `CtAssign` and `CtEq` for `[T]` and `[T; N]` should
now be fast (along with the `CtSelect` impl for `[T; N]`), this removes
the `BytesCt*` traits since they're no longer needed.

Author: tarcieri

ctutils/src/array.rs

@@ -0,0 +1,89 @@
+//! Array helpers: generic selection/equality operations for arrays.
+//!
+//! Use these in the event there isn't an impl of a given trait for `[T; N]`. If there is, however,
+//! you should prefer that for performance reasons.
+
+use crate::{Choice, CtAssign, CtEq, CtSelect, slice};
+
+/// Generic implementation of conditional assignment for arrays which works with any type which
+/// impls `CtSelect`. Useful in the event there isn't a `CtAssign` impl for `[T; N]`.
+///
+/// Assigns `src` to `dst` in constant-time when `choice` is [`Choice::TRUE`].
+///
+/// Unfortunately we can't provide this as a trait impl without specialization, since it would
+/// overlap with the optimized type-specific impls we provide.
+#[inline]
+pub fn ct_assign<T, const N: usize>(dst: &mut [T; N], src: &[T; N], choice: Choice)
+where
+    T: CtAssign,
+{
+    slice::ct_assign(dst, src, choice);
+}
+
+/// Generic implementation of constant-time equality testing for arrays which works with any type
+/// which impls `CtEq`. Useful in the event there isn't a `CtEq` impl for `[T; N]`.
+#[inline]
+pub fn ct_eq<T, const N: usize>(a: &[T; N], b: &[T; N]) -> Choice
+where
+    T: CtEq,
+{
+    let mut ret = Choice::TRUE;
+    for (a, b) in a.iter().zip(b.iter()) {
+        ret &= a.ct_eq(b);
+    }
+    ret
+}
+
+/// Generic implementation of conditional selection for arrays which works with any type which
+/// impls `CtSelect`. Useful in the event there isn't a `CtSelect` impl for `[T; N]`.
+///
+/// Selects `a` if `choice` is `Choice::FALSE`, and `b` if `choice` is `Choice::TRUE`.
+///
+/// Unfortunately we can't provide this as a trait impl without specialization, since it would
+/// overlap with the optimized type-specific impls we provide.
+#[inline]
+pub fn ct_select<T, const N: usize>(a: &[T; N], b: &[T; N], choice: Choice) -> [T; N]
+where
+    T: CtSelect,
+{
+    core::array::from_fn(|i| T::ct_select(&a[i], &b[i], choice))
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::Choice;
+
+    // Note: this violates our own advice not to use these functions with e.g. `[u8; N]` but this
+    // is just for testing purposes
+    const EXAMPLE_A: [u8; 3] = [1, 2, 3];
+    const EXAMPLE_B: [u8; 3] = [4, 5, 6];
+
+    #[test]
+    fn ct_assign() {
+        let mut x = EXAMPLE_A;
+
+        super::ct_assign(&mut x, &EXAMPLE_B, Choice::FALSE);
+        assert_eq!(EXAMPLE_A, x);
+
+        super::ct_assign(&mut x, &EXAMPLE_B, Choice::TRUE);
+        assert_eq!(EXAMPLE_B, x);
+    }
+
+    #[test]
+    fn ct_eq() {
+        assert!(super::ct_eq(&EXAMPLE_A, &EXAMPLE_A).to_bool());
+        assert!(!super::ct_eq(&EXAMPLE_A, &EXAMPLE_B).to_bool());
+    }
+
+    #[test]
+    fn ct_select() {
+        assert_eq!(
+            EXAMPLE_A,
+            super::ct_select(&EXAMPLE_A, &EXAMPLE_B, Choice::FALSE)
+        );
+        assert_eq!(
+            EXAMPLE_B,
+            super::ct_select(&EXAMPLE_A, &EXAMPLE_B, Choice::TRUE)
+        );
+    }
+}

ctutils/src/bytes.rs

@@ -162,7 +162,7 @@ impl<T> CtOption<T> {
     /// Conditionally inserts `value` into the [`CtOption`] if the given condition holds.
     pub fn insert_if(&mut self, value: &T, condition: Choice)
     where
-        T: CtSelect,
+        T: CtAssign,
     {
         self.value.ct_assign(value, condition);
         self.is_some.ct_assign(&Choice::TRUE, condition);

ctutils/src/ct_option.rs

@@ -91,12 +91,13 @@
 #[cfg(feature = "alloc")]
 extern crate alloc;
 
-mod bytes;
+pub mod array;
+pub mod slice;
+
 mod choice;
 mod ct_option;
 mod traits;
 
-pub use bytes::{BytesCtAssign, BytesCtEq, BytesCtSelect};
 pub use choice::Choice;
 pub use ct_option::CtOption;
 pub use traits::{

ctutils/src/lib.rs

@@ -0,0 +1,82 @@
+//! Slice helpers: generic selection/equality operations for slices.
+//!
+//! Use these in the event there isn't an impl of a given trait for `[T]`. If there is, however,
+//! you should prefer that for performance reasons.
+
+use crate::{Choice, CtAssign, CtEq};
+
+/// Generic implementation of conditional assignment for slices which works with any type which
+/// impls `CtSelect`. Useful in the event there isn't a `CtAssign` impl for `[T]`.
+///
+/// Assigns `src` to `dst` in constant-time when `choice` is [`Choice::TRUE`], like a conditional
+/// version of `[T]::copy_from_slice`.
+///
+/// Unfortunately we can't provide this as a trait impl without specialization, since it would
+/// overlap with the optimized type-specific impls we provide.
+///
+/// # Panics
+/// - If the two slices have unequal lengths
+#[inline]
+pub fn ct_assign<T>(dst: &mut [T], src: &[T], choice: Choice)
+where
+    T: CtAssign,
+{
+    assert_eq!(
+        dst.len(),
+        src.len(),
+        "source slice length ({}) does not match destination slice length ({})",
+        src.len(),
+        dst.len()
+    );
+
+    for (a, b) in dst.iter_mut().zip(src) {
+        a.ct_assign(b, choice)
+    }
+}
+
+/// Generic implementation of constant-time equality testing for slices which works with any type
+/// which impls `CtEq`. Useful in the event there isn't a `CtEq` impl for `[T]`.
+// NOTE: `cfg` gated because it uses the `CtEq` impl on `usize`
+#[cfg(any(
+    target_pointer_width = "16",
+    target_pointer_width = "32",
+    target_pointer_width = "64"
+))]
+#[inline]
+pub fn ct_eq<T>(a: &[T], b: &[T]) -> Choice
+where
+    T: CtEq,
+{
+    let mut ret = a.len().ct_eq(&b.len());
+    for (a, b) in a.iter().zip(b.iter()) {
+        ret &= a.ct_eq(b);
+    }
+    ret
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::Choice;
+
+    // Note: this violates our own advice not to use these functions with e.g. `[u8]` but this
+    // is just for testing purposes
+    const EXAMPLE_A: &[u8] = &[1, 2, 3];
+    const EXAMPLE_B: &[u8] = &[4, 5, 6];
+
+    #[test]
+    fn ct_assign() {
+        let mut x = [0u8; 3];
+
+        super::ct_assign(&mut x, EXAMPLE_A, Choice::FALSE);
+        assert_eq!([0u8; 3], x);
+
+        super::ct_assign(&mut x, EXAMPLE_A, Choice::TRUE);
+        assert_eq!(EXAMPLE_A, x);
+    }
+
+    #[test]
+    fn ct_eq() {
+        assert!(super::ct_eq(EXAMPLE_A, EXAMPLE_A).to_bool());
+        assert!(!super::ct_eq(EXAMPLE_A, EXAMPLE_B).to_bool());
+    }
+}