Merge bitcoin/bitcoin#21590: Safegcd-based modular inverses in MuHash3072

f588328 Add a fuzz test for Num3072 multiplication and inversion (Pieter Wuille)
a26ce62 Safegcd based modular inverse for Num3072 (Pieter Wuille)
91ce8ce Add benchmark for MuHash finalization (Pieter Wuille)

Pull request description:

  This implements a safegcd-based modular inverse for MuHash3072. It is a fairly straightforward translation of [the libsecp256k1 implementation](bitcoin-core/secp256k1#831), with the following changes:
  * Generic for 32-bit and 64-bit
  * Specialized for the specific MuHash3072 modulus (2^3072 - 1103717).
  * A bit more C++ish
  * Far fewer sanity checks

  A benchmark is also included for MuHash3072::Finalize. The new implementation is around 100x faster on x86_64 for me (from 5.8 ms to 57 μs); for 32-bit code the factor is likely even larger.

  For more information:
    * [Original paper](https://gcd.cr.yp.to/papers.html) by Daniel J. Bernstein and Bo-Yin Yang
    * [Implementation](bitcoin-core/secp256k1#767) for libsecp256k1 by Peter Dettman; and the [final](bitcoin-core/secp256k1#831) version
    * [Explanation](https://github.com/bitcoin-core/secp256k1/blob/master/doc/safegcd_implementation.md) of the algorithm using Python snippets
    * [Analysis](https://github.com/sipa/safegcd-bounds) of the maximum number of iterations the algorithm needs
     * [Formal proof in Coq](https://medium.com/blockstream/a-formal-proof-of-safegcd-bounds-695e1735a348) by Russell O'Connor (for the 256-bit version of the algorithm; here we use a 3072-bit one).

ACKs for top commit:
  achow101:
    ACK f588328
  TheCharlatan:
    Re-ACK f588328
  dergoegge:
    tACK f588328

Tree-SHA512: 275872c61d30817a82901dee93fc7153afca55c32b72a95b8768f3fd464da1b09b36f952f30e70225e766b580751cfb9b874b2feaeb73ffaa6943c8062aee19a

Author: achow101

CMakeLists.txt

@@ -397,6 +397,7 @@ target_link_libraries(core_interface INTERFACE warn_interface)
 if(MSVC)
   try_append_cxx_flags("/W3" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("/wd4018" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("/wd4146" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("/wd4244" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("/wd4267" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("/wd4715" TARGET warn_interface SKIP_LINK)

src/arith_uint256.cpp

@@ -229,3 +229,7 @@ arith_uint256 UintToArith256(const uint256 &a)
         b.pn[x] = ReadLE32(a.begin() + x*4);
     return b;
 }
+
+// Explicit instantiations for base_uint<6144> (used in test/fuzz/muhash.cpp).
+template base_uint<6144>& base_uint<6144>::operator*=(const base_uint<6144>& b);
+template base_uint<6144>& base_uint<6144>::operator/=(const base_uint<6144>& b);

src/bench/crypto_hash.cpp

@@ -249,6 +249,19 @@ static void MuHashPrecompute(benchmark::Bench& bench)
     });
 }
 
+static void MuHashFinalize(benchmark::Bench& bench)
+{
+    FastRandomContext rng(true);
+    MuHash3072 acc{rng.randbytes(32)};
+    acc /= MuHash3072{rng.rand256()};
+
+    bench.run([&] {
+        uint256 out;
+        acc.Finalize(out);
+        acc /= MuHash3072{out};
+    });
+}
+
 BENCHMARK(BenchRIPEMD160, benchmark::PriorityLevel::HIGH);
 BENCHMARK(SHA1, benchmark::PriorityLevel::HIGH);
 BENCHMARK(SHA256_STANDARD, benchmark::PriorityLevel::HIGH);
@@ -272,3 +285,4 @@ BENCHMARK(MuHash, benchmark::PriorityLevel::HIGH);
 BENCHMARK(MuHashMul, benchmark::PriorityLevel::HIGH);
 BENCHMARK(MuHashDiv, benchmark::PriorityLevel::HIGH);
 BENCHMARK(MuHashPrecompute, benchmark::PriorityLevel::HIGH);
+BENCHMARK(MuHashFinalize, benchmark::PriorityLevel::HIGH);