Some fixes for modular inversion (#159)

- Break long lines in comments and tests and fix some hardcoded bit sizes
- Fix the hardcoded `Limb` size in `inv_odd_mod()` - was set to 64 (did not
  cause errors, just made the inversion twice as slow on 32-bit targets)
- Added `inv_odd_mod_bounded()` for cases of argument/modulus known to be small
- Removed `inv_odd_mod_option()` - we do not provide such interface for other
  constant functions

Additionally:
- Introduced a `CtChoice` newtype for constant-time const fns
- Replaced some multiplications by `Word::MAX` with negations
- Normalized constant-time comparisons API in `Limb` and `Uint`: removed
  `ct_cmp()` (we never need it in constant-time context,
  `ct_gt()`/`ct_lt()`/`ct_eq()` are enough), matched const fns with `subtle`
  trait methods, matched methods between `Limb` and `Uint`
- Removed `SignedWord` and `SignedWideWord`
- `Uint` objects are taken by reference where previously taken by value.

Author: fjarri

benches/bench.rs

@@ -89,12 +89,12 @@ fn bench_modpow<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
 
     let params = moduli
         .iter()
-        .map(|modulus| DynResidueParams::new(*modulus))
+        .map(|modulus| DynResidueParams::new(modulus))
         .collect::<Vec<_>>();
     let xs_m = xs
         .iter()
         .zip(params.iter())
-        .map(|(x, p)| DynResidue::new(*x, *p))
+        .map(|(x, p)| DynResidue::new(x, *p))
         .collect::<Vec<_>>();
 
     group.bench_function("modpow, 4^4", |b| {

src/ct_choice.rs

@@ -0,0 +1,83 @@
+use subtle::Choice;
+
+use crate::Word;
+
+/// A boolean value returned by constant-time `const fn`s.
+// TODO: should be replaced by `subtle::Choice` or `CtOption`
+// when `subtle` starts supporting const fns.
+#[derive(Debug, Copy, Clone)]
+pub struct CtChoice(Word);
+
+impl CtChoice {
+    /// The falsy vaue.
+    pub const FALSE: Self = Self(0);
+
+    /// The truthy vaue.
+    pub const TRUE: Self = Self(Word::MAX);
+
+    /// Returns the truthy value if `value == Word::MAX`, and the falsy value if `value == 0`.
+    /// Panics for other values.
+    pub(crate) const fn from_mask(value: Word) -> Self {
+        debug_assert!(value == Self::FALSE.0 || value == Self::TRUE.0);
+        Self(value)
+    }
+
+    /// Returns the truthy value if `value == 1`, and the falsy value if `value == 0`.
+    /// Panics for other values.
+    pub(crate) const fn from_lsb(value: Word) -> Self {
+        debug_assert!(value == Self::FALSE.0 || value == 1);
+        Self(value.wrapping_neg())
+    }
+
+    pub(crate) const fn not(&self) -> Self {
+        Self(!self.0)
+    }
+
+    pub(crate) const fn and(&self, other: Self) -> Self {
+        Self(self.0 & other.0)
+    }
+
+    pub(crate) const fn or(&self, other: Self) -> Self {
+        Self(self.0 | other.0)
+    }
+
+    /// Return `b` if `self` is truthy, otherwise return `a`.
+    pub(crate) const fn select(&self, a: Word, b: Word) -> Word {
+        a ^ (self.0 & (a ^ b))
+    }
+
+    /// Return `x` if `self` is truthy, otherwise return 0.
+    pub(crate) const fn if_true(&self, x: Word) -> Word {
+        x & self.0
+    }
+
+    pub(crate) const fn is_true_vartime(&self) -> bool {
+        self.0 == CtChoice::TRUE.0
+    }
+}
+
+impl From<CtChoice> for Choice {
+    fn from(choice: CtChoice) -> Self {
+        Choice::from(choice.0 as u8 & 1)
+    }
+}
+
+impl From<CtChoice> for bool {
+    fn from(choice: CtChoice) -> Self {
+        choice.is_true_vartime()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::CtChoice;
+    use crate::Word;
+
+    #[test]
+    fn select() {
+        let a: Word = 1;
+        let b: Word = 2;
+        assert_eq!(CtChoice::TRUE.select(a, b), b);
+        assert_eq!(CtChoice::FALSE.select(a, b), a);
+    }
+}

src/lib.rs

@@ -161,6 +161,7 @@ mod nlimbs;
 #[cfg(feature = "generic-array")]
 mod array;
 mod checked;
+mod ct_choice;
 mod limb;
 mod non_zero;
 mod traits;
@@ -169,6 +170,7 @@ mod wrapping;
 
 pub use crate::{
     checked::Checked,
+    ct_choice::CtChoice,
     limb::{Limb, WideWord, Word},
     non_zero::NonZero,
     traits::*,
@@ -178,8 +180,6 @@ pub use crate::{
 };
 pub use subtle;
 
-pub(crate) use limb::{SignedWord, WideSignedWord};
-
 #[cfg(feature = "generic-array")]
 pub use {
     crate::array::{ArrayDecoding, ArrayEncoding, ByteArray},

src/limb.rs

@@ -38,18 +38,10 @@ compile_error!("this crate builds on 32-bit and 64-bit platforms only");
 #[cfg(target_pointer_width = "32")]
 pub type Word = u32;
 
-/// Signed integer type that corresponds to [`Word`].
-#[cfg(target_pointer_width = "32")]
-pub(crate) type SignedWord = i32;
-
 /// Unsigned wide integer type: double the width of [`Word`].
 #[cfg(target_pointer_width = "32")]
 pub type WideWord = u64;
 
-/// Signed wide integer type: double the width of [`Limb`].
-#[cfg(target_pointer_width = "32")]
-pub(crate) type WideSignedWord = i64;
-
 //
 // 64-bit definitions
 //
@@ -58,18 +50,10 @@ pub(crate) type WideSignedWord = i64;
 #[cfg(target_pointer_width = "64")]
 pub type Word = u64;
 
-/// Signed integer type that corresponds to [`Word`].
-#[cfg(target_pointer_width = "64")]
-pub(crate) type SignedWord = i64;
-
 /// Wide integer type: double the width of [`Word`].
 #[cfg(target_pointer_width = "64")]
 pub type WideWord = u128;
 
-/// Signed wide integer type: double the width of [`SignedWord`].
-#[cfg(target_pointer_width = "64")]
-pub(crate) type WideSignedWord = i128;
-
 /// Highest bit in a [`Limb`].
 pub(crate) const HI_BIT: usize = Limb::BITS - 1;
 
@@ -106,14 +90,6 @@ impl Limb {
     /// Size of the inner integer in bytes.
     #[cfg(target_pointer_width = "64")]
     pub const BYTES: usize = 8;
-
-    /// Return `a` if `c`==0 or `b` if `c`==`Word::MAX`.
-    ///
-    /// Const-friendly: we can't yet use `subtle` in `const fn` contexts.
-    #[inline]
-    pub(crate) const fn ct_select(a: Self, b: Self, c: Word) -> Self {
-        Self(a.0 ^ (c & (a.0 ^ b.0)))
-    }
 }
 
 impl Bounded for Limb {

src/limb/cmp.rs

@@ -1,6 +1,7 @@
 //! Limb comparisons
 
-use super::{Limb, SignedWord, WideSignedWord, Word, HI_BIT};
+use super::HI_BIT;
+use crate::{CtChoice, Limb};
 use core::cmp::Ordering;
 use subtle::{Choice, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess};
 
@@ -24,58 +25,45 @@ impl Limb {
         self.0 == other.0
     }
 
-    /// Returns all 1's if `a`!=0 or 0 if `a`==0.
-    ///
-    /// Const-friendly: we can't yet use `subtle` in `const fn` contexts.
+    /// Return `b` if `c` is truthy, otherwise return `a`.
     #[inline]
-    pub(crate) const fn is_nonzero(self) -> Word {
-        let inner = self.0 as SignedWord;
-        ((inner | inner.saturating_neg()) >> HI_BIT) as Word
+    pub(crate) const fn ct_select(a: Self, b: Self, c: CtChoice) -> Self {
+        Self(c.select(a.0, b.0))
     }
 
+    /// Returns the truthy value if `self != 0` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_cmp(lhs: Self, rhs: Self) -> SignedWord {
-        let a = lhs.0 as WideSignedWord;
-        let b = rhs.0 as WideSignedWord;
-        let gt = ((b - a) >> Limb::BITS) & 1;
-        let lt = ((a - b) >> Limb::BITS) & 1 & !gt;
-        (gt as SignedWord) - (lt as SignedWord)
+    pub(crate) const fn ct_is_nonzero(&self) -> CtChoice {
+        let inner = self.0;
+        CtChoice::from_lsb((inner | inner.wrapping_neg()) >> HI_BIT)
     }
 
-    /// Returns `Word::MAX` if `lhs == rhs` and `0` otherwise.
+    /// Returns the truthy value if `lhs == rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_eq(lhs: Self, rhs: Self) -> Word {
+    pub(crate) const fn ct_eq(lhs: Self, rhs: Self) -> CtChoice {
         let x = lhs.0;
         let y = rhs.0;
 
-        // c == 0 if and only if x == y
-        let c = x ^ y;
-
-        // If c == 0, then c and -c are both equal to zero;
-        // otherwise, one or both will have its high bit set.
-        let d = (c | c.wrapping_neg()) >> (Limb::BITS - 1);
-
-        // Result is the opposite of the high bit (now shifted to low).
-        // Convert 1 to Word::MAX.
-        (d ^ 1).wrapping_neg()
+        // x ^ y == 0 if and only if x == y
+        Self(x ^ y).ct_is_nonzero().not()
     }
 
-    /// Returns `Word::MAX` if `lhs < rhs` and `0` otherwise.
+    /// Returns the truthy value if `lhs < rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_lt(lhs: Self, rhs: Self) -> Word {
+    pub(crate) const fn ct_lt(lhs: Self, rhs: Self) -> CtChoice {
         let x = lhs.0;
         let y = rhs.0;
         let bit = (((!x) & y) | (((!x) | y) & (x.wrapping_sub(y)))) >> (Limb::BITS - 1);
-        bit.wrapping_neg()
+        CtChoice::from_lsb(bit)
     }
 
-    /// Returns `Word::MAX` if `lhs <= rhs` and `0` otherwise.
+    /// Returns the truthy value if `lhs <= rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_le(lhs: Self, rhs: Self) -> Word {
+    pub(crate) const fn ct_le(lhs: Self, rhs: Self) -> CtChoice {
         let x = lhs.0;
         let y = rhs.0;
         let bit = (((!x) | y) & ((x ^ y) | !(y.wrapping_sub(x)))) >> (Limb::BITS - 1);
-        bit.wrapping_neg()
+        CtChoice::from_lsb(bit)
     }
 }
 

src/uint/add.rs

@@ -1,6 +1,6 @@
 //! [`Uint`] addition operations.
 
-use crate::{Checked, CheckedAdd, Limb, Uint, Word, Wrapping, Zero};
+use crate::{Checked, CheckedAdd, CtChoice, Limb, Uint, Wrapping, Zero};
 use core::ops::{Add, AddAssign};
 use subtle::CtOption;
 
@@ -37,12 +37,16 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         self.adc(rhs, Limb::ZERO).0
     }
 
-    /// Perform wrapping addition, returning the overflow bit as a `Word` that is either 0...0 or 1...1.
-    pub(crate) const fn conditional_wrapping_add(&self, rhs: &Self, choice: Word) -> (Self, Word) {
-        let actual_rhs = Uint::ct_select(Uint::ZERO, *rhs, choice);
+    /// Perform wrapping addition, returning the truthy value as the second element of the tuple
+    /// if an overflow has occurred.
+    pub(crate) const fn conditional_wrapping_add(
+        &self,
+        rhs: &Self,
+        choice: CtChoice,
+    ) -> (Self, CtChoice) {
+        let actual_rhs = Uint::ct_select(&Uint::ZERO, rhs, choice);
         let (sum, carry) = self.adc(&actual_rhs, Limb::ZERO);
-
-        (sum, carry.0.wrapping_mul(Word::MAX))
+        (sum, CtChoice::from_lsb(carry.0))
     }
 }