From dc0db358abe19481e475e10c32149b53370f1a1c Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 30 May 2024 05:57:31 +0200 Subject: Merging upstream version 1.72.1+dfsg1. Signed-off-by: Daniel Baumann --- vendor/crypto-bigint/.cargo-checksum.json | 2 +- vendor/crypto-bigint/CHANGELOG.md | 15 ++ vendor/crypto-bigint/Cargo.toml | 4 +- vendor/crypto-bigint/SECURITY.md | 17 ++ vendor/crypto-bigint/benches/bench.rs | 205 ++++++++++++--------- vendor/crypto-bigint/src/ct_choice.rs | 10 +- vendor/crypto-bigint/src/traits.rs | 2 +- vendor/crypto-bigint/src/uint/add_mod.rs | 19 +- vendor/crypto-bigint/src/uint/div_limb.rs | 2 +- vendor/crypto-bigint/src/uint/modular.rs | 1 + .../crypto-bigint/src/uint/modular/constant_mod.rs | 20 +- vendor/crypto-bigint/src/uint/modular/div_by_2.rs | 30 +++ vendor/crypto-bigint/src/uint/modular/reduction.rs | 53 +++--- .../crypto-bigint/src/uint/modular/runtime_mod.rs | 33 +++- vendor/crypto-bigint/src/uint/shr.rs | 3 +- vendor/crypto-bigint/src/uint/sub_mod.rs | 33 ++-- vendor/crypto-bigint/tests/proptests.rs | 21 +++ 17 files changed, 313 insertions(+), 157 deletions(-) create mode 100644 vendor/crypto-bigint/SECURITY.md create mode 100644 vendor/crypto-bigint/src/uint/modular/div_by_2.rs (limited to 'vendor/crypto-bigint') diff --git a/vendor/crypto-bigint/.cargo-checksum.json b/vendor/crypto-bigint/.cargo-checksum.json index eed045a58..f3dbb6d66 100644 --- a/vendor/crypto-bigint/.cargo-checksum.json +++ b/vendor/crypto-bigint/.cargo-checksum.json @@ -1 +1 @@ -{"files":{"CHANGELOG.md":"814f556bf1cb41818e24952fa2c93c03816b58541512b4dfcc601dc388aa6803","Cargo.toml":"e65884cdbab78ae9fee2a26a34e19e7ae44807cda8c17184ac059f0a1a6587a9","LICENSE-APACHE":"a9040321c3712d8fd0b09cf52b17445de04a23a10165049ae187cd39e5c86be5","LICENSE-MIT":"90c503b61dee04e1449c323ec34c229dfb68d7adcb96c7e140ee55f70fce2d8e","README.md":"156e2a5386e3e58d81fb53755050ae8b68419ccfc7b924339fe2a03f0a891b21","benches/bench.rs":"f98350c5b814c8e81c2a149c0f160e17b214d5d176d0b07c6702ad6c91690ad8","src/array.rs":"9b18991230aa12e88ac358cdb202f4225fcee58788e29c34ab931e29ba5a92aa","src/checked.rs":"7fc5e0f6b3116178f032189c2682b5f911e142705c1b0fa1b6e607b658407111","src/ct_choice.rs":"a70284044099185d21108d7aa4763e53bbd080f722aae3eb111c743fcc10191f","src/lib.rs":"5b7ec21da96948e5616b2ad74e18328b6c628f1fb9879f9d03a04c40c6a099e3","src/limb.rs":"66b217e8eb16ad235141032396bd12c19cd7adbc07fb706131dd1d1286253207","src/limb/add.rs":"c4cfbae55657e8366dfacf2ed26cc6cf4c547f810df26566f3f23d2287697cd2","src/limb/bit_and.rs":"019f888b11e16fafbd0518eb5b583094a5e8490f59f458195db9306d86e1adaa","src/limb/bit_not.rs":"0fa7cdec58e1d3058daee88ef26f07ad0ba9e545505c97a130b47ef3fdf46c5a","src/limb/bit_or.rs":"1b5f85eac6768d460070da05b4a1257cceafff2b612b63a609aff3ff48df8480","src/limb/bit_xor.rs":"06acf291a316aa1fa2311bedd1a7aca5170564735c1f0b1103ed9e2c6f24f096","src/limb/bits.rs":"946eebb652a73809b86d2e804ed52e90bfee54db0bba3f3f10088f778d1fda51","src/limb/cmp.rs":"a59f12dccac4c482a658c9114ea8cb0a20d699cf47e85371b506811e47402cae","src/limb/encoding.rs":"29c9f0d86bfc63c8a5f510ef7f5ced1256697b8f5170ba9b98429241d1191a79","src/limb/from.rs":"7f595d9085730f95d2fe776a81e6f174061c9c4ec89a1fd85ab26feeaae0c2ad","src/limb/mul.rs":"dbfa013061fc5d8cff5bf49814d9acd3d00d386211fbd657091a813bca977820","src/limb/rand.rs":"770463d84aa86d432b294975b62fd4f95b7dbee93a78ec2c2f3e03e23ea21fdb","src/limb/shl.rs":"8d0cd4029375c7a66c0b72e21a8634a805cd5cc8c78320c1466f16ee0b16dbc7","src/limb/shr.rs":"c60b47739213722f7b4e7473d40be2f207484efbf8344cb7920558870aa5169c","src/limb/sub.rs":"2fe52b63f4876beb4d6fb44f2d04ac62231d66b7071097d592c690ceb4944764","src/nlimbs.rs":"aaa691ccb535ccee810c7d477365a0bbb1b84dc4b7d7940f38cdefa5153af160","src/non_zero.rs":"0bb0985b7c61c08a57fcb360d87aa72f14d8f8dcb05910eefde538cc2579d040","src/traits.rs":"a93779d22287a56759a9d5f35c98f9e83f04253dac4821fd0c9127ea3780c818","src/uint.rs":"a1d6dda171688909661fdc3c109aa7a1cbd41c3b19fa44a2d309a3d69930e2c0","src/uint/add.rs":"e898b553ccf6a3736acbd5fe46e81b8650da9dedd93f31afd588c6385f30337b","src/uint/add_mod.rs":"16e9016c6aaf2bf2e6ff70577dda20bdc7f61c94f49a78fe3612fc71e7c75652","src/uint/array.rs":"b67ccdddc41a155603604eff356419924628c99d38ac753e78e151715c2c06b0","src/uint/bit_and.rs":"54ebcac0e1a481d31e26a2acf3abda3de0ad6775225d02d41549aea4d1d5364a","src/uint/bit_not.rs":"b593a48c0e65849ea643f0a3624d2e8d3fc35d8f16a6b2a5e9de2728f0ad2fb4","src/uint/bit_or.rs":"0fd351e1558c7b067be8fa45329e33c0e43111b4dfa7954a0837af88a3f733e8","src/uint/bit_xor.rs":"4975f3df64a114313fd2d02993c6f7ce5ac02144534c15f2be310022261d18b6","src/uint/bits.rs":"e0e7dec077a48c6c34ad053865d249e1c0eb5aad7d259ac7405046a77247a826","src/uint/cmp.rs":"d9076c07a5202327e42a20141bee7d8d794b5c52c9ad85c4945562e87908167d","src/uint/concat.rs":"8380f869177437cec11ac8d1295f17c7f21a507a870fac458c7cfa6b7a24dd40","src/uint/div.rs":"6ad5c3df95a041e0b0a4f4a30f11cebc078fb2e98de13dfae3de68fc7b14be70","src/uint/div_limb.rs":"fd864b5ed500275b81e6e4d7a7899f9a2953dc6ab2b864f3756347f57b9a764f","src/uint/encoding.rs":"7e846d3b6a7a986a43999b19e191110249296a856a3baf492f164af997e24086","src/uint/encoding/der.rs":"0873e5f48616d297402abba5805012f6aa2c240e321bae79eb9493764c6c1494","src/uint/encoding/rlp.rs":"c6fe852dc5a205adf4ad843460ddbf0340338fccbc17bf804f74f65d3b20693b","src/uint/from.rs":"6d4ff78aea799466dcdb52d8f55086a0f4a12a1bf3a07850457971d87792a0ac","src/uint/inv_mod.rs":"42294a2ddd4b7a75760707486e4f9d7259f3c7dffcabe95bc0edafd4f85367f2","src/uint/modular.rs":"4f2e7128c3f96bcb8d974c0b026f9882c8503815c993ae56da7b54f5407d24c0","src/uint/modular/add.rs":"6dd440f71305fcebe970ca51ef4a218574075978ab22ccbea7df03227a4b1dec","src/uint/modular/constant_mod.rs":"b9a041d6d8a82df71a5ba3f5a688f2652640de6bd8de68ef73bd16f5761eda3f","src/uint/modular/constant_mod/const_add.rs":"5e2acd3d079f77d31d947fb5deb0bc6a230b483604292e775381eefff8beeb3e","src/uint/modular/constant_mod/const_inv.rs":"1b102fee00c7842ede1c2daed40191efc23c810b381316b1515257ac858dbe38","src/uint/modular/constant_mod/const_mul.rs":"d5250adbc8dee03840c3cfc44c24253469605bf9e3b397e42dbd036b19b283ac","src/uint/modular/constant_mod/const_neg.rs":"29479fed061c2ba34550d098d8255b50a827c93aa6d39af0138c86e8bb006d69","src/uint/modular/constant_mod/const_pow.rs":"19dcaecdb27f60253ed9600cbc2c65738fbc016f35e95cd2674be87d8f0d9728","src/uint/modular/constant_mod/const_sub.rs":"6cc421643c7ce79a6346c83cf9caaeedcda0f3c61827f1563dad85d4595bf95e","src/uint/modular/constant_mod/macros.rs":"f96334c7f8ba107b69ee8d471422d76ec3be0b38ff61a60b13ddbd483d5347b8","src/uint/modular/inv.rs":"7b529a240694b5ed24dc51a2d7cb780877f2fc36b93e90c140ee5fc44ab8a67d","src/uint/modular/mul.rs":"366e145a5cd5af8af2e5eb831592e8df773244cb43e826863d3ed973b40404a6","src/uint/modular/pow.rs":"2387c001ccb0c395fc4e0bb9ea6bbb531674df0fdafcb92c916fb0fecd5e55ee","src/uint/modular/reduction.rs":"6b38e2434a0230416bf55a6bae6145a56a18b88dbcaef77bb5b98cd71c2a3ff8","src/uint/modular/runtime_mod.rs":"c49d735479feb3a9f804aadc9a0f6c09227c1d5cc21c35ba99033cee08da7869","src/uint/modular/runtime_mod/runtime_add.rs":"03458894be7de14f8813a5a458662cde6d62dc24fb289bf1fae2bc87a981e159","src/uint/modular/runtime_mod/runtime_inv.rs":"cf5a3776e94e9edd20934b8a4d8775a1269a69209d591ea492862d102842f841","src/uint/modular/runtime_mod/runtime_mul.rs":"6b695a9be7b766aeb592b9cfcb01f27eae7643a45062e24edf1c209ec19fa9da","src/uint/modular/runtime_mod/runtime_neg.rs":"c5948c91e82f92675357a4c53d3ebd6cda7bf4132bf36921e34ffcea530167b4","src/uint/modular/runtime_mod/runtime_pow.rs":"955d9151ca55859f4592cc9e8daf70056982d021a3ee8821ab863c8adaf07b5a","src/uint/modular/runtime_mod/runtime_sub.rs":"cfc59cacdc1a37827aaf88e0478cf0b7ede8782e2e23c22ab69c02ec0af3d4cf","src/uint/modular/sub.rs":"c50b631f9d0c3309c2e3e445a4f44050f04d9d2632547843204a8797c618cecf","src/uint/mul.rs":"82ddd89051d036e6ac8b3a8ac06728fec8f111b450d37882d6e7eb6f581e9584","src/uint/mul_mod.rs":"fc4a1dcf92a3cfb5d014d92db5c3b2d4eb5739750ec293bd74e9226c524d074e","src/uint/neg.rs":"f4845d5db7e3bc40a3038080fbf1fe44e03ccc2c13c3064c45f816299489d18c","src/uint/neg_mod.rs":"f7f0584e06d8f8838519895b2caba92687953ef4cac2a15cbfc59496378cf899","src/uint/rand.rs":"963fe09cbf41959643e8bec195c327ffc378d39d6d2ccf7848146283c1ad51c0","src/uint/resize.rs":"88990e70756fe211ca874538558a9eed7373176668aa71e81f0b1d3bae8eaf56","src/uint/shl.rs":"8c1fd3bff2b815853891dc661526122c65c8130e94b840f46ac7e62e8d7aa43b","src/uint/shr.rs":"87c02663350e15bc9abecaec1815764d4d81d62094afe89ee08d048ea1c2b5d6","src/uint/split.rs":"a24a45f5cbd5cc5e9288d772a8f7d915f989078d212064e804007b9a25975494","src/uint/sqrt.rs":"25a141df195fec13fec8a1a703600e9d6584840f2d64c7011c6a8e79b642ead1","src/uint/sub.rs":"0bb5334a1af8f33125f009cfa07473994a97ef3132c826aa88afbeac164b1915","src/uint/sub_mod.rs":"1f6ee51cc72d8d204fac27836ec087c72dbf26711ea430f77f50af6477b1088a","src/wrapping.rs":"b0a2ce171c0737bbc92535554886c5050155831dcff1f8dba53c2976bc34d981","tests/const_residue.rs":"d874022d955e065ccbade442679c4046ab47ec495411d24e128e7ea5f1296859","tests/impl_modulus.rs":"ce1d05b4ddfd71b4cb08949db4c87d937efff74b5c6fa7aaae180a5d6bc9dd65","tests/proptests.rs":"f6fb49f5636ebc6958129714756f0a5b913070b3ba81394ad7e5ba85a7f27b70"},"package":"7c2538c4e68e52548bacb3e83ac549f903d44f011ac9d5abb5e132e67d0808f7"} \ No newline at end of file +{"files":{"CHANGELOG.md":"8700a8154d741401856c51a0ba3d2aa32ee24e3cfa5c1a231280ac49ee6f8886","Cargo.toml":"406425717a8dbc10595b8bbf0e171b14cec995a43eed8833a06989ed0aa4a567","LICENSE-APACHE":"a9040321c3712d8fd0b09cf52b17445de04a23a10165049ae187cd39e5c86be5","LICENSE-MIT":"90c503b61dee04e1449c323ec34c229dfb68d7adcb96c7e140ee55f70fce2d8e","README.md":"156e2a5386e3e58d81fb53755050ae8b68419ccfc7b924339fe2a03f0a891b21","SECURITY.md":"566027e0957dcbe6245eef1df2d3f2e100f8ec60171a79943ac8c7b5a992dea8","benches/bench.rs":"7abf25e6b0426f102eaae9535f332711858028b7a500d29f66d902562537a299","src/array.rs":"9b18991230aa12e88ac358cdb202f4225fcee58788e29c34ab931e29ba5a92aa","src/checked.rs":"7fc5e0f6b3116178f032189c2682b5f911e142705c1b0fa1b6e607b658407111","src/ct_choice.rs":"14c3f078981ab721859871af1cb28a15a7179d922cdb53d7c0b7b2fc00e588fa","src/lib.rs":"5b7ec21da96948e5616b2ad74e18328b6c628f1fb9879f9d03a04c40c6a099e3","src/limb.rs":"66b217e8eb16ad235141032396bd12c19cd7adbc07fb706131dd1d1286253207","src/limb/add.rs":"c4cfbae55657e8366dfacf2ed26cc6cf4c547f810df26566f3f23d2287697cd2","src/limb/bit_and.rs":"019f888b11e16fafbd0518eb5b583094a5e8490f59f458195db9306d86e1adaa","src/limb/bit_not.rs":"0fa7cdec58e1d3058daee88ef26f07ad0ba9e545505c97a130b47ef3fdf46c5a","src/limb/bit_or.rs":"1b5f85eac6768d460070da05b4a1257cceafff2b612b63a609aff3ff48df8480","src/limb/bit_xor.rs":"06acf291a316aa1fa2311bedd1a7aca5170564735c1f0b1103ed9e2c6f24f096","src/limb/bits.rs":"946eebb652a73809b86d2e804ed52e90bfee54db0bba3f3f10088f778d1fda51","src/limb/cmp.rs":"a59f12dccac4c482a658c9114ea8cb0a20d699cf47e85371b506811e47402cae","src/limb/encoding.rs":"29c9f0d86bfc63c8a5f510ef7f5ced1256697b8f5170ba9b98429241d1191a79","src/limb/from.rs":"7f595d9085730f95d2fe776a81e6f174061c9c4ec89a1fd85ab26feeaae0c2ad","src/limb/mul.rs":"dbfa013061fc5d8cff5bf49814d9acd3d00d386211fbd657091a813bca977820","src/limb/rand.rs":"770463d84aa86d432b294975b62fd4f95b7dbee93a78ec2c2f3e03e23ea21fdb","src/limb/shl.rs":"8d0cd4029375c7a66c0b72e21a8634a805cd5cc8c78320c1466f16ee0b16dbc7","src/limb/shr.rs":"c60b47739213722f7b4e7473d40be2f207484efbf8344cb7920558870aa5169c","src/limb/sub.rs":"2fe52b63f4876beb4d6fb44f2d04ac62231d66b7071097d592c690ceb4944764","src/nlimbs.rs":"aaa691ccb535ccee810c7d477365a0bbb1b84dc4b7d7940f38cdefa5153af160","src/non_zero.rs":"0bb0985b7c61c08a57fcb360d87aa72f14d8f8dcb05910eefde538cc2579d040","src/traits.rs":"c54352bb8c85201dc2935b2749c8bfefd4ccb070e52e7409759448b4dcc0ca03","src/uint.rs":"a1d6dda171688909661fdc3c109aa7a1cbd41c3b19fa44a2d309a3d69930e2c0","src/uint/add.rs":"e898b553ccf6a3736acbd5fe46e81b8650da9dedd93f31afd588c6385f30337b","src/uint/add_mod.rs":"304bbe428121358592249149b8fc3e0daf4cf1411b08ae10be5714a72a4484ae","src/uint/array.rs":"b67ccdddc41a155603604eff356419924628c99d38ac753e78e151715c2c06b0","src/uint/bit_and.rs":"54ebcac0e1a481d31e26a2acf3abda3de0ad6775225d02d41549aea4d1d5364a","src/uint/bit_not.rs":"b593a48c0e65849ea643f0a3624d2e8d3fc35d8f16a6b2a5e9de2728f0ad2fb4","src/uint/bit_or.rs":"0fd351e1558c7b067be8fa45329e33c0e43111b4dfa7954a0837af88a3f733e8","src/uint/bit_xor.rs":"4975f3df64a114313fd2d02993c6f7ce5ac02144534c15f2be310022261d18b6","src/uint/bits.rs":"e0e7dec077a48c6c34ad053865d249e1c0eb5aad7d259ac7405046a77247a826","src/uint/cmp.rs":"d9076c07a5202327e42a20141bee7d8d794b5c52c9ad85c4945562e87908167d","src/uint/concat.rs":"8380f869177437cec11ac8d1295f17c7f21a507a870fac458c7cfa6b7a24dd40","src/uint/div.rs":"6ad5c3df95a041e0b0a4f4a30f11cebc078fb2e98de13dfae3de68fc7b14be70","src/uint/div_limb.rs":"d75011288fb20e5b8d12a9f1d03d72dd90d4921405281ac3136f83b876d903a7","src/uint/encoding.rs":"7e846d3b6a7a986a43999b19e191110249296a856a3baf492f164af997e24086","src/uint/encoding/der.rs":"0873e5f48616d297402abba5805012f6aa2c240e321bae79eb9493764c6c1494","src/uint/encoding/rlp.rs":"c6fe852dc5a205adf4ad843460ddbf0340338fccbc17bf804f74f65d3b20693b","src/uint/from.rs":"6d4ff78aea799466dcdb52d8f55086a0f4a12a1bf3a07850457971d87792a0ac","src/uint/inv_mod.rs":"42294a2ddd4b7a75760707486e4f9d7259f3c7dffcabe95bc0edafd4f85367f2","src/uint/modular.rs":"8ea4b5129312251a076b95fd84e0a41b8951ce4b443ec7dc33c08eef13721a6a","src/uint/modular/add.rs":"6dd440f71305fcebe970ca51ef4a218574075978ab22ccbea7df03227a4b1dec","src/uint/modular/constant_mod.rs":"b508df488dd880ea63408bc9622fe8de0bbe0532a7b593776257019d358e000f","src/uint/modular/constant_mod/const_add.rs":"5e2acd3d079f77d31d947fb5deb0bc6a230b483604292e775381eefff8beeb3e","src/uint/modular/constant_mod/const_inv.rs":"1b102fee00c7842ede1c2daed40191efc23c810b381316b1515257ac858dbe38","src/uint/modular/constant_mod/const_mul.rs":"d5250adbc8dee03840c3cfc44c24253469605bf9e3b397e42dbd036b19b283ac","src/uint/modular/constant_mod/const_neg.rs":"29479fed061c2ba34550d098d8255b50a827c93aa6d39af0138c86e8bb006d69","src/uint/modular/constant_mod/const_pow.rs":"19dcaecdb27f60253ed9600cbc2c65738fbc016f35e95cd2674be87d8f0d9728","src/uint/modular/constant_mod/const_sub.rs":"6cc421643c7ce79a6346c83cf9caaeedcda0f3c61827f1563dad85d4595bf95e","src/uint/modular/constant_mod/macros.rs":"f96334c7f8ba107b69ee8d471422d76ec3be0b38ff61a60b13ddbd483d5347b8","src/uint/modular/div_by_2.rs":"4ae62b414fe7a571285deda7e71ae96ca41629a463313a964b630e4390ca6fa4","src/uint/modular/inv.rs":"7b529a240694b5ed24dc51a2d7cb780877f2fc36b93e90c140ee5fc44ab8a67d","src/uint/modular/mul.rs":"366e145a5cd5af8af2e5eb831592e8df773244cb43e826863d3ed973b40404a6","src/uint/modular/pow.rs":"2387c001ccb0c395fc4e0bb9ea6bbb531674df0fdafcb92c916fb0fecd5e55ee","src/uint/modular/reduction.rs":"7ad87aa75c4d2ce07853f9cb0308e0ca1b7bb78c7572743991d9e05e5ecfcca1","src/uint/modular/runtime_mod.rs":"54146b704dc245d2d45dec5f8a6b1ee8b9991f25cd117512e27ba168695fa2de","src/uint/modular/runtime_mod/runtime_add.rs":"03458894be7de14f8813a5a458662cde6d62dc24fb289bf1fae2bc87a981e159","src/uint/modular/runtime_mod/runtime_inv.rs":"cf5a3776e94e9edd20934b8a4d8775a1269a69209d591ea492862d102842f841","src/uint/modular/runtime_mod/runtime_mul.rs":"6b695a9be7b766aeb592b9cfcb01f27eae7643a45062e24edf1c209ec19fa9da","src/uint/modular/runtime_mod/runtime_neg.rs":"c5948c91e82f92675357a4c53d3ebd6cda7bf4132bf36921e34ffcea530167b4","src/uint/modular/runtime_mod/runtime_pow.rs":"955d9151ca55859f4592cc9e8daf70056982d021a3ee8821ab863c8adaf07b5a","src/uint/modular/runtime_mod/runtime_sub.rs":"cfc59cacdc1a37827aaf88e0478cf0b7ede8782e2e23c22ab69c02ec0af3d4cf","src/uint/modular/sub.rs":"c50b631f9d0c3309c2e3e445a4f44050f04d9d2632547843204a8797c618cecf","src/uint/mul.rs":"82ddd89051d036e6ac8b3a8ac06728fec8f111b450d37882d6e7eb6f581e9584","src/uint/mul_mod.rs":"fc4a1dcf92a3cfb5d014d92db5c3b2d4eb5739750ec293bd74e9226c524d074e","src/uint/neg.rs":"f4845d5db7e3bc40a3038080fbf1fe44e03ccc2c13c3064c45f816299489d18c","src/uint/neg_mod.rs":"f7f0584e06d8f8838519895b2caba92687953ef4cac2a15cbfc59496378cf899","src/uint/rand.rs":"963fe09cbf41959643e8bec195c327ffc378d39d6d2ccf7848146283c1ad51c0","src/uint/resize.rs":"88990e70756fe211ca874538558a9eed7373176668aa71e81f0b1d3bae8eaf56","src/uint/shl.rs":"8c1fd3bff2b815853891dc661526122c65c8130e94b840f46ac7e62e8d7aa43b","src/uint/shr.rs":"24e11eb24a132475aa961a61fe01c72961dd1cb67f93ce97da449d5ae139a221","src/uint/split.rs":"a24a45f5cbd5cc5e9288d772a8f7d915f989078d212064e804007b9a25975494","src/uint/sqrt.rs":"25a141df195fec13fec8a1a703600e9d6584840f2d64c7011c6a8e79b642ead1","src/uint/sub.rs":"0bb5334a1af8f33125f009cfa07473994a97ef3132c826aa88afbeac164b1915","src/uint/sub_mod.rs":"1460759db90a535d8cb7cbe89f29ccc15b3b390434ff5182fc320a7c9da89339","src/wrapping.rs":"b0a2ce171c0737bbc92535554886c5050155831dcff1f8dba53c2976bc34d981","tests/const_residue.rs":"d874022d955e065ccbade442679c4046ab47ec495411d24e128e7ea5f1296859","tests/impl_modulus.rs":"ce1d05b4ddfd71b4cb08949db4c87d937efff74b5c6fa7aaae180a5d6bc9dd65","tests/proptests.rs":"23a267c404398d80d9f7309a18c7d7be5761b8ba636f7ce2a5c5cd0f1b14b58e"},"package":"cf4c2f4e1afd912bc40bfd6fed5d9dc1f288e0ba01bfcc835cc5bc3eb13efe15"} \ No newline at end of file diff --git a/vendor/crypto-bigint/CHANGELOG.md b/vendor/crypto-bigint/CHANGELOG.md index 73c031bd8..4283f7a9e 100644 --- a/vendor/crypto-bigint/CHANGELOG.md +++ b/vendor/crypto-bigint/CHANGELOG.md @@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## 0.5.2 (2023-04-26) +### Added +- Expose residue params and modulus in `DynResidue` ([#197]) +- Impl `DefaultIsZeroes` for `Residue` ([#210]) +- `div_by_2()` method for integers in Montgomery form ([#211], [#212]) + +### Changed +- Montgomery multiplication improvements ([#203]) + +[#197]: https://github.com/RustCrypto/crypto-bigint/pull/197 +[#203]: https://github.com/RustCrypto/crypto-bigint/pull/203 +[#210]: https://github.com/RustCrypto/crypto-bigint/pull/210 +[#211]: https://github.com/RustCrypto/crypto-bigint/pull/211 +[#212]: https://github.com/RustCrypto/crypto-bigint/pull/212 + ## 0.5.1 (2023-03-13) ### Changed - Improve `Debug` impls on `Limb` and `Uint` ([#195]) diff --git a/vendor/crypto-bigint/Cargo.toml b/vendor/crypto-bigint/Cargo.toml index 8e9c2b6e5..4657189fa 100644 --- a/vendor/crypto-bigint/Cargo.toml +++ b/vendor/crypto-bigint/Cargo.toml @@ -13,7 +13,7 @@ edition = "2021" rust-version = "1.65" name = "crypto-bigint" -version = "0.5.1" +version = "0.5.2" authors = ["RustCrypto Developers"] description = """ Pure Rust implementation of a big integer library which has been designed from @@ -90,7 +90,7 @@ version = "0.4" features = ["html_reports"] [dev-dependencies.hex-literal] -version = "0.3" +version = "0.4" [dev-dependencies.num-bigint] version = "0.4" diff --git a/vendor/crypto-bigint/SECURITY.md b/vendor/crypto-bigint/SECURITY.md new file mode 100644 index 000000000..09c221b0a --- /dev/null +++ b/vendor/crypto-bigint/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Supported Versions + +Security updates are applied only to the most recent release. + +## Reporting a Vulnerability + +If you have discovered a security vulnerability in this project, please report +it privately. **Do not disclose it as a public issue.** This gives us time to +work with you to fix the issue before public exposure, reducing the chance that +the exploit will be used before a patch is released. + +Please disclose it at [security advisory](https://github.com/RustCrypto/crypto-bigint/security/advisories/new). + +This project is maintained by a team of volunteers on a reasonable-effort basis. +As such, please give us at least 90 days to work on a fix before public exposure. diff --git a/vendor/crypto-bigint/benches/bench.rs b/vendor/crypto-bigint/benches/bench.rs index e04778053..8be5f5928 100644 --- a/vendor/crypto-bigint/benches/bench.rs +++ b/vendor/crypto-bigint/benches/bench.rs @@ -1,115 +1,148 @@ use criterion::{ - criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion, + criterion_group, criterion_main, measurement::Measurement, BatchSize, BenchmarkGroup, Criterion, }; use crypto_bigint::{ modular::runtime_mod::{DynResidue, DynResidueParams}, - NonZero, Random, Reciprocal, Uint, U256, + Limb, NonZero, Random, Reciprocal, U128, U256, }; use rand_core::OsRng; -fn bench_division<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { - const TEST_SET: usize = 10; - let xs = (0..TEST_SET) - .map(|_| Uint::<4>::random(&mut OsRng)) - .collect::>(); - let ys = (0..TEST_SET) - .map(|_| NonZero::new(Uint::<2>::ZERO.concat(&Uint::<2>::random(&mut OsRng))).unwrap()) - .collect::>(); - group.bench_function("div/rem, 4/2, full size", |b| { - b.iter(|| { - xs.iter() - .zip(ys.iter()) - .map(|(x, y)| x.div_rem(y)) - .for_each(drop) - }) +fn bench_division(group: &mut BenchmarkGroup<'_, M>) { + group.bench_function("div/rem, U256/U128, full size", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let y_half = U128::random(&mut OsRng); + let y: U256 = (y_half, U128::ZERO).into(); + (x, NonZero::new(y).unwrap()) + }, + |(x, y)| x.div_rem(&y), + BatchSize::SmallInput, + ) }); - group.bench_function("rem, 4/2, full size", |b| { - b.iter(|| { - xs.iter() - .zip(ys.iter()) - .map(|(x, y)| x.rem(y)) - .for_each(drop) - }) + group.bench_function("rem, U256/U128, full size", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let y_half = U128::random(&mut OsRng); + let y: U256 = (y_half, U128::ZERO).into(); + (x, NonZero::new(y).unwrap()) + }, + |(x, y)| x.rem(&y), + BatchSize::SmallInput, + ) }); - let ys = (0..TEST_SET) - .map(|_| Uint::<1>::random(&mut OsRng)) - .collect::>(); - let ys_full = ys - .iter() - .map(|y| NonZero::new(Uint::<4>::from(y.as_limbs()[0])).unwrap()) - .collect::>(); - let ys_limb = ys - .iter() - .map(|y| NonZero::new(y.as_limbs()[0]).unwrap()) - .collect::>(); - group.bench_function("div/rem, 4/1, full size", |b| { - b.iter(|| { - xs.iter() - .zip(ys_full.iter()) - .map(|(x, y)| x.div_rem(y)) - .for_each(drop) - }) + group.bench_function("div/rem, U256/Limb, full size", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let y_small = Limb::random(&mut OsRng); + let y = U256::from_word(y_small.0); + (x, NonZero::new(y).unwrap()) + }, + |(x, y)| x.div_rem(&y), + BatchSize::SmallInput, + ) }); - group.bench_function("div/rem, 4/1, single limb", |b| { - b.iter(|| { - xs.iter() - .zip(ys_limb.iter()) - .map(|(x, y)| x.div_rem_limb(*y)) - .for_each(drop) - }) + + group.bench_function("div/rem, U256/Limb, single limb", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let y = Limb::random(&mut OsRng); + (x, NonZero::new(y).unwrap()) + }, + |(x, y)| x.div_rem_limb(y), + BatchSize::SmallInput, + ) }); - let reciprocals = ys_limb - .iter() - .map(|y| Reciprocal::new(**y)) - .collect::>(); - group.bench_function("div/rem, 4/1, single limb with reciprocal", |b| { - b.iter(|| { - xs.iter() - .zip(reciprocals.iter()) - .map(|(x, r)| x.div_rem_limb_with_reciprocal(r)) - .for_each(drop) - }) + group.bench_function("div/rem, U256/Limb, single limb with reciprocal", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let y = Limb::random(&mut OsRng); + let r = Reciprocal::new(y); + (x, r) + }, + |(x, r)| x.div_rem_limb_with_reciprocal(&r), + BatchSize::SmallInput, + ) }); } -fn bench_modpow<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) { - const TEST_SET: usize = 10; - let xs = (0..TEST_SET) - .map(|_| U256::random(&mut OsRng)) - .collect::>(); - let moduli = (0..TEST_SET) - .map(|_| U256::random(&mut OsRng) | U256::ONE) - .collect::>(); - let powers = (0..TEST_SET) - .map(|_| U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1))) - .collect::>(); +fn bench_montgomery_ops(group: &mut BenchmarkGroup<'_, M>) { + let params = DynResidueParams::new(&(U256::random(&mut OsRng) | U256::ONE)); + group.bench_function("multiplication, U256*U256", |b| { + b.iter_batched( + || { + let x = DynResidue::new(&U256::random(&mut OsRng), params); + let y = DynResidue::new(&U256::random(&mut OsRng), params); + (x, y) + }, + |(x, y)| x * y, + BatchSize::SmallInput, + ) + }); + + let m = U256::random(&mut OsRng) | U256::ONE; + let params = DynResidueParams::new(&m); + group.bench_function("modpow, U256^U256", |b| { + b.iter_batched( + || { + let x = U256::random(&mut OsRng); + let x_m = DynResidue::new(&x, params); + let p = U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1)); + (x_m, p) + }, + |(x, p)| x.pow(&p), + BatchSize::SmallInput, + ) + }); +} - let params = moduli.iter().map(DynResidueParams::new).collect::>(); - let xs_m = xs - .iter() - .zip(params.iter()) - .map(|(x, p)| DynResidue::new(x, *p)) - .collect::>(); +fn bench_montgomery_conversion(group: &mut BenchmarkGroup<'_, M>) { + group.bench_function("DynResidueParams creation", |b| { + b.iter_batched( + || U256::random(&mut OsRng) | U256::ONE, + |modulus| DynResidueParams::new(&modulus), + BatchSize::SmallInput, + ) + }); - group.bench_function("modpow, 4^4", |b| { - b.iter(|| { - xs_m.iter() - .zip(powers.iter()) - .map(|(x, p)| x.pow(p)) - .for_each(drop) - }) + let params = DynResidueParams::new(&(U256::random(&mut OsRng) | U256::ONE)); + group.bench_function("DynResidue creation", |b| { + b.iter_batched( + || U256::random(&mut OsRng), + |x| DynResidue::new(&x, params), + BatchSize::SmallInput, + ) + }); + + let params = DynResidueParams::new(&(U256::random(&mut OsRng) | U256::ONE)); + group.bench_function("DynResidue retrieve", |b| { + b.iter_batched( + || DynResidue::new(&U256::random(&mut OsRng), params), + |x| x.retrieve(), + BatchSize::SmallInput, + ) }); } fn bench_wrapping_ops(c: &mut Criterion) { let mut group = c.benchmark_group("wrapping ops"); bench_division(&mut group); - bench_modpow(&mut group); group.finish(); } -criterion_group!(benches, bench_wrapping_ops); +fn bench_montgomery(c: &mut Criterion) { + let mut group = c.benchmark_group("Montgomery arithmetic"); + bench_montgomery_conversion(&mut group); + bench_montgomery_ops(&mut group); + group.finish(); +} + +criterion_group!(benches, bench_wrapping_ops, bench_montgomery); criterion_main!(benches); diff --git a/vendor/crypto-bigint/src/ct_choice.rs b/vendor/crypto-bigint/src/ct_choice.rs index 1308dd328..56bb79d82 100644 --- a/vendor/crypto-bigint/src/ct_choice.rs +++ b/vendor/crypto-bigint/src/ct_choice.rs @@ -9,10 +9,10 @@ use crate::Word; pub struct CtChoice(Word); impl CtChoice { - /// The falsy vaue. + /// The falsy value. pub const FALSE: Self = Self(0); - /// The truthy vaue. + /// The truthy value. pub const TRUE: Self = Self(Word::MAX); /// Returns the truthy value if `value == Word::MAX`, and the falsy value if `value == 0`. @@ -25,7 +25,7 @@ impl CtChoice { /// Returns the truthy value if `value == 1`, and the falsy value if `value == 0`. /// Panics for other values. pub(crate) const fn from_lsb(value: Word) -> Self { - debug_assert!(value == Self::FALSE.0 || value == 1); + debug_assert!(value == 0 || value == 1); Self(value.wrapping_neg()) } @@ -37,10 +37,6 @@ impl CtChoice { Self(self.0 & other.0) } - pub(crate) const fn or(&self, other: Self) -> Self { - Self(self.0 | other.0) - } - /// Return `b` if `self` is truthy, otherwise return `a`. pub(crate) const fn select(&self, a: Word, b: Word) -> Word { a ^ (self.0 & (a ^ b)) diff --git a/vendor/crypto-bigint/src/traits.rs b/vendor/crypto-bigint/src/traits.rs index 3ace16c4a..da9b9b646 100644 --- a/vendor/crypto-bigint/src/traits.rs +++ b/vendor/crypto-bigint/src/traits.rs @@ -177,7 +177,7 @@ pub trait CheckedMul: Sized { fn checked_mul(&self, rhs: Rhs) -> CtOption; } -/// Checked substraction. +/// Checked subtraction. pub trait CheckedSub: Sized { /// Output type. type Output; diff --git a/vendor/crypto-bigint/src/uint/add_mod.rs b/vendor/crypto-bigint/src/uint/add_mod.rs index bfdda6ff5..70674f5e8 100644 --- a/vendor/crypto-bigint/src/uint/add_mod.rs +++ b/vendor/crypto-bigint/src/uint/add_mod.rs @@ -16,19 +16,9 @@ impl Uint { // If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise // borrow = 0x000...000. Thus, we use it as a mask to conditionally add the // modulus. - let mut i = 0; - let mut res = Self::ZERO; - let mut carry = Limb::ZERO; - - while i < LIMBS { - let rhs = p.limbs[i].bitand(borrow); - let (limb, c) = w.limbs[i].adc(rhs, carry); - res.limbs[i] = limb; - carry = c; - i += 1; - } - - res + let mask = Uint::from_words([borrow.0; LIMBS]); + + w.wrapping_add(&p.bitand(&mask)) } /// Computes `self + rhs mod p` in constant time for the special modulus @@ -43,8 +33,7 @@ impl Uint { // for the overflow. Otherwise, we need to subtract `c` again, which // in that case cannot underflow. let l = carry.0.wrapping_sub(1) & c.0; - let (out, _) = out.sbb(&Uint::from_word(l), Limb::ZERO); - out + out.wrapping_sub(&Uint::from_word(l)) } } diff --git a/vendor/crypto-bigint/src/uint/div_limb.rs b/vendor/crypto-bigint/src/uint/div_limb.rs index 9bbd828e4..c00bc77c9 100644 --- a/vendor/crypto-bigint/src/uint/div_limb.rs +++ b/vendor/crypto-bigint/src/uint/div_limb.rs @@ -147,7 +147,7 @@ const fn div2by1(u1: Word, u0: Word, reciprocal: &Reciprocal) -> (Word, Word) { let r = Limb::ct_select(Limb(r), Limb(r.wrapping_add(d)), r_gt_q0).0; // If this was a normal `if`, we wouldn't need wrapping ops, because there would be no overflow. - // But since we caluculate both results either way, have to wrap. + // But since we calculate both results either way, we have to wrap. // Added an assert to still check the lack of overflow in debug mode. debug_assert!(r < d || q1 < Word::MAX); let r_ge_d = Limb::ct_le(Limb(d), Limb(r)); diff --git a/vendor/crypto-bigint/src/uint/modular.rs b/vendor/crypto-bigint/src/uint/modular.rs index ff20f443d..cd560aa38 100644 --- a/vendor/crypto-bigint/src/uint/modular.rs +++ b/vendor/crypto-bigint/src/uint/modular.rs @@ -6,6 +6,7 @@ pub mod constant_mod; pub mod runtime_mod; mod add; +mod div_by_2; mod inv; mod mul; mod pow; diff --git a/vendor/crypto-bigint/src/uint/modular/constant_mod.rs b/vendor/crypto-bigint/src/uint/modular/constant_mod.rs index f94e4c475..3e9b522ef 100644 --- a/vendor/crypto-bigint/src/uint/modular/constant_mod.rs +++ b/vendor/crypto-bigint/src/uint/modular/constant_mod.rs @@ -4,7 +4,7 @@ use subtle::{Choice, ConditionallySelectable, ConstantTimeEq}; use crate::{Limb, Uint, Zero}; -use super::{reduction::montgomery_reduction, Retrieve}; +use super::{div_by_2::div_by_2, reduction::montgomery_reduction, Retrieve}; #[cfg(feature = "rand_core")] use crate::{rand_core::CryptoRngCore, NonZero, Random, RandomMod}; @@ -67,6 +67,12 @@ where phantom: PhantomData, } +#[cfg(feature = "zeroize")] +impl, const LIMBS: usize> zeroize::DefaultIsZeroes + for Residue +{ +} + impl, const LIMBS: usize> Residue { /// The representation of 0 mod `MOD`. pub const ZERO: Self = Self { @@ -100,6 +106,18 @@ impl, const LIMBS: usize> Residue { MOD::MOD_NEG_INV, ) } + + /// Performs the modular division by 2, that is for given `x` returns `y` + /// such that `y * 2 = x mod p`. This means: + /// - if `x` is even, returns `x / 2`, + /// - if `x` is odd, returns `(x + p) / 2` + /// (since the modulus `p` in Montgomery form is always odd, this divides entirely). + pub fn div_by_2(&self) -> Self { + Self { + montgomery_form: div_by_2(&self.montgomery_form, &MOD::MODULUS), + phantom: PhantomData, + } + } } impl + Copy, const LIMBS: usize> ConditionallySelectable diff --git a/vendor/crypto-bigint/src/uint/modular/div_by_2.rs b/vendor/crypto-bigint/src/uint/modular/div_by_2.rs new file mode 100644 index 000000000..20c0a5d86 --- /dev/null +++ b/vendor/crypto-bigint/src/uint/modular/div_by_2.rs @@ -0,0 +1,30 @@ +use crate::Uint; + +pub(crate) fn div_by_2(a: &Uint, modulus: &Uint) -> Uint { + // We are looking for such `x` that `x * 2 = y mod modulus`, + // where the given `a = M(y)` is the Montgomery representation of some `y`. + // This means that in Montgomery representation it would still apply: + // `M(x) + M(x) = a mod modulus`. + // So we can just forget about Montgomery representation, and return whatever is + // `a` divided by 2, and this will be the Montgomery representation of `x`. + // (Which means that this function works regardless of whether `a` + // is in Montgomery representation or not, but the algorithm below + // does need `modulus` to be odd) + + // Two possibilities: + // - if `a` is even, we can just divide by 2; + // - if `a` is odd, we divide `(a + modulus)` by 2. + // To stay within the modulus we open the parentheses turning it into `a / 2 + modulus / 2 + 1` + // ("+1" because both `a` and `modulus` are odd, we lose 0.5 in each integer division). + // This will not overflow, so we can just use wrapping operations. + + let (half, is_odd) = a.shr_1(); + let half_modulus = modulus.shr_vartime(1); + + let if_even = half; + let if_odd = half + .wrapping_add(&half_modulus) + .wrapping_add(&Uint::::ONE); + + Uint::::ct_select(&if_even, &if_odd, is_odd) +} diff --git a/vendor/crypto-bigint/src/uint/modular/reduction.rs b/vendor/crypto-bigint/src/uint/modular/reduction.rs index d3543bf97..b206ae32f 100644 --- a/vendor/crypto-bigint/src/uint/modular/reduction.rs +++ b/vendor/crypto-bigint/src/uint/modular/reduction.rs @@ -1,4 +1,14 @@ -use crate::{CtChoice, Limb, Uint, WideWord, Word}; +use crate::{Limb, Uint, WideWord, Word}; + +/// Returns `(hi, lo)` such that `hi * R + lo = x * y + z + w`. +#[inline(always)] +const fn muladdcarry(x: Word, y: Word, z: Word, w: Word) -> (Word, Word) { + let res = (x as WideWord) + .wrapping_mul(y as WideWord) + .wrapping_add(z as WideWord) + .wrapping_add(w as WideWord); + ((res >> Word::BITS) as Word, res as Word) +} /// Algorithm 14.32 in Handbook of Applied Cryptography pub const fn montgomery_reduction( @@ -8,49 +18,38 @@ pub const fn montgomery_reduction( ) -> Uint { let (mut lower, mut upper) = *lower_upper; - let mut meta_carry: WideWord = 0; + let mut meta_carry = Limb(0); + let mut new_sum; let mut i = 0; while i < LIMBS { - let u = (lower.limbs[i].0.wrapping_mul(mod_neg_inv.0)) as WideWord; + let u = lower.limbs[i].0.wrapping_mul(mod_neg_inv.0); - let new_limb = - (u * modulus.limbs[0].0 as WideWord).wrapping_add(lower.limbs[i].0 as WideWord); - let mut carry = new_limb >> Word::BITS; + let (mut carry, _) = muladdcarry(u, modulus.limbs[0].0, lower.limbs[i].0, 0); + let mut new_limb; let mut j = 1; while j < (LIMBS - i) { - let new_limb = (u * modulus.limbs[j].0 as WideWord) - .wrapping_add(lower.limbs[i + j].0 as WideWord) - .wrapping_add(carry); - carry = new_limb >> Word::BITS; - lower.limbs[i + j] = Limb(new_limb as Word); - + (carry, new_limb) = muladdcarry(u, modulus.limbs[j].0, lower.limbs[i + j].0, carry); + lower.limbs[i + j] = Limb(new_limb); j += 1; } while j < LIMBS { - let new_limb = (u * modulus.limbs[j].0 as WideWord) - .wrapping_add(upper.limbs[i + j - LIMBS].0 as WideWord) - .wrapping_add(carry); - carry = new_limb >> Word::BITS; - upper.limbs[i + j - LIMBS] = Limb(new_limb as Word); - + (carry, new_limb) = + muladdcarry(u, modulus.limbs[j].0, upper.limbs[i + j - LIMBS].0, carry); + upper.limbs[i + j - LIMBS] = Limb(new_limb); j += 1; } - let new_sum = (upper.limbs[i].0 as WideWord) - .wrapping_add(carry) - .wrapping_add(meta_carry); - meta_carry = new_sum >> Word::BITS; - upper.limbs[i] = Limb(new_sum as Word); + (new_sum, meta_carry) = upper.limbs[i].adc(Limb(carry), meta_carry); + upper.limbs[i] = new_sum; i += 1; } // Division is simply taking the upper half of the limbs - // Final reduction (at this point, the value is at most 2 * modulus) - let must_reduce = CtChoice::from_lsb(meta_carry as Word).or(Uint::ct_gt(modulus, &upper).not()); - upper = upper.wrapping_sub(&Uint::ct_select(&Uint::ZERO, modulus, must_reduce)); + // Final reduction (at this point, the value is at most 2 * modulus, + // so `meta_carry` is either 0 or 1) - upper + upper.sub_mod_with_carry(meta_carry, modulus, modulus) } diff --git a/vendor/crypto-bigint/src/uint/modular/runtime_mod.rs b/vendor/crypto-bigint/src/uint/modular/runtime_mod.rs index 72f1094cf..84622d167 100644 --- a/vendor/crypto-bigint/src/uint/modular/runtime_mod.rs +++ b/vendor/crypto-bigint/src/uint/modular/runtime_mod.rs @@ -1,6 +1,6 @@ use crate::{Limb, Uint, Word}; -use super::{reduction::montgomery_reduction, Retrieve}; +use super::{div_by_2::div_by_2, reduction::montgomery_reduction, Retrieve}; /// Additions between residues with a modulus set at runtime mod runtime_add; @@ -33,11 +33,16 @@ pub struct DynResidueParams { impl DynResidueParams { /// Instantiates a new set of `ResidueParams` representing the given `modulus`. - pub fn new(modulus: &Uint) -> Self { + pub const fn new(modulus: &Uint) -> Self { let r = Uint::MAX.const_rem(modulus).0.wrapping_add(&Uint::ONE); let r2 = Uint::const_rem_wide(r.square_wide(), modulus).0; + + // Since we are calculating the inverse modulo (Word::MAX+1), + // we can take the modulo right away and calculate the inverse of the first limb only. + let modulus_lo = Uint::<1>::from_words([modulus.limbs[0].0]); let mod_neg_inv = - Limb(Word::MIN.wrapping_sub(modulus.inv_mod2k(Word::BITS as usize).limbs[0].0)); + Limb(Word::MIN.wrapping_sub(modulus_lo.inv_mod2k(Word::BITS as usize).limbs[0].0)); + let r3 = montgomery_reduction(&r2.square_wide(), modulus, mod_neg_inv); Self { @@ -48,6 +53,11 @@ impl DynResidueParams { mod_neg_inv, } } + + /// Returns the modulus which was used to initialize these parameters. + pub const fn modulus(&self) -> &Uint { + &self.modulus + } } /// A residue represented using `LIMBS` limbs. The odd modulus of this residue is set at runtime. @@ -97,6 +107,23 @@ impl DynResidue { residue_params, } } + + /// Returns the parameter struct used to initialize this residue. + pub const fn params(&self) -> &DynResidueParams { + &self.residue_params + } + + /// Performs the modular division by 2, that is for given `x` returns `y` + /// such that `y * 2 = x mod p`. This means: + /// - if `x` is even, returns `x / 2`, + /// - if `x` is odd, returns `(x + p) / 2` + /// (since the modulus `p` in Montgomery form is always odd, this divides entirely). + pub fn div_by_2(&self) -> Self { + Self { + montgomery_form: div_by_2(&self.montgomery_form, &self.residue_params.modulus), + residue_params: self.residue_params, + } + } } impl Retrieve for DynResidue { diff --git a/vendor/crypto-bigint/src/uint/shr.rs b/vendor/crypto-bigint/src/uint/shr.rs index 071788fb4..3698b970b 100644 --- a/vendor/crypto-bigint/src/uint/shr.rs +++ b/vendor/crypto-bigint/src/uint/shr.rs @@ -5,7 +5,8 @@ use crate::{limb::HI_BIT, CtChoice, Limb}; use core::ops::{Shr, ShrAssign}; impl Uint { - /// Computes `self >> 1` in constant-time, returning the overflowing bit as a `Word` that is either 0...0 or 1...1. + /// Computes `self >> 1` in constant-time, returning [`CtChoice::TRUE`] if the overflowing bit + /// was set, and [`CtChoice::FALSE`] otherwise. pub(crate) const fn shr_1(&self) -> (Self, CtChoice) { let mut shifted_bits = [0; LIMBS]; let mut i = 0; diff --git a/vendor/crypto-bigint/src/uint/sub_mod.rs b/vendor/crypto-bigint/src/uint/sub_mod.rs index 728a92760..b32babb89 100644 --- a/vendor/crypto-bigint/src/uint/sub_mod.rs +++ b/vendor/crypto-bigint/src/uint/sub_mod.rs @@ -7,21 +7,31 @@ impl Uint { /// /// Assumes `self - rhs` as unbounded signed integer is in `[-p, p)`. pub const fn sub_mod(&self, rhs: &Uint, p: &Uint) -> Uint { - let (mut out, borrow) = self.sbb(rhs, Limb::ZERO); + let (out, borrow) = self.sbb(rhs, Limb::ZERO); // If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise // borrow = 0x000...000. Thus, we use it as a mask to conditionally add the modulus. - let mut carry = Limb::ZERO; - let mut i = 0; + let mask = Uint::from_words([borrow.0; LIMBS]); + + out.wrapping_add(&p.bitand(&mask)) + } - while i < LIMBS { - let (l, c) = out.limbs[i].adc(p.limbs[i].bitand(borrow), carry); - out.limbs[i] = l; - carry = c; - i += 1; - } + /// Returns `(self..., carry) - (rhs...) mod (p...)`, where `carry <= 1`. + /// Assumes `-(p...) <= (self..., carry) - (rhs...) < (p...)`. + #[inline(always)] + pub(crate) const fn sub_mod_with_carry(&self, carry: Limb, rhs: &Self, p: &Self) -> Self { + debug_assert!(carry.0 <= 1); + + let (out, borrow) = self.sbb(rhs, Limb::ZERO); + + // The new `borrow = Word::MAX` iff `carry == 0` and `borrow == Word::MAX`. + let borrow = (!carry.0.wrapping_neg()) & borrow.0; + + // If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise + // borrow = 0x000...000. Thus, we use it as a mask to conditionally add the modulus. + let mask = Uint::from_words([borrow; LIMBS]); - out + out.wrapping_add(&p.bitand(&mask)) } /// Computes `self - rhs mod p` in constant time for the special modulus @@ -35,8 +45,7 @@ impl Uint { // the underflow. This cannot underflow due to the assumption // `self - rhs >= -p`. let l = borrow.0 & c.0; - let (out, _) = out.sbb(&Uint::from_word(l), Limb::ZERO); - out + out.wrapping_sub(&Uint::from_word(l)) } } diff --git a/vendor/crypto-bigint/tests/proptests.rs b/vendor/crypto-bigint/tests/proptests.rs index 9f489f0a8..572d990d1 100644 --- a/vendor/crypto-bigint/tests/proptests.rs +++ b/vendor/crypto-bigint/tests/proptests.rs @@ -282,4 +282,25 @@ proptest! { assert_eq!(expected, actual); } + + #[test] + fn residue_div_by_2(a in uint_mod_p(P)) { + let a_bi = to_biguint(&a); + let p_bi = to_biguint(&P); + let two = BigUint::from(2u32); + + let expected = if a_bi.is_even() { + &a_bi / two + } + else { + (&a_bi + &p_bi) / two + }; + let expected = to_uint(expected); + + let params = DynResidueParams::new(&P); + let a_m = DynResidue::new(&a, params); + let actual = a_m.div_by_2().retrieve(); + + assert_eq!(expected, actual); + } } -- cgit v1.2.3