Skip to content

Add DivRemLimb and RemLimb traits#496

Merged
tarcieri merged 5 commits intoRustCrypto:masterfrom
fjarri:uint-adjustments
Dec 23, 2023
Merged

Add DivRemLimb and RemLimb traits#496
tarcieri merged 5 commits intoRustCrypto:masterfrom
fjarri:uint-adjustments

Conversation

@fjarri
Copy link
Contributor

@fjarri fjarri commented Dec 23, 2023
edited
Loading

This is the next step for entropyxyz/crypto-primes#36

  • add more bounds on Monty::Params (goes in line with the bounds on Monty and Integer);
  • add From<Limb> bound for Integer;
  • use original num-bigint instead of num-bigint-dig for compatibility with num-modular (used in tests);
  • fix some vartime usage in constant time division methods
  • add DivRemLimb and RemLimb traits (and separate rem_limb() methods - there's a significant speedup, and these are the ones I actually use in crypto-primes)

@fjarri fjarri marked this pull request as draft December 23, 2023 00:20
@fjarri
Copy link
Contributor Author

fjarri commented Dec 23, 2023
edited
Loading

Making a draft temporarily, need to add comments about the unwraps. Also probably a good idea for it to be a draft until we figure out what the API should be.

@tarcieri
Copy link
Member

tarcieri commented Dec 23, 2023
edited
Loading

I don't need gcd_vartime() for crypto-primes, it was just added for completeness sake.

Since we have Bernstein-Yang now defined on both Uint and BoxedUint (just landed in #497), perhaps it's unnecessary?

I can add a trait for computing GCD and bound Integer on it.

If you do want to include it for completeness, it'd be good to check if it's actually faster than the constant-time implementation (Bernstein-Yang is surprisingly fast), and then I'd prefer it be exposed as a provided Integer::gcd_vartime method (though the implementation could look like it does now, just pub(crate))

@fjarri
Copy link
Contributor Author

fjarri commented Dec 23, 2023
edited
Loading

Since we have Bernstein-Yang now defined on both Uint and BoxedUint (just landed in #497), perhaps it's unnecessary?

But that's constant-time, correct? I'm using it in a vartime context, so running the constant time thing would lead to performance degradatation.

Let me run some benchmarks.

tarcieri
tarcieri reviewed Dec 23, 2023
View reviewed changes
@fjarri
Copy link
Contributor Author

fjarri commented Dec 23, 2023

Actually let me roll it back. There are a few assorted considerations:

  • The GCD and Jacobi symbol functions I need are somewhat specialized, and if Integer provides the required functionality, I can just keep them in crypto-primes for now. Plus I'm not exactly sure how to implement Jacobi symbol in terms of Bernstein-Yang (although I remember reading that it's possible).
  • The vartime division algorithm we have is super inefficient, I want to make a separate PR for it.
  • Vartime division-by-limb can be added, but that's also a separate PR (although the constant-time one is already fast enough since in my application I only need to do it once).

@fjarri fjarri changed the title Vartime GCD and Jacobi Add DivRemLimb and RemLimb traits Dec 23, 2023
@fjarri fjarri marked this pull request as ready for review December 23, 2023 06:30
@tarcieri tarcieri merged commit 7c65c66 into RustCrypto:master Dec 23, 2023
@fjarri fjarri deleted the uint-adjustments branch December 23, 2023 20:14
@tarcieri tarcieri mentioned this pull request Jan 22, 2025
Merged
@daxpedda
Copy link
Contributor

daxpedda commented Sep 3, 2025

  • Plus I'm not exactly sure how to implement Jacobi symbol in terms of Bernstein-Yang (although I remember reading that it's possible).

@fjarri just stumbled on https://www.shiftleft.org/papers/byj/byj.pdf.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fjarri @tarcieri @daxpedda