Use rem_wide_vartime in Uint::mul_mod_vartime (#669)

Also adds benchmarks for Uint modular multiplication. Signed-off-by: Andrew Whitehead <cywolf@gmail.com>
RustCrypto · Sep 6, 2024 · db9d587 · db9d587
1 parent 3e15431
commit db9d587
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 11 deletions.
diff --git a/benches/uint.rs b/benches/uint.rs
@@ -1,5 +1,7 @@
 use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
-use crypto_bigint::{Limb, NonZero, Odd, Random, Reciprocal, Uint, U128, U2048, U256, U4096};
+use crypto_bigint::{
+ Limb, NonZero, Odd, Random, RandomMod, Reciprocal, Uint, U128, U2048, U256, U4096,
+};
 use rand_core::OsRng;
 
 fn bench_mul(c: &mut Criterion) {
@@ -36,6 +38,42 @@ fn bench_mul(c: &mut Criterion) {
  BatchSize::SmallInput,
  )
  });
+
+ group.bench_function("mul_mod, U256", |b| {
+ b.iter_batched(
+ || {
+ let m = Odd::<U256>::random(&mut OsRng);
+ let x = U256::random_mod(&mut OsRng, m.as_nz_ref());
+ (m.to_nz().unwrap(), x)
+ },
+ |(m, x)| black_box(x).mul_mod(black_box(&x), &m),
+ BatchSize::SmallInput,
+ )
+ });
+
+ group.bench_function("mul_mod_vartime, U256", |b| {
+ b.iter_batched(
+ || {
+ let m = Odd::<U256>::random(&mut OsRng);
+ let x = U256::random_mod(&mut OsRng, m.as_nz_ref());
+ (m.to_nz().unwrap(), x)
+ },
+ |(m, x)| black_box(x).mul_mod_vartime(black_box(&x), &m),
+ BatchSize::SmallInput,
+ )
+ });
+
+ group.bench_function("mul_mod_special, U256", |b| {
+ b.iter_batched(
+ || {
+ let m = Limb::random(&mut OsRng);
+ let x = U256::random(&mut OsRng);
+ (m, x)
+ },
+ |(m, x)| black_box(x).mul_mod_special(black_box(&x), m),
+ BatchSize::SmallInput,
+ )
+ });
 }
 
 fn bench_division(c: &mut Criterion) {

diff --git a/src/uint/mul_mod.rs b/src/uint/mul_mod.rs
@@ -30,17 +30,9 @@ impl<const LIMBS: usize> Uint<LIMBS> {
  }
 
  /// Computes `self * rhs mod p` for odd `p` in variable time with respect to `p`.
- ///
- /// Panics if `p` is even. (TODO: support even `p`)
  pub fn mul_mod_vartime(&self, rhs: &Uint<LIMBS>, p: &NonZero<Uint<LIMBS>>) -> Uint<LIMBS> {
- // NOTE: the overhead of converting to Montgomery form to perform this operation and then
- // immediately converting out of Montgomery form after just a single operation is likely to
- // be higher than other possible implementations of this function, such as using a
- // Barrett reduction instead.
- //
- // It's worth potentially exploring other approaches to improve efficiency.
- let params = MontyParams::new_vartime(p.to_odd().expect("p should be odd"));
- (MontyForm::new(self, params) * MontyForm::new(rhs, params)).retrieve()
+ let lo_hi = self.split_mul(rhs);
+ Self::rem_wide_vartime(lo_hi, p)
  }
 
  /// Computes `self * rhs mod p` for the special modulus