Montgomery form arithmetic improvements (#664)

Signed-off-by: Andrew Whitehead <[email protected]>

Author: andrewwhitehead

benches/boxed_monty.rs

@@ -19,7 +19,69 @@ fn to_biguint(uint: &BoxedUint) -> BigUint {
 fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     let params = BoxedMontyParams::new(Odd::<BoxedUint>::random(&mut OsRng, UINT_BITS));
 
-    group.bench_function("invert, 4096-bit", |b| {
+    group.bench_function(format!("add, {UINT_BITS}-bit"), |b| {
+        b.iter_batched(
+            || {
+                let a = BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                );
+                let b = BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                );
+                (a, b)
+            },
+            |(a, b)| black_box(a).add(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function(format!("double, {UINT_BITS}-bit"), |b| {
+        b.iter_batched(
+            || {
+                BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                )
+            },
+            |a| black_box(a).double(),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function(format!("sub, {UINT_BITS}-bit"), |b| {
+        b.iter_batched(
+            || {
+                let a = BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                );
+                let b = BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                );
+                (a, b)
+            },
+            |(a, b)| black_box(a).sub(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function(format!("neg, {UINT_BITS}-bit"), |b| {
+        b.iter_batched(
+            || {
+                BoxedMontyForm::new(
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params.clone(),
+                )
+            },
+            |a| black_box(a).neg(),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function(format!("invert, {UINT_BITS}-bit"), |b| {
         b.iter_batched(
             || {
                 BoxedMontyForm::new(
@@ -36,11 +98,11 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
         b.iter_batched(
             || {
                 let x = BoxedMontyForm::new(
-                    BoxedUint::random_bits(&mut OsRng, UINT_BITS),
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
                     params.clone(),
                 );
                 let y = BoxedMontyForm::new(
-                    BoxedUint::random_bits(&mut OsRng, UINT_BITS),
+                    BoxedUint::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
                     params.clone(),
                 );
                 (x, y)

benches/const_monty.rs

@@ -2,7 +2,9 @@ use criterion::{
     black_box, criterion_group, criterion_main, measurement::Measurement, BatchSize,
     BenchmarkGroup, Criterion,
 };
-use crypto_bigint::{impl_modulus, modular::ConstMontyParams, Invert, Inverter, Random, U256};
+use crypto_bigint::{
+    impl_modulus, modular::ConstMontyParams, Invert, Inverter, Random, RandomMod, U256,
+};
 use rand_core::OsRng;
 
 #[cfg(feature = "alloc")]
@@ -19,25 +21,65 @@ type ConstMontyForm = crypto_bigint::modular::ConstMontyForm<Modulus, { U256::LI
 fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("ConstMontyForm creation", |b| {
         b.iter_batched(
-            || U256::random(&mut OsRng),
+            || U256::random_mod(&mut OsRng, Modulus::MODULUS.as_nz_ref()),
             |x| black_box(ConstMontyForm::new(&x)),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("ConstMontyForm retrieve", |b| {
         b.iter_batched(
-            || ConstMontyForm::new(&U256::random(&mut OsRng)),
+            || ConstMontyForm::random(&mut OsRng),
             |x| black_box(x.retrieve()),
             BatchSize::SmallInput,
         )
     });
 }
 
 fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
+    group.bench_function("add, U256", |b| {
+        b.iter_batched(
+            || {
+                let a = ConstMontyForm::random(&mut OsRng);
+                let b = ConstMontyForm::random(&mut OsRng);
+                (a, b)
+            },
+            |(a, b)| black_box(a).add(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("double, U256", |b| {
+        b.iter_batched(
+            || ConstMontyForm::random(&mut OsRng),
+            |a| black_box(a).double(),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("sub, U256", |b| {
+        b.iter_batched(
+            || {
+                let a = ConstMontyForm::random(&mut OsRng);
+                let b = ConstMontyForm::random(&mut OsRng);
+                (a, b)
+            },
+            |(a, b)| black_box(a).sub(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("neg, U256", |b| {
+        b.iter_batched(
+            || ConstMontyForm::random(&mut OsRng),
+            |a| black_box(a).neg(),
+            BatchSize::SmallInput,
+        )
+    });
+
     group.bench_function("invert, U256", |b| {
         b.iter_batched(
-            || ConstMontyForm::new(&U256::random(&mut OsRng)),
+            || ConstMontyForm::random(&mut OsRng),
             |x| black_box(x).invert(),
             BatchSize::SmallInput,
         )
@@ -46,7 +88,7 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("Bernstein-Yang invert, U256", |b| {
         b.iter_batched(
             || {
-                let x = ConstMontyForm::new(&U256::random(&mut OsRng));
+                let x = ConstMontyForm::random(&mut OsRng);
                 let inverter = Modulus::precompute_inverter();
                 (x, inverter)
             },
@@ -58,20 +100,27 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("multiplication, U256*U256", |b| {
         b.iter_batched(
             || {
-                let x = ConstMontyForm::new(&U256::random(&mut OsRng));
-                let y = ConstMontyForm::new(&U256::random(&mut OsRng));
+                let x = ConstMontyForm::random(&mut OsRng);
+                let y = ConstMontyForm::random(&mut OsRng);
                 (x, y)
             },
-            |(x, y)| black_box(x * y),
+            |(x, y)| black_box(x).mul(&black_box(y)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("squaring, U256*U256", |b| {
+        b.iter_batched(
+            || ConstMontyForm::random(&mut OsRng),
+            |x| black_box(x).square(),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("modpow, U256^U256", |b| {
         b.iter_batched(
             || {
-                let x = U256::random(&mut OsRng);
-                let x_m = ConstMontyForm::new(&x);
+                let x_m = ConstMontyForm::random(&mut OsRng);
                 let p = U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1));
                 (x_m, p)
             },
@@ -89,8 +138,7 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
                     || {
                         let bases_and_exponents: Vec<(ConstMontyForm, U256)> = (1..=i)
                             .map(|_| {
-                                let x = U256::random(&mut OsRng);
-                                let x_m = ConstMontyForm::new(&x);
+                                let x_m = ConstMontyForm::random(&mut OsRng);
                                 let p = U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1));
                                 (x_m, p)
                             })

benches/monty.rs

@@ -4,7 +4,7 @@ use criterion::{
 };
 use crypto_bigint::{
     modular::{MontyForm, MontyParams},
-    Invert, Inverter, Odd, PrecomputeInverter, Random, U256,
+    Invert, Inverter, Odd, PrecomputeInverter, Random, RandomMod, U256,
 };
 use rand_core::OsRng;
 
@@ -31,7 +31,7 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
     let params = MontyParams::new_vartime(Odd::<U256>::random(&mut OsRng));
     group.bench_function("MontyForm::new", |b| {
         b.iter_batched(
-            || Odd::<U256>::random(&mut OsRng),
+            || U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
             |x| black_box(MontyForm::new(&x, params)),
             BatchSize::SmallInput,
         )
@@ -40,7 +40,12 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
     let params = MontyParams::new_vartime(Odd::<U256>::random(&mut OsRng));
     group.bench_function("MontyForm retrieve", |b| {
         b.iter_batched(
-            || MontyForm::new(&U256::random(&mut OsRng), params),
+            || {
+                MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                )
+            },
             |x| black_box(x.retrieve()),
             BatchSize::SmallInput,
         )
@@ -50,9 +55,76 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
 fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     let params = MontyParams::new_vartime(Odd::<U256>::random(&mut OsRng));
 
+    group.bench_function("add, U256", |b| {
+        b.iter_batched(
+            || {
+                let a = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
+                let b = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
+                (a, b)
+            },
+            |(a, b)| black_box(a).add(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("double, U256", |b| {
+        b.iter_batched(
+            || {
+                MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                )
+            },
+            |a| black_box(a).double(),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("sub, U256", |b| {
+        b.iter_batched(
+            || {
+                let a = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
+                let b = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
+                (a, b)
+            },
+            |(a, b)| black_box(a).sub(&black_box(b)),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("neg, U256", |b| {
+        b.iter_batched(
+            || {
+                MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                )
+            },
+            |a| black_box(a).neg(),
+            BatchSize::SmallInput,
+        )
+    });
+
     group.bench_function("invert, U256", |b| {
         b.iter_batched(
-            || MontyForm::new(&U256::random(&mut OsRng), params),
+            || {
+                MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                )
+            },
             |x| black_box(x).invert(),
             BatchSize::SmallInput,
         )
@@ -61,7 +133,10 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("Bernstein-Yang invert, U256", |b| {
         b.iter_batched(
             || {
-                let x = MontyForm::new(&U256::random(&mut OsRng), params);
+                let x = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
                 let inverter = x.params().precompute_inverter();
                 (x, inverter)
             },
@@ -73,8 +148,14 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("multiplication, U256*U256", |b| {
         b.iter_batched(
             || {
-                let x = MontyForm::new(&U256::random(&mut OsRng), params);
-                let y = MontyForm::new(&U256::random(&mut OsRng), params);
+                let x = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
+                let y = MontyForm::new(
+                    &U256::random_mod(&mut OsRng, params.modulus().as_nz_ref()),
+                    params,
+                );
                 (x, y)
             },
             |(x, y)| black_box(x * y),
@@ -85,9 +166,10 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("modpow, U256^U256", |b| {
         b.iter_batched(
             || {
-                let x = U256::random(&mut OsRng);
+                let x = U256::random_mod(&mut OsRng, params.modulus().as_nz_ref());
                 let x_m = MontyForm::new(&x, params);
-                let p = U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1));
+                let p = U256::random_mod(&mut OsRng, params.modulus().as_nz_ref())
+                    | (U256::ONE << (U256::BITS - 1));
                 (x_m, p)
             },
             |(x, p)| black_box(x.pow(&p)),
@@ -104,9 +186,10 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
                     || {
                         let bases_and_exponents: Vec<(MontyForm<{ U256::LIMBS }>, U256)> = (1..=i)
                             .map(|_| {
-                                let x = U256::random(&mut OsRng);
+                                let x = U256::random_mod(&mut OsRng, params.modulus().as_nz_ref());
                                 let x_m = MontyForm::new(&x, params);
-                                let p = U256::random(&mut OsRng) | (U256::ONE << (U256::BITS - 1));
+                                let p = U256::random_mod(&mut OsRng, params.modulus().as_nz_ref())
+                                    | (U256::ONE << (U256::BITS - 1));
                                 (x_m, p)
                             })
                             .collect();

src/limb/shl.rs

@@ -11,6 +11,12 @@ impl Limb {
     pub const fn shl(self, shift: u32) -> Self {
         Limb(self.0 << shift)
     }
+
+    /// Computes `self << 1` and return the result and the carry (0 or 1).
+    #[inline(always)]
+    pub(crate) const fn shl1(self) -> (Self, Self) {
+        (Self(self.0 << 1), Self(self.0 >> Self::HI_BIT))
+    }
 }
 
 macro_rules! impl_shl {