Skip to content

Some simplifications of vartime division#646

Merged
tarcieri merged 2 commits intoRustCrypto:masterfrom
fjarri:simplify-div
Aug 20, 2024
Merged

Some simplifications of vartime division#646
tarcieri merged 2 commits intoRustCrypto:masterfrom
fjarri:simplify-div

Conversation

@fjarri
Copy link
Contributor

@fjarri fjarri commented Aug 11, 2024
edited
Loading

  • Extract shl/shr by a limb-sized shift into separate methods
  • Add a more detailed docstring and some debug assertions in div3by2()
  • Replaced saturating_sub with wrapping_sub in several places. While logically it is the same thing (the wrapping/saturation only happens for values that are later selected out), I think there are readability advantages. First, elsewhere in the code we use wrapping ops for selected out values (meaning "perform the subtraction without any checks, since we already have a constant-time condition for that"), so saturating_sub indicates that the algorithm actually uses the saturation mechanic. Second, in case of a bug, it will be easier to spot the consequences of a "0xffff..." value than a 0.

Questions:

  • should I move the new shl/shr methods to shl.rs/shr.rs? Are they general enough?
  • should div3by2_vartime() be moved out of div_limb.rs?

andrewwhitehead
andrewwhitehead reviewed Aug 11, 2024
View reviewed changes
andrewwhitehead
andrewwhitehead reviewed Aug 11, 2024
View reviewed changes
andrewwhitehead
andrewwhitehead reviewed Aug 11, 2024
View reviewed changes
src/uint/div_limb.rs Outdated
/// so that v1 has its most significant bit set (that is, the reciprocal's `shift` is 0).
#[inline(always)]
pub(crate) const fn div3by2(
pub(crate) const fn div3by2_vartime(
Copy link
Contributor

@andrewwhitehead andrewwhitehead Aug 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm also worried about the runtime of this method depending on the dividend value. Replacing it completely would also mess with my PR #643, do you want to do a quick review of that one?

Copy link
Contributor Author

@fjarri fjarri Aug 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original div3by2() can be preserved, of course, but I am worried about the connection of its contents and the original algorithm Q from the article. Could you add some explanations about why it actually does the same thing?

Copy link
Contributor

@andrewwhitehead andrewwhitehead Aug 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a PR to better align that method with the definition, as it doesn't look like overflow was being handled properly in the remainder.

Copy link
Member

@tarcieri tarcieri Aug 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrewwhitehead can you take a look again now that #643 is merged?

@andrewwhitehead andrewwhitehead mentioned this pull request Aug 12, 2024
Merged
@tarcieri
Copy link
Member

tarcieri commented Aug 15, 2024
edited
Loading

It seems like we should probably get #643 merged first since it might affect this.

Edit: merged!

andrewwhitehead
andrewwhitehead reviewed Aug 20, 2024
View reviewed changes
src/uint/div_limb.rs
}

(quo, rem)
quo
Copy link
Contributor

@andrewwhitehead andrewwhitehead Aug 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The constant-time division does use this remainder

Copy link
Member

@tarcieri tarcieri Aug 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I now see this broke the build: https://github.com/RustCrypto/crypto-bigint/actions/runs/10472862474/job/29003356626

@andrewwhitehead
Copy link
Contributor

andrewwhitehead commented Aug 20, 2024

Looks good to me.

I think at some point it would make sense to turn functions like shl_limb_vartime into methods on a struct like LimbsMut(&mut [Limb]), which might be a convenient way to collect and document them. Then once there is language support they could be const-ified and used by both Uint and BoxedUint.

@tarcieri tarcieri merged commit e7d3b16 into RustCrypto:master Aug 20, 2024
@tarcieri
Copy link
Member

tarcieri commented Aug 20, 2024
edited
Loading

Going to revert this merge as it broke the build. Edit: opened #658

tarcieri added a commit that referenced this pull request Aug 20, 2024
@tarcieri
Revert "Some simplifications of vartime division (#646)"
3c5f393 
This reverts commit e7d3b16.

This needs changes as upstream diverged.
tarcieri added a commit that referenced this pull request Aug 20, 2024
@tarcieri
Revert "Some simplifications of vartime division (#646)" (#658)
325e16b 
This reverts commit e7d3b16.

This needs changes as upstream diverged.
@fjarri fjarri deleted the simplify-div branch August 21, 2024 17:32
@fjarri fjarri mentioned this pull request Aug 21, 2024
Merged
tarcieri pushed a commit that referenced this pull request Aug 21, 2024
@fjarri
Some simplifications of vartime division (#661)
52fee04 
Second attempt at #646
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri approved these changes

+1 more reviewer

@andrewwhitehead andrewwhitehead andrewwhitehead left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fjarri @tarcieri @andrewwhitehead