Split Uint::mul_mod and Uint::mul_mod_vartime (#623)

The previous `mul_mod` was variable-time with respect to the modulus.

This adds a proper constant-time version.

It also changes the `p` argument to be `NonZero<Self>`.

Author: tarcieri

Cargo.lock

@@ -3,28 +3,44 @@
 use crate::{
     modular::{MontyForm, MontyParams},
     primitives::mul_rem,
-    Limb, MulMod, Uint, WideWord, Word,
+    Concat, Limb, MulMod, NonZero, Split, Uint, WideWord, Word,
 };
 
 impl<const LIMBS: usize> Uint<LIMBS> {
     /// Computes `self * rhs mod p` for odd `p`.
     ///
-    /// Panics if `p` is even.
-    // TODO(tarcieri): support for even `p`?
-    pub fn mul_mod(&self, rhs: &Uint<LIMBS>, p: &Uint<LIMBS>) -> Uint<LIMBS> {
+    /// Panics if `p` is even. (TODO: support even `p`)
+    pub fn mul_mod<const WIDE_LIMBS: usize>(
+        &self,
+        rhs: &Uint<LIMBS>,
+        p: &NonZero<Uint<LIMBS>>,
+    ) -> Uint<LIMBS>
+    where
+        Uint<LIMBS>: Concat<Output = Uint<WIDE_LIMBS>>,
+        Uint<WIDE_LIMBS>: Split<Output = Uint<LIMBS>>,
+    {
         // NOTE: the overhead of converting to Montgomery form to perform this operation and then
         // immediately converting out of Montgomery form after just a single operation is likely to
         // be higher than other possible implementations of this function, such as using a
         // Barrett reduction instead.
         //
         // It's worth potentially exploring other approaches to improve efficiency.
-        match p.to_odd().into() {
-            Some(odd_p) => {
-                let params = MontyParams::new_vartime(odd_p);
-                (MontyForm::new(self, params) * MontyForm::new(rhs, params)).retrieve()
-            }
-            None => todo!("even moduli are currently unsupported"),
-        }
+        let params = MontyParams::new(p.to_odd().expect("p should be odd"));
+        (MontyForm::new(self, params) * MontyForm::new(rhs, params)).retrieve()
+    }
+
+    /// Computes `self * rhs mod p` for odd `p` in variable time with respect to `p`.
+    ///
+    /// Panics if `p` is even. (TODO: support even `p`)
+    pub fn mul_mod_vartime(&self, rhs: &Uint<LIMBS>, p: &NonZero<Uint<LIMBS>>) -> Uint<LIMBS> {
+        // NOTE: the overhead of converting to Montgomery form to perform this operation and then
+        // immediately converting out of Montgomery form after just a single operation is likely to
+        // be higher than other possible implementations of this function, such as using a
+        // Barrett reduction instead.
+        //
+        // It's worth potentially exploring other approaches to improve efficiency.
+        let params = MontyParams::new_vartime(p.to_odd().expect("p should be odd"));
+        (MontyForm::new(self, params) * MontyForm::new(rhs, params)).retrieve()
     }
 
     /// Computes `self * rhs mod p` for the special modulus
@@ -64,7 +80,7 @@ impl<const LIMBS: usize> MulMod for Uint<LIMBS> {
     type Output = Self;
 
     fn mul_mod(&self, rhs: &Self, p: &Self) -> Self {
-        self.mul_mod(rhs, p)
+        self.mul_mod_vartime(rhs, &NonZero::new(*p).expect("p should be non-zero"))
     }
 }
 

src/uint/mul_mod.rs

@@ -188,7 +188,7 @@ proptest! {
         let p_bi = to_biguint(&P);
 
         let expected = to_uint((a_bi * b_bi) % p_bi);
-        let actual = a.mul_mod(&b, &P);
+        let actual = a.mul_mod_vartime(&b, P.as_nz_ref());
 
         assert!(expected < P);
         assert!(actual < P);