crypto_bigint/uint/rand.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92
//! Random number generator support
use super::UInt;
use crate::{Limb, NonZero, Random, RandomMod};
use rand_core::{CryptoRng, RngCore};
use subtle::ConstantTimeLess;
#[cfg_attr(docsrs, doc(cfg(feature = "rand_core")))]
impl<const LIMBS: usize> Random for UInt<LIMBS> {
/// Generate a cryptographically secure random [`UInt`].
fn random(mut rng: impl CryptoRng + RngCore) -> Self {
let mut limbs = [Limb::ZERO; LIMBS];
for limb in &mut limbs {
*limb = Limb::random(&mut rng)
}
limbs.into()
}
}
#[cfg_attr(docsrs, doc(cfg(feature = "rand_core")))]
impl<const LIMBS: usize> RandomMod for UInt<LIMBS> {
/// Generate a cryptographically secure random [`UInt`] which is less than
/// a given `modulus`.
///
/// This function uses rejection sampling, a method which produces an
/// unbiased distribution of in-range values provided the underlying
/// [`CryptoRng`] is unbiased, but runs in variable-time.
///
/// The variable-time nature of the algorithm should not pose a security
/// issue so long as the underlying random number generator is truly a
/// [`CryptoRng`], where previous outputs are unrelated to subsequent
/// outputs and do not reveal information about the RNG's internal state.
fn random_mod(mut rng: impl CryptoRng + RngCore, modulus: &NonZero<Self>) -> Self {
let mut n = Self::ZERO;
// TODO(tarcieri): use `div_ceil` when available
// See: https://github.com/rust-lang/rust/issues/88581
let mut n_limbs = modulus.bits_vartime() / Limb::BIT_SIZE;
if n_limbs < LIMBS {
n_limbs += 1;
}
// Compute the highest limb of `modulus` as a `NonZero`.
// Add one to ensure `Limb::random_mod` returns values inclusive of this limb.
let modulus_hi =
NonZero::new(modulus.limbs[n_limbs.saturating_sub(1)].saturating_add(Limb::ONE))
.unwrap(); // Always at least one due to `saturating_add`
loop {
for i in 0..n_limbs {
n.limbs[i] = if (i + 1 == n_limbs) && (*modulus_hi != Limb::MAX) {
// Highest limb
Limb::random_mod(&mut rng, &modulus_hi)
} else {
Limb::random(&mut rng)
}
}
if n.ct_lt(modulus).into() {
return n;
}
}
}
}
#[cfg(test)]
mod tests {
use crate::{NonZero, RandomMod, U256};
use rand_core::SeedableRng;
#[test]
fn random_mod() {
let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
// Ensure `random_mod` runs in a reasonable amount of time
let modulus = NonZero::new(U256::from(42u8)).unwrap();
let res = U256::random_mod(&mut rng, &modulus);
// Sanity check that the return value isn't zero
assert_ne!(res, U256::ZERO);
// Ensure `random_mod` runs in a reasonable amount of time
// when the modulus is larger than 1 limb
let modulus = NonZero::new(U256::from(0x10000000000000001u128)).unwrap();
let res = U256::random_mod(&mut rng, &modulus);
// Sanity check that the return value isn't zero
assert_ne!(res, U256::ZERO);
}
}