crypto_bigint/uint/
sub_mod.rs

1//! [`UInt`] subtraction modulus operations.
2
3use crate::{Limb, SubMod, UInt};
4
5impl<const LIMBS: usize> UInt<LIMBS> {
6    /// Computes `self - rhs mod p` in constant time.
7    ///
8    /// Assumes `self - rhs` as unbounded signed integer is in `[-p, p)`.
9    pub const fn sub_mod(&self, rhs: &UInt<LIMBS>, p: &UInt<LIMBS>) -> UInt<LIMBS> {
10        let (mut out, borrow) = self.sbb(rhs, Limb::ZERO);
11
12        // If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise
13        // borrow = 0x000...000. Thus, we use it as a mask to conditionally add the modulus.
14        let mut carry = Limb::ZERO;
15        let mut i = 0;
16
17        while i < LIMBS {
18            let (l, c) = out.limbs[i].adc(p.limbs[i].bitand(borrow), carry);
19            out.limbs[i] = l;
20            carry = c;
21            i += 1;
22        }
23
24        out
25    }
26
27    /// Computes `self - rhs mod p` in constant time for the special modulus
28    /// `p = MAX+1-c` where `c` is small enough to fit in a single [`Limb`].
29    ///
30    /// Assumes `self - rhs` as unbounded signed integer is in `[-p, p)`.
31    pub const fn sub_mod_special(&self, rhs: &Self, c: Limb) -> Self {
32        let (out, borrow) = self.sbb(rhs, Limb::ZERO);
33
34        // If underflow occurred, then we need to subtract `c` to account for
35        // the underflow. This cannot underflow due to the assumption
36        // `self - rhs >= -p`.
37        let l = borrow.0 & c.0;
38        let (out, _) = out.sbb(&UInt::from_word(l), Limb::ZERO);
39        out
40    }
41}
42
43impl<const LIMBS: usize> SubMod for UInt<LIMBS> {
44    type Output = Self;
45
46    fn sub_mod(&self, rhs: &Self, p: &Self) -> Self {
47        debug_assert!(self < p);
48        debug_assert!(rhs < p);
49        self.sub_mod(rhs, p)
50    }
51}
52
53#[cfg(all(test, feature = "rand"))]
54mod tests {
55    use crate::{Limb, NonZero, Random, RandomMod, UInt};
56    use rand_core::SeedableRng;
57
58    macro_rules! test_sub_mod {
59        ($size:expr, $test_name:ident) => {
60            #[test]
61            fn $test_name() {
62                let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
63                let moduli = [
64                    NonZero::<UInt<$size>>::random(&mut rng),
65                    NonZero::<UInt<$size>>::random(&mut rng),
66                ];
67
68                for p in &moduli {
69                    let base_cases = [
70                        (1u64, 0u64, 1u64.into()),
71                        (0, 1, p.wrapping_sub(&1u64.into())),
72                        (0, 0, 0u64.into()),
73                    ];
74                    for (a, b, c) in &base_cases {
75                        let a: UInt<$size> = (*a).into();
76                        let b: UInt<$size> = (*b).into();
77
78                        let x = a.sub_mod(&b, p);
79                        assert_eq!(*c, x, "{} - {} mod {} = {} != {}", a, b, p, x, c);
80                    }
81
82                    if $size > 1 {
83                        for _i in 0..100 {
84                            let a: UInt<$size> = Limb::random(&mut rng).into();
85                            let b: UInt<$size> = Limb::random(&mut rng).into();
86                            let (a, b) = if a < b { (b, a) } else { (a, b) };
87
88                            let c = a.sub_mod(&b, p);
89                            assert!(c < **p, "not reduced");
90                            assert_eq!(c, a.wrapping_sub(&b), "result incorrect");
91                        }
92                    }
93
94                    for _i in 0..100 {
95                        let a = UInt::<$size>::random_mod(&mut rng, p);
96                        let b = UInt::<$size>::random_mod(&mut rng, p);
97
98                        let c = a.sub_mod(&b, p);
99                        assert!(c < **p, "not reduced: {} >= {} ", c, p);
100
101                        let x = a.wrapping_sub(&b);
102                        if a >= b && x < **p {
103                            assert_eq!(c, x, "incorrect result");
104                        }
105                    }
106                }
107            }
108        };
109    }
110
111    macro_rules! test_sub_mod_special {
112        ($size:expr, $test_name:ident) => {
113            #[test]
114            fn $test_name() {
115                let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
116                let moduli = [
117                    NonZero::<Limb>::random(&mut rng),
118                    NonZero::<Limb>::random(&mut rng),
119                ];
120
121                for special in &moduli {
122                    let p = &NonZero::new(UInt::ZERO.wrapping_sub(&UInt::from_word(special.0)))
123                        .unwrap();
124
125                    let minus_one = p.wrapping_sub(&UInt::ONE);
126
127                    let base_cases = [
128                        (UInt::ZERO, UInt::ZERO, UInt::ZERO),
129                        (UInt::ONE, UInt::ZERO, UInt::ONE),
130                        (UInt::ZERO, UInt::ONE, minus_one),
131                        (minus_one, minus_one, UInt::ZERO),
132                        (UInt::ZERO, minus_one, UInt::ONE),
133                    ];
134                    for (a, b, c) in &base_cases {
135                        let x = a.sub_mod_special(&b, *special.as_ref());
136                        assert_eq!(*c, x, "{} - {} mod {} = {} != {}", a, b, p, x, c);
137                    }
138
139                    for _i in 0..100 {
140                        let a = UInt::<$size>::random_mod(&mut rng, p);
141                        let b = UInt::<$size>::random_mod(&mut rng, p);
142
143                        let c = a.sub_mod_special(&b, *special.as_ref());
144                        assert!(c < **p, "not reduced: {} >= {} ", c, p);
145
146                        let expected = a.sub_mod(&b, p);
147                        assert_eq!(c, expected, "incorrect result");
148                    }
149                }
150            }
151        };
152    }
153
154    // Test requires 1-limb is capable of representing a 64-bit integer
155    #[cfg(target_pointer_width = "64")]
156    test_sub_mod!(1, sub1);
157
158    test_sub_mod!(2, sub2);
159    test_sub_mod!(3, sub3);
160    test_sub_mod!(4, sub4);
161    test_sub_mod!(5, sub5);
162    test_sub_mod!(6, sub6);
163    test_sub_mod!(7, sub7);
164    test_sub_mod!(8, sub8);
165    test_sub_mod!(9, sub9);
166    test_sub_mod!(10, sub10);
167    test_sub_mod!(11, sub11);
168    test_sub_mod!(12, sub12);
169
170    test_sub_mod_special!(1, sub_mod_special_1);
171    test_sub_mod_special!(2, sub_mod_special_2);
172    test_sub_mod_special!(3, sub_mod_special_3);
173    test_sub_mod_special!(4, sub_mod_special_4);
174    test_sub_mod_special!(5, sub_mod_special_5);
175    test_sub_mod_special!(6, sub_mod_special_6);
176    test_sub_mod_special!(7, sub_mod_special_7);
177    test_sub_mod_special!(8, sub_mod_special_8);
178    test_sub_mod_special!(9, sub_mod_special_9);
179    test_sub_mod_special!(10, sub_mod_special_10);
180    test_sub_mod_special!(11, sub_mod_special_11);
181    test_sub_mod_special!(12, sub_mod_special_12);
182}