Variable-time modular inversion support (#731)

Adds (back) support for computing modular inversions in variable-time
with respect to the value being inverted, which computes the specific
number of safegcd divsteps to perform based on the input, as opposed to
using a worst case number based on the bit length.

Closes #728

Author: tarcieri

src/modular/boxed_monty_form/inv.rs

@@ -10,19 +10,34 @@ use core::fmt;
 use subtle::CtOption;
 
 impl BoxedMontyForm {
-    /// Computes `self^-1` representing the multiplicative inverse of `self`.
-    /// I.e. `self * self^-1 = 1`.
+    /// Computes `self^-1` representing the multiplicative inverse of `self`,
+    /// i.e. `self * self^-1 = 1`.
     pub fn invert(&self) -> CtOption<Self> {
         let inverter = self.params.precompute_inverter();
         inverter.invert(self)
     }
+
+    /// Computes `self^-1` representing the multiplicative inverse of `self`,
+    /// i.e. `self * self^-1 = 1`.
+    ///
+    /// This version is variable-time with respect to the value of `self`, but constant-time with
+    /// respect to `self`'s `params`.
+    pub fn invert_vartime(&self) -> CtOption<Self> {
+        let inverter = self.params.precompute_inverter();
+        inverter.invert_vartime(self)
+    }
 }
 
 impl Invert for BoxedMontyForm {
     type Output = CtOption<Self>;
+
     fn invert(&self) -> Self::Output {
         self.invert()
     }
+
+    fn invert_vartime(&self) -> Self::Output {
+        self.invert_vartime()
+    }
 }
 
 impl PrecomputeInverter for BoxedMontyParams {
@@ -62,6 +77,20 @@ impl Inverter for BoxedMontyFormInverter {
 
         CtOption::new(ret, is_some)
     }
+
+    fn invert_vartime(&self, value: &BoxedMontyForm) -> CtOption<Self::Output> {
+        debug_assert_eq!(self.params, value.params);
+
+        let montgomery_form = self.inverter.invert_vartime(&value.montgomery_form);
+        let is_some = montgomery_form.is_some();
+        let montgomery_form2 = value.montgomery_form.clone();
+        let ret = BoxedMontyForm {
+            montgomery_form: Option::from(montgomery_form).unwrap_or(montgomery_form2),
+            params: value.params.clone(),
+        };
+
+        CtOption::new(ret, is_some)
+    }
 }
 
 impl fmt::Debug for BoxedMontyFormInverter {

src/modular/const_monty_form/inv.rs

@@ -15,8 +15,9 @@ where
         Output = Uint<SAT_LIMBS>,
     >,
 {
-    /// Computes `self^-1` representing the multiplicative inverse of `self`.
-    /// I.e. `self * self^-1 = 1`.
+    /// Computes `self^-1` representing the multiplicative inverse of `self`,
+    /// i.e. `self * self^-1 = 1`.
+    ///
     /// If the number was invertible, the second element of the tuple is the truthy value,
     /// otherwise it is the falsy value (in which case the first element's value is unspecified).
     pub const fn inv(&self) -> ConstCtOption<Self> {
@@ -33,6 +34,29 @@ where
 
         ConstCtOption::new(ret, inverse_is_some)
     }
+
+    /// Computes `self^-1` representing the multiplicative inverse of `self`,
+    /// i.e. `self * self^-1 = 1`.
+    ///
+    /// If the number was invertible, the second element of the tuple is the truthy value,
+    /// otherwise it is the falsy value (in which case the first element's value is unspecified).
+    ///
+    /// This version is variable-time with respect to the value of `self`, but constant-time with
+    /// respect to `MOD`.
+    pub const fn inv_vartime(&self) -> ConstCtOption<Self> {
+        let inverter =
+            <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(&MOD::MODULUS, &MOD::R2);
+
+        let maybe_inverse = inverter.inv_vartime(&self.montgomery_form);
+        let (inverse, inverse_is_some) = maybe_inverse.components_ref();
+
+        let ret = Self {
+            montgomery_form: *inverse,
+            phantom: PhantomData,
+        };
+
+        ConstCtOption::new(ret, inverse_is_some)
+    }
 }
 
 impl<MOD: ConstMontyParams<SAT_LIMBS>, const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Invert
@@ -44,9 +68,14 @@ where
     >,
 {
     type Output = CtOption<Self>;
+
     fn invert(&self) -> Self::Output {
         self.inv().into()
     }
+
+    fn invert_vartime(&self) -> Self::Output {
+        self.inv_vartime().into()
+    }
 }
 
 /// Bernstein-Yang inverter which inverts [`ConstMontyForm`] types.
@@ -91,6 +120,24 @@ where
         };
         ConstCtOption::new(ret, is_some)
     }
+
+    /// Returns either the adjusted modular multiplicative inverse for the argument or None
+    /// depending on invertibility of the argument, i.e. its coprimality with the modulus.
+    ///
+    /// This version is variable-time with respect to the value of `self`, but constant-time with
+    /// respect to `MOD`.
+    pub const fn inv_vartime(
+        &self,
+        value: &ConstMontyForm<MOD, SAT_LIMBS>,
+    ) -> ConstCtOption<ConstMontyForm<MOD, SAT_LIMBS>> {
+        let montgomery_form = self.inverter.inv_vartime(&value.montgomery_form);
+        let (montgomery_form_ref, is_some) = montgomery_form.components_ref();
+        let ret = ConstMontyForm {
+            montgomery_form: *montgomery_form_ref,
+            phantom: PhantomData,
+        };
+        ConstCtOption::new(ret, is_some)
+    }
 }
 
 impl<MOD: ConstMontyParams<SAT_LIMBS>, const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Inverter
@@ -106,6 +153,10 @@ where
     fn invert(&self, value: &ConstMontyForm<MOD, SAT_LIMBS>) -> CtOption<Self::Output> {
         self.inv(value).into()
     }
+
+    fn invert_vartime(&self, value: &ConstMontyForm<MOD, SAT_LIMBS>) -> CtOption<Self::Output> {
+        self.inv_vartime(value).into()
+    }
 }
 
 impl<MOD: ConstMontyParams<SAT_LIMBS>, const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> fmt::Debug

src/modular/monty_form/inv.rs

@@ -16,7 +16,8 @@ where
     >,
 {
     /// Computes `self^-1` representing the multiplicative inverse of `self`.
-    /// I.e. `self * self^-1 = 1`.
+    /// i.e. `self * self^-1 = 1`.
+    ///
     /// If the number was invertible, the second element of the tuple is the truthy value,
     /// otherwise it is the falsy value (in which case the first element's value is unspecified).
     pub const fn inv(&self) -> ConstCtOption<Self> {
@@ -35,6 +36,31 @@ where
 
         ConstCtOption::new(ret, inverse_is_some)
     }
+
+    /// Computes `self^-1` representing the multiplicative inverse of `self`.
+    /// i.e. `self * self^-1 = 1`.
+    ///
+    /// If the number was invertible, the second element of the tuple is the truthy value,
+    /// otherwise it is the falsy value (in which case the first element's value is unspecified).
+    ///
+    /// This version is variable-time with respect to the value of `self`, but constant-time with
+    /// respect to `self`'s `params`.
+    pub const fn inv_vartime(&self) -> ConstCtOption<Self> {
+        let inverter = <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(
+            &self.params.modulus,
+            &self.params.r2,
+        );
+
+        let maybe_inverse = inverter.inv_vartime(&self.montgomery_form);
+        let (inverse, inverse_is_some) = maybe_inverse.components_ref();
+
+        let ret = Self {
+            montgomery_form: *inverse,
+            params: self.params,
+        };
+
+        ConstCtOption::new(ret, inverse_is_some)
+    }
 }
 
 impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Invert for MontyForm<SAT_LIMBS>
@@ -49,6 +75,10 @@ where
     fn invert(&self) -> Self::Output {
         self.inv().into()
     }
+
+    fn invert_vartime(&self) -> Self::Output {
+        self.inv_vartime().into()
+    }
 }
 
 impl<const LIMBS: usize> PrecomputeInverter for MontyParams<LIMBS>
@@ -92,6 +122,17 @@ where
                 params: value.params,
             })
     }
+
+    fn invert_vartime(&self, value: &MontyForm<LIMBS>) -> CtOption<Self::Output> {
+        debug_assert_eq!(self.params, value.params);
+
+        self.inverter
+            .invert_vartime(&value.montgomery_form)
+            .map(|montgomery_form| MontyForm {
+                montgomery_form,
+                params: value.params,
+            })
+    }
 }
 
 impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> fmt::Debug for MontyFormInverter<SAT_LIMBS>

src/modular/safegcd.rs

@@ -73,7 +73,7 @@ impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> SafeGcdInverter<SAT_LIMBS
     }
 
     /// Returns either the adjusted modular multiplicative inverse for the argument or `None`
-    /// depending on invertibility of the argument, i.e. its coprimality with the modulus
+    /// depending on invertibility of the argument, i.e. its coprimality with the modulus.
     pub const fn inv(&self, value: &Uint<SAT_LIMBS>) -> ConstCtOption<Uint<SAT_LIMBS>> {
         let (d, f) = divsteps(
             self.adjuster,
@@ -91,6 +91,27 @@ impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> SafeGcdInverter<SAT_LIMBS
         ConstCtOption::new(ret.to_uint(), is_some)
     }
 
+    /// Returns either the adjusted modular multiplicative inverse for the argument or `None`
+    /// depending on invertibility of the argument, i.e. its coprimality with the modulus.
+    ///
+    /// This version is variable-time with respect to `value`.
+    pub const fn inv_vartime(&self, value: &Uint<SAT_LIMBS>) -> ConstCtOption<Uint<SAT_LIMBS>> {
+        let (d, f) = divsteps_vartime(
+            self.adjuster,
+            self.modulus,
+            UnsatInt::from_uint(value),
+            self.inverse,
+        );
+
+        // At this point the absolute value of "f" equals the greatest common divisor of the
+        // integer to be inverted and the modulus the inverter was created for.
+        // Thus, if "f" is neither 1 nor -1, then the sought inverse does not exist.
+        let antiunit = f.eq(&UnsatInt::MINUS_ONE);
+        let ret = self.norm(d, antiunit);
+        let is_some = f.eq(&UnsatInt::ONE).or(antiunit);
+        ConstCtOption::new(ret.to_uint(), is_some)
+    }
+
     /// Returns the greatest common divisor (GCD) of the two given numbers.
     ///
     /// This is defined on this type to piggyback on the definitions for `SAT_LIMBS` and
@@ -142,6 +163,10 @@ impl<const SAT_LIMBS: usize, const UNSAT_LIMBS: usize> Inverter
     fn invert(&self, value: &Uint<SAT_LIMBS>) -> CtOption<Self::Output> {
         self.inv(value).into()
     }
+
+    fn invert_vartime(&self, value: &Uint<SAT_LIMBS>) -> CtOption<Self::Output> {
+        self.inv_vartime(value).into()
+    }
 }
 
 /// Returns the multiplicative inverse of the argument modulo 2^62. The implementation is based

src/modular/safegcd/boxed.rs

@@ -67,6 +67,21 @@ impl Inverter for BoxedSafeGcdInverter {
 
         CtOption::new(ret.to_uint(value.bits_precision()), is_some)
     }
+
+    fn invert_vartime(&self, value: &BoxedUint) -> CtOption<Self::Output> {
+        let mut d = BoxedUnsatInt::zero(self.modulus.nlimbs());
+        let mut g = BoxedUnsatInt::from(value).widen(d.nlimbs());
+        let f = divsteps_vartime(&mut d, &self.adjuster, &self.modulus, &mut g, self.inverse);
+
+        // At this point the absolute value of "f" equals the greatest common divisor of the
+        // integer to be inverted and the modulus the inverter was created for.
+        // Thus, if "f" is neither 1 nor -1, then the sought inverse does not exist.
+        let antiunit = f.is_minus_one();
+        let ret = self.norm(d, antiunit);
+        let is_some = f.is_one() | antiunit;
+
+        CtOption::new(ret.to_uint(value.bits_precision()), is_some)
+    }
 }
 
 /// Compute the number of unsaturated limbs needed to represent a saturated integer with the given

src/traits.rs

@@ -220,9 +220,15 @@ pub trait Inverter {
     /// Output of an inversion.
     type Output;
 
-    /// Compute a modular inversion, returning `None` if the result is undefined (i.e. if `value` is zero or isn't
-    /// prime relative to the modulus).
+    /// Compute a modular inversion, returning `None` if the result is undefined (i.e. if `value` is
+    /// zero or isn't prime relative to the modulus).
     fn invert(&self, value: &Self::Output) -> CtOption<Self::Output>;
+
+    /// Compute a modular inversion, returning `None` if the result is undefined (i.e. if `value` is
+    /// zero or isn't prime relative to the modulus).
+    ///
+    /// This version is variable-time with respect to `value`.
+    fn invert_vartime(&self, value: &Self::Output) -> CtOption<Self::Output>;
 }
 
 /// Obtain a precomputed inverter for efficiently computing modular inversions for a given modulus.
@@ -757,6 +763,9 @@ pub trait Invert: Sized {
 
     /// Computes the inverse.
     fn invert(&self) -> Self::Output;
+
+    /// Computes the inverse in variable-time.
+    fn invert_vartime(&self) -> Self::Output;
 }
 
 /// Widening multiply: returns a value with a number of limbs equal to the sum of the inputs.

tests/safegcd.rs

@@ -51,6 +51,10 @@ proptest! {
             let inv_bi = to_biguint(&actual);
             let res = (inv_bi * x_bi) % p_bi;
             prop_assert_eq!(res, BigUint::one());
+
+            // check vartime implementation equivalence
+            let actual_vartime = inverter.invert_vartime(&x).unwrap();
+            prop_assert_eq!(actual, actual_vartime);
         }
     }
 
@@ -73,6 +77,10 @@ proptest! {
             let inv_bi = to_biguint(&actual);
             let res = (inv_bi * x_bi) % p_bi;
             prop_assert_eq!(res, BigUint::one());
+
+            // check vartime implementation equivalence
+            let actual_vartime = inverter.invert_vartime(&x).unwrap();
+            prop_assert_eq!(actual, actual_vartime);
         }
     }
 }