Add efficient linear combination for Montgomery forms #666
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Andrew Whitehead <[email protected]>
Signed-off-by: Andrew Whitehead <[email protected]>
Signed-off-by: Andrew Whitehead <[email protected]>
Signed-off-by: Andrew Whitehead <[email protected]>
tarcieri
reviewed
Sep 19, 2024
| /// This is implemented as a macro to abstract over `const fn` and boxed use cases, since the latter | ||
| /// needs mutable references and thus the unstable `const_mut_refs` feature (rust-lang/rust#57349). | ||
| /// | ||
| // TODO: change this into a `const fn` when `const_mut_refs` is stable |
There was a problem hiding this comment.
Soon! #667
I guess we can add one more macro in the meantime.
tarcieri
reviewed
Sep 19, 2024
| @@ -30,6 +31,8 @@ pub struct MontyParams<const LIMBS: usize> { | |||
| /// The lowest limbs of -(MODULUS^-1) mod R | |||
| /// We only need the LSB because during reduction this value is multiplied modulo 2**Limb::BITS. | |||
| mod_neg_inv: Limb, | |||
| /// Leading zeros in the modulus, used to choose optimized algorithms | |||
| mod_leading_zeros: u32, | |||
There was a problem hiding this comment.
Hmm, I get the use cases, but this does seem like a potential sharp edge
There was a problem hiding this comment.
Vartime only!
There was a problem hiding this comment.
Yeah, I'm just worried someone down the road might use it in constant-time use cases
tarcieri
approved these changes
Sep 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements Algorithm 2 (for B=1) from Efficient Algorithms for Large Prime Characteristic Fields and Their Application to Bilinear Pairings by Patrick Longa: https://eprint.iacr.org/2022/367
This algorithm interleaves schoolbook multiplication and accumulation of multiple terms with the Montgomery reduction. For moduli with one or more leading zeros, this helps to reduce the number of reductions performed. In the
BoxedUintcase this also reduces the number of allocations required. For larger moduli it may be useful to explore the use of larger values of B along with the existing Karatsuba multiplication.As a concrete example, the calculation of
(a•b + c•d) mod musingConstMontyForm, wheremis aU256with at least one leading zero, is reduced from 50 to 32ns in my tests.