Introduce the CtChoice newtype

Author: fjarri

src/ct_choice.rs

@@ -0,0 +1,83 @@
+use subtle::Choice;
+
+use crate::Word;
+
+/// A boolean value returned by constant-time `const fn`s.
+// TODO: should be replaced by `subtle::Choice` or `CtOption`
+// when `subtle` starts supporting const fns.
+#[derive(Debug, Copy, Clone)]
+pub struct CtChoice(Word);
+
+impl CtChoice {
+    /// The falsy vaue.
+    pub const FALSE: Self = Self(0);
+
+    /// The truthy vaue.
+    pub const TRUE: Self = Self(Word::MAX);
+
+    /// Returns the truthy value if `value == Word::MAX`, and the falsy value if `value == 0`.
+    /// Panics for other values.
+    pub(crate) const fn from_mask(value: Word) -> Self {
+        debug_assert!(value == Self::FALSE.0 || value == Self::TRUE.0);
+        Self(value)
+    }
+
+    /// Returns the truthy value if `value == 1`, and the falsy value if `value == 0`.
+    /// Panics for other values.
+    pub(crate) const fn from_lsb(value: Word) -> Self {
+        debug_assert!(value == Self::FALSE.0 || value == 1);
+        Self(value.wrapping_neg())
+    }
+
+    pub(crate) const fn not(&self) -> Self {
+        Self(!self.0)
+    }
+
+    pub(crate) const fn and(&self, other: Self) -> Self {
+        Self(self.0 & other.0)
+    }
+
+    pub(crate) const fn or(&self, other: Self) -> Self {
+        Self(self.0 | other.0)
+    }
+
+    /// Return `b` if `self` is truthy, otherwise return `a`.
+    pub(crate) const fn select(&self, a: Word, b: Word) -> Word {
+        a ^ (self.0 & (a ^ b))
+    }
+
+    /// Return `x` if `self` is truthy, otherwise return 0.
+    pub(crate) const fn if_true(&self, x: Word) -> Word {
+        x & self.0
+    }
+
+    pub(crate) const fn is_true_vartime(&self) -> bool {
+        self.0 == CtChoice::TRUE.0
+    }
+}
+
+impl From<CtChoice> for Choice {
+    fn from(choice: CtChoice) -> Self {
+        Choice::from(choice.0 as u8 & 1)
+    }
+}
+
+impl From<CtChoice> for bool {
+    fn from(choice: CtChoice) -> Self {
+        choice.is_true_vartime()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::CtChoice;
+    use crate::Word;
+
+    #[test]
+    fn select() {
+        let a: Word = 1;
+        let b: Word = 2;
+        assert_eq!(CtChoice::TRUE.select(a, b), b);
+        assert_eq!(CtChoice::FALSE.select(a, b), a);
+    }
+}

src/lib.rs

@@ -161,6 +161,7 @@ mod nlimbs;
 #[cfg(feature = "generic-array")]
 mod array;
 mod checked;
+mod ct_choice;
 mod limb;
 mod non_zero;
 mod traits;
@@ -169,7 +170,8 @@ mod wrapping;
 
 pub use crate::{
     checked::Checked,
-    limb::{CtChoice, Limb, WideWord, Word},
+    ct_choice::CtChoice,
+    limb::{Limb, WideWord, Word},
     non_zero::NonZero,
     traits::*,
     uint::div_limb::Reciprocal,

src/limb.rs

@@ -20,7 +20,7 @@ mod sub;
 #[cfg(feature = "rand_core")]
 mod rand;
 
-use crate::{Bounded, Zero};
+use crate::{Bounded, CtChoice, Zero};
 use core::fmt;
 use subtle::{Choice, ConditionallySelectable};
 
@@ -57,12 +57,6 @@ pub type WideWord = u128;
 /// Highest bit in a [`Limb`].
 pub(crate) const HI_BIT: usize = Limb::BITS - 1;
 
-/// A boolean value returned by constant-time `const fn`s.
-/// `Word::MAX` signifies `true`, and `0` signifies `false`.
-// TODO: should be replaced by `subtle::Choice` or `CtOption`
-// when `subtle` starts supporting const fns.
-pub type CtChoice = Word;
-
 /// Big integers are represented as an array of smaller CPU word-size integers
 /// called "limbs".
 #[derive(Copy, Clone, Debug, Default, Hash)]
@@ -100,7 +94,7 @@ impl Limb {
     /// Return `b` if `c` is truthy, otherwise return `a`.
     #[inline]
     pub(crate) const fn ct_select(a: Self, b: Self, c: CtChoice) -> Self {
-        Self(a.0 ^ (c & (a.0 ^ b.0)))
+        Self(c.select(a.0, b.0))
     }
 }
 

src/limb/cmp.rs

@@ -1,6 +1,7 @@
 //! Limb comparisons
 
-use super::{CtChoice, Limb, HI_BIT};
+use super::HI_BIT;
+use crate::{CtChoice, Limb};
 use core::cmp::Ordering;
 use subtle::{Choice, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess};
 
@@ -28,7 +29,7 @@ impl Limb {
     #[inline]
     pub(crate) const fn ct_is_nonzero(&self) -> CtChoice {
         let inner = self.0;
-        ((inner | inner.wrapping_neg()) >> HI_BIT).wrapping_neg()
+        CtChoice::from_lsb((inner | inner.wrapping_neg()) >> HI_BIT)
     }
 
     /// Returns the truthy value if `lhs == rhs` and the falsy value otherwise.
@@ -38,7 +39,7 @@ impl Limb {
         let y = rhs.0;
 
         // x ^ y == 0 if and only if x == y
-        !Self(x ^ y).ct_is_nonzero()
+        Self(x ^ y).ct_is_nonzero().not()
     }
 
     /// Returns the truthy value if `lhs < rhs` and the falsy value otherwise.
@@ -47,7 +48,7 @@ impl Limb {
         let x = lhs.0;
         let y = rhs.0;
         let bit = (((!x) & y) | (((!x) | y) & (x.wrapping_sub(y)))) >> (Limb::BITS - 1);
-        bit.wrapping_neg()
+        CtChoice::from_lsb(bit)
     }
 
     /// Returns the truthy value if `lhs <= rhs` and the falsy value otherwise.
@@ -56,7 +57,7 @@ impl Limb {
         let x = lhs.0;
         let y = rhs.0;
         let bit = (((!x) | y) & ((x ^ y) | !(y.wrapping_sub(x)))) >> (Limb::BITS - 1);
-        bit.wrapping_neg()
+        CtChoice::from_lsb(bit)
     }
 }
 

src/uint/add.rs

@@ -46,9 +46,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
     ) -> (Self, CtChoice) {
         let actual_rhs = Uint::ct_select(&Uint::ZERO, rhs, choice);
         let (sum, carry) = self.adc(&actual_rhs, Limb::ZERO);
-
-        debug_assert!(carry.0 == 0 || carry.0 == 1);
-        (sum, carry.0.wrapping_neg())
+        (sum, CtChoice::from_lsb(carry.0))
     }
 }
 

src/uint/bits.rs

@@ -1,14 +1,13 @@
 use crate::{CtChoice, Limb, Uint, Word};
 
 impl<const LIMBS: usize> Uint<LIMBS> {
-    /// Get the value of the bit at position `index`, as a truthy or falsy `CtChoice`.
-    /// Returns the falsy value for indices out of range.
+    /// Returns `true` if the bit at position `index` is set, `false` otherwise.
     #[inline(always)]
-    pub const fn bit_vartime(self, index: usize) -> CtChoice {
+    pub const fn bit_vartime(self, index: usize) -> bool {
         if index >= Self::BITS {
-            0
+            false
         } else {
-            ((self.limbs[index / Limb::BITS].0 >> (index % Limb::BITS)) & 1).wrapping_neg()
+            (self.limbs[index / Limb::BITS].0 >> (index % Limb::BITS)) & 1 == 1
         }
     }
 
@@ -21,14 +20,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         }
 
         let limb = self.limbs[i].0;
-        let bits = (Limb::BITS * (i + 1)) as Word - limb.leading_zeros() as Word;
-
-        Limb::ct_select(
-            Limb(bits),
-            Limb::ZERO,
-            !self.limbs[0].ct_is_nonzero() & !Limb(i as Word).ct_is_nonzero(),
-        )
-        .0 as usize
+        Limb::BITS * (i + 1) - limb.leading_zeros() as usize
     }
 
     /// Calculate the number of leading zeros in the binary representation of this number.
@@ -37,13 +29,14 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         let mut count: Word = 0;
         let mut i = LIMBS;
-        let mut mask = Word::MAX;
+        let mut nonzero_limb_not_encountered = CtChoice::TRUE;
         while i > 0 {
             i -= 1;
             let l = limbs[i];
             let z = l.leading_zeros() as Word;
-            count += z & mask;
-            mask &= !l.ct_is_nonzero();
+            count += nonzero_limb_not_encountered.if_true(z);
+            nonzero_limb_not_encountered =
+                nonzero_limb_not_encountered.and(l.ct_is_nonzero().not());
         }
 
         count as usize
@@ -55,12 +48,13 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         let mut count: Word = 0;
         let mut i = 0;
-        let mut mask = Word::MAX;
+        let mut nonzero_limb_not_encountered = CtChoice::TRUE;
         while i < LIMBS {
             let l = limbs[i];
             let z = l.trailing_zeros() as Word;
-            count += z & mask;
-            mask &= !l.ct_is_nonzero();
+            count += nonzero_limb_not_encountered.if_true(z);
+            nonzero_limb_not_encountered =
+                nonzero_limb_not_encountered.and(l.ct_is_nonzero().not());
             i += 1;
         }
 
@@ -86,17 +80,17 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         while i < LIMBS {
             let bit = limbs[i] & index_mask;
             let is_right_limb = Limb::ct_eq(limb_num, Limb(i as Word));
-            result |= bit & is_right_limb;
+            result |= is_right_limb.if_true(bit);
             i += 1;
         }
 
-        (result >> index_in_limb).wrapping_neg()
+        CtChoice::from_lsb(result >> index_in_limb)
     }
 }
 
 #[cfg(test)]
 mod tests {
-    use crate::{Word, U256};
+    use crate::U256;
 
     fn uint_with_bits_at(positions: &[usize]) -> U256 {
         let mut result = U256::ZERO;
@@ -109,25 +103,25 @@ mod tests {
     #[test]
     fn bit_vartime() {
         let u = uint_with_bits_at(&[16, 48, 112, 127, 255]);
-        assert_eq!(u.bit_vartime(0), 0);
-        assert_eq!(u.bit_vartime(1), 0);
-        assert_eq!(u.bit_vartime(16), Word::MAX);
-        assert_eq!(u.bit_vartime(127), Word::MAX);
-        assert_eq!(u.bit_vartime(255), Word::MAX);
-        assert_eq!(u.bit_vartime(256), 0);
-        assert_eq!(u.bit_vartime(260), 0);
+        assert!(!u.bit_vartime(0));
+        assert!(!u.bit_vartime(1));
+        assert!(u.bit_vartime(16));
+        assert!(u.bit_vartime(127));
+        assert!(u.bit_vartime(255));
+        assert!(!u.bit_vartime(256));
+        assert!(!u.bit_vartime(260));
     }
 
     #[test]
     fn bit() {
         let u = uint_with_bits_at(&[16, 48, 112, 127, 255]);
-        assert_eq!(u.bit(0), 0);
-        assert_eq!(u.bit(1), 0);
-        assert_eq!(u.bit(16), Word::MAX);
-        assert_eq!(u.bit(127), Word::MAX);
-        assert_eq!(u.bit(255), Word::MAX);
-        assert_eq!(u.bit(256), 0);
-        assert_eq!(u.bit(260), 0);
+        assert!(!u.bit(0).is_true_vartime());
+        assert!(!u.bit(1).is_true_vartime());
+        assert!(u.bit(16).is_true_vartime());
+        assert!(u.bit(127).is_true_vartime());
+        assert!(u.bit(255).is_true_vartime());
+        assert!(!u.bit(256).is_true_vartime());
+        assert!(!u.bit(260).is_true_vartime());
     }
 
     #[test]