Binary XGCD

benches/int.rs

@@ -1,7 +1,6 @@
 use std::ops::Div;
 
 use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
-use num_traits::WrappingSub;
 use rand_core::OsRng;
 
 use crypto_bigint::{NonZero, Random, I1024, I128, I2048, I256, I4096, I512};

benches/uint.rs

@@ -1,7 +1,11 @@
-use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
+use criterion::measurement::WallTime;
+use criterion::{
+    black_box, criterion_group, criterion_main, BatchSize, BenchmarkGroup, BenchmarkId, Criterion,
+};
+use crypto_bigint::modular::SafeGcdInverter;
 use crypto_bigint::{
-    Limb, NonZero, Odd, Random, RandomBits, RandomMod, Reciprocal, Uint, U1024, U128, U2048, U256,
-    U4096, U512,
+    Int, Limb, NonZero, Odd, PrecomputeInverter, Random, RandomBits, RandomMod, Reciprocal, Uint,
+    U1024, U128, U16384, U192, U2048, U256, U320, U384, U4096, U448, U512, U64, U8192,
 };
 use rand_chacha::ChaCha8Rng;
 use rand_core::{OsRng, RngCore, SeedableRng};
@@ -302,32 +306,121 @@ fn bench_division(c: &mut Criterion) {
     group.finish();
 }
 
-fn bench_gcd(c: &mut Criterion) {
-    let mut group = c.benchmark_group("greatest common divisor");
+fn gcd_bench<const LIMBS: usize, const UNSAT_LIMBS: usize>(
+    g: &mut BenchmarkGroup<WallTime>,
+    _x: Uint<LIMBS>,
+) where
+    Odd<Uint<LIMBS>>: PrecomputeInverter<Inverter = SafeGcdInverter<LIMBS, UNSAT_LIMBS>>,
+{
+    g.bench_function(BenchmarkId::new("gcd", LIMBS), |b| {
+        b.iter_batched(
+            || {
+                let f = Uint::<LIMBS>::random(&mut OsRng);
+                let g = Uint::<LIMBS>::random(&mut OsRng);
+                (f, g)
+            },
+            |(f, g)| black_box(Uint::gcd(&f, &g)),
+            BatchSize::SmallInput,
+        )
+    });
+    g.bench_function(BenchmarkId::new("bingcd", LIMBS), |b| {
+        b.iter_batched(
+            || {
+                let f = Uint::<LIMBS>::random(&mut OsRng);
+                let g = Uint::<LIMBS>::random(&mut OsRng);
+                (f, g)
+            },
+            |(f, g)| black_box(Uint::bingcd(&f, &g)),
+            BatchSize::SmallInput,
+        )
+    });
 
-    group.bench_function("gcd, U256", |b| {
+    g.bench_function(BenchmarkId::new("bingcd_small", LIMBS), |b| {
+        b.iter_batched(
+            || {
+                let f = Uint::<LIMBS>::random(&mut OsRng)
+                    .bitor(&Uint::ONE)
+                    .to_odd()
+                    .unwrap();
+                let g = Uint::<LIMBS>::random(&mut OsRng);
+                (f, g)
+            },
+            |(f, g)| black_box(f.classic_bingcd(&g)),
+            BatchSize::SmallInput,
+        )
+    });
+    g.bench_function(BenchmarkId::new("bingcd_large", LIMBS), |b| {
         b.iter_batched(
             || {
-                let f = U256::random(&mut OsRng);
-                let g = U256::random(&mut OsRng);
+                let f = Uint::<LIMBS>::random(&mut OsRng)
+                    .bitor(&Uint::ONE)
+                    .to_odd()
+                    .unwrap();
+                let g = Uint::<LIMBS>::random(&mut OsRng);
                 (f, g)
             },
-            |(f, g)| black_box(f.gcd(&g)),
+            |(f, g)| black_box(f.optimized_bingcd(&g)),
             BatchSize::SmallInput,
         )
     });
+}
+
+fn bench_gcd(c: &mut Criterion) {
+    let mut group = c.benchmark_group("greatest common divisor");
+
+    gcd_bench(&mut group, U64::ZERO);
+    gcd_bench(&mut group, U128::ZERO);
+    gcd_bench(&mut group, U192::ZERO);
+    gcd_bench(&mut group, U256::ZERO);
+    gcd_bench(&mut group, U320::ZERO);
+    gcd_bench(&mut group, U384::ZERO);
+    gcd_bench(&mut group, U448::ZERO);
+    gcd_bench(&mut group, U512::ZERO);
+    gcd_bench(&mut group, U1024::ZERO);
+    gcd_bench(&mut group, U2048::ZERO);
+    gcd_bench(&mut group, U4096::ZERO);
+    gcd_bench(&mut group, U8192::ZERO);
+    gcd_bench(&mut group, U16384::ZERO);
+
+    group.finish();
+}
 
-    group.bench_function("gcd_vartime, U256", |b| {
+fn xgcd_bench<const LIMBS: usize, const UNSAT_LIMBS: usize>(
+    g: &mut BenchmarkGroup<WallTime>,
+    _x: Uint<LIMBS>,
+) where
+    Odd<Uint<LIMBS>>: PrecomputeInverter<Inverter = SafeGcdInverter<LIMBS, UNSAT_LIMBS>>,
+{
+    g.bench_function(BenchmarkId::new("binxgcd", LIMBS), |b| {
         b.iter_batched(
             || {
-                let f = Odd::<U256>::random(&mut OsRng);
-                let g = U256::random(&mut OsRng);
+                let modulus = Int::MIN.as_uint().wrapping_add(&Uint::ONE).to_nz().unwrap();
+                let f = Uint::<LIMBS>::random_mod(&mut OsRng, &modulus).as_int();
+                let g = Uint::<LIMBS>::random_mod(&mut OsRng, &modulus).as_int();
                 (f, g)
             },
-            |(f, g)| black_box(f.gcd_vartime(&g)),
+            |(f, g)| black_box(f.binxgcd(&g)),
             BatchSize::SmallInput,
         )
     });
+}
+
+fn bench_xgcd(c: &mut Criterion) {
+    let mut group = c.benchmark_group("greatest common divisor");
+
+    xgcd_bench(&mut group, U64::ZERO);
+    xgcd_bench(&mut group, U128::ZERO);
+    xgcd_bench(&mut group, U192::ZERO);
+    xgcd_bench(&mut group, U256::ZERO);
+    xgcd_bench(&mut group, U320::ZERO);
+    xgcd_bench(&mut group, U384::ZERO);
+    xgcd_bench(&mut group, U448::ZERO);
+    xgcd_bench(&mut group, U512::ZERO);
+    xgcd_bench(&mut group, U1024::ZERO);
+    xgcd_bench(&mut group, U2048::ZERO);
+    xgcd_bench(&mut group, U4096::ZERO);
+    xgcd_bench(&mut group, U8192::ZERO);
+    xgcd_bench(&mut group, U16384::ZERO);
 
     group.finish();
 }
@@ -491,6 +584,7 @@ criterion_group!(
     bench_mul,
     bench_division,
     bench_gcd,
+    bench_xgcd,
     bench_shl,
     bench_shr,
     bench_inv_mod,

src/const_choice.rs

@@ -413,6 +413,20 @@ impl<const LIMBS: usize> ConstCtOption<(Uint<LIMBS>, Uint<LIMBS>)> {
     }
 }
 
+impl<const LIMBS: usize> ConstCtOption<(Uint<LIMBS>, ConstChoice)> {
+    /// Returns the contained value, consuming the `self` value.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the value is none with a custom panic message provided by
+    /// `msg`.
+    #[inline]
+    pub const fn expect(self, msg: &str) -> (Uint<LIMBS>, ConstChoice) {
+        assert!(self.is_some.is_true_vartime(), "{}", msg);
+        self.value
+    }
+}
+
 impl<const LIMBS: usize> ConstCtOption<NonZero<Uint<LIMBS>>> {
     /// Returns the contained value, consuming the `self` value.
     ///
@@ -461,6 +475,34 @@ impl<const LIMBS: usize> ConstCtOption<Int<LIMBS>> {
     }
 }
 
+impl<const LIMBS: usize> ConstCtOption<NonZero<Int<LIMBS>>> {
+    /// Returns the contained value, consuming the `self` value.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the value is none with a custom panic message provided by
+    /// `msg`.
+    #[inline]
+    pub const fn expect(self, msg: &str) -> NonZero<Int<LIMBS>> {
+        assert!(self.is_some.is_true_vartime(), "{}", msg);
+        self.value
+    }
+}
+
+impl<const LIMBS: usize> ConstCtOption<Odd<Int<LIMBS>>> {
+    /// Returns the contained value, consuming the `self` value.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the value is none with a custom panic message provided by
+    /// `msg`.
+    #[inline]
+    pub const fn expect(self, msg: &str) -> Odd<Int<LIMBS>> {
+        assert!(self.is_some.is_true_vartime(), "{}", msg);
+        self.value
+    }
+}
+
 impl ConstCtOption<NonZero<Limb>> {
     /// Returns the contained value, consuming the `self` value.
     ///

src/int.rs

@@ -12,6 +12,7 @@ use crate::Encoding;
 use crate::{Bounded, ConstChoice, ConstCtOption, Constants, Limb, NonZero, Odd, Uint, Word};
 
 mod add;
+mod bingcd;
 mod bit_and;
 mod bit_not;
 mod bit_or;
@@ -119,7 +120,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
     }
 
     /// Borrow the limbs of this [`Int`] mutably.
-    pub fn as_limbs_mut(&mut self) -> &mut [Limb; LIMBS] {
+    pub const fn as_limbs_mut(&mut self) -> &mut [Limb; LIMBS] {
         self.0.as_limbs_mut()
     }