crypto-bigint icon indicating copy to clipboard operation
crypto-bigint copied to clipboard

Published 20 hours ago verified publisher icon RustCrypto

Feature wishlist tracking ticket

Open tarcieri opened this issue 4 years ago • 33 comments
trafficstars

This is a ticket for tracking desired new features for crypto-bigint and which algorithms should be used in order to implement particular features.

Unless otherwise stated, these features are implied to be for the UInt type.

  • [x] signed integers (#700)
  • [x] addition/subtraction
  • [x] multiplication algorithms
    • [x] "schoolbook"
    • [x] Karatsuba
  • [x] sqrt
  • [x] modular arithmetic
    • [x] add
    • [x] subtract
    • [x] multiply
    • [x] negate
    • [x] modulus
    • [x] pow
    • [x] sqrt
    • [x] inversions
  • [ ] bitwise operations (request other ops in comments)
    • [x] shift
    • [ ] rotate
    • [x] XOR
  • [x] fields mod n (i.e. wrapper newtypes for UInt)
  • [x] constant-time division
    • [x] by 2 (useful for elliptic-curve crates)
    • [x] arbitrary
  • [x] subtle comparisons
    • [x] ConstantTimeEq
    • [x] ConstantTimeGreater
    • [x] ConstantTimeLess
  • [ ] CRT (algorithms listed below)
  • [ ] LCM
  • [ ] GCD (algorithms listed below)
  • [x] RNG
  • [ ] Hardware acceleration / assembly (see also #572)
    • [ ] x86/x86_64
    • [ ] ARM
      • [ ] NEON

NOTE: for prime number support, see the crypto-primes crate

tarcieri avatar May 30 '21 21:05 tarcieri

  • Prime generation
  • Random < n
  • Least common multiple
  • Negative numbers
  • Inverse (available if gcd exists but nice convenience)

mikelodder7 avatar Jun 24 '21 19:06 mikelodder7

@mikelodder7 added to the list

random < n implemented in RustCrypto/utils#508. Will cut a release with that fairly soon.

Re: signed integers, yes that's definitely planned but not on this list yet, so thanks. Tentatively the idea is composing in terms of a UInt using two's complement.

Edit: released in v0.2.2 (#509)

tarcieri avatar Jun 27 '21 02:06 tarcieri

How about bit tests? Check if bit at position i is set or cleared?

mikelodder7 avatar Jul 21 '21 03:07 mikelodder7

@mikelodder7 what kind of API are you looking for there?

Would a Choice suffice, or are you looking for a secret-dependent/vartime API?

tarcieri avatar Jul 21 '21 04:07 tarcieri

Choice will suffice. Vartime not necessary.

mikelodder7 avatar Jul 21 '21 11:07 mikelodder7

Fast generation of safe primes would be great for RSA applications.

ggutoski avatar Aug 05 '21 19:08 ggutoski

It’s also great for applications that require groups of unknown order based on prime factoring like accumulator, paillier, camenisch-shoup verifiable encryption

mikelodder7 avatar Aug 05 '21 19:08 mikelodder7

I'd like to add a +1 for implementingmodpow. It's useful in older protocols such as SRP.

complexspaces avatar Aug 24 '21 16:08 complexspaces

@mikelodder7 it looks like it might be interesting to adapt the code in glass_pumpkin for (safe) prime generation, that is if we could get your blessing to license the resulting code as Apache 2.0+MIT

tarcieri avatar Aug 26 '21 21:08 tarcieri

Of course. Glass pumpkin is already licensed as Apache 2 so adapting to be dual licensed is fine too. Consider this post my legal binding statement to authorize that work.

mikelodder7 avatar Aug 26 '21 23:08 mikelodder7

It will be nice to have it integrated directly into the big int library vs a bolt-on. Many operations can be simplified since the underlying int rep is accessible. We'll need modpow and reduce at a minimum.

mikelodder7 avatar Aug 26 '21 23:08 mikelodder7

Absolutely, that'd be the goal.

Generic modpow seems a bit tricky, or at least our last attempt at it didn't work.

One option would be to have a trait for it, and implement it for specific moduli.

tarcieri avatar Aug 26 '21 23:08 tarcieri

What about using modular square and modular multiply and using conditional_select if the exponent bit is 1? Does that not work?

mikelodder7 avatar Aug 27 '21 00:08 mikelodder7

To be clear @dignifiedquire tried to add generic mulmod in RustCrypto/utils#510 but it was buggy so we backed it out.

It would be great to have a generic implementation.

tarcieri avatar Aug 27 '21 00:08 tarcieri

Doing a "better random < n" with https://github.com/apple/swift/pull/39143 in bigint is expensive compared to correct bigint rejection sampling (see RustCrypto/utils#618). As that requires multiplication of the modulus and a random number about 128 bits larger than the modulus. Basically that's O(N^2) vs O(N).

Sc00bz avatar Sep 08 '21 21:09 Sc00bz

To be clear @dignifiedquire tried to add generic mulmod in RustCrypto/utils#510 but it was buggy so we backed it out.

I'll get there, soon (TM)

dignifiedquire avatar Sep 08 '21 21:09 dignifiedquire

Need to update this list with completed features @tarcieri

mikelodder7 avatar Sep 15 '21 00:09 mikelodder7

@mikelodder7 should be updated now

tarcieri avatar Sep 15 '21 00:09 tarcieri

Modular exponentiation?

newpavlov avatar Sep 19 '21 09:09 newpavlov

It's under "modular arithmetic" as "pow". Hmm "sqrt" and "inversions" should be under the "modular arithmetic" section.

Sc00bz avatar Sep 20 '21 02:09 Sc00bz

Sorry, I reorganized the modular arithmetic section, and missed a few things along the way.

Note there is sqrt under modular arithmetic. However, I'll move inversions there.

tarcieri avatar Sep 20 '21 13:09 tarcieri

Oh I missed that. Is the other "sqrt" for floor(sqrt(n))?

P.S. I just re-found the edit history button and "pow" was added after @newpavlov's question. I thought there was edit history but it wasn't in the "…" menu.

Sc00bz avatar Sep 21 '21 13:09 Sc00bz

The other sqrt is for generic number sqrt versus modular sqrt which can take some optimizations.

mikelodder7 avatar Sep 21 '21 13:09 mikelodder7

Both are important. Integer sqrt is used in the Lucas test for prime numbers for example.

mikelodder7 avatar Sep 21 '21 13:09 mikelodder7

Modular sqrt could potentially be helpful for the elliptic curve crates, although we're presently using an algorithm (Tonelli-Shank) specialized to the modulus (q mod 16 = 1).

I'm not sure what the best algorithm to use which isn't specialized to the modulus, or if it would make sense to select an algorithm based on the modulus size. The latter might make more sense if the modulus were a const generic parameter so the best algorithm could be selected at compile time.

tarcieri avatar Sep 21 '21 14:09 tarcieri

I would suggest having the different algorithms behind specific methods, such that downstream implementors can choose the algorithm, eg fn sqrt_tonelli_shank().

dignifiedquire avatar Sep 22 '21 16:09 dignifiedquire

Would completing full num_traits::PrimInt implementation to be a good goal ? I made a test branch with stubbed out functions here, it's not too hard to complete - with an optional num_traits dependency.

The main reason is it allows easily writing generic algos that take T: PrimInt as either bignum or builtin integers.

kaidokert avatar Oct 17 '21 15:10 kaidokert

Optional num_traits support sounds great.

I would suggest following the same pattern as all the other functions that can presently support it which are currently impl'd on UInt (and Limb) though: add that functionality as const fn inherent methods, then add a trait wrapper for the inherent methods.

Based on a cursory survey of Primint, it looks like that should be possible for most if not all of those methods.

Edit: opened #158 to track num-traits support.

tarcieri avatar Oct 17 '21 15:10 tarcieri

Seems like it can be updated, all the modular arithmetic is done, and random primes are implemented by crypto-primes.

fjarri avatar May 06 '23 19:05 fjarri

Should there be regular pow for Uint and BoxedUint types - like

  • https://docs.rs/num-bigint-dig/latest/src/num_bigint_dig/biguint.rs.html#501

pinkforest avatar Apr 03 '24 11:04 pinkforest