Fix modulus leading zeros calculation for (Boxed)MontyForm (#713)

andrewwhitehead · web-flow · commit c128bbdf5b19 · 2024-12-11T12:36:26.000-07:00
Fixes #707 Signed-off-by: Andrew Whitehead <cywolf@gmail.com>
diff --git a/src/modular/boxed_monty_form.rs b/src/modular/boxed_monty_form.rs
@@ -97,7 +97,7 @@ impl BoxedMontyParams {
 
         let mod_neg_inv = Limb(Word::MIN.wrapping_sub(inv_mod_limb.limbs[0].0));
 
-        let mod_leading_zeros = modulus.as_ref().leading_zeros().max(Word::BITS - 1);
+        let mod_leading_zeros = modulus.as_ref().leading_zeros().min(Word::BITS - 1);
 
         let r3 = montgomery_reduction_boxed(&mut r2.square(), &modulus, mod_neg_inv);
 
@@ -327,12 +327,14 @@ fn convert_to_montgomery(integer: &mut BoxedUint, params: &BoxedMontyParams) {
 
 #[cfg(test)]
 mod tests {
-    use super::{BoxedMontyForm, BoxedMontyParams, BoxedUint, Odd};
+    use super::{BoxedMontyForm, BoxedMontyParams, BoxedUint, Limb, Odd};
 
     #[test]
     fn new_params_with_valid_modulus() {
         let modulus = Odd::new(BoxedUint::from(3u8)).unwrap();
-        BoxedMontyParams::new(modulus);
+        let params = BoxedMontyParams::new(modulus);
+
+        assert_eq!(params.mod_leading_zeros, Limb::BITS - 2);
     }
 
     #[test]
diff --git a/src/modular/const_monty_form/macros.rs b/src/modular/const_monty_form/macros.rs
@@ -84,3 +84,16 @@ macro_rules! const_monty_form {
         $crate::modular::ConstMontyForm::<$modulus, { $modulus::LIMBS }>::new(&$variable)
     };
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::modular::ConstMontyParams;
+    use crate::{Limb, U64};
+
+    #[test]
+    fn new_params_with_valid_modulus() {
+        impl_modulus!(Mod, U64, "0000000000000003");
+
+        assert_eq!(Mod::MOD_LEADING_ZEROS, core::cmp::min(Limb::BITS - 1, 62));
+    }
+}
diff --git a/src/modular/monty_form.rs b/src/modular/monty_form.rs
@@ -60,7 +60,7 @@ where
 
         let mod_neg_inv = Limb(Word::MIN.wrapping_sub(inv_mod.limbs[0].0));
 
-        let mod_leading_zeros = modulus.as_ref().leading_zeros().max(Word::BITS - 1);
+        let mod_leading_zeros = modulus.as_ref().leading_zeros().min(Word::BITS - 1);
 
         // `R^3 mod modulus`, used for inversion in Montgomery form.
         let r3 = montgomery_reduction(&r2.square_wide(), &modulus, mod_neg_inv);
@@ -95,7 +95,7 @@ impl<const LIMBS: usize> MontyParams<LIMBS> {
 
         let mod_neg_inv = Limb(Word::MIN.wrapping_sub(inv_mod.limbs[0].0));
 
-        let mod_leading_zeros = modulus.as_ref().leading_zeros().max(Word::BITS - 1);
+        let mod_leading_zeros = modulus.as_ref().leading_zeros_vartime().min(Word::BITS - 1);
 
         // `R^3 mod modulus`, used for inversion in Montgomery form.
         let r3 = montgomery_reduction(&r2.square_wide(), &modulus, mod_neg_inv);
@@ -337,3 +337,16 @@ impl<const LIMBS: usize> zeroize::Zeroize for MontyForm<LIMBS> {
         self.params.zeroize();
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::{Limb, MontyParams, Odd, Uint};
+
+    #[test]
+    fn new_params_with_valid_modulus() {
+        let modulus = Odd::new(Uint::from(3u8)).unwrap();
+        let params = MontyParams::<1>::new(modulus);
+
+        assert_eq!(params.mod_leading_zeros, Limb::BITS - 2);
+    }
+}
diff --git a/src/modular/monty_form/lincomb.rs b/src/modular/monty_form/lincomb.rs
@@ -39,7 +39,7 @@ mod tests {
         use rand_core::SeedableRng;
 
         let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
-        for n in 0..1000 {
+        for n in 0..1500 {
             let modulus = Odd::<U256>::random(&mut rng);
             let params = MontyParams::new_vartime(modulus);
             let m = modulus.as_nz_ref();
