Unify ConstMontyParams and MontyParams (#873)

Changes `ConstMontyParams` from having associated constants that
duplicate `MontyParams` to having an associated `MontyParams` constant.

`MontyParams` has `const fn` constructors, which the
`const_monty_params!` (and legacy `impl_modulus!`) macros have been
changed to use.

This gets us a bit closer to the ideal solution which would leverage the
`adt_const_params` feature (rust-lang/rust#95174), as that would allow
`ConstMontyForm` to be generic around a `MontyParams` constant.

Author: tarcieri

benches/const_monty.rs

@@ -21,7 +21,7 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
     let mut rng = ChaChaRng::from_os_rng();
     group.bench_function("ConstMontyForm creation", |b| {
         b.iter_batched(
-            || U256::random_mod(&mut rng, Modulus::MODULUS.as_nz_ref()),
+            || U256::random_mod(&mut rng, Modulus::PARAMS.modulus().as_nz_ref()),
             |x| black_box(ConstMontyForm::new(&x)),
             BatchSize::SmallInput,
         )

src/modular.rs

@@ -74,15 +74,15 @@ mod tests {
     #[test]
     fn test_montgomery_params() {
         assert_eq!(
-            Modulus1::ONE,
+            Modulus1::PARAMS.one,
             U256::from_be_hex("1824b159acc5056f998c4fefecbc4ff55884b7fa0003480200000001fffffffe")
         );
         assert_eq!(
-            Modulus1::R2,
+            Modulus1::PARAMS.r2,
             U256::from_be_hex("0748d9d99f59ff1105d314967254398f2b6cedcb87925c23c999e990f3f29c6d")
         );
         assert_eq!(
-            Modulus1::MOD_NEG_INV,
+            Modulus1::PARAMS.mod_neg_inv,
             U64::from_be_hex("fffffffeffffffff").limbs[0]
         );
     }
@@ -98,9 +98,9 @@ mod tests {
         // Divide the value R by R, which should equal 1
         assert_eq!(
             montgomery_reduction::<{ Modulus2::LIMBS }>(
-                &(Modulus2::ONE, Uint::ZERO),
-                &Modulus2::MODULUS,
-                Modulus2::MOD_NEG_INV
+                &(Modulus2::PARAMS.one, Uint::ZERO),
+                &Modulus2::PARAMS.modulus,
+                Modulus2::PARAMS.mod_neg_inv
             ),
             Uint::ONE
         );
@@ -111,25 +111,25 @@ mod tests {
         // Divide the value R^2 by R, which should equal R
         assert_eq!(
             montgomery_reduction::<{ Modulus2::LIMBS }>(
-                &(Modulus2::R2, Uint::ZERO),
-                &Modulus2::MODULUS,
-                Modulus2::MOD_NEG_INV
+                &(Modulus2::PARAMS.r2, Uint::ZERO),
+                &Modulus2::PARAMS.modulus,
+                Modulus2::PARAMS.mod_neg_inv
             ),
-            Modulus2::ONE
+            Modulus2::PARAMS.one
         );
     }
 
     #[test]
     fn test_reducing_r2_wide() {
         // Divide the value ONE^2 by R, which should equal ONE
-        let (lo, hi) = Modulus2::ONE.square().split();
+        let (lo, hi) = Modulus2::PARAMS.one.square().split();
         assert_eq!(
             montgomery_reduction::<{ Modulus2::LIMBS }>(
                 &(lo, hi),
-                &Modulus2::MODULUS,
-                Modulus2::MOD_NEG_INV
+                &Modulus2::PARAMS.modulus,
+                Modulus2::PARAMS.mod_neg_inv
             ),
-            Modulus2::ONE
+            Modulus2::PARAMS.one
         );
     }
 
@@ -138,12 +138,12 @@ mod tests {
         // Reducing xR should return x
         let x =
             U256::from_be_hex("44acf6b7e36c1342c2c5897204fe09504e1e2efb1a900377dbc4e7a6a133ec56");
-        let product = x.widening_mul(&Modulus2::ONE);
+        let product = x.widening_mul(&Modulus2::PARAMS.one);
         assert_eq!(
             montgomery_reduction::<{ Modulus2::LIMBS }>(
                 &product,
-                &Modulus2::MODULUS,
-                Modulus2::MOD_NEG_INV
+                &Modulus2::PARAMS.modulus,
+                Modulus2::PARAMS.mod_neg_inv
             ),
             x
         );
@@ -154,20 +154,21 @@ mod tests {
         // Reducing xR^2 should return xR
         let x =
             U256::from_be_hex("44acf6b7e36c1342c2c5897204fe09504e1e2efb1a900377dbc4e7a6a133ec56");
-        let product = x.widening_mul(&Modulus2::R2);
+        let product = x.widening_mul(&Modulus2::PARAMS.r2);
 
         // Computing xR mod modulus without Montgomery reduction
-        let (lo, hi) = x.widening_mul(&Modulus2::ONE);
+        let (lo, hi) = x.widening_mul(&Modulus2::PARAMS.one);
         let c = lo.concat(&hi);
-        let red = c.rem_vartime(&NonZero::new(Modulus2::MODULUS.0.concat(&U256::ZERO)).unwrap());
+        let red =
+            c.rem_vartime(&NonZero::new(Modulus2::PARAMS.modulus.0.concat(&U256::ZERO)).unwrap());
         let (lo, hi) = red.split();
         assert_eq!(hi, Uint::ZERO);
 
         assert_eq!(
             montgomery_reduction::<{ Modulus2::LIMBS }>(
                 &product,
-                &Modulus2::MODULUS,
-                Modulus2::MOD_NEG_INV
+                &Modulus2::PARAMS.modulus,
+                Modulus2::PARAMS.mod_neg_inv
             ),
             lo
         );

src/modular/boxed_monty_form.rs

@@ -8,10 +8,10 @@ mod neg;
 mod pow;
 mod sub;
 
-use super::{ConstMontyParams, Retrieve, div_by_2};
+use super::{Retrieve, div_by_2};
 use mul::BoxedMontyMultiplier;
 
-use crate::{BoxedUint, Limb, Monty, Odd, Resize, Word};
+use crate::{BoxedUint, Limb, Monty, Odd, Resize, Word, modular::MontyParams};
 use alloc::sync::Arc;
 use subtle::Choice;
 
@@ -155,23 +155,30 @@ impl BoxedMontyParams {
     pub(crate) fn mod_leading_zeros(&self) -> u32 {
         self.0.mod_leading_zeros
     }
+}
 
-    /// Create from a set of [`ConstMontyParams`].
-    pub fn from_const_params<const LIMBS: usize, P: ConstMontyParams<LIMBS>>() -> Self {
+impl<const LIMBS: usize> From<&MontyParams<LIMBS>> for BoxedMontyParams {
+    fn from(params: &MontyParams<LIMBS>) -> Self {
         Self(
             BoxedMontyParamsInner {
-                modulus: P::MODULUS.into(),
-                one: P::ONE.into(),
-                r2: P::R2.into(),
-                r3: P::R3.into(),
-                mod_neg_inv: P::MOD_NEG_INV,
-                mod_leading_zeros: P::MOD_LEADING_ZEROS,
+                modulus: params.modulus.into(),
+                one: params.one.into(),
+                r2: params.r2.into(),
+                r3: params.r3.into(),
+                mod_neg_inv: params.mod_neg_inv,
+                mod_leading_zeros: params.mod_leading_zeros,
             }
             .into(),
         )
     }
 }
 
+impl<const LIMBS: usize> From<MontyParams<LIMBS>> for BoxedMontyParams {
+    fn from(params: MontyParams<LIMBS>) -> Self {
+        BoxedMontyParams::from(&params)
+    }
+}
+
 /// An integer in Montgomery form represented using heap-allocated limbs.
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct BoxedMontyForm {

src/modular/const_monty_form.rs

@@ -9,8 +9,10 @@ mod pow;
 mod sub;
 
 use self::invert::ConstMontyFormInverter;
-use super::{Retrieve, SafeGcdInverter, div_by_2::div_by_2, reduction::montgomery_reduction};
-use crate::{ConstZero, Limb, Odd, PrecomputeInverter, Uint};
+use super::{
+    MontyParams, Retrieve, SafeGcdInverter, div_by_2::div_by_2, reduction::montgomery_reduction,
+};
+use crate::{ConstZero, Odd, PrecomputeInverter, Uint};
 use core::{fmt::Debug, marker::PhantomData};
 use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
 
@@ -39,19 +41,8 @@ pub trait ConstMontyParams<const LIMBS: usize>:
     /// Number of limbs required to encode the Montgomery form
     const LIMBS: usize;
 
-    /// The constant modulus
-    const MODULUS: Odd<Uint<LIMBS>>;
-    /// 1 in Montgomery form
-    const ONE: Uint<LIMBS>;
-    /// `R^2 mod MODULUS`, used to move into Montgomery form
-    const R2: Uint<LIMBS>;
-    /// `R^3 mod MODULUS`, used to perform a multiplicative inverse
-    const R3: Uint<LIMBS>;
-    /// The lowest limbs of -(MODULUS^-1) mod R
-    // We only need the LSB because during reduction this value is multiplied modulo 2**Limb::BITS.
-    const MOD_NEG_INV: Limb;
-    /// Leading zeros in the modulus, used to choose optimized algorithms
-    const MOD_LEADING_ZEROS: u32;
+    /// Montgomery parameters constant.
+    const PARAMS: MontyParams<LIMBS>;
 
     /// Precompute a Bernstein-Yang inverter for this modulus.
     ///
@@ -67,7 +58,7 @@ pub trait ConstMontyParams<const LIMBS: usize>:
 /// An integer in Montgomery form modulo `MOD`, represented using `LIMBS` limbs.
 /// The modulus is constant, so it cannot be set at runtime.
 ///
-/// Internally, the value is stored in Montgomery form (multiplied by MOD::ONE) until it is retrieved.
+/// Internally, the value is stored in Montgomery form (multiplied by MOD::PARAMS.one) until it is retrieved.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct ConstMontyForm<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> {
     montgomery_form: Uint<LIMBS>,
@@ -89,16 +80,16 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
 
     /// The representation of 1 mod `MOD`.
     pub const ONE: Self = Self {
-        montgomery_form: MOD::ONE,
+        montgomery_form: MOD::PARAMS.one,
         phantom: PhantomData,
     };
 
     /// Internal helper function to convert to Montgomery form;
     /// this lets us cleanly wrap the constructors.
     const fn from_integer(integer: &Uint<LIMBS>) -> Self {
-        let product = integer.widening_mul(&MOD::R2);
+        let product = integer.widening_mul(&MOD::PARAMS.r2);
         let montgomery_form =
-            montgomery_reduction::<LIMBS>(&product, &MOD::MODULUS, MOD::MOD_NEG_INV);
+            montgomery_reduction::<LIMBS>(&product, &MOD::PARAMS.modulus, MOD::PARAMS.mod_neg_inv);
 
         Self {
             montgomery_form,
@@ -115,8 +106,8 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
     pub const fn retrieve(&self) -> Uint<LIMBS> {
         montgomery_reduction::<LIMBS>(
             &(self.montgomery_form, Uint::ZERO),
-            &MOD::MODULUS,
-            MOD::MOD_NEG_INV,
+            &MOD::PARAMS.modulus,
+            MOD::PARAMS.mod_neg_inv,
         )
     }
 
@@ -146,7 +137,7 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
     /// Performs division by 2, that is returns `x` such that `x + x = self`.
     pub const fn div_by_2(&self) -> Self {
         Self {
-            montgomery_form: div_by_2(&self.montgomery_form, &MOD::MODULUS),
+            montgomery_form: div_by_2(&self.montgomery_form, &MOD::PARAMS.modulus),
             phantom: PhantomData,
         }
     }
@@ -206,7 +197,7 @@ where
     fn try_random<R: TryRngCore + ?Sized>(rng: &mut R) -> Result<Self, R::Error> {
         Ok(Self::new(&Uint::try_random_mod(
             rng,
-            MOD::MODULUS.as_nz_ref(),
+            MOD::PARAMS.modulus.as_nz_ref(),
         )?))
     }
 }
@@ -229,7 +220,7 @@ where
         D: Deserializer<'de>,
     {
         Uint::<LIMBS>::deserialize(deserializer).and_then(|montgomery_form| {
-            if montgomery_form < MOD::MODULUS.0 {
+            if montgomery_form < MOD::PARAMS.modulus.0 {
                 Ok(Self {
                     montgomery_form,
                     phantom: PhantomData,

src/modular/const_monty_form/add.rs

@@ -11,7 +11,7 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
             montgomery_form: add_montgomery_form(
                 &self.montgomery_form,
                 &rhs.montgomery_form,
-                &MOD::MODULUS,
+                &MOD::PARAMS.modulus,
             ),
             phantom: core::marker::PhantomData,
         }
@@ -20,7 +20,7 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
     /// Double `self`.
     pub const fn double(&self) -> Self {
         Self {
-            montgomery_form: double_montgomery_form(&self.montgomery_form, &MOD::MODULUS),
+            montgomery_form: double_montgomery_form(&self.montgomery_form, &MOD::PARAMS.modulus),
             phantom: core::marker::PhantomData,
         }
     }

src/modular/const_monty_form/invert.rs

@@ -31,8 +31,10 @@ where
     /// If the number was invertible, the second element of the tuple is the truthy value,
     /// otherwise it is the falsy value (in which case the first element's value is unspecified).
     pub const fn invert(&self) -> ConstCtOption<Self> {
-        let inverter =
-            <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(&MOD::MODULUS, &MOD::R2);
+        let inverter = <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(
+            &MOD::PARAMS.modulus,
+            &MOD::PARAMS.r2,
+        );
 
         let maybe_inverse = inverter.invert(&self.montgomery_form);
         let (inverse, inverse_is_some) = maybe_inverse.components_ref();
@@ -67,8 +69,10 @@ where
     /// This version is variable-time with respect to the value of `self`, but constant-time with
     /// respect to `MOD`.
     pub const fn invert_vartime(&self) -> ConstCtOption<Self> {
-        let inverter =
-            <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(&MOD::MODULUS, &MOD::R2);
+        let inverter = <Odd<Uint<SAT_LIMBS>> as PrecomputeInverter>::Inverter::new(
+            &MOD::PARAMS.modulus,
+            &MOD::PARAMS.r2,
+        );
 
         let maybe_inverse = inverter.invert_vartime(&self.montgomery_form);
         let (inverse, inverse_is_some) = maybe_inverse.components_ref();
@@ -121,7 +125,7 @@ where
     /// Create a new [`ConstMontyFormInverter`] for the given [`ConstMontyParams`].
     #[allow(clippy::new_without_default)]
     pub const fn new() -> Self {
-        let inverter = SafeGcdInverter::new(&MOD::MODULUS, &MOD::R2);
+        let inverter = SafeGcdInverter::new(&MOD::PARAMS.modulus, &MOD::PARAMS.r2);
 
         Self {
             inverter,

src/modular/const_monty_form/lincomb.rs

@@ -12,7 +12,11 @@ impl<MOD: ConstMontyParams<LIMBS>, const LIMBS: usize> ConstMontyForm<MOD, LIMBS
     /// For a modulus with leading zeros, this method is more efficient than a naive sum of products.
     pub const fn lincomb_vartime(products: &[(Self, Self)]) -> Self {
         Self {
-            montgomery_form: lincomb_const_monty_form(products, &MOD::MODULUS, MOD::MOD_NEG_INV),
+            montgomery_form: lincomb_const_monty_form(
+                products,
+                &MOD::PARAMS.modulus,
+                MOD::PARAMS.mod_neg_inv,
+            ),
             phantom: PhantomData,
         }
     }
@@ -32,7 +36,7 @@ mod tests {
             U256,
             "7fffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"
         );
-        let modulus = P::MODULUS.as_nz_ref();
+        let modulus = P::PARAMS.modulus.as_nz_ref();
 
         let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
         for n in 0..1000 {