Add RandomBits trait (#510)

Adds a trait for generating a random number of a given bit size.

Author: fjarri

benches/boxed_monty.rs

@@ -4,7 +4,7 @@ use criterion::{
 };
 use crypto_bigint::{
     modular::{BoxedMontyForm, BoxedMontyParams},
-    BoxedUint, Odd, RandomMod,
+    BoxedUint, Odd, RandomBits, RandomMod,
 };
 use num_bigint::BigUint;
 use rand_core::OsRng;
@@ -35,10 +35,14 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("multiplication, BoxedUint*BoxedUint", |b| {
         b.iter_batched(
             || {
-                let x =
-                    BoxedMontyForm::new(BoxedUint::random(&mut OsRng, UINT_BITS), params.clone());
-                let y =
-                    BoxedMontyForm::new(BoxedUint::random(&mut OsRng, UINT_BITS), params.clone());
+                let x = BoxedMontyForm::new(
+                    BoxedUint::random_bits(&mut OsRng, UINT_BITS),
+                    params.clone(),
+                );
+                let y = BoxedMontyForm::new(
+                    BoxedUint::random_bits(&mut OsRng, UINT_BITS),
+                    params.clone(),
+                );
                 (x, y)
             },
             |(x, y)| black_box(x * y),
@@ -50,8 +54,8 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("multiplication, BigUint*BigUint (num-bigint-dig)", |b| {
         b.iter_batched(
             || {
-                let x = to_biguint(&BoxedUint::random(&mut OsRng, UINT_BITS)) % &modulus;
-                let y = to_biguint(&BoxedUint::random(&mut OsRng, UINT_BITS)) % &modulus;
+                let x = to_biguint(&BoxedUint::random_bits(&mut OsRng, UINT_BITS)) % &modulus;
+                let y = to_biguint(&BoxedUint::random_bits(&mut OsRng, UINT_BITS)) % &modulus;
                 (x, y)
             },
             |(x, y)| x * y % &modulus,
@@ -64,9 +68,9 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("modpow, BoxedUint^BoxedUint", |b| {
         b.iter_batched(
             || {
-                let x = BoxedUint::random(&mut OsRng, UINT_BITS);
+                let x = BoxedUint::random_bits(&mut OsRng, UINT_BITS);
                 let x_m = BoxedMontyForm::new(x, params.clone());
-                let p = BoxedUint::random(&mut OsRng, UINT_BITS)
+                let p = BoxedUint::random_bits(&mut OsRng, UINT_BITS)
                     | (BoxedUint::one_with_precision(UINT_BITS) << (UINT_BITS - 1));
                 (x_m, p)
             },
@@ -78,10 +82,10 @@ fn bench_montgomery_ops<M: Measurement>(group: &mut BenchmarkGroup<'_, M>) {
     group.bench_function("modpow, BigUint^BigUint (num-bigint-dig)", |b| {
         b.iter_batched(
             || {
-                let x = to_biguint(&BoxedUint::random(&mut OsRng, UINT_BITS));
+                let x = to_biguint(&BoxedUint::random_bits(&mut OsRng, UINT_BITS));
                 let x_m = x % &modulus;
                 let p = to_biguint(
-                    &(BoxedUint::random(&mut OsRng, UINT_BITS)
+                    &(BoxedUint::random_bits(&mut OsRng, UINT_BITS)
                         | (BoxedUint::one_with_precision(UINT_BITS) << (UINT_BITS - 1))),
                 );
                 (x_m, p)
@@ -112,7 +116,7 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
     let params = BoxedMontyParams::new(Odd::<BoxedUint>::random(&mut OsRng, UINT_BITS));
     group.bench_function("BoxedMontyForm::new", |b| {
         b.iter_batched(
-            || BoxedUint::random(&mut OsRng, UINT_BITS),
+            || BoxedUint::random_bits(&mut OsRng, UINT_BITS),
             |x| black_box(BoxedMontyForm::new(x, params.clone())),
             BatchSize::SmallInput,
         )
@@ -121,7 +125,12 @@ fn bench_montgomery_conversion<M: Measurement>(group: &mut BenchmarkGroup<'_, M>
     let params = BoxedMontyParams::new(Odd::<BoxedUint>::random(&mut OsRng, UINT_BITS));
     group.bench_function("BoxedMontyForm::retrieve", |b| {
         b.iter_batched(
-            || BoxedMontyForm::new(BoxedUint::random(&mut OsRng, UINT_BITS), params.clone()),
+            || {
+                BoxedMontyForm::new(
+                    BoxedUint::random_bits(&mut OsRng, UINT_BITS),
+                    params.clone(),
+                )
+            },
             |x| black_box(x.retrieve()),
             BatchSize::SmallInput,
         )

benches/boxed_uint.rs

@@ -1,5 +1,5 @@
 use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
-use crypto_bigint::BoxedUint;
+use crypto_bigint::{BoxedUint, RandomBits};
 use rand_core::OsRng;
 
 /// Size of `BoxedUint` to use in benchmark.
@@ -10,31 +10,31 @@ fn bench_shifts(c: &mut Criterion) {
 
     group.bench_function("shl_vartime", |b| {
         b.iter_batched(
-            || BoxedUint::random(&mut OsRng, UINT_BITS),
+            || BoxedUint::random_bits(&mut OsRng, UINT_BITS),
             |x| black_box(x.shl_vartime(UINT_BITS / 2 + 10)),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("shl", |b| {
         b.iter_batched(
-            || BoxedUint::random(&mut OsRng, UINT_BITS),
+            || BoxedUint::random_bits(&mut OsRng, UINT_BITS),
             |x| x.overflowing_shl(UINT_BITS / 2 + 10),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("shr_vartime", |b| {
         b.iter_batched(
-            || BoxedUint::random(&mut OsRng, UINT_BITS),
+            || BoxedUint::random_bits(&mut OsRng, UINT_BITS),
             |x| black_box(x.shr_vartime(UINT_BITS / 2 + 10)),
             BatchSize::SmallInput,
         )
     });
 
     group.bench_function("shr", |b| {
         b.iter_batched(
-            || BoxedUint::random(&mut OsRng, UINT_BITS),
+            || BoxedUint::random_bits(&mut OsRng, UINT_BITS),
             |x| x.overflowing_shr(UINT_BITS / 2 + 10),
             BatchSize::SmallInput,
         )

src/odd.rs

@@ -10,6 +10,9 @@ use crate::BoxedUint;
 #[cfg(feature = "rand_core")]
 use {crate::Random, rand_core::CryptoRngCore};
 
+#[cfg(all(feature = "alloc", feature = "rand_core"))]
+use crate::RandomBits;
+
 /// Wrapper type for odd integers.
 ///
 /// These are frequently used in cryptography, e.g. as a modulus.
@@ -143,8 +146,8 @@ impl<const LIMBS: usize> Random for Odd<Uint<LIMBS>> {
 #[cfg(all(feature = "alloc", feature = "rand_core"))]
 impl Odd<BoxedUint> {
     /// Generate a random `Odd<Uint<T>>`.
-    pub fn random(rng: &mut impl CryptoRngCore, bits_precision: u32) -> Self {
-        let mut ret = BoxedUint::random(rng, bits_precision);
+    pub fn random(rng: &mut impl CryptoRngCore, bit_length: u32) -> Self {
+        let mut ret = BoxedUint::random_bits(rng, bit_length);
         ret.limbs[0] |= Limb::ONE;
         Odd(ret)
     }

src/traits.rs

@@ -22,6 +22,9 @@ use subtle::{
 #[cfg(feature = "rand_core")]
 use rand_core::CryptoRngCore;
 
+#[cfg(feature = "rand_core")]
+use core::fmt;
+
 /// Integers whose representation takes a bounded amount of space.
 pub trait Bounded {
     /// Size of this integer in bits.
@@ -274,6 +277,104 @@ pub trait Random: Sized {
     fn random(rng: &mut impl CryptoRngCore) -> Self;
 }
 
+/// Possible errors of the methods in [`RandomBits`] trait.
+#[cfg(feature = "rand_core")]
+#[derive(Debug)]
+pub enum RandomBitsError {
+    /// An error of the internal RNG library.
+    RandCore(rand_core::Error),
+    /// The requested `bits_precision` does not match the size of the integer
+    /// corresponding to the type (in the cases where this is set in compile time).
+    BitsPrecisionMismatch {
+        /// The requested precision.
+        bits_precision: u32,
+        /// The compile-time size of the integer.
+        integer_bits: u32,
+    },
+    /// The requested `bit_length` is larger than `bits_precision`.
+    BitLengthTooLarge {
+        /// The requested bit length of the random number.
+        bit_length: u32,
+        /// The requested precision.
+        bits_precision: u32,
+    },
+}
+
+#[cfg(feature = "rand_core")]
+impl fmt::Display for RandomBitsError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::RandCore(err) => write!(f, "{}", err),
+            Self::BitsPrecisionMismatch {
+                bits_precision,
+                integer_bits,
+            } => write!(
+                f,
+                concat![
+                    "The requested `bits_precision` ({}) does not match ",
+                    "the size of the integer corresponding to the type ({})"
+                ],
+                bits_precision, integer_bits
+            ),
+            Self::BitLengthTooLarge {
+                bit_length,
+                bits_precision,
+            } => write!(
+                f,
+                "The requested `bit_length` ({}) is larger than `bits_precision` ({}).",
+                bit_length, bits_precision
+            ),
+        }
+    }
+}
+
+#[cfg(feature = "std")]
+impl std::error::Error for RandomBitsError {}
+
+/// Random bits generation support.
+#[cfg(feature = "rand_core")]
+pub trait RandomBits: Sized {
+    /// Generate a cryptographically secure random value in range `[0, 2^bit_length)`.
+    ///
+    /// A wrapper for [`RandomBits::try_random_bits`] that panics on error.
+    fn random_bits(rng: &mut impl CryptoRngCore, bit_length: u32) -> Self {
+        Self::try_random_bits(rng, bit_length).expect("try_random_bits() failed")
+    }
+
+    /// Generate a cryptographically secure random value in range `[0, 2^bit_length)`.
+    ///
+    /// This method is variable time wrt `bit_length`.
+    fn try_random_bits(
+        rng: &mut impl CryptoRngCore,
+        bit_length: u32,
+    ) -> Result<Self, RandomBitsError>;
+
+    /// Generate a cryptographically secure random value in range `[0, 2^bit_length)`,
+    /// returning an integer with the closest available size to `bits_precision`
+    /// (if the implementing type supports runtime sizing).
+    ///
+    /// A wrapper for [`RandomBits::try_random_bits_with_precision`] that panics on error.
+    fn random_bits_with_precision(
+        rng: &mut impl CryptoRngCore,
+        bit_length: u32,
+        bits_precision: u32,
+    ) -> Self {
+        Self::try_random_bits_with_precision(rng, bit_length, bits_precision)
+            .expect("try_random_bits_with_precision() failed")
+    }
+
+    /// Generate a cryptographically secure random value in range `[0, 2^bit_length)`,
+    /// returning an integer with the closest available size to `bits_precision`
+    /// (if the implementing type supports runtime sizing).
+    ///
+    /// This method is variable time wrt `bit_length`.
+    fn try_random_bits_with_precision(
+        rng: &mut impl CryptoRngCore,
+        bit_length: u32,
+        bits_precision: u32,
+    ) -> Result<Self, RandomBitsError>;
+}
+
 /// Modular random number generation support.
 #[cfg(feature = "rand_core")]
 pub trait RandomMod: Sized + Zero {

src/uint/boxed/rand.rs

@@ -1,25 +1,35 @@
 //! Random number generator support.
 
 use super::BoxedUint;
-use crate::{uint::rand::random_mod_core, Limb, NonZero, Random, RandomMod};
+use crate::{
+    uint::rand::{random_bits_core, random_mod_core},
+    NonZero, RandomBits, RandomBitsError, RandomMod,
+};
 use rand_core::CryptoRngCore;
 
-impl BoxedUint {
-    /// Generate a cryptographically secure random [`BoxedUint`].
-    /// in range `[0, 2^bits_precision)`.
-    pub fn random(rng: &mut impl CryptoRngCore, bits_precision: u32) -> Self {
-        let mut ret = BoxedUint::zero_with_precision(bits_precision);
+impl RandomBits for BoxedUint {
+    fn try_random_bits(
+        rng: &mut impl CryptoRngCore,
+        bit_length: u32,
+    ) -> Result<Self, RandomBitsError> {
+        Self::try_random_bits_with_precision(rng, bit_length, bit_length)
+    }
 
-        for limb in &mut *ret.limbs {
-            *limb = Limb::random(rng)
+    fn try_random_bits_with_precision(
+        rng: &mut impl CryptoRngCore,
+        bit_length: u32,
+        bits_precision: u32,
+    ) -> Result<Self, RandomBitsError> {
+        if bit_length > bits_precision {
+            return Err(RandomBitsError::BitLengthTooLarge {
+                bit_length,
+                bits_precision,
+            });
         }
 
-        // Since `bits_precision` will be rounded up on creation of `ret`,
-        // we need to clear the high bits if the rounding occurred.
-        ret.limbs[ret.limbs.len() - 1] =
-            ret.limbs[ret.limbs.len() - 1] & (Limb::MAX >> (ret.bits_precision() - bits_precision));
-
-        ret
+        let mut ret = BoxedUint::zero_with_precision(bits_precision);
+        random_bits_core(rng, &mut ret.limbs, bit_length)?;
+        Ok(ret)
     }
 }
 
@@ -42,17 +52,17 @@ impl RandomMod for BoxedUint {
 
 #[cfg(test)]
 mod tests {
-    use crate::{BoxedUint, NonZero, RandomMod};
+    use crate::{BoxedUint, NonZero, RandomBits, RandomMod};
     use rand_core::SeedableRng;
 
     #[test]
     fn random() {
         let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
 
-        let r = BoxedUint::random(&mut rng, 256);
+        let r = BoxedUint::random_bits(&mut rng, 256);
         assert!(r.bits_precision() == 256);
 
-        let r = BoxedUint::random(&mut rng, 256 - 32 + 1);
+        let r = BoxedUint::random_bits(&mut rng, 256 - 32 + 1);
         assert!(r.bits_precision() == 256);
         assert!(r < BoxedUint::one_with_precision(256) << (256 - 32 + 1));
     }

src/uint/boxed/sqrt.rs

@@ -137,7 +137,7 @@ mod tests {
 
     #[cfg(feature = "rand")]
     use {
-        crate::CheckedMul,
+        crate::{CheckedMul, RandomBits},
         rand_chacha::ChaChaRng,
         rand_core::{RngCore, SeedableRng},
     };
@@ -303,7 +303,7 @@ mod tests {
         }
 
         for _ in 0..50 {
-            let s = BoxedUint::random(&mut rng, 512);
+            let s = BoxedUint::random_bits(&mut rng, 512);
             let mut s2 = BoxedUint::zero_with_precision(512);
             s2.limbs[..s.limbs.len()].copy_from_slice(&s.limbs);
             assert_eq!(s.square().sqrt(), s2);