Handle even s in Uint::inv_mod (#523)

tarcieri · web-flow · commit fcd621bae1e2 · 2023-12-27T14:55:29.000-07:00
This is an oversight from #501 which switched to using Bernstein-Yang inversions for `Uint::inv_odd_mod`. The new implementation assumes `s` is always `Odd` but doesn't actually check for that and set the `ConstCtOption` to be "none" accordingly.
diff --git a/src/const_choice.rs b/src/const_choice.rs
@@ -240,6 +240,13 @@ impl<T> ConstCtOption<T> {
         assert!(self.is_some.is_true_vartime());
         self.value
     }
+
+    /// Apply an additional [`ConstChoice`] requirement to `is_some`.
+    #[inline]
+    pub(crate) const fn and_choice(mut self, is_some: ConstChoice) -> Self {
+        self.is_some = self.is_some.and(is_some);
+        self
+    }
 }
 
 impl<T> From<ConstCtOption<T>> for CtOption<T> {
diff --git a/src/uint/inv_mod.rs b/src/uint/inv_mod.rs
@@ -106,7 +106,9 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         // Decompose `self` into RNS with moduli `2^k` and `s` and calculate the inverses.
         // Using the fact that `(z^{-1} mod (m1 * m2)) mod m1 == z^{-1} mod m1`
-        let maybe_a = self.inv_odd_mod(&Odd(s));
+        let s_is_odd = s.is_odd();
+        let maybe_a = self.inv_odd_mod(&Odd(s)).and_choice(s_is_odd);
+
         let maybe_b = self.inv_mod2k(k);
         let is_some = maybe_a.is_some().and(maybe_b.is_some());
 

Original file line number	Diff line number	Diff line change
`@@ -240,6 +240,13 @@ impl<T> ConstCtOption<T> {`
`240`	`240`	`assert!(self.is_some.is_true_vartime());`
`241`	`241`	`self.value`
`242`	`242`	`}`
	`243`	`+`
	`244`	+ /// Apply an additional [`ConstChoice`] requirement to `is_some`.
	`245`	`+ #[inline]`
	`246`	`+ pub(crate) const fn and_choice(mut self, is_some: ConstChoice) -> Self {`
	`247`	`+ self.is_some = self.is_some.and(is_some);`
	`248`	`+ self`
	`249`	`+ }`
`243`	`250`	`}`
`244`	`251`
`245`	`252`	`impl<T> From<ConstCtOption<T>> for CtOption<T> {`