Protect inner value of NonZero/Odd (#1239)

- pub(crate) `new_unchecked` and `new_ref_unchecked` methods are added
to `NonZero` and `Odd`
- the inner values of these wrappers are made private (with accessors),
preventing accidental mutation
- `as_nz_vartime` methods are added to `Uint` and `BoxedUint` for
converting references (consistent with `UintRef`)

---------

Signed-off-by: Andrew Whitehead <cywolf@gmail.com>

Author: andrewwhitehead

src/int.rs

@@ -152,15 +152,15 @@ impl<const LIMBS: usize> Int<LIMBS> {
     /// Returns some if the original value is non-zero, and false otherwise.
     #[must_use]
     pub const fn to_nz(self) -> CtOption<NonZero<Self>> {
-        CtOption::new(NonZero(self), self.0.is_nonzero())
+        CtOption::new(NonZero::new_unchecked(self), self.0.is_nonzero())
     }
 
     /// Convert to a [`Odd<Int<LIMBS>>`].
     ///
     /// Returns some if the original value is odd, and false otherwise.
     #[must_use]
     pub const fn to_odd(self) -> CtOption<Odd<Self>> {
-        CtOption::new(Odd(self), self.0.is_odd())
+        CtOption::new(Odd::new_unchecked(self), self.0.is_odd())
     }
 
     /// Interpret the data in this object as a [`Uint`] instead.

src/int/div.rs

@@ -181,7 +181,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
         let quotient = Uint::select(&quotient, &quotient_plus_one, modify);
 
         // Invert the remainder.
-        let inv_remainder = rhs_mag.0.wrapping_sub(&remainder);
+        let inv_remainder = rhs_mag.as_ref().wrapping_sub(&remainder);
         let remainder = Uint::select(&remainder, &inv_remainder, modify);
 
         // Negate output when lhs and rhs have opposing signs.
@@ -291,7 +291,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
         let quotient = Uint::select(&quotient, &quotient_plus_one, modify);
 
         // Invert the remainder.
-        let inv_remainder = rhs_mag.0.wrapping_sub(&remainder);
+        let inv_remainder = rhs_mag.as_ref().wrapping_sub(&remainder);
         let remainder = Uint::select(&remainder, &inv_remainder, modify);
 
         // Negate output when lhs and rhs have opposing signs.

src/limb.rs

@@ -94,14 +94,25 @@ impl Limb {
 
     /// Convert to a [`NonZero<Limb>`].
     ///
-    /// Returns some if the original value is non-zero, and false otherwise.
+    /// Returns some if the original value is non-zero, and none otherwise.
     #[must_use]
     pub const fn to_nz(self) -> CtOption<NonZero<Self>> {
-        let is_nz = self.is_nonzero();
+        let (nz, self_nz) = self.to_nz_or_one();
+        CtOption::new(nz, self_nz)
+    }
 
-        // Use `1` as a placeholder in the event that `self` is `Limb(0)`
-        let nz_word = word::select(1, self.0, is_nz);
-        CtOption::new(NonZero(Self(nz_word)), is_nz)
+    /// Convert to a [`NonZero<Limb>`], defaulting to `Self::ONE`.
+    ///
+    /// Returns a pair consisting of a [`NonZero<Limb>`], and a [`Choice`]
+    /// indicating whether the original value was non-zero (and preserved).
+    #[inline(always)]
+    #[must_use]
+    pub(crate) const fn to_nz_or_one(self) -> (NonZero<Self>, Choice) {
+        let is_nz = self.is_nonzero();
+        (
+            NonZero::new_unchecked(Self::select(Self::ONE, self, is_nz)),
+            is_nz,
+        )
     }
 
     /// Convert the least significant bit of this [`Limb`] to a [`Choice`].

src/limb/div.rs

@@ -29,17 +29,17 @@ impl Limb {
     /// if the divisor is non-zero, and `CtOption::none()` otherwise.
     #[must_use]
     pub const fn checked_div(self, rhs: Self) -> CtOption<Limb> {
-        let is_nz = rhs.is_nonzero();
-        let quo = self.div_rem(NonZero(Self::select(Limb::ONE, rhs, is_nz))).0;
+        let (rhs_nz, is_nz) = rhs.to_nz_or_one();
+        let quo = self.div_rem(rhs_nz).0;
         CtOption::new(quo, is_nz)
     }
 
     /// Computes the checked division `self / rhs`, returning the remainder
     /// if the divisor is non-zero, and `CtOption::none()` otherwise.
     #[must_use]
     pub const fn checked_rem(self, rhs: Self) -> CtOption<Limb> {
-        let is_nz = rhs.is_nonzero();
-        let rem = self.div_rem(NonZero(Self::select(Limb::ONE, rhs, is_nz))).1;
+        let (rhs_nz, is_nz) = rhs.to_nz_or_one();
+        let rem = self.div_rem(rhs_nz).1;
         CtOption::new(rem, is_nz)
     }
 }
@@ -318,8 +318,8 @@ mod tests {
         assert_eq!(a / &b, c);
         assert_eq!(&a / b, c);
         assert_eq!(&a / &b, c);
-        assert_eq!(a / &b.0, c);
-        assert_eq!(&a / b.0, c);
+        assert_eq!(a / b.as_ref(), c);
+        assert_eq!(&a / b.get(), c);
     }
 
     #[test]
@@ -335,10 +335,10 @@ mod tests {
         res /= &b;
         assert_eq!(res, c);
         let mut res = a;
-        res /= b.0;
+        res /= b.get();
         assert_eq!(res, c);
         let mut res = a;
-        res /= &b.0;
+        res /= b.as_ref();
         assert_eq!(res, c);
     }
 
@@ -364,8 +364,8 @@ mod tests {
         assert_eq!(a % &b, c);
         assert_eq!(&a % b, c);
         assert_eq!(&a % &b, c);
-        assert_eq!(a % &b.0, c);
-        assert_eq!(&a % b.0, c);
+        assert_eq!(a % b.as_ref(), c);
+        assert_eq!(&a % b.get(), c);
     }
 
     #[test]
@@ -381,10 +381,10 @@ mod tests {
         res %= &b;
         assert_eq!(res, c);
         let mut res = a;
-        res %= b.0;
+        res %= b.get();
         assert_eq!(res, c);
         let mut res = a;
-        res %= &b.0;
+        res %= b.as_ref();
         assert_eq!(res, c);
     }
 

src/modular.rs

@@ -165,8 +165,9 @@ mod tests {
         // Computing xR mod modulus without Montgomery reduction
         let (lo, hi) = x.widening_mul(&Modulus256::PARAMS.one);
         let c = lo.concat(&hi);
-        let red =
-            c.rem_vartime(&NonZero::new(Modulus256::PARAMS.modulus.0.concat(&U256::ZERO)).unwrap());
+        let red = c.rem_vartime(
+            &NonZero::new(Modulus256::PARAMS.modulus.as_ref().concat(&U256::ZERO)).unwrap(),
+        );
         let (lo, hi) = red.split();
         assert_eq!(hi, Uint::ZERO);
 
@@ -294,8 +295,9 @@ mod tests {
         // Computing xR mod modulus without Montgomery reduction
         let (lo, hi) = x.widening_mul(&Modulus256::PARAMS.one);
         let c = lo.concat(&hi);
-        let red =
-            c.rem_vartime(&NonZero::new(Modulus256::PARAMS.modulus.0.concat(&U256::ZERO)).unwrap());
+        let red = c.rem_vartime(
+            &NonZero::new(Modulus256::PARAMS.modulus.as_ref().concat(&U256::ZERO)).unwrap(),
+        );
         let (lo, hi) = red.split();
         assert_eq!(hi, Uint::ZERO);
 

src/modular/bingcd/div_mod_2k.rs

@@ -15,7 +15,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         k_upper_bound: u32,
         q: &Odd<Self>,
     ) -> Self {
-        let one_half_mod_q = OddUint::half_mod(q).0;
+        let one_half_mod_q = OddUint::half_mod(q);
 
         // Invariant: x = self / 2^e mod q.
         let (mut x, mut e) = (self, 0);
@@ -30,7 +30,8 @@ impl<const LIMBS: usize> Uint<LIMBS> {
             let f = u32_min(k - e, f_upper_bound);
 
             // Find `s` s.t. qs + x = 0 mod 2^f
-            let (_, s) = x.limbs[0].bounded_div2k_mod_q(f, f_upper_bound, one_half_mod_q.limbs[0]);
+            let (_, s) =
+                x.limbs[0].bounded_div2k_mod_q(f, f_upper_bound, one_half_mod_q.as_ref().limbs[0]);
 
             // Set x <- (x + qs) / 2^f
             x = q.mul_add_div2k(s, &x, f);
@@ -98,7 +99,7 @@ impl<const LIMBS: usize> OddUint<LIMBS> {
         // = (q + 1) / 2      mod q
         // = (q - 1) / 2  + 1 mod q
         // = floor(q / 2) + 1 mod q, since q is odd.
-        Odd(q.as_ref().shr1().wrapping_add(&Uint::ONE))
+        Odd::new_unchecked(q.as_ref().shr1().wrapping_add(&Uint::ONE))
     }
 
     /// Compute `((self * b) + addend) / 2^k`

src/modular/bingcd/xgcd.rs

@@ -174,7 +174,7 @@ impl<const LIMBS: usize> OddUint<LIMBS> {
         // `rhs` is even.
         let rhs_is_even = rhs_.is_odd().not();
         let (abs_diff, rhs_gt_lhs) = lhs_.abs_diff(rhs_);
-        let odd_rhs = Odd(Uint::select(rhs_, &abs_diff, rhs_is_even));
+        let odd_rhs = Odd::new_unchecked(Uint::select(rhs_, &abs_diff, rhs_is_even));
 
         let mut output = self.binxgcd_odd(&odd_rhs);
         let matrix = &mut output.matrix;

src/modular/const_monty_form.rs

@@ -236,7 +236,7 @@ where
         D: Deserializer<'de>,
     {
         Uint::<LIMBS>::deserialize(deserializer).and_then(|montgomery_form| {
-            if montgomery_form < MOD::PARAMS.modulus.0 {
+            if montgomery_form < *MOD::PARAMS.modulus.as_ref() {
                 Ok(Self {
                     montgomery_form,
                     phantom: PhantomData,

src/modular/div_by_2.rs

@@ -17,7 +17,7 @@ pub(crate) const fn div_by_2<const LIMBS: usize>(
     // whose Montgomery representation is `b`.
 
     let is_odd = a.is_odd();
-    let (if_odd, carry) = a.carrying_add(&modulus.0, Limb::ZERO);
+    let (if_odd, carry) = a.carrying_add(modulus.as_ref(), Limb::ZERO);
     let carry = Limb::select(Limb::ZERO, carry, is_odd);
     Uint::<LIMBS>::select(a, &if_odd, is_odd)
         .shr1()

src/modular/lincomb.rs

@@ -80,9 +80,14 @@ pub const fn lincomb_const_monty_form<MOD: ConstMontyParams<LIMBS>, const LIMBS:
     let mut ret = Uint::ZERO;
     let mut remain = products.len();
     if remain <= max_accum {
-        let carry =
-            impl_longa_monty_lincomb!(products, ret.limbs, modulus.0.limbs, mod_neg_inv, LIMBS);
-        ret.try_sub_with_carry(carry, &modulus.0).0
+        let carry = impl_longa_monty_lincomb!(
+            products,
+            ret.limbs,
+            modulus.as_ref().limbs,
+            mod_neg_inv,
+            LIMBS
+        );
+        ret.try_sub_with_carry(carry, modulus.as_ref()).0
     } else {
         let mut window;
         while remain > 0 {
@@ -92,9 +97,14 @@ pub const fn lincomb_const_monty_form<MOD: ConstMontyParams<LIMBS>, const LIMBS:
                 count = max_accum;
             }
             (window, products) = products.split_at(count);
-            let carry =
-                impl_longa_monty_lincomb!(window, buf.limbs, modulus.0.limbs, mod_neg_inv, LIMBS);
-            buf = buf.try_sub_with_carry(carry, &modulus.0).0;
+            let carry = impl_longa_monty_lincomb!(
+                window,
+                buf.limbs,
+                modulus.as_ref().limbs,
+                mod_neg_inv,
+                LIMBS
+            );
+            buf = buf.try_sub_with_carry(carry, modulus.as_ref()).0;
             ret = ret.add_mod(&buf, modulus.as_nz_ref());
             remain -= count;
         }
@@ -112,9 +122,14 @@ pub const fn lincomb_monty_form<const LIMBS: usize>(
     let mut ret = Uint::ZERO;
     let mut remain = products.len();
     if remain <= max_accum {
-        let carry =
-            impl_longa_monty_lincomb!(products, ret.limbs, modulus.0.limbs, mod_neg_inv, LIMBS);
-        ret.try_sub_with_carry(carry, &modulus.0).0
+        let carry = impl_longa_monty_lincomb!(
+            products,
+            ret.limbs,
+            modulus.as_ref().limbs,
+            mod_neg_inv,
+            LIMBS
+        );
+        ret.try_sub_with_carry(carry, modulus.as_ref()).0
     } else {
         let mut window;
         while remain > 0 {
@@ -124,9 +139,14 @@ pub const fn lincomb_monty_form<const LIMBS: usize>(
             }
             (window, products) = products.split_at(count);
             let mut buf = Uint::ZERO;
-            let carry =
-                impl_longa_monty_lincomb!(window, buf.limbs, modulus.0.limbs, mod_neg_inv, LIMBS);
-            buf = buf.try_sub_with_carry(carry, &modulus.0).0;
+            let carry = impl_longa_monty_lincomb!(
+                window,
+                buf.limbs,
+                modulus.as_ref().limbs,
+                mod_neg_inv,
+                LIMBS
+            );
+            buf = buf.try_sub_with_carry(carry, modulus.as_ref()).0;
             ret = ret.add_mod(&buf, modulus.as_nz_ref());
             remain -= count;
         }
@@ -142,26 +162,36 @@ pub fn lincomb_boxed_monty_form(
     mod_leading_zeros: u32,
 ) -> BoxedUint {
     let max_accum = 1 << u32_min(mod_leading_zeros, usize::BITS - 1);
-    let nlimbs = modulus.0.nlimbs();
-    let mut ret = BoxedUint::zero_with_precision(modulus.0.bits_precision());
+    let nlimbs = modulus.as_ref().nlimbs();
+    let mut ret = BoxedUint::zero_with_precision(modulus.as_ref().bits_precision());
     let mut remain = products.len();
     if remain <= max_accum {
-        let carry =
-            impl_longa_monty_lincomb!(products, ret.limbs, modulus.0.limbs, mod_neg_inv, nlimbs);
-        ret.sub_assign_mod_with_carry(carry, &modulus.0, &modulus.0);
+        let carry = impl_longa_monty_lincomb!(
+            products,
+            ret.limbs,
+            modulus.as_ref().limbs,
+            mod_neg_inv,
+            nlimbs
+        );
+        ret.sub_assign_mod_with_carry(carry, modulus.as_ref(), modulus.as_ref());
     } else {
         let mut window;
-        let mut buf = BoxedUint::zero_with_precision(modulus.0.bits_precision());
+        let mut buf = BoxedUint::zero_with_precision(modulus.as_ref().bits_precision());
         while remain > 0 {
             buf.limbs.fill(Limb::ZERO);
             let mut count = remain;
             if count > max_accum {
                 count = max_accum;
             }
             (window, products) = products.split_at(count);
-            let carry =
-                impl_longa_monty_lincomb!(window, buf.limbs, modulus.0.limbs, mod_neg_inv, nlimbs);
-            buf.sub_assign_mod_with_carry(carry, &modulus.0, &modulus.0);
+            let carry = impl_longa_monty_lincomb!(
+                window,
+                buf.limbs,
+                modulus.as_ref().limbs,
+                mod_neg_inv,
+                nlimbs
+            );
+            buf.sub_assign_mod_with_carry(carry, modulus.as_ref(), modulus.as_ref());
             ret.add_mod_assign(&buf, modulus.as_nz_ref());
             remain -= count;
         }