Don't use "ct_" prefixes for constant-time methods - it is the default

Author: fjarri

src/limb/cmp.rs

@@ -28,13 +28,13 @@ impl Limb {
 
     /// Return `b` if `c` is truthy, otherwise return `a`.
     #[inline]
-    pub(crate) const fn ct_select(a: Self, b: Self, c: CtChoice) -> Self {
+    pub(crate) const fn select(a: Self, b: Self, c: CtChoice) -> Self {
         Self(c.select_word(a.0, b.0))
     }
 
     /// Returns the truthy value if `self != 0` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_is_nonzero(&self) -> CtChoice {
+    pub(crate) const fn is_nonzero(&self) -> CtChoice {
         CtChoice::from_word_nonzero(self.0)
     }
 }

src/modular/div_by_2.rs

@@ -26,5 +26,5 @@ pub(crate) fn div_by_2<const LIMBS: usize>(a: &Uint<LIMBS>, modulus: &Uint<LIMBS
         .wrapping_add(&half_modulus)
         .wrapping_add(&Uint::<LIMBS>::ONE);
 
-    Uint::<LIMBS>::ct_select(&if_even, &if_odd, is_odd)
+    Uint::<LIMBS>::select(&if_even, &if_odd, is_odd)
 }

src/modular/pow.rs

@@ -164,7 +164,7 @@ const fn multi_exponentiate_montgomery_form_internal<const LIMBS: usize, const R
                 let mut j = 1;
                 while j < 1 << WINDOW {
                     let choice = CtChoice::from_word_eq(j, idx);
-                    power = Uint::<LIMBS>::ct_select(&power, &powers[j as usize], choice);
+                    power = Uint::<LIMBS>::select(&power, &powers[j as usize], choice);
                     j += 1;
                 }
 

src/modular/residue.rs

@@ -204,7 +204,7 @@ where
         D: Deserializer<'de>,
     {
         Uint::<LIMBS>::deserialize(deserializer).and_then(|montgomery_form| {
-            if Uint::ct_lt(&montgomery_form, &MOD::MODULUS).into() {
+            if montgomery_form < MOD::MODULUS.0 {
                 Ok(Self {
                     montgomery_form,
                     phantom: PhantomData,

src/non_zero.rs

@@ -28,15 +28,15 @@ impl NonZero<Limb> {
     /// Creates a new non-zero limb in a const context.
     /// The second return value is `FALSE` if `n` is zero, `TRUE` otherwise.
     pub const fn const_new(n: Limb) -> (Self, CtChoice) {
-        (Self(n), n.ct_is_nonzero())
+        (Self(n), n.is_nonzero())
     }
 }
 
 impl<const LIMBS: usize> NonZero<Uint<LIMBS>> {
     /// Creates a new non-zero integer in a const context.
     /// The second return value is `FALSE` if `n` is zero, `TRUE` otherwise.
     pub const fn const_new(n: Uint<LIMBS>) -> (Self, CtChoice) {
-        (Self(n), n.ct_is_nonzero())
+        (Self(n), n.is_nonzero())
     }
 }
 

src/uint/add.rs

@@ -24,7 +24,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
     /// Perform saturating addition, returning `MAX` on overflow.
     pub const fn saturating_add(&self, rhs: &Self) -> Self {
         let (res, overflow) = self.adc(rhs, Limb::ZERO);
-        Self::ct_select(&res, &Self::MAX, CtChoice::from_word_lsb(overflow.0))
+        Self::select(&res, &Self::MAX, CtChoice::from_word_lsb(overflow.0))
     }
 
     /// Perform wrapping addition, discarding overflow.
@@ -39,7 +39,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         rhs: &Self,
         choice: CtChoice,
     ) -> (Self, CtChoice) {
-        let actual_rhs = Uint::ct_select(&Uint::ZERO, rhs, choice);
+        let actual_rhs = Uint::select(&Uint::ZERO, rhs, choice);
         let (sum, carry) = self.adc(&actual_rhs, Limb::ZERO);
         (sum, CtChoice::from_word_lsb(carry.0))
     }

src/uint/cmp.rs

@@ -10,46 +10,46 @@ use subtle::{Choice, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess};
 impl<const LIMBS: usize> Uint<LIMBS> {
     /// Return `b` if `c` is truthy, otherwise return `a`.
     #[inline]
-    pub(crate) const fn ct_select(a: &Self, b: &Self, c: CtChoice) -> Self {
+    pub(crate) const fn select(a: &Self, b: &Self, c: CtChoice) -> Self {
         let mut limbs = [Limb::ZERO; LIMBS];
 
         let mut i = 0;
         while i < LIMBS {
-            limbs[i] = Limb::ct_select(a.limbs[i], b.limbs[i], c);
+            limbs[i] = Limb::select(a.limbs[i], b.limbs[i], c);
             i += 1;
         }
 
         Uint { limbs }
     }
 
     #[inline]
-    pub(crate) const fn ct_swap(a: &Self, b: &Self, c: CtChoice) -> (Self, Self) {
-        let new_a = Self::ct_select(a, b, c);
-        let new_b = Self::ct_select(b, a, c);
+    pub(crate) const fn swap(a: &Self, b: &Self, c: CtChoice) -> (Self, Self) {
+        let new_a = Self::select(a, b, c);
+        let new_b = Self::select(b, a, c);
 
         (new_a, new_b)
     }
 
     /// Returns the truthy value if `self`!=0 or the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_is_nonzero(&self) -> CtChoice {
+    pub(crate) const fn is_nonzero(&self) -> CtChoice {
         let mut b = 0;
         let mut i = 0;
         while i < LIMBS {
             b |= self.limbs[i].0;
             i += 1;
         }
-        Limb(b).ct_is_nonzero()
+        Limb(b).is_nonzero()
     }
 
     /// Returns the truthy value if `self` is odd or the falsy value otherwise.
-    pub(crate) const fn ct_is_odd(&self) -> CtChoice {
+    pub(crate) const fn is_odd(&self) -> CtChoice {
         CtChoice::from_word_lsb(self.limbs[0].0 & 1)
     }
 
     /// Returns the truthy value if `self == rhs` or the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_eq(lhs: &Self, rhs: &Self) -> CtChoice {
+    pub(crate) const fn eq(lhs: &Self, rhs: &Self) -> CtChoice {
         let mut acc = 0;
         let mut i = 0;
 
@@ -59,12 +59,12 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         }
 
         // acc == 0 if and only if self == rhs
-        Limb(acc).ct_is_nonzero().not()
+        Limb(acc).is_nonzero().not()
     }
 
     /// Returns the truthy value if `self <= rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_lt(lhs: &Self, rhs: &Self) -> CtChoice {
+    pub(crate) const fn lt(lhs: &Self, rhs: &Self) -> CtChoice {
         // We could use the same approach as in Limb::ct_lt(),
         // but since we have to use Uint::wrapping_sub(), which calls `sbb()`,
         // there are no savings compared to just calling `sbb()` directly.
@@ -74,7 +74,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
     /// Returns the truthy value if `self >= rhs` and the falsy value otherwise.
     #[inline]
-    pub(crate) const fn ct_gt(lhs: &Self, rhs: &Self) -> CtChoice {
+    pub(crate) const fn gt(lhs: &Self, rhs: &Self) -> CtChoice {
         let (_res, borrow) = rhs.sbb(lhs, Limb::ZERO);
         CtChoice::from_word_mask(borrow.0)
     }
@@ -85,7 +85,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
     ///   0 is Equal
     ///   1 is Greater
     #[inline]
-    pub(crate) const fn ct_cmp(lhs: &Self, rhs: &Self) -> i8 {
+    pub(crate) const fn cmp(lhs: &Self, rhs: &Self) -> i8 {
         let mut i = 0;
         let mut borrow = Limb::ZERO;
         let mut diff = Limb::ZERO;
@@ -97,7 +97,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
             i += 1;
         }
         let sgn = ((borrow.0 & 2) as i8) - 1;
-        (diff.ct_is_nonzero().to_u8() as i8) * sgn
+        (diff.is_nonzero().to_u8() as i8) * sgn
     }
 
     /// Returns the Ordering between `self` and `rhs` in variable time.
@@ -123,29 +123,29 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 impl<const LIMBS: usize> ConstantTimeEq for Uint<LIMBS> {
     #[inline]
     fn ct_eq(&self, other: &Self) -> Choice {
-        Uint::ct_eq(self, other).into()
+        Uint::eq(self, other).into()
     }
 }
 
 impl<const LIMBS: usize> ConstantTimeGreater for Uint<LIMBS> {
     #[inline]
     fn ct_gt(&self, other: &Self) -> Choice {
-        Uint::ct_gt(self, other).into()
+        Uint::gt(self, other).into()
     }
 }
 
 impl<const LIMBS: usize> ConstantTimeLess for Uint<LIMBS> {
     #[inline]
     fn ct_lt(&self, other: &Self) -> Choice {
-        Uint::ct_lt(self, other).into()
+        Uint::lt(self, other).into()
     }
 }
 
 impl<const LIMBS: usize> Eq for Uint<LIMBS> {}
 
 impl<const LIMBS: usize> Ord for Uint<LIMBS> {
     fn cmp(&self, other: &Self) -> Ordering {
-        let c = Self::ct_cmp(self, other);
+        let c = Self::cmp(self, other);
         match c {
             -1 => Ordering::Less,
             0 => Ordering::Equal,
@@ -181,9 +181,15 @@ mod tests {
 
     #[test]
     fn is_odd() {
+        // inherent methods
         assert!(!bool::from(U128::ZERO.is_odd()));
         assert!(bool::from(U128::ONE.is_odd()));
         assert!(bool::from(U128::MAX.is_odd()));
+
+        // `Integer` methods
+        assert!(!bool::from(<U128 as Integer>::is_odd(&U128::ZERO)));
+        assert!(bool::from(<U128 as Integer>::is_odd(&U128::ONE)));
+        assert!(bool::from(<U128 as Integer>::is_odd(&U128::MAX)));
     }
 
     #[test]

src/uint/div.rs

@@ -34,9 +34,9 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         let mut done = CtChoice::FALSE;
         loop {
             let (mut r, borrow) = rem.sbb(&c, Limb::ZERO);
-            rem = Self::ct_select(&r, &rem, CtChoice::from_word_mask(borrow.0).or(done));
+            rem = Self::select(&r, &rem, CtChoice::from_word_mask(borrow.0).or(done));
             r = quo.bitor(&Self::ONE);
-            quo = Self::ct_select(&r, &quo, CtChoice::from_word_mask(borrow.0).or(done));
+            quo = Self::select(&r, &quo, CtChoice::from_word_mask(borrow.0).or(done));
             if i == 0 {
                 break;
             }
@@ -45,7 +45,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
             // aren't modified further (but do the remaining iterations anyway to be constant-time)
             done = CtChoice::from_word_lt(i as Word, mb as Word);
             c = c.shr1();
-            quo = Self::ct_select(&quo.shl1(), &quo, done);
+            quo = Self::select(&quo.shl1(), &quo, done);
         }
 
         (quo, rem)
@@ -68,9 +68,9 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         loop {
             let (mut r, borrow) = rem.sbb(&c, Limb::ZERO);
-            rem = Self::ct_select(&r, &rem, CtChoice::from_word_mask(borrow.0));
+            rem = Self::select(&r, &rem, CtChoice::from_word_mask(borrow.0));
             r = quo.bitor(&Self::ONE);
-            quo = Self::ct_select(&r, &quo, CtChoice::from_word_mask(borrow.0));
+            quo = Self::select(&r, &quo, CtChoice::from_word_mask(borrow.0));
             if bd == 0 {
                 break;
             }
@@ -96,7 +96,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         loop {
             let (r, borrow) = rem.sbb(&c, Limb::ZERO);
-            rem = Self::ct_select(&r, &rem, CtChoice::from_word_mask(borrow.0));
+            rem = Self::select(&r, &rem, CtChoice::from_word_mask(borrow.0));
             if bd == 0 {
                 break;
             }
@@ -129,8 +129,8 @@ impl<const LIMBS: usize> Uint<LIMBS> {
             let (lower_sub, borrow) = lower.sbb(&c.0, Limb::ZERO);
             let (upper_sub, borrow) = upper.sbb(&c.1, borrow);
 
-            lower = Self::ct_select(&lower_sub, &lower, CtChoice::from_word_mask(borrow.0));
-            upper = Self::ct_select(&upper_sub, &upper, CtChoice::from_word_mask(borrow.0));
+            lower = Self::select(&lower_sub, &lower, CtChoice::from_word_mask(borrow.0));
+            upper = Self::select(&upper_sub, &upper, CtChoice::from_word_mask(borrow.0));
             if bd == 0 {
                 break;
             }
@@ -156,7 +156,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         let outmask = Limb(out.limbs[limb_num].0 & mask);
 
-        out.limbs[limb_num] = Limb::ct_select(out.limbs[limb_num], outmask, le);
+        out.limbs[limb_num] = Limb::select(out.limbs[limb_num], outmask, le);
 
         // TODO: this is not constant-time.
         let mut i = limb_num + 1;

src/uint/div_limb.rs

@@ -70,14 +70,14 @@ pub const fn reciprocal(d: Word) -> Word {
 
 /// Returns `u32::MAX` if `a < b` and `0` otherwise.
 #[inline]
-const fn ct_lt(a: u32, b: u32) -> u32 {
+const fn lt(a: u32, b: u32) -> u32 {
     let bit = (((!a) & b) | (((!a) | b) & (a.wrapping_sub(b)))) >> (u32::BITS - 1);
     bit.wrapping_neg()
 }
 
 /// Returns `a` if `c == 0` and `b` if `c == u32::MAX`.
 #[inline(always)]
-const fn ct_select(a: u32, b: u32, c: u32) -> u32 {
+const fn select(a: u32, b: u32, c: u32) -> u32 {
     a ^ (c & (a ^ b))
 }
 
@@ -101,8 +101,8 @@ const fn short_div(dividend: u32, dividend_bits: u32, divisor: u32, divisor_bits
 
     while i > 0 {
         i -= 1;
-        let bit = ct_lt(dividend, divisor);
-        dividend = ct_select(dividend.wrapping_sub(divisor), dividend, bit);
+        let bit = lt(dividend, divisor);
+        dividend = select(dividend.wrapping_sub(divisor), dividend, bit);
         divisor >>= 1;
         let inv_bit = !bit;
         quotient |= (inv_bit >> (u32::BITS - 1)) << i;

src/uint/inv_mod.rs

@@ -21,14 +21,14 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         let mut i = 0;
 
         // The inverse exists either if `k` is 0 or if `self` is odd.
-        let is_some = CtChoice::from_u32_nonzero(k).not().or(self.ct_is_odd());
+        let is_some = CtChoice::from_u32_nonzero(k).not().or(self.is_odd());
 
         while i < k {
             // X_i = b_i mod 2
             let x_i = b.limbs[0].0 & 1;
             let x_i_choice = CtChoice::from_word_lsb(x_i);
             // b_{i+1} = (b_i - a * X_i) / 2
-            b = Self::ct_select(&b, &b.wrapping_sub(self), x_i_choice).shr1();
+            b = Self::select(&b, &b.wrapping_sub(self), x_i_choice).shr1();
             // Store the X_i bit in the result (x = x | (1 << X_i))
             let (shifted, _overflow) = Uint::from_word(x_i).shl_vartime(i);
             x = x.bitor(&shifted);
@@ -53,7 +53,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         let mut i = 0;
 
         // The inverse exists either if `k` is 0 or if `self` is odd.
-        let is_some = CtChoice::from_u32_nonzero(k).not().or(self.ct_is_odd());
+        let is_some = CtChoice::from_u32_nonzero(k).not().or(self.is_odd());
 
         while i < Self::BITS {
             // Only iterations for i = 0..k need to change `x`,
@@ -64,7 +64,7 @@ impl<const LIMBS: usize> Uint<LIMBS> {
             let x_i = b.limbs[0].0 & 1;
             let x_i_choice = CtChoice::from_word_lsb(x_i);
             // b_{i+1} = (b_i - self * X_i) / 2
-            b = Self::ct_select(&b, &b.wrapping_sub(self), x_i_choice).shr1();
+            b = Self::select(&b, &b.wrapping_sub(self), x_i_choice).shr1();
 
             // Store the X_i bit in the result (x = x | (1 << X_i))
             // Don't change the result in dummy iterations.
@@ -106,24 +106,24 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         let m1hp = modulus.shr1().wrapping_add(&Uint::ONE);
 
-        let modulus_is_odd = modulus.ct_is_odd();
+        let modulus_is_odd = modulus.is_odd();
 
         let mut i = 0;
         while i < bit_size {
             // A sanity check that `b` stays odd. Only matters if `modulus` was odd to begin with,
             // otherwise this whole thing produces nonsense anyway.
-            debug_assert!(modulus_is_odd.not().or(b.ct_is_odd()).is_true_vartime());
+            debug_assert!(modulus_is_odd.not().or(b.is_odd()).is_true_vartime());
 
-            let self_odd = a.ct_is_odd();
+            let self_odd = a.is_odd();
 
             // Set `self -= b` if `self` is odd.
             let (new_a, swap) = a.conditional_wrapping_sub(&b, self_odd);
             // Set `b += self` if `swap` is true.
-            b = Uint::ct_select(&b, &b.wrapping_add(&new_a), swap);
+            b = Uint::select(&b, &b.wrapping_add(&new_a), swap);
             // Negate `self` if `swap` is true.
             a = new_a.conditional_wrapping_neg(swap);
 
-            let (new_u, new_v) = Uint::ct_swap(&u, &v, swap);
+            let (new_u, new_v) = Uint::swap(&u, &v, swap);
             let (new_u, cy) = new_u.conditional_wrapping_sub(&new_v, self_odd);
             let (new_u, cyy) = new_u.conditional_wrapping_add(modulus, cy);
             debug_assert!(cy.is_true_vartime() == cyy.is_true_vartime());
@@ -143,10 +143,10 @@ impl<const LIMBS: usize> Uint<LIMBS> {
 
         debug_assert!(modulus_is_odd
             .not()
-            .or(a.ct_is_nonzero().not())
+            .or(a.is_nonzero().not())
             .is_true_vartime());
 
-        (v, Uint::ct_eq(&b, &Uint::ONE).and(modulus_is_odd))
+        (v, Uint::eq(&b, &Uint::ONE).and(modulus_is_odd))
     }
 
     /// Computes the multiplicative inverse of `self` mod `modulus`, where `modulus` is odd.