Limit integer widths in RNS calculations

fjarri · fjarri · commit f4165fea9284 · 2025-04-23T16:42:13.000-07:00
diff --git a/src/algorithms/rsa.rs b/src/algorithms/rsa.rs
@@ -3,7 +3,7 @@
 use core::cmp::Ordering;
 
 use crypto_bigint::modular::{BoxedMontyForm, BoxedMontyParams};
-use crypto_bigint::{BoxedUint, Gcd, NonZero, Odd, RandomMod, Wrapping};
+use crypto_bigint::{BoxedUint, Gcd, NonZero, Odd, RandomMod};
 use rand_core::TryCryptoRng;
 use zeroize::Zeroize;
 
@@ -68,32 +68,52 @@ pub fn rsa_decrypt<R: TryCryptoRng + ?Sized>(
         (Some(dp), Some(dq), Some(qinv), Some(p_params), Some(q_params)) if !is_multiprime => {
             // We have the precalculated values needed for the CRT.
 
-            let _p = &priv_key.primes()[0];
+            let p = &priv_key.primes()[0];
             let q = &priv_key.primes()[1];
 
             // precomputed: dP = (1/e) mod (p-1) = d mod (p-1)
             // precomputed: dQ = (1/e) mod (q-1) = d mod (q-1)
 
+            // TODO: it may be faster to convert to and from Montgomery with prepared parameters
+            // (modulo `p` and `q`) rather than calculating the remainder directly.
+
             // m1 = c^dP mod p
-            let cp = BoxedMontyForm::new(c.clone(), p_params.clone());
+            let c_mod_dp = (&c
+                % NonZero::new(p_params.modulus().widen(c.bits_precision())).unwrap())
+            .shorten(dp.bits_precision());
+            let cp = BoxedMontyForm::new(c_mod_dp, p_params.clone());
             let mut m1 = cp.pow(dp);
             // m2 = c^dQ mod q
-            let cq = BoxedMontyForm::new(c, q_params.clone());
+            let c_mod_dq = (&c
+                % NonZero::new(q_params.modulus().widen(c.bits_precision())).unwrap())
+            .shorten(dq.bits_precision());
+            let cq = BoxedMontyForm::new(c_mod_dq, q_params.clone());
             let m2 = cq.pow(dq).retrieve();
 
+            // Note that since `p` and `q` may have different `bits_precision`,
+            // so it will be different for `m1` and `m2` as well.
+
             // (m1 - m2) mod p = (m1 mod p) - (m2 mod p) mod p
-            let m2r = BoxedMontyForm::new(m2.clone(), p_params.clone());
+            let m2r = match p_params.bits_precision().cmp(&q_params.bits_precision()) {
+                Ordering::Less => BoxedMontyForm::new(
+                    (&m2 % NonZero::new(p.widen(q_params.bits_precision())).unwrap())
+                        .shorten(p_params.bits_precision()),
+                    p_params.clone(),
+                ),
+                Ordering::Greater => {
+                    BoxedMontyForm::new(m2.widen(p_params.bits_precision()), p_params.clone())
+                }
+                Ordering::Equal => BoxedMontyForm::new(m2.clone(), p_params.clone()),
+            };
             m1 -= &m2r;
 
             // precomputed: qInv = (1/q) mod p
 
             // h = qInv.(m1 - m2) mod p
-            let mut m: Wrapping<BoxedUint> = Wrapping(qinv.mul(&m1).retrieve());
+            let h = qinv.mul(&m1).retrieve();
 
             // m = m2 + h.q
-            m *= Wrapping(q.clone());
-            m += Wrapping(m2);
-            m.0
+            m2.widen(n.bits_precision()).wrapping_add(&(h * q))
         }
         _ => {
             // c^d (mod n)
@@ -102,7 +122,7 @@ pub fn rsa_decrypt<R: TryCryptoRng + ?Sized>(
     };
 
     // Ensure output precision matches input precision
-    let m = m.shorten(n_params.bits_precision());
+    let m = m.widen(n_params.bits_precision());
     match ir {
         Some(ref ir) => {
             // unblind
diff --git a/src/key.rs b/src/key.rs
@@ -1,4 +1,5 @@
 use alloc::vec::Vec;
+use core::cmp::Ordering;
 use core::fmt;
 use core::hash::{Hash, Hasher};
 
@@ -325,6 +326,9 @@ impl RsaPrivateKey {
             _ => {}
         }
 
+        // The primes may come in padded with zeros, so we need to shorten them.
+        let primes = primes.iter().map(|p| p.shorten(p.bits())).collect();
+
         let mut k = RsaPrivateKey {
             pubkey_components: RsaPublicKey {
                 n: n_c,
@@ -408,9 +412,8 @@ impl RsaPrivateKey {
         }
 
         let d = &self.d;
-        let bits = d.bits_precision();
-        let p = self.primes[0].widen(bits);
-        let q = self.primes[1].widen(bits);
+        let p = self.primes[0].clone();
+        let q = self.primes[1].clone();
 
         let p_odd = Odd::new(p.clone())
             .into_option()
@@ -431,14 +434,23 @@ impl RsaPrivateKey {
             .ok_or(Error::InvalidPrime)?;
         let dq = d.rem_vartime(&x);
 
-        let qinv = BoxedMontyForm::new(q.clone(), p_params.clone());
-        let qinv = qinv.invert().into_option().ok_or(Error::InvalidPrime)?;
+        // Note that since `p` and `q` may have different `bits_precision`,
+        // so we have to equalize them to calculate the remainder.
+        let q_mod_p = match p.bits_precision().cmp(&q.bits_precision()) {
+            Ordering::Less => (&q % &NonZero::new(p.widen(q.bits_precision())).unwrap())
+                .shorten(p.bits_precision()),
+            Ordering::Greater => q.widen(p.bits_precision()) % &NonZero::new(p.clone()).unwrap(),
+            Ordering::Equal => &q % NonZero::new(p.clone()).unwrap(),
+        };
+
+        let q_mod_p = BoxedMontyForm::new(q_mod_p, p_params.clone());
+        let qinv = q_mod_p.invert().into_option().ok_or(Error::InvalidPrime)?;
 
-        debug_assert_eq!(dp.bits_precision(), bits);
-        debug_assert_eq!(dq.bits_precision(), bits);
-        debug_assert_eq!(qinv.bits_precision(), bits);
-        debug_assert_eq!(p_params.bits_precision(), bits);
-        debug_assert_eq!(q_params.bits_precision(), bits);
+        debug_assert_eq!(dp.bits_precision(), p.bits_precision());
+        debug_assert_eq!(dq.bits_precision(), q.bits_precision());
+        debug_assert_eq!(qinv.bits_precision(), p.bits_precision());
+        debug_assert_eq!(p_params.bits_precision(), p.bits_precision());
+        debug_assert_eq!(q_params.bits_precision(), q.bits_precision());
 
         self.precomputed = Some(PrecomputedValues {
             dp,
@@ -742,8 +754,7 @@ mod tests {
 
     key_generation!(key_generation_multi_5_64, 5, 64);
     key_generation!(key_generation_multi_8_576, 8, 576);
-    // TODO: reenable, currently slow
-    // key_generation!(key_generation_multi_16_1024, 16, 1024);
+    key_generation!(key_generation_multi_16_1024, 16, 1024);
 
     #[test]
     fn test_negative_decryption_value() {
@@ -768,8 +779,8 @@ mod tests {
             )
             .unwrap(),
             vec![
-                BoxedUint::from_le_slice(&[105, 101, 60, 173, 19, 153, 3, 192], bits).unwrap(),
-                BoxedUint::from_le_slice(&[235, 65, 160, 134, 32, 136, 6, 241], bits).unwrap(),
+                BoxedUint::from_le_slice(&[105, 101, 60, 173, 19, 153, 3, 192], bits / 2).unwrap(),
+                BoxedUint::from_le_slice(&[235, 65, 160, 134, 32, 136, 6, 241], bits / 2).unwrap(),
             ],
         )
         .unwrap();
