BoxedResidue: use conditional assignment in pow (#393)

tarcieri · web-flow · commit bc53cfee094d · 2023-12-04T20:51:36.000-07:00
Changes `BoxedUint::conditional_assign` to actually be an in-place
operation rather than allocating, and uses it to impl
`BoxedResidue::pow`.

This leads to a fairly significant performance increase.

Montgomery arithmetic/modpow, BoxedUint^BoxedUint
                        time:   [27.769 µs 27.798 µs 27.830 µs]
                        change: [-39.063% -38.898% -38.724%] (p = 0.00 &lt; 0.05)
                        Performance has improved.
diff --git a/src/modular/boxed_residue/pow.rs b/src/modular/boxed_residue/pow.rs
@@ -61,10 +61,9 @@ fn pow_montgomery_form(
     // powers[i] contains x^i
     let mut powers = vec![r.clone(); 1 << WINDOW];
     powers[1] = x.clone();
-    let mut i = 2;
-    while i < powers.len() {
+
+    for i in 2..powers.len() {
         powers[i] = mul_montgomery_form(&powers[i - 1], x, modulus, mod_neg_inv);
-        i += 1;
     }
 
     let starting_limb = ((exponent_bits - 1) / Limb::BITS) as usize;
@@ -74,16 +73,15 @@ fn pow_montgomery_form(
 
     let mut z = r.clone(); // 1 in Montgomery form
 
-    let mut limb_num = starting_limb + 1;
-    while limb_num > 0 {
-        limb_num -= 1;
+    for limb_num in (0..=starting_limb).rev() {
         let w = exponent.as_limbs()[limb_num].0;
 
         let mut window_num = if limb_num == starting_limb {
             starting_window + 1
         } else {
             Limb::BITS / WINDOW
         };
+
         while window_num > 0 {
             window_num -= 1;
 
@@ -92,19 +90,15 @@ fn pow_montgomery_form(
             if limb_num == starting_limb && window_num == starting_window {
                 idx &= starting_window_mask;
             } else {
-                let mut i = 0;
-                while i < WINDOW {
-                    i += 1;
+                for _ in 1..=WINDOW {
                     square_montgomery_form_assign(&mut z, modulus, mod_neg_inv);
                 }
             }
 
             // Constant-time lookup in the array of powers
             let mut power = powers[0].clone();
-            let mut i = 1;
-            while i < 1 << WINDOW {
-                power = BoxedUint::conditional_select(&power, &powers[i as usize], i.ct_eq(&idx));
-                i += 1;
+            for i in 1..(1 << WINDOW) {
+                power.conditional_assign(&powers[i as usize], i.ct_eq(&idx));
             }
 
             mul_montgomery_form_assign(&mut z, &power, modulus, mod_neg_inv);
diff --git a/src/uint/boxed.rs b/src/uint/boxed.rs
@@ -210,7 +210,11 @@ impl BoxedUint {
     /// This function should execute in constant time.
     #[inline]
     pub fn conditional_assign(&mut self, other: &Self, choice: Choice) {
-        *self = Self::conditional_select(self, other, choice);
+        debug_assert_eq!(self.bits_precision(), other.bits_precision());
+
+        for i in 0..self.nlimbs() {
+            self.limbs[i] = Limb::conditional_select(&self.limbs[i], &other.limbs[i], choice);
+        }
     }
 
     /// Conditionally swap `self` and `other` if `choice == 1`; otherwise,
