Struct secret_integers::U64

pub struct U64(pub u64);

Tuple Fields

0: u64

Implementations

impl U64

pub fn classify<T: Into<u64>>(x: T) -> Self

Examples found in repository

examples/dalek.rs (line 99)

    fn mul(self, _rhs: &'b FieldElement64) -> FieldElement64 {
        /// Helper function to multiply two 64-bit integers with 128
        /// bits of output.
        #[inline(always)]
        fn m(x: U64, y: U64) -> U128 {
            U128::from(x) * y.into()
        }

        // Alias self, _rhs for more readable formulas
        let a: &[Limb; 5] = &self.0;
        let b: &[Limb; 5] = &_rhs.0;

        // Precondition: assume input limbs a[i], b[i] are bounded as
        //
        // a[i], b[i] < 2^(51 + b)
        //
        // where b is a real parameter measuring the "bit excess" of the limbs.

        // 64-bit precomputations to avoid 128-bit multiplications.
        //
        // This fits into a u64 whenever 51 + b + lg(19) < 64.
        //
        // Since 51 + b + lg(19) < 51 + 4.25 + b
        //                       = 55.25 + b,
        // this fits if b < 8.75.
        let nineteen = 19u64.into();
        let b1_19 = b[1] * nineteen;
        let b2_19 = b[2] * nineteen;
        let b3_19 = b[3] * nineteen;
        let b4_19 = b[4] * nineteen;

        // Multiply to get 128-bit coefficients of output
        let c0: U128 =
            m(a[0], b[0]) + m(a[4], b1_19) + m(a[3], b2_19) + m(a[2], b3_19) + m(a[1], b4_19);
        let mut c1: U128 =
            m(a[1], b[0]) + m(a[0], b[1]) + m(a[4], b2_19) + m(a[3], b3_19) + m(a[2], b4_19);
        let mut c2: U128 =
            m(a[2], b[0]) + m(a[1], b[1]) + m(a[0], b[2]) + m(a[4], b3_19) + m(a[3], b4_19);
        let mut c3: U128 =
            m(a[3], b[0]) + m(a[2], b[1]) + m(a[1], b[2]) + m(a[0], b[3]) + m(a[4], b4_19);
        let mut c4: U128 =
            m(a[4], b[0]) + m(a[3], b[1]) + m(a[2], b[2]) + m(a[1], b[3]) + m(a[0], b[4]);

        // How big are the c[i]? We have
        //
        //    c[i] < 2^(102 + 2*b) * (1+i + (4-i)*19)
        //         < 2^(102 + lg(1 + 4*19) + 2*b)
        //         < 2^(108.27 + 2*b)
        //
        // The carry (c[i] >> 51) fits into a u64 when
        //    108.27 + 2*b - 51 < 64
        //    2*b < 6.73
        //    b < 3.365.
        //
        // So we require b < 3 to ensure this fits.
        debug_assert!(U64::declassify(a[0]) < (1 << 54));
        debug_assert!(U64::declassify(b[0]) < (1 << 54));
        debug_assert!(U64::declassify(a[1]) < (1 << 54));
        debug_assert!(U64::declassify(b[1]) < (1 << 54));
        debug_assert!(U64::declassify(a[2]) < (1 << 54));
        debug_assert!(U64::declassify(b[2]) < (1 << 54));
        debug_assert!(U64::declassify(a[3]) < (1 << 54));
        debug_assert!(U64::declassify(b[3]) < (1 << 54));
        debug_assert!(U64::declassify(a[4]) < (1 << 54));
        debug_assert!(U64::declassify(b[4]) < (1 << 54));

        // Casting to u64 and back tells the compiler that the carry is
        // bounded by 2^64, so that the addition is a u128 + u64 rather
        // than u128 + u128.

        const LOW_51_BIT_MASK: u64 = (1u64 << 51) - 1;
        let mut out = [U64::classify(0u64); 5];

        c1 += U64::from(c0 >> 51).into();
        out[0] = U64::from(c0) & LOW_51_BIT_MASK.into();

        c2 += U64::from(c1 >> 51).into();
        out[1] = U64::from(c1) & LOW_51_BIT_MASK.into();

        c3 += U64::from(c2 >> 51).into();
        out[2] = U64::from(c2) & LOW_51_BIT_MASK.into();

        c4 += U64::from(c3 >> 51).into();
        out[3] = U64::from(c3) & LOW_51_BIT_MASK.into();

        let carry: U64 = (c4 >> 51).into();
        out[4] = U64::from(c4) & LOW_51_BIT_MASK.into();

        // To see that this does not overflow, we need out[0] + carry * 19 < 2^64.
        //
        // c4 < a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0 + (carry from c3)
        //    < 5*(2^(51 + b) * 2^(51 + b)) + (carry from c3)
        //    < 2^(102 + 2*b + lg(5)) + 2^64.
        //
        // When b < 3 we get
        //
        // c4 < 2^110.33  so that carry < 2^59.33
        //
        // so that
        //
        // out[0] + carry * 19 < 2^51 + 19 * 2^59.33 < 2^63.58
        //
        // and there is no overflow.
        out[0] = out[0] + carry * nineteen;

        // Now out[1] < 2^51 + 2^(64 -51) = 2^51 + 2^13 < 2^(51 + epsilon).
        out[1] += out[0] >> 51;
        out[0] &= LOW_51_BIT_MASK.into();

        // Now out[i] < 2^(51 + epsilon) for all i.
        FieldElement64(out)
    }

pub fn declassify(self) -> u64

Warning: use with caution, breaks the constant-time guarantee.

Examples found in repository

examples/dalek.rs (line 83)

    fn mul(self, _rhs: &'b FieldElement64) -> FieldElement64 {
        /// Helper function to multiply two 64-bit integers with 128
        /// bits of output.
        #[inline(always)]
        fn m(x: U64, y: U64) -> U128 {
            U128::from(x) * y.into()
        }

        // Alias self, _rhs for more readable formulas
        let a: &[Limb; 5] = &self.0;
        let b: &[Limb; 5] = &_rhs.0;

        // Precondition: assume input limbs a[i], b[i] are bounded as
        //
        // a[i], b[i] < 2^(51 + b)
        //
        // where b is a real parameter measuring the "bit excess" of the limbs.

        // 64-bit precomputations to avoid 128-bit multiplications.
        //
        // This fits into a u64 whenever 51 + b + lg(19) < 64.
        //
        // Since 51 + b + lg(19) < 51 + 4.25 + b
        //                       = 55.25 + b,
        // this fits if b < 8.75.
        let nineteen = 19u64.into();
        let b1_19 = b[1] * nineteen;
        let b2_19 = b[2] * nineteen;
        let b3_19 = b[3] * nineteen;
        let b4_19 = b[4] * nineteen;

        // Multiply to get 128-bit coefficients of output
        let c0: U128 =
            m(a[0], b[0]) + m(a[4], b1_19) + m(a[3], b2_19) + m(a[2], b3_19) + m(a[1], b4_19);
        let mut c1: U128 =
            m(a[1], b[0]) + m(a[0], b[1]) + m(a[4], b2_19) + m(a[3], b3_19) + m(a[2], b4_19);
        let mut c2: U128 =
            m(a[2], b[0]) + m(a[1], b[1]) + m(a[0], b[2]) + m(a[4], b3_19) + m(a[3], b4_19);
        let mut c3: U128 =
            m(a[3], b[0]) + m(a[2], b[1]) + m(a[1], b[2]) + m(a[0], b[3]) + m(a[4], b4_19);
        let mut c4: U128 =
            m(a[4], b[0]) + m(a[3], b[1]) + m(a[2], b[2]) + m(a[1], b[3]) + m(a[0], b[4]);

        // How big are the c[i]? We have
        //
        //    c[i] < 2^(102 + 2*b) * (1+i + (4-i)*19)
        //         < 2^(102 + lg(1 + 4*19) + 2*b)
        //         < 2^(108.27 + 2*b)
        //
        // The carry (c[i] >> 51) fits into a u64 when
        //    108.27 + 2*b - 51 < 64
        //    2*b < 6.73
        //    b < 3.365.
        //
        // So we require b < 3 to ensure this fits.
        debug_assert!(U64::declassify(a[0]) < (1 << 54));
        debug_assert!(U64::declassify(b[0]) < (1 << 54));
        debug_assert!(U64::declassify(a[1]) < (1 << 54));
        debug_assert!(U64::declassify(b[1]) < (1 << 54));
        debug_assert!(U64::declassify(a[2]) < (1 << 54));
        debug_assert!(U64::declassify(b[2]) < (1 << 54));
        debug_assert!(U64::declassify(a[3]) < (1 << 54));
        debug_assert!(U64::declassify(b[3]) < (1 << 54));
        debug_assert!(U64::declassify(a[4]) < (1 << 54));
        debug_assert!(U64::declassify(b[4]) < (1 << 54));

        // Casting to u64 and back tells the compiler that the carry is
        // bounded by 2^64, so that the addition is a u128 + u64 rather
        // than u128 + u128.

        const LOW_51_BIT_MASK: u64 = (1u64 << 51) - 1;
        let mut out = [U64::classify(0u64); 5];

        c1 += U64::from(c0 >> 51).into();
        out[0] = U64::from(c0) & LOW_51_BIT_MASK.into();

        c2 += U64::from(c1 >> 51).into();
        out[1] = U64::from(c1) & LOW_51_BIT_MASK.into();

        c3 += U64::from(c2 >> 51).into();
        out[2] = U64::from(c2) & LOW_51_BIT_MASK.into();

        c4 += U64::from(c3 >> 51).into();
        out[3] = U64::from(c3) & LOW_51_BIT_MASK.into();

        let carry: U64 = (c4 >> 51).into();
        out[4] = U64::from(c4) & LOW_51_BIT_MASK.into();

        // To see that this does not overflow, we need out[0] + carry * 19 < 2^64.
        //
        // c4 < a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0 + (carry from c3)
        //    < 5*(2^(51 + b) * 2^(51 + b)) + (carry from c3)
        //    < 2^(102 + 2*b + lg(5)) + 2^64.
        //
        // When b < 3 we get
        //
        // c4 < 2^110.33  so that carry < 2^59.33
        //
        // so that
        //
        // out[0] + carry * 19 < 2^51 + 19 * 2^59.33 < 2^63.58
        //
        // and there is no overflow.
        out[0] = out[0] + carry * nineteen;

        // Now out[1] < 2^51 + 2^(64 -51) = 2^51 + 2^13 < 2^(51 + epsilon).
        out[1] += out[0] >> 51;
        out[0] &= LOW_51_BIT_MASK.into();

        // Now out[i] < 2^(51 + epsilon) for all i.
        FieldElement64(out)
    }

pub fn zero() -> Self

pub fn one() -> Self

pub fn ones() -> Self

pub fn from_le_bytes(bytes: &[U8]) -> Vec<U64>

pub fn to_le_bytes(ints: &[U64]) -> Vec<U8>

pub fn from_be_bytes(bytes: &[U8]) -> Vec<U64>

pub fn to_be_bytes(ints: &[U64]) -> Vec<U8>

pub fn max_value() -> U64

impl U64

pub fn checked_add(self, rhs: Self) -> Self

Warning: panics when overflow.

impl U64

pub fn checked_sub(self, rhs: Self) -> Self

Warning: panics when overflow.

impl U64

pub fn checked_mul(self, rhs: Self) -> Self

Warning: panics when overflow.

impl U64

pub fn rotate_left(self, rotval: usize) -> Self

pub fn rotate_right(self, rotval: usize) -> Self

impl U64

Constant-time comparison operators

pub fn comp_eq(self, rhs: Self) -> Self

Produces a new integer which is all ones if the two arguments are equal and all zeroes otherwise. With inspiration from Wireguard.

pub fn comp_ne(self, rhs: Self) -> Self

Produces a new integer which is all ones if the first argument is different from the second argument, and all zeroes otherwise.

pub fn comp_gte(self, rhs: Self) -> Self

Produces a new integer which is all ones if the first argument is greater than or equal to the second argument, and all zeroes otherwise. With inspiration from WireGuard.

pub fn comp_gt(self, rhs: Self) -> Self

Produces a new integer which is all ones if the first argument is strictly greater than the second argument, and all zeroes otherwise.

pub fn comp_lte(self, rhs: Self) -> Self

Produces a new integer which is all ones if the first argument is less than or equal to the second argument, and all zeroes otherwise.

pub fn comp_lt(self, rhs: Self) -> Self

Produces a new integer which is all ones if the first argument is strictly less than the second argument, and all zeroes otherwise.

Trait Implementations

impl Add<U64> for U64

Warning: has wrapping semantics.

type Output = U64

The resulting type after applying the + operator.

fn add(self, rhs: Self) -> Self

Performs the + operation.

impl AddAssign<U64> for U64

Warning: has wrapping semantics.

fn add_assign(&mut self, rhs: Self)

Performs the += operation.

impl BitAnd<U64> for U64

type Output = U64

The resulting type after applying the & operator.

fn bitand(self, rhs: Self) -> Self

Performs the & operation.

impl BitAndAssign<U64> for U64

fn bitand_assign(&mut self, rhs: Self)

Performs the &= operation.

impl BitOr<U64> for U64

type Output = U64

The resulting type after applying the | operator.

fn bitor(self, rhs: Self) -> Self

Performs the | operation.

impl BitOrAssign<U64> for U64

fn bitor_assign(&mut self, rhs: Self)

Performs the |= operation.

impl BitXor<U64> for U64

type Output = U64

The resulting type after applying the ^ operator.

fn bitxor(self, rhs: Self) -> Self

Performs the ^ operation.

impl BitXorAssign<U64> for U64

fn bitxor_assign(&mut self, rhs: Self)

Performs the ^= operation.

impl Clone for U64

fn clone(&self) -> U64

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for U64

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for U64

fn default() -> U64

Returns the “default value” for a type.

impl Display for U64

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl From<I64> for U64

fn from(x: I64) -> U64

Converts to this type from the input type.

impl From<U128> for U64

Warning: wrapping semantics.

fn from(x: U128) -> U64

Converts to this type from the input type.

impl From<U16> for U64

fn from(x: U16) -> U64

Converts to this type from the input type.

impl From<U32> for U64

fn from(x: U32) -> U64

Converts to this type from the input type.

impl From<U64> for I64

Warning: wrapping semantics.

fn from(x: U64) -> I64

Converts to this type from the input type.

impl From<U64> for U128

fn from(x: U64) -> U128

Converts to this type from the input type.

impl From<U64> for U16

Warning: wrapping semantics.

fn from(x: U64) -> U16

Converts to this type from the input type.

impl From<U64> for U32

Warning: wrapping semantics.

fn from(x: U64) -> U32

Converts to this type from the input type.

impl From<U64> for U8

Warning: wrapping semantics.

fn from(x: U64) -> U8

Converts to this type from the input type.

impl From<U64> for u128

Warning: conversion can be lossy!

fn from(x: U64) -> u128

Converts to this type from the input type.

impl From<U64> for u64

Warning: conversion can be lossy!

fn from(x: U64) -> u64

Converts to this type from the input type.

impl From<U8> for U64

fn from(x: U8) -> U64

Converts to this type from the input type.

impl From<u16> for U64

fn from(x: u16) -> U64

Converts to this type from the input type.

impl From<u32> for U64

fn from(x: u32) -> U64

Converts to this type from the input type.

impl From<u64> for U64

fn from(x: u64) -> Self

Converts to this type from the input type.

impl From<u8> for U64

fn from(x: u8) -> U64

Converts to this type from the input type.

impl From<usize> for U64

fn from(x: usize) -> U64

Converts to this type from the input type.

impl LowerHex for U64

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Mul<U64> for U64

Warning: has wrapping semantics.

type Output = U64

The resulting type after applying the * operator.

fn mul(self, rhs: Self) -> Self

Performs the * operation.

impl MulAssign<U64> for U64

Warning: has wrapping semantics.

fn mul_assign(&mut self, rhs: Self)

Performs the *= operation.

impl Neg for U64

type Output = U64

The resulting type after applying the - operator.

fn neg(self) -> Self

Performs the unary - operation.

impl Not for U64

type Output = U64

The resulting type after applying the ! operator.

fn not(self) -> Self

Performs the unary ! operation.

impl Shl<usize> for U64

type Output = U64

The resulting type after applying the << operator.

fn shl(self, rhs: usize) -> Self

Performs the << operation.

impl ShlAssign<usize> for U64

fn shl_assign(&mut self, rhs: usize)

Performs the <<= operation.

impl Shr<usize> for U64

type Output = U64

The resulting type after applying the >> operator.

fn shr(self, rhs: usize) -> Self

Performs the >> operation.

impl ShrAssign<usize> for U64

fn shr_assign(&mut self, rhs: usize)

Performs the >>= operation.

impl Sub<U64> for U64

Warning: has wrapping semantics.

type Output = U64

The resulting type after applying the - operator.

fn sub(self, rhs: Self) -> Self

Performs the - operation.

impl SubAssign<U64> for U64

Warning: has wrapping semantics.

fn sub_assign(&mut self, rhs: Self)

Performs the -= operation.

impl Copy for U64