feat: switch from num-bigint-dig to crypto-bigint

[dignifiedquire]

Very, very WIP

Not anymore, this is ready for review.
Replaces all usage of num-bigint-dig based BigInt usage with the new crypto-bigint crate, using BoxedUint

Current known issue is that we do have a performance regression, which will be able to get rid of over time:

# crypto-bigint

# macbook m1
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   7,184,387.50 ns/iter (+/- 425,598.69)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:  13,453,579.10 ns/iter (+/- 686,276.31)

# AMD
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   9,260,832.80 ns/iter (+/- 30,013.38)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:  16,610,079.40 ns/iter (+/- 251,292.53)

# master

# macbook m1
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   1,117,479.15 ns/iter (+/- 31,334.30)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:   1,337,437.55 ns/iter (+/- 88,624.39)

# AMD
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   1,414,348.80 ns/iter (+/- 12,585.71)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:   1,685,650.00 ns/iter (+/- 11,105.71)

TODOs

• switch internal storage for RsaPrivateKey
• switch internal storage for RsaPublicKey
• switch all code to use the new decrypt implementation
• update public traits using BigUint to return owned versions
• fix blinding implementation
• switch decryption algorithm with precompute to use crypto-bigint ops
• go through other algorithms and update what can be done without having primality checks implemented
• review & update code for constant time operation
• review & update code for performance
• benchmarks

[dignifiedquire]

CI is finally green again, time for lots of review and cleanup

[dignifiedquire]

@zeerooth nostd builds should be working again

[dignifiedquire]

this is not entirely correct or optimal, but I am not sure what other way there is

[tarcieri]

@fjarri is there anything in crypto-primes for this?

[fjarri]

No, nothing like that currently

[tarcieri]

@dignifiedquire so if I understand correctly, the purpose of this calculation is ultimately for a check that keygen terminates in a reasonable amount of time?

[tarcieri]

@dignifiedquire seems like you can remove "Very, very WIP" now

[dignifiedquire]

@dignifiedquire seems like you can remove "Very, very WIP" now

🤣 yeah, finally

[Snowiiii]

@dignifiedquire how it's going ?

[tarcieri]

He's waiting on review, which I'll try to do soon

[tarcieri]

IMO it would be nice to avoid this, especially if its only used for no_std prime counting

[fjarri]

If all you need from there is logf(x), you can probably just approximate it with x.bits() / log2(e), pre-calculating log2(e).

[fjarri]

Or even take log2(e) == 1 if the approximation allows it :)

[dignifiedquire]

bits() seems to not be around either..

[tarcieri]

This is crypto-bigint's latest MSRV:

Suggested change

	This crate supports Rust 1.73 or higher.
	This crate supports Rust 1.83 or higher.

[dignifiedquire]

fixed all around

[tarcieri]

Perhaps consider a BoxedUint re-export here, possibly using a shorter name:

pub use crypto_bigint::BoxedUint as Uint;

[dignifiedquire]

added

[tarcieri]

😢

[tarcieri]

Something which makes this pattern better would be nice. We have various NonZero::new_unwrap constructors which allow you to infallibly construct a NonZero.

[dignifiedquire]

278 |     let two = NonZero::new_unwrap(2).widen(bits);
    |                        ^^^^^^^^^^ multiple `new_unwrap` found
    |
    = note: candidate #1 is defined in an impl for the type `crypto_bigint::NonZero<Limb>`
    = note: candidate #2 is defined in an impl for the type `crypto_bigint::NonZero<crypto_bigint::Uint<LIMBS>>`

seems to not exist for theBoxedUint version

[tarcieri]

@dignifiedquire aah, yeah the idea would be to const construct a NonZero<Uint> first and either convert it to a NonZero<BoxedUint> first or make it possible to use NonZero<Uint> as an operand.

[fjarri]

The comment should be updated for the new name of the function.

Also I don't quite understand "gen_prime should set the top two bits in each prime" - what was that behavior for? generate_prime_with_rng() only sets one top bit, to ensure that the returned primes are of the requested bit size.

[tarcieri]

I was a bit curious about that myself. I saw @FiloSottile mention the same thing in this post:

https://words.filippo.io/dispatches/rsa-keygen-bench/

There is almost nothing special to selecting prime candidates. You draw an appropriately sized random number from a CSPRNG, and to avoid wasting time, you set the least significant bit and the two most significant bits: large even numbers are not prime, and setting the top two guarantees N won’t come out too small.

[FiloSottile]

If you set only the top bit of a n/2 bits number, you get a value >= 2^(n/2-1). If you multiply two of them, you get a value >= 2^(n-2), which is at a minimum n-1 bits long, one too short for a n-bit modulus.

[fjarri]

Ah I see, that makes sense. Do you think it should be the default behavior in crypto-primes?

[FiloSottile]

If you mainly need the primes for RSA, yes, you are only wasting CPU rejecting small moduli after you found the primes. If you're using the primes for something else, it might depend on what they are for.

[dignifiedquire]

@fjarri are you planning on changing the behaviour?

[fjarri]

I thought about it, and I don't think it should be the default - too specialized. It can be achieved with custom sieves, but I need to make a release first

[dignifiedquire]

that's fair, please do let me know if you have a release/how to make replicate the desired behavior with custom sieves

[tarcieri]

FYI: release PR for crypto-bigint v0.6.0 is up: RustCrypto/crypto-bigint#750

[YgorSouza]

Typo here: logrithm -> logarithm (and the same on line 123). Could add the typos GitHub action to the repo to avoid that.