crypto/internal/fips140/rsa: add Miller-Rabin test

A following CL will move key generation to crypto/internal/fips140/rsa.

Updates #69799
For #69536

Change-Id: Icdf9b8424da20453939c6587af7dc922aad9e0ca
Reviewed-on: https://go-review.googlesource.com/c/go/+/632215
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
Reviewed-by: Daniel McCarney <[email protected]>

Author: FiloSottile

src/crypto/internal/fips140/bigmod/nat.go

@@ -244,6 +244,56 @@ func (x *Nat) IsZero() choice {
 	return zero
 }
 
+// IsOne returns 1 if x == 1, and 0 otherwise.
+func (x *Nat) IsOne() choice {
+	// Eliminate bounds checks in the loop.
+	size := len(x.limbs)
+	xLimbs := x.limbs[:size]
+
+	if len(xLimbs) == 0 {
+		return no
+	}
+
+	one := ctEq(xLimbs[0], 1)
+	for i := 1; i < size; i++ {
+		one &= ctEq(xLimbs[i], 0)
+	}
+	return one
+}
+
+// IsMinusOne returns 1 if x == -1 mod m, and 0 otherwise.
+//
+// The length of x must be the same as the modulus. x must already be reduced
+// modulo m.
+func (x *Nat) IsMinusOne(m *Modulus) choice {
+	minusOne := m.Nat()
+	minusOne.SubOne(m)
+	return x.Equal(minusOne)
+}
+
+// IsOdd returns 1 if x is odd, and 0 otherwise.
+func (x *Nat) IsOdd() choice {
+	if len(x.limbs) == 0 {
+		return no
+	}
+	return choice(x.limbs[0] & 1)
+}
+
+// TrailingZeroBitsVarTime returns the number of trailing zero bits in x.
+func (x *Nat) TrailingZeroBitsVarTime() uint {
+	var t uint
+	limbs := x.limbs
+	for _, l := range limbs {
+		if l == 0 {
+			t += _W
+			continue
+		}
+		t += uint(bits.TrailingZeros(l))
+		break
+	}
+	return t
+}
+
 // cmpGeq returns 1 if x >= y, and 0 otherwise.
 //
 // Both operands must have the same announced length.
@@ -308,6 +358,37 @@ func (x *Nat) sub(y *Nat) (c uint) {
 	return
 }
 
+// ShiftRightVarTime sets x = x >> n.
+//
+// The announced length of x is unchanged.
+func (x *Nat) ShiftRightVarTime(n uint) *Nat {
+	// Eliminate bounds checks in the loop.
+	size := len(x.limbs)
+	xLimbs := x.limbs[:size]
+
+	shift := int(n % _W)
+	shiftLimbs := int(n / _W)
+
+	var shiftedLimbs []uint
+	if shiftLimbs < size {
+		shiftedLimbs = xLimbs[shiftLimbs:]
+	}
+
+	for i := range xLimbs {
+		if i >= len(shiftedLimbs) {
+			xLimbs[i] = 0
+			continue
+		}
+
+		xLimbs[i] = shiftedLimbs[i] >> shift
+		if i+1 < len(shiftedLimbs) {
+			xLimbs[i] |= shiftedLimbs[i+1] << (_W - shift)
+		}
+	}
+
+	return x
+}
+
 // Modulus is used for modular arithmetic, precomputing relevant constants.
 //
 // A Modulus can leak the exact number of bits needed to store its value
@@ -403,7 +484,7 @@ func NewModulus(b []byte) (*Modulus, error) {
 		return nil, errors.New("modulus must be > 0")
 	}
 	m.leading = _W - bitLen(m.nat.limbs[len(m.nat.limbs)-1])
-	if m.nat.limbs[0]&1 == 1 {
+	if m.nat.IsOdd() == 1 {
 		m.odd = true
 		m.m0inv = minusInverseModW(m.nat.limbs[0])
 		m.rr = rr(m)
@@ -435,9 +516,13 @@ func (m *Modulus) BitLen() int {
 	return len(m.nat.limbs)*_W - int(m.leading)
 }
 
-// Nat returns m as a Nat. The return value must not be written to.
+// Nat returns m as a Nat.
 func (m *Modulus) Nat() *Nat {
-	return m.nat
+	// Make a copy so that the caller can't modify m.nat or alias it with
+	// another Nat in a modulus operation.
+	n := NewNat()
+	n.set(m.nat)
+	return n
 }
 
 // shiftIn calculates x = x << _W + y mod m.
@@ -553,6 +638,16 @@ func (x *Nat) Sub(y *Nat, m *Modulus) *Nat {
 	return x
 }
 
+// SubOne computes x = x - 1 mod m.
+//
+// The length of x must be the same as the modulus. x must already be reduced
+// modulo m.
+func (x *Nat) SubOne(m *Modulus) *Nat {
+	one := NewNat().ExpandFor(m)
+	one.limbs[0] = 1
+	return x.Sub(one, m)
+}
+
 // Add computes x = x + y mod m.
 //
 // The length of both operands must be the same as the modulus. Both operands

src/crypto/internal/fips140/bigmod/nat_test.go

@@ -31,6 +31,14 @@ func (x *Nat) setBig(n *big.Int) *Nat {
 	return x
 }
 
+func (n *Nat) asBig() *big.Int {
+	bits := make([]big.Word, len(n.limbs))
+	for i := range n.limbs {
+		bits[i] = big.Word(n.limbs[i])
+	}
+	return new(big.Int).SetBits(bits)
+}
+
 func (n *Nat) String() string {
 	var limbs []string
 	for i := range n.limbs {
@@ -404,6 +412,98 @@ func testMul(t *testing.T, n int) {
 	}
 }
 
+func TestIs(t *testing.T) {
+	checkYes := func(c choice, err string) {
+		t.Helper()
+		if c != yes {
+			t.Error(err)
+		}
+	}
+	checkNot := func(c choice, err string) {
+		t.Helper()
+		if c != no {
+			t.Error(err)
+		}
+	}
+
+	mFour := modulusFromBytes([]byte{4})
+	n, err := NewNat().SetBytes([]byte{3}, mFour)
+	if err != nil {
+		t.Fatal(err)
+	}
+	checkYes(n.IsMinusOne(mFour), "3 is not -1 mod 4")
+	checkNot(n.IsZero(), "3 is zero")
+	checkNot(n.IsOne(), "3 is one")
+	checkYes(n.IsOdd(), "3 is not odd")
+	n.SubOne(mFour)
+	checkNot(n.IsMinusOne(mFour), "2 is -1 mod 4")
+	checkNot(n.IsZero(), "2 is zero")
+	checkNot(n.IsOne(), "2 is one")
+	checkNot(n.IsOdd(), "2 is odd")
+	n.SubOne(mFour)
+	checkNot(n.IsMinusOne(mFour), "1 is -1 mod 4")
+	checkNot(n.IsZero(), "1 is zero")
+	checkYes(n.IsOne(), "1 is not one")
+	checkYes(n.IsOdd(), "1 is not odd")
+	n.SubOne(mFour)
+	checkNot(n.IsMinusOne(mFour), "0 is -1 mod 4")
+	checkYes(n.IsZero(), "0 is not zero")
+	checkNot(n.IsOne(), "0 is one")
+	checkNot(n.IsOdd(), "0 is odd")
+	n.SubOne(mFour)
+	checkYes(n.IsMinusOne(mFour), "-1 is not -1 mod 4")
+	checkNot(n.IsZero(), "-1 is zero")
+	checkNot(n.IsOne(), "-1 is one")
+	checkYes(n.IsOdd(), "-1 mod 4 is not odd")
+
+	mTwoLimbs := maxModulus(2)
+	n, err = NewNat().SetBytes([]byte{0x01}, mTwoLimbs)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n.IsOne() != 1 {
+		t.Errorf("1 is not one")
+	}
+}
+
+func TestTrailingZeroBits(t *testing.T) {
+	nb := new(big.Int).SetBytes([]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7e})
+	nb.Lsh(nb, 128)
+	expected := 129
+	for expected >= 0 {
+		n := NewNat().setBig(nb)
+		if n.TrailingZeroBitsVarTime() != uint(expected) {
+			t.Errorf("%d != %d", n.TrailingZeroBitsVarTime(), expected)
+		}
+		nb.Rsh(nb, 1)
+		expected--
+	}
+}
+
+func TestRightShift(t *testing.T) {
+	nb, err := cryptorand.Int(cryptorand.Reader, new(big.Int).Lsh(big.NewInt(1), 1024))
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, shift := range []uint{1, 32, 64, 128, 1024 - 128, 1024 - 64, 1024 - 32, 1024 - 1} {
+		testShift := func(t *testing.T, shift uint) {
+			n := NewNat().setBig(nb)
+			oldLen := len(n.limbs)
+			n.ShiftRightVarTime(shift)
+			if len(n.limbs) != oldLen {
+				t.Errorf("len(n.limbs) = %d, want %d", len(n.limbs), oldLen)
+			}
+			exp := new(big.Int).Rsh(nb, shift)
+			if n.asBig().Cmp(exp) != 0 {
+				t.Errorf("%v != %v", n.asBig(), exp)
+			}
+		}
+		t.Run(fmt.Sprint(shift-1), func(t *testing.T) { testShift(t, shift-1) })
+		t.Run(fmt.Sprint(shift), func(t *testing.T) { testShift(t, shift) })
+		t.Run(fmt.Sprint(shift+1), func(t *testing.T) { testShift(t, shift+1) })
+	}
+}
+
 func natBytes(n *Nat) []byte {
 	return n.Bytes(maxModulus(uint(len(n.limbs))))
 }