crypto_bigint/uint/
rand.rs

1//! Random number generator support
2
3use super::Uint;
4use crate::{Encoding, Limb, NonZero, Random, RandomMod};
5use rand_core::CryptoRngCore;
6use subtle::ConstantTimeLess;
7
8impl<const LIMBS: usize> Random for Uint<LIMBS> {
9    /// Generate a cryptographically secure random [`Uint`].
10    fn random(mut rng: &mut impl CryptoRngCore) -> Self {
11        let mut limbs = [Limb::ZERO; LIMBS];
12
13        for limb in &mut limbs {
14            *limb = Limb::random(&mut rng)
15        }
16
17        limbs.into()
18    }
19}
20
21impl<const LIMBS: usize> RandomMod for Uint<LIMBS> {
22    /// Generate a cryptographically secure random [`Uint`] which is less than
23    /// a given `modulus`.
24    ///
25    /// This function uses rejection sampling, a method which produces an
26    /// unbiased distribution of in-range values provided the underlying
27    /// CSRNG is unbiased, but runs in variable-time.
28    ///
29    /// The variable-time nature of the algorithm should not pose a security
30    /// issue so long as the underlying random number generator is truly a
31    /// CSRNG, where previous outputs are unrelated to subsequent
32    /// outputs and do not reveal information about the RNG's internal state.
33    fn random_mod(rng: &mut impl CryptoRngCore, modulus: &NonZero<Self>) -> Self {
34        let mut n = Self::ZERO;
35
36        let n_bits = modulus.as_ref().bits_vartime();
37        let n_bytes = (n_bits + 7) / 8;
38        let n_limbs = (n_bits + Limb::BITS - 1) / Limb::BITS;
39        let hi_bytes = n_bytes - (n_limbs - 1) * Limb::BYTES;
40
41        let mut bytes = Limb::ZERO.to_le_bytes();
42
43        loop {
44            for i in 0..n_limbs - 1 {
45                rng.fill_bytes(bytes.as_mut());
46                // Need to deserialize from little-endian to make sure that two 32-bit limbs
47                // deserialized sequentially are equal to one 64-bit limb produced from the same
48                // byte stream.
49                n.limbs[i] = Limb::from_le_bytes(bytes);
50            }
51
52            // Generate the high limb which may need to only be filled partially.
53            bytes.as_mut().fill(0);
54            rng.fill_bytes(&mut (bytes.as_mut()[0..hi_bytes]));
55            n.limbs[n_limbs - 1] = Limb::from_le_bytes(bytes);
56
57            if n.ct_lt(modulus).into() {
58                return n;
59            }
60        }
61    }
62}
63
64#[cfg(test)]
65mod tests {
66    use crate::{NonZero, RandomMod, U256};
67    use rand_core::SeedableRng;
68
69    #[test]
70    fn random_mod() {
71        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
72
73        // Ensure `random_mod` runs in a reasonable amount of time
74        let modulus = NonZero::new(U256::from(42u8)).unwrap();
75        let res = U256::random_mod(&mut rng, &modulus);
76
77        // Check that the value is in range
78        assert!(res >= U256::ZERO);
79        assert!(res < U256::from(42u8));
80
81        // Ensure `random_mod` runs in a reasonable amount of time
82        // when the modulus is larger than 1 limb
83        let modulus = NonZero::new(U256::from(0x10000000000000001u128)).unwrap();
84        let res = U256::random_mod(&mut rng, &modulus);
85
86        // Check that the value is in range
87        assert!(res >= U256::ZERO);
88        assert!(res < U256::from(0x10000000000000001u128));
89    }
90}