Montgomery autocalculate params (#118)

* Add const shift to calculate montgomery params

* Add const rem by substractions

* Add comments

* Fix warnings

* compute MP at compile time

* compute R2 at compile time

* rename mp to mu

* fix typo

* Re added mul comments

---------

Co-authored-by: Sergio Chouhy <[email protected]>

Author: MauroToscano

crypto/src/hash/poseidon/mod.rs

@@ -158,9 +158,6 @@ mod tests {
     impl IsMontgomeryConfiguration for TestFieldConfig {
         const MODULUS: U384 =
             U384::from("2000000000000080000000000000000000000000000000000000000000000001");
-        const MP: u64 = 18446744073709551615u64;
-        const R2: U384 =
-            U384::from("C0000FFFFCFFFF800000000C0001FFFFFFFFBFFFF80000000140001FFFFE00");
     }
 
     pub type PoseidonTestField = MontgomeryBackendPrimeField<TestFieldConfig>;

math/src/elliptic_curve/short_weierstrass/curves/bls12_377/field_extension.rs

@@ -11,8 +11,6 @@ pub const BLS12377_PRIME_FIELD_ORDER: U384 = U384::from("1ae3a4617c510eac63b05c0
 pub struct BLS12377FieldConfig;
 impl IsMontgomeryConfiguration for BLS12377FieldConfig {
     const MODULUS: U384 = BLS12377_PRIME_FIELD_ORDER;
-    const MP: u64 = 9586122913090633727;
-    const R2: U384 = U384::from("6dfccb1e914b88837e92f041790bf9bfdf7d03827dc3ac22a5f11162d6b46d0329fcaab00431b1b786686c9400cd22");
 }
 
 pub type BLS12377PrimeField = MontgomeryBackendPrimeField<BLS12377FieldConfig>;

math/src/elliptic_curve/short_weierstrass/curves/bls12_381/field_extension.rs

@@ -15,8 +15,6 @@ pub const BLS12381_PRIME_FIELD_ORDER: U384 = U384::from("1a0111ea397fe69a4b1ba7b
 pub struct BLS12381FieldConfig;
 impl IsMontgomeryConfiguration for BLS12381FieldConfig {
     const MODULUS: U384 = BLS12381_PRIME_FIELD_ORDER;
-    const MP: u64 = 9940570264628428797;
-    const R2: U384 = U384::from("11988fe592cae3aa9a793e85b519952d67eb88a9939d83c08de5476c4c95b6d50a76e6a609d104f1f4df1f341c341746");
 }
 
 pub type BLS12381PrimeField = MontgomeryBackendPrimeField<BLS12381FieldConfig>;

math/src/elliptic_curve/short_weierstrass/curves/test_curve_2.rs

@@ -23,8 +23,6 @@ pub const TEST_CURVE_2_MAIN_SUBGROUP_ORDER: U384 = U384::from("40a065fb5a76390de
 pub struct TestCurve2MontgomeryConfig;
 impl IsMontgomeryConfiguration for TestCurve2MontgomeryConfig {
     const MODULUS: U384 = TEST_CURVE_2_PRIME_FIELD_ORDER;
-    const MP: u64 = 1901108026836139985;
-    const R2: U384 = U384::from("f60e53d42ca85ba186067660c4f2daa94");
 }
 
 type TestCurve2PrimeField = MontgomeryBackendPrimeField<TestCurve2MontgomeryConfig>;

math/src/field/fields/u384_prime_field.rs

@@ -5,16 +5,68 @@ use crate::{
     field::traits::IsField, unsigned_integer::element::UnsignedInteger,
     unsigned_integer::montgomery::MontgomeryAlgorithms,
 };
+
 use std::fmt::Debug;
 use std::marker::PhantomData;
 
+/// Computes `- modulus^{-1} mod 2^{64}`
+/// This algorithm is given  by Dussé and Kaliski Jr. in
+/// "S. R. Dussé and B. S. Kaliski Jr. A cryptographic library for the Motorola
+/// DSP56000. In I. Damgård, editor, Advances in Cryptology – EUROCRYPT’90,
+/// volume 473 of Lecture Notes in Computer Science, pages 230–244. Springer,
+/// Heidelberg, May 1991."
+const fn compute_mu_parameter(modulus: &U384) -> u64 {
+    let mut y = 1;
+    let word_size = 64;
+    let mut i: usize = 2;
+    while i <= word_size {
+        let (_, lo) = U384::mul(modulus, &U384::from_u64(y));
+        let least_significant_limb = lo.limbs[5];
+        if (least_significant_limb << (word_size - i)) >> (word_size - i) != 1 {
+            y += 1 << (i - 1);
+        }
+        i += 1;
+    }
+    y.wrapping_neg()
+}
+
+/// Computes 2^{384 * 2} modulo `modulus`
+const fn compute_r2_parameter(modulus: &U384) -> U384 {
+    let number_limbs = 6;
+    let word_size = 64;
+    let mut l: usize = 0;
+    let zero = U384::from_u64(0);
+    // Define `c` as the largest power of 2 smaller than `modulus`
+    while l < number_limbs * word_size {
+        if U384::const_ne(&modulus.const_shr(l), &zero) {
+            break;
+        }
+        l += 1;
+    }
+    let mut c = U384::from_u64(1).const_shl(l);
+
+    // Double `c` and reduce modulo `modulus` until getting
+    // `2^{2 * number_limbs * word_size}` mod `modulus`
+    let mut i: usize = 1;
+    while i <= 2 * number_limbs * word_size - l {
+        let (double_c, overflow) = U384::add(&c, &c);
+        c = if U384::const_le(modulus, &double_c) || overflow {
+            U384::sub(&double_c, modulus).0
+        } else {
+            double_c
+        };
+        i += 1;
+    }
+    c
+}
+
 /// This trait is necessary for us to be able to use unsigned integer types bigger than
 /// `u128` (the biggest native `unit`) as constant generics.
 /// This trait should be removed when Rust supports this feature.
 pub trait IsMontgomeryConfiguration {
     const MODULUS: U384;
-    const R2: U384;
-    const MP: u64;
+    const R2: U384 = compute_r2_parameter(&Self::MODULUS);
+    const MU: u64 = compute_mu_parameter(&Self::MODULUS);
 }
 
 #[derive(Clone, Debug)]
@@ -50,7 +102,7 @@ where
     }
 
     fn mul(a: &Self::BaseType, b: &Self::BaseType) -> Self::BaseType {
-        MontgomeryAlgorithms::cios(a, b, &C::MODULUS, &C::MP)
+        MontgomeryAlgorithms::cios(a, b, &C::MODULUS, &C::MU)
     }
 
     fn sub(a: &Self::BaseType, b: &Self::BaseType) -> Self::BaseType {
@@ -93,11 +145,11 @@ where
     }
 
     fn from_u64(x: u64) -> Self::BaseType {
-        MontgomeryAlgorithms::cios(&UnsignedInteger::from_u64(x), &C::R2, &C::MODULUS, &C::MP)
+        MontgomeryAlgorithms::cios(&UnsignedInteger::from_u64(x), &C::R2, &C::MODULUS, &C::MU)
     }
 
     fn from_base_type(x: Self::BaseType) -> Self::BaseType {
-        MontgomeryAlgorithms::cios(&x, &C::R2, &C::MODULUS, &C::MP)
+        MontgomeryAlgorithms::cios(&x, &C::R2, &C::MODULUS, &C::MU)
     }
 }
 
@@ -106,12 +158,12 @@ where
     C: IsMontgomeryConfiguration + Clone + Debug,
 {
     fn to_bytes_be(&self) -> Vec<u8> {
-        MontgomeryAlgorithms::cios(self.value(), &U384::from_u64(1), &C::MODULUS, &C::MP)
+        MontgomeryAlgorithms::cios(self.value(), &U384::from_u64(1), &C::MODULUS, &C::MU)
             .to_bytes_be()
     }
 
     fn to_bytes_le(&self) -> Vec<u8> {
-        MontgomeryAlgorithms::cios(self.value(), &U384::from_u64(1), &C::MODULUS, &C::MP)
+        MontgomeryAlgorithms::cios(self.value(), &U384::from_u64(1), &C::MODULUS, &C::MU)
             .to_bytes_le()
     }
 
@@ -129,20 +181,113 @@ where
 #[cfg(test)]
 mod tests {
     use crate::{
-        field::element::FieldElement,
+        field::{
+            element::FieldElement,
+            fields::u384_prime_field::{compute_mu_parameter, compute_r2_parameter},
+        },
         traits::ByteConversion,
         unsigned_integer::element::{UnsignedInteger, U384},
     };
 
     use super::{IsMontgomeryConfiguration, MontgomeryBackendPrimeField};
 
+    #[test]
+    fn test_compute_mu_parameter_1() {
+        let modulus = U384 {
+            limbs: [0, 0, 0, 0, 0, 23],
+        };
+        let mu = compute_mu_parameter(&modulus);
+        let expected_mu: u64 = 3208129404123400281;
+        assert_eq!(mu, expected_mu);
+    }
+
+    #[test]
+    fn test_compute_mu_parameter_2() {
+        let modulus = U384 {
+            limbs: [
+                0,
+                0,
+                0,
+                3450888597,
+                5754816256417943771,
+                15923941673896418529,
+            ],
+        };
+        let mu = compute_mu_parameter(&modulus);
+        let expected_mu: u64 = 16085280245840369887;
+        assert_eq!(mu, expected_mu);
+    }
+
+    #[test]
+    fn test_compute_mu_parameter_3() {
+        let modulus = U384 {
+            limbs: [
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551275,
+            ],
+        };
+        let mu = compute_mu_parameter(&modulus);
+        let expected_mu: u64 = 14984598558409225213;
+        assert_eq!(mu, expected_mu);
+    }
+
+    #[test]
+    fn test_compute_r2_parameter_1() {
+        let modulus = U384 {
+            limbs: [0, 0, 0, 0, 0, 23],
+        };
+        let r2 = compute_r2_parameter(&modulus);
+        let expected_r2 = U384::from_u64(6);
+        assert_eq!(r2, expected_r2);
+    }
+
+    #[test]
+    fn test_compute_r2_parameter_2() {
+        let modulus = U384 {
+            limbs: [
+                0,
+                0,
+                0,
+                3450888597,
+                5754816256417943771,
+                15923941673896418529,
+            ],
+        };
+        let r2 = compute_r2_parameter(&modulus);
+        let expected_r2 = U384 {
+            limbs: [0, 0, 0, 362264696, 173086217205162856, 7848132598488868435],
+        };
+        assert_eq!(r2, expected_r2);
+    }
+
+    #[test]
+    fn test_compute_r2_parameter_3() {
+        let modulus = U384 {
+            limbs: [
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551615,
+                18446744073709551275,
+            ],
+        };
+        let r2 = compute_r2_parameter(&modulus);
+        let expected_r2 = U384 {
+            limbs: [0, 0, 0, 0, 0, 116281],
+        };
+        assert_eq!(r2, expected_r2);
+    }
+
     // F23
     #[derive(Clone, Debug)]
     struct MontgomeryConfig23;
     impl IsMontgomeryConfiguration for MontgomeryConfig23 {
         const MODULUS: U384 = UnsignedInteger::from_u64(23);
-        const MP: u64 = 3208129404123400281;
-        const R2: U384 = UnsignedInteger::from_u64(6);
     }
 
     type F23 = MontgomeryBackendPrimeField<MontgomeryConfig23>;
@@ -305,10 +450,6 @@ mod tests {
                 15923941673896418529,
             ],
         };
-        const MP: u64 = 16085280245840369887;
-        const R2: U384 = UnsignedInteger {
-            limbs: [0, 0, 0, 362264696, 173086217205162856, 7848132598488868435],
-        };
     }
 
     #[test]
@@ -355,10 +496,6 @@ mod tests {
                 18446744073709551275,
             ],
         };
-        const MP: u64 = 14984598558409225213;
-        const R2: U384 = UnsignedInteger {
-            limbs: [0, 0, 0, 0, 0, 116281],
-        };
     }
 
     type FP2 = MontgomeryBackendPrimeField<MontgomeryConfigP2>;