Coverage Report

Created: 2025-11-16 06:36

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/rust/registry/src/index.crates.io-1949cf8c6b5b557f/crypto-bigint-0.5.5/src/uint/rand.rs
Line
Count
Source
1
//! Random number generator support
2
3
use super::Uint;
4
use crate::{Encoding, Limb, NonZero, Random, RandomMod};
5
use rand_core::CryptoRngCore;
6
use subtle::ConstantTimeLess;
7
8
impl<const LIMBS: usize> Random for Uint<LIMBS> {
9
    /// Generate a cryptographically secure random [`Uint`].
10
0
    fn random(mut rng: &mut impl CryptoRngCore) -> Self {
11
0
        let mut limbs = [Limb::ZERO; LIMBS];
12
13
0
        for limb in &mut limbs {
14
0
            *limb = Limb::random(&mut rng)
15
        }
16
17
0
        limbs.into()
18
0
    }
19
}
20
21
impl<const LIMBS: usize> RandomMod for Uint<LIMBS> {
22
    /// Generate a cryptographically secure random [`Uint`] which is less than
23
    /// a given `modulus`.
24
    ///
25
    /// This function uses rejection sampling, a method which produces an
26
    /// unbiased distribution of in-range values provided the underlying
27
    /// CSRNG is unbiased, but runs in variable-time.
28
    ///
29
    /// The variable-time nature of the algorithm should not pose a security
30
    /// issue so long as the underlying random number generator is truly a
31
    /// CSRNG, where previous outputs are unrelated to subsequent
32
    /// outputs and do not reveal information about the RNG's internal state.
33
0
    fn random_mod(rng: &mut impl CryptoRngCore, modulus: &NonZero<Self>) -> Self {
34
0
        let mut n = Self::ZERO;
35
36
0
        let n_bits = modulus.as_ref().bits_vartime();
37
0
        let n_bytes = (n_bits + 7) / 8;
38
0
        let n_limbs = (n_bits + Limb::BITS - 1) / Limb::BITS;
39
0
        let hi_bytes = n_bytes - (n_limbs - 1) * Limb::BYTES;
40
41
0
        let mut bytes = Limb::ZERO.to_le_bytes();
42
43
        loop {
44
0
            for i in 0..n_limbs - 1 {
45
0
                rng.fill_bytes(bytes.as_mut());
46
0
                // Need to deserialize from little-endian to make sure that two 32-bit limbs
47
0
                // deserialized sequentially are equal to one 64-bit limb produced from the same
48
0
                // byte stream.
49
0
                n.limbs[i] = Limb::from_le_bytes(bytes);
50
0
            }
51
52
            // Generate the high limb which may need to only be filled partially.
53
0
            bytes.as_mut().fill(0);
54
0
            rng.fill_bytes(&mut (bytes.as_mut()[0..hi_bytes]));
55
0
            n.limbs[n_limbs - 1] = Limb::from_le_bytes(bytes);
56
57
0
            if n.ct_lt(modulus).into() {
58
0
                return n;
59
0
            }
60
        }
61
0
    }
62
}
63
64
#[cfg(test)]
65
mod tests {
66
    use crate::{NonZero, RandomMod, U256};
67
    use rand_core::SeedableRng;
68
69
    #[test]
70
    fn random_mod() {
71
        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(1);
72
73
        // Ensure `random_mod` runs in a reasonable amount of time
74
        let modulus = NonZero::new(U256::from(42u8)).unwrap();
75
        let res = U256::random_mod(&mut rng, &modulus);
76
77
        // Check that the value is in range
78
        assert!(res >= U256::ZERO);
79
        assert!(res < U256::from(42u8));
80
81
        // Ensure `random_mod` runs in a reasonable amount of time
82
        // when the modulus is larger than 1 limb
83
        let modulus = NonZero::new(U256::from(0x10000000000000001u128)).unwrap();
84
        let res = U256::random_mod(&mut rng, &modulus);
85
86
        // Check that the value is in range
87
        assert!(res >= U256::ZERO);
88
        assert!(res < U256::from(0x10000000000000001u128));
89
    }
90
}