optimize Int wrapping multiplication

Signed-off-by: Andrew Whitehead <cywolf@gmail.com>

Author: andrewwhitehead

src/int.rs

@@ -56,20 +56,17 @@ impl<const LIMBS: usize> Int<LIMBS> {
     pub const ONE: Self = Self(Uint::ONE); // Bit sequence (be): 0000....0001
 
     /// The value `-1`
-    pub const MINUS_ONE: Self = Self::FULL_MASK; // Bit sequence (be): 1111....1111
+    pub const MINUS_ONE: Self = Self(Uint::MAX); // Bit sequence (be): 1111....1111
 
     /// Smallest value this [`Int`] can express.
-    pub const MIN: Self = Self(Uint::MAX.bitxor(&Uint::MAX.shr(1u32))); // Bit sequence (be): 1000....0000
+    pub const MIN: Self = Self::MAX.not(); // Bit sequence (be): 1000....0000
 
     /// Maximum value this [`Int`] can express.
-    pub const MAX: Self = Self(Uint::MAX.shr(1u32)); // Bit sequence (be): 0111....1111
+    pub const MAX: Self = Self(Uint::MAX.shr_vartime(1u32)); // Bit sequence (be): 0111....1111
 
     /// Bit mask for the sign bit of this [`Int`].
     pub const SIGN_MASK: Self = Self::MIN; // Bit sequence (be): 1000....0000
 
-    /// All-one bit mask.
-    pub const FULL_MASK: Self = Self(Uint::MAX); // Bit sequence (be): 1111...1111
-
     /// Total size of the represented integer in bits.
     pub const BITS: u32 = Uint::<LIMBS>::BITS;
 
@@ -113,7 +110,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
     }
 
     /// Borrow the inner limbs as a mutable array of [`Word`]s.
-    pub fn as_mut_words(&mut self) -> &mut [Word; LIMBS] {
+    pub const fn as_mut_words(&mut self) -> &mut [Word; LIMBS] {
         self.0.as_mut_words()
     }
 
@@ -182,7 +179,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
     }
 
     /// Whether this [`Int`] is equal to `Self::MAX`.
-    pub fn is_max(&self) -> ConstChoice {
+    pub const fn is_max(&self) -> ConstChoice {
         Self::eq(self, &Self::MAX)
     }
 

src/int/mul.rs

@@ -4,7 +4,7 @@ use core::ops::{Mul, MulAssign};
 use num_traits::WrappingMul;
 use subtle::CtOption;
 
-use crate::{Checked, CheckedMul, ConcatMixed, ConstChoice, ConstCtOption, Int, Uint, Zero};
+use crate::{Checked, CheckedMul, ConcatMixed, ConstChoice, ConstCtOption, Int, Uint};
 
 impl<const LIMBS: usize> Int<LIMBS> {
     /// Compute "wide" multiplication as a 3-tuple `(lo, hi, negate)`.
@@ -64,12 +64,26 @@ impl<const LIMBS: usize> Int<LIMBS> {
         Int::from_bits(product_abs.wrapping_neg_if(product_sign))
     }
 
+    /// Multiply `self` by `rhs`, returning a `ConstCtOption` which is `is_some` only if
+    /// overflow did not occur.
+    pub const fn checked_mul<const RHS_LIMBS: usize>(
+        &self,
+        rhs: &Int<RHS_LIMBS>,
+    ) -> ConstCtOption<Self> {
+        let (abs_lhs, lhs_sgn) = self.abs_sign();
+        let (abs_rhs, rhs_sgn) = rhs.abs_sign();
+        let maybe_res = abs_lhs.checked_mul(&abs_rhs);
+        let (lo, is_some) = maybe_res.components_ref();
+        Self::new_from_abs_sign(*lo, lhs_sgn.xor(rhs_sgn)).and_choice(is_some)
+    }
+
     /// Multiply `self` by `rhs`, wrapping the result in case of overflow.
+    /// This is equivalent to `(self * rhs) % (Uint::<LIMBS>::MAX + 1)`.
     pub const fn wrapping_mul<const RHS_LIMBS: usize>(&self, rhs: &Int<RHS_LIMBS>) -> Self {
         let (abs_lhs, lhs_sgn) = self.abs_sign();
         let (abs_rhs, rhs_sgn) = rhs.abs_sign();
-        let (lo, _) = abs_lhs.widening_mul(&abs_rhs);
-        *lo.wrapping_neg_if(lhs_sgn.xor(rhs_sgn)).as_int()
+        let lo = Self(abs_lhs.wrapping_mul(&abs_rhs));
+        lo.wrapping_neg_if(lhs_sgn.xor(rhs_sgn))
     }
 }
 
@@ -102,9 +116,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
 impl<const LIMBS: usize, const RHS_LIMBS: usize> CheckedMul<Int<RHS_LIMBS>> for Int<LIMBS> {
     #[inline]
     fn checked_mul(&self, rhs: &Int<RHS_LIMBS>) -> CtOption<Self> {
-        let (lo, hi, is_negative) = self.widening_mul(rhs);
-        let val = Self::new_from_abs_sign(lo, is_negative);
-        CtOption::from(val).and_then(|int| CtOption::new(int, hi.is_zero()))
+        self.checked_mul(rhs).into()
     }
 }
 
@@ -173,7 +185,7 @@ impl<const LIMBS: usize> MulAssign<&Checked<Int<LIMBS>>> for Checked<Int<LIMBS>>
 
 #[cfg(test)]
 mod tests {
-    use crate::{CheckedMul, ConstChoice, I64, I128, I256, Int, U128, U256};
+    use crate::{ConstChoice, I64, I128, I256, Int, U128, U256};
 
     #[test]
     #[allow(clippy::init_numbered_fields)]
@@ -271,20 +283,26 @@ mod tests {
     #[test]
     fn test_wrapping_mul() {
         // wrapping
-        let a = I128::from_be_hex("FFFFFFFB7B63198EF870DF1F90D9BD9E");
-        let b = I128::from_be_hex("F20C29FA87B356AA3B4C05C4F9C24B4A");
+        let a = 0xFFFFFFFB7B63198EF870DF1F90D9BD9Eu128 as i128;
+        let b = 0xF20C29FA87B356AA3B4C05C4F9C24B4Au128 as i128;
+        let z = 0xAA700D354D6CF4EE881F8FF8093A19ACu128 as i128;
+        assert_eq!(a.wrapping_mul(b), z);
         assert_eq!(
-            a.wrapping_mul(&b),
-            I128::from_be_hex("AA700D354D6CF4EE881F8FF8093A19AC")
+            I128::from_i128(a).wrapping_mul(&I128::from_i128(b)),
+            I128::from_i128(z)
         );
 
         // no wrapping
-        let c = I64::from_i64(-12345i64);
+        let c = -12345i64;
         assert_eq!(
-            a.wrapping_mul(&c),
-            I128::from_be_hex("0000D9DEF2248095850866CFEBF727D2")
+            I128::from_i128(a).wrapping_mul(&I128::from_i64(c)),
+            I128::from_i128(a.wrapping_mul(c as i128))
         );
 
+        // overflow into MSB
+        let a = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFu128 as i128;
+        assert!(!a.is_negative() && a.wrapping_mul(a).is_negative());
+
         // core case
         assert_eq!(i8::MAX.wrapping_mul(2), -2);
         assert_eq!(i64::MAX.wrapping_mul(2), -2);

src/int/mul_uint.rs

@@ -96,8 +96,10 @@ impl<const LIMBS: usize> Int<LIMBS> {
         &self,
         rhs: &Uint<RHS_LIMBS>,
     ) -> ConstCtOption<Int<LIMBS>> {
-        let (lo, hi, is_negative) = self.widening_mul_uint(rhs);
-        Self::new_from_abs_sign(lo, is_negative).and_choice(hi.is_nonzero().not())
+        let (abs_lhs, lhs_sgn) = self.abs_sign();
+        let maybe_lo = abs_lhs.checked_mul(rhs);
+        let (lo, is_some) = maybe_lo.components_ref();
+        Self::new_from_abs_sign(*lo, lhs_sgn).and_choice(is_some)
     }
 }
 
@@ -136,7 +138,7 @@ impl<const LIMBS: usize, const RHS_LIMBS: usize> Mul<&Uint<RHS_LIMBS>> for &Int<
     type Output = Int<LIMBS>;
 
     fn mul(self, rhs: &Uint<RHS_LIMBS>) -> Self::Output {
-        self.checked_mul(rhs)
+        self.checked_mul_uint(rhs)
             .expect("attempted to multiply with overflow")
     }
 }

src/int/sign.rs

@@ -6,6 +6,7 @@ impl<const LIMBS: usize> Int<LIMBS> {
     /// For the degenerate case where the number of limbs is zero,
     /// zeroed word is returned (which is semantically correct).
     /// This method leaks the limb length of the value, which is also OK.
+    #[inline(always)]
     const fn most_significant_word(&self) -> Word {
         if Self::LIMBS == 0 {
             Word::ZERO
@@ -15,17 +16,27 @@ impl<const LIMBS: usize> Int<LIMBS> {
     }
 
     /// Construct new [`Int`] from an absolute value and sign.
-    /// Returns `None` when the absolute value does not fit in an [`Int<LIMBS>`].
+    /// Returns `None` when the result exceeds the bounds of an [`Int<LIMBS>`].
+    #[inline]
     pub const fn new_from_abs_sign(
         abs: Uint<LIMBS>,
         is_negative: ConstChoice,
     ) -> ConstCtOption<Self> {
-        let magnitude = Self(abs).wrapping_neg_if(is_negative);
-        let fits = Uint::lte(&abs, &Int::MAX.0).or(is_negative.and(Uint::eq(&abs, &Int::MIN.0)));
-        ConstCtOption::new(magnitude, fits)
+        let abs_int = abs.as_int();
+        let abs_msb = abs_int.is_negative();
+        let signed = abs_int.wrapping_neg_if(is_negative);
+
+        // abs is an acceptable input if the high bit is unset, covering 0..=Int::MAX,
+        // or if it is equal to Int::MIN (bit sequence '1000...0000') and the sign is negative.
+        // Int::MIN and zero are the only values for which wrapping negation does not change
+        // the MSB, so we check if the sign is negative (wrapping negation is performed) and
+        // the sign of the wrapping negation is also negative.
+        let fits = abs_msb.not().or(is_negative.and(signed.is_negative()));
+        ConstCtOption::new(signed, fits)
     }
 
     /// Whether this [`Int`] is negative, as a `ConstChoice`.
+    #[inline(always)]
     pub const fn is_negative(&self) -> ConstChoice {
         ConstChoice::from_word_msb(self.most_significant_word())
     }
@@ -52,7 +63,39 @@ impl<const LIMBS: usize> Int<LIMBS> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::I128;
+    use crate::{I128, U128};
+
+    #[test]
+    fn new_from_abs_sign() {
+        assert_eq!(
+            I128::new_from_abs_sign(U128::ZERO, ConstChoice::FALSE).is_some(),
+            ConstChoice::TRUE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(U128::ZERO, ConstChoice::TRUE).is_some(),
+            ConstChoice::TRUE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(I128::MIN.abs(), ConstChoice::FALSE).is_some(),
+            ConstChoice::FALSE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(I128::MIN.abs(), ConstChoice::TRUE).is_some(),
+            ConstChoice::TRUE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(I128::MAX.abs(), ConstChoice::FALSE).is_some(),
+            ConstChoice::TRUE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(I128::MAX.abs(), ConstChoice::TRUE).is_some(),
+            ConstChoice::TRUE
+        );
+        assert_eq!(
+            I128::new_from_abs_sign(U128::MAX, ConstChoice::TRUE).is_some(),
+            ConstChoice::FALSE
+        );
+    }
 
     #[test]
     fn is_negative() {

src/uint/mul_int.rs

@@ -36,8 +36,10 @@ impl<const LIMBS: usize> Uint<LIMBS> {
         &self,
         rhs: &Int<RHS_LIMBS>,
     ) -> ConstCtOption<Int<LIMBS>> {
-        let (lo, hi, is_negative) = self.widening_mul_int(rhs);
-        Int::new_from_abs_sign(lo, is_negative).and_choice(hi.is_nonzero().not())
+        let (abs_rhs, rhs_sgn) = rhs.abs_sign();
+        let maybe_res = self.checked_mul(&abs_rhs);
+        let (lo, is_some) = maybe_res.components_ref();
+        Int::new_from_abs_sign(*lo, rhs_sgn).and_choice(is_some)
     }
 }