feat: switch from num-bigint-dig to crypto-bigint

[dignifiedquire]

Very, very WIP

Not anymore, this is ready for review.
Replaces all usage of num-bigint-dig based BigInt usage with the new crypto-bigint crate, using BoxedUint

Current known issue is that we do have a performance regression, which will be able to get rid of over time:

# crypto-bigint

# macbook m1
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   7,184,387.50 ns/iter (+/- 425,598.69)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:  13,453,579.10 ns/iter (+/- 686,276.31)

# AMD
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   9,260,832.80 ns/iter (+/- 30,013.38)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:  16,610,079.40 ns/iter (+/- 251,292.53)

# master

# macbook m1
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   1,117,479.15 ns/iter (+/- 31,334.30)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:   1,337,437.55 ns/iter (+/- 88,624.39)

# AMD
test bench_rsa_2048_pkcsv1_decrypt      ... bench:   1,414,348.80 ns/iter (+/- 12,585.71)
test bench_rsa_2048_pkcsv1_sign_blinded ... bench:   1,685,650.00 ns/iter (+/- 11,105.71)

TODOs

• switch internal storage for RsaPrivateKey
• switch internal storage for RsaPublicKey
• switch all code to use the new decrypt implementation
• update public traits using BigUint to return owned versions
• fix blinding implementation
• switch decryption algorithm with precompute to use crypto-bigint ops
• go through other algorithms and update what can be done without having primality checks implemented
• review & update code for constant time operation
• review & update code for performance
• benchmarks

[tarcieri]

I could continue scanning this PR looking for improvements, but I don't see any worth blocking a merge on. I can retroactively file some issues perhaps.

[dignifiedquire]

@tarcieri updated to the latest version, and fixed a subtle padding bug that I found, please take a final look before I merge

[tarcieri]

Is there a particular reason you're getting rid of ?Sized on these? It makes it possible to use a dyn CryptoRngCore

[dignifiedquire]

Is there a particular reason you're getting rid of ?Sized on these? It makes it possible to use a dyn CryptoRngCore

I don't think so, can revert probably

[dignifiedquire]

I checked, and I removed it because I can't pass that constraint to crypto_primes

[fjarri]

Adding it to crypto-primes is unfortunately blocked by crypto-bigint not supporting it.

[fjarri]

Made RustCrypto/crypto-bigint#760 for that

[tarcieri]

Similar concern re: PublicKeyParts

[tarcieri]

Ugh, should really fix this upstream in the signature crate

[tarcieri]

Various little nits but things are looking a lot better on this pass

[tarcieri]

@dignifiedquire can we land this?

[fjarri]

There's a minor thing of needing the libm dependency (#394 (comment)), but I can make a separate PR for that

[fjarri]

Also the 6-10x performance drop is quite surprising, but that can be addressed in a follow-up as well.

[dignifiedquire]

There's a minor thing of needing the libm dependency (#394 (comment)), but I can make a separate PR for that

I removed that, there is some other follow ups from you and @tarcieri I wanted to get to, but we can also merge as is

[dignifiedquire]

Thank you everyone who helped make this a reality! And sorry for this taking so long..