From d9f85647f128546df8bfdb878ac94fabef80ad39 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Mon, 12 Jan 2026 12:43:20 -0700
Subject: [PATCH] Bump `crypto-bigint` to v0.7.0-rc.16

This includes changes to `BoxedMontyForm::new` that handle cloning the `Arc` around the `BoxedMontyParams` internally, rather than requiring the caller to clone it. It also renames the unchecked square root to `floor_sqrt`, which is fine for the one usage here (in the prime recovery implementation), because it immediately performs a check on the result.
---
 Cargo.lock | 8 ++++----
 Cargo.toml | 4 ++--
 src/algorithms/rsa.rs | 22 +++++++--------------
 src/key.rs | 2 +-
 4 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a14f55ad..33b0daeb 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -163,9 +163,9 @@ dependencies = [
 [[package]]
 name = "crypto-bigint"
-version = "0.7.0-rc.13"
+version = "0.7.0-rc.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b2bb4138de6db76c8155b4423e967049fbef2cf84ad6af7f552f73a161941b72"
+checksum = "fbd828c64d6fecf364ec127641e5ce0f8d6e3264a6c466b4a4bdcbec5b038b9e"
 dependencies = [
  "ctutils",
  "getrandom 0.4.0-rc.0",
@@ -188,9 +188,9 @@ dependencies = [
 [[package]]
 name = "crypto-primes"
-version = "0.7.0-pre.5"
+version = "0.7.0-pre.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da0b07a7a616370e8b6efca0c6a25e5f4c6d02fde11f3d570e4af64d8ed7e2e9"
+checksum = "e79c98a281f9441200b24e3151407a629bfbe720399186e50516da939195e482"
 dependencies = [
  "crypto-bigint",
  "libm",
diff --git a/Cargo.toml b/Cargo.toml
index 4d4974e6..02155845 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,8 +15,8 @@ exclude = ["marvin_toolkit/", "thirdparty/"]
 [dependencies]
 const-oid = { version = "0.10", default-features = false }
-crypto-bigint = { version = "0.7.0-rc.13", default-features = false, features = ["zeroize", "alloc"] }
-crypto-primes = { version = "0.7.0-pre.5", default-features = false }
+crypto-bigint = { version = "0.7.0-rc.16", default-features = false, features = ["zeroize", "alloc"] }
+crypto-primes = { version = "0.7.0-pre.6", default-features = false }
 digest = { version = "0.11.0-rc.4", default-features = false, features = ["alloc", "oid"] }
 rand_core = { version = "0.10.0-rc-2", default-features = false }
 signature = { version = "3.0.0-rc.5", default-features = false, features = ["alloc", "digest", "rand_core"] }
diff --git a/src/algorithms/rsa.rs b/src/algorithms/rsa.rs
index 326cd445..18ca94de 100644
--- a/src/algorithms/rsa.rs
+++ b/src/algorithms/rsa.rs
@@ -84,12 +84,12 @@ pub fn rsa_decrypt(
     // m1 = c^dP mod p
     let p_wide = p_params.modulus().resize_unchecked(c.bits_precision());
     let c_mod_dp = (&c % p_wide.as_nz_ref()).resize_unchecked(dp.bits_precision());
-    let cp = BoxedMontyForm::new(c_mod_dp, p_params.clone());
+    let cp = BoxedMontyForm::new(c_mod_dp, p_params);
     let mut m1 = cp.pow(dp);
     // m2 = c^dQ mod q
     let q_wide = q_params.modulus().resize_unchecked(c.bits_precision());
     let c_mod_dq = (&c % q_wide.as_nz_ref()).resize_unchecked(dq.bits_precision());
-    let cq = BoxedMontyForm::new(c_mod_dq, q_params.clone());
+    let cq = BoxedMontyForm::new(c_mod_dq, q_params);
     let m2 = cq.pow(dq).retrieve();
     // Note that since `p` and `q` may have different `bits_precision`,
@@ -106,7 +106,7 @@ pub fn rsa_decrypt(
         Ordering::Greater => (&m2).resize_unchecked(p_params.bits_precision()),
         Ordering::Equal => m2.clone(),
     };
-    let m2r = BoxedMontyForm::new(m2_mod_p, p_params.clone());
+    let m2r = BoxedMontyForm::new(m2_mod_p, p_params);
     m1 -= &m2r;
     // precomputed: qInv = (1/q) mod p
@@ -197,7 +197,7 @@ fn blind(
     // r^e (mod n)
     let mut rpowe = pow_mod_params(&r, key.e(), n_params);
     // c * r^e (mod n)
-    let c = mul_mod_params(c, &rpowe, n_params);
+    let c = c.mul_mod(&rpowe, n_params.modulus().as_nz_ref());
     rpowe.zeroize();
     c
@@ -225,7 +225,7 @@ fn unblind(m: &BoxedUint, unblinder: &BoxedUint, n_params: &BoxedMontyParams) ->
         "invalid n_params"
     );
-    mul_mod_params(m, unblinder, n_params)
+    m.mul_mod(unblinder, n_params.modulus().as_nz_ref())
 }
 /// Computes `base.pow_mod(exp, n)` with precomputed `n_params`.
@@ -237,15 +237,7 @@ fn pow_mod_params(base: &BoxedUint, exp: &BoxedUint, n_params: &BoxedMontyParams
 fn reduce_vartime(n: &BoxedUint, p: &BoxedMontyParams) -> BoxedMontyForm {
     let modulus = p.modulus().as_nz_ref().clone();
     let n_reduced = n.rem_vartime(&modulus).resize_unchecked(p.bits_precision());
-    BoxedMontyForm::new(n_reduced, p.clone())
-}
-
-/// Computes `lhs.mul_mod(rhs, n)` with precomputed `n_params`.
-fn mul_mod_params(lhs: &BoxedUint, rhs: &BoxedUint, n_params: &BoxedMontyParams) -> BoxedUint {
-    // TODO: nicer api in crypto-bigint?
-    let lhs = BoxedMontyForm::new(lhs.clone(), n_params.clone());
-    let rhs = BoxedMontyForm::new(rhs.clone(), n_params.clone());
-    (lhs * rhs).retrieve()
+    BoxedMontyForm::new(n_reduced, p)
 }
 /// The following (deterministic) algorithm also recovers the prime factors `p` and `q` of a modulus `n`, given the
@@ -300,7 +292,7 @@ pub fn recover_primes(
     // 4. Let ϒ be the positive square root of b^2 – 4n; if ϒ is not an integer,
     // then output an error indicator, and exit without further processing.
-    let y = b_squared_minus_four_n.sqrt();
+    let y = b_squared_minus_four_n.floor_sqrt();
     let y_squared = y.square();
     let sqrt_is_whole_number = y_squared == b_squared_minus_four_n;
diff --git a/src/key.rs b/src/key.rs
index 3b1f74f9..7b54f320 100644
--- a/src/key.rs
+++ b/src/key.rs
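Review bot: The `c.mul_mod(&rpowe, …)` call that replaces `mul_mod_params` in `blind` — and the matching `m.mul_mod(unblinder, …)` in `unblind` at the next hunk — multiplies blinding-sensitive operands (the hunk zeroizes `rpowe` immediately afterwards), so the change now silently depends on `BoxedUint::mul_mod` being the constant-time variant rather than the Montgomery path it replaced; that dependency deserves a comment at both call sites, e.g. `// constant-time `mul_mod`: `r^e` and the unblinding factor must not leak through timing.`. Unlike the old helper, which rebuilt Montgomery forms from `n_params`, the new call presumably requires `c`/`m`, the other operand and the modulus to share `bits_precision` — confirm that the callers guarantee this, since the `debug_assert!` visible in `unblind` appears to check `n_params` rather than the operand widths. The body of `blind` starts outside the hunk.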
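Review bot: `reduce_vartime` still clones the modulus on its first line only to borrow it on the next, even though the commit already drops the neighbouring `p.clone()`; `rem_vartime` takes the same `&NonZero<BoxedUint>` that `p.modulus().as_nz_ref()` already yields, so the heap copy can go: `let n_reduced = n.rem_vartime(p.modulus().as_nz_ref()).resize_unchecked(p.bits_precision());`. Since the `_vartime` reduction leaks the magnitude of `n` through timing, a doc comment on the helper stating that it is only for public inputs would also help, presumably `/// Variable-time: `n` must not be secret.` — confirm against its callers, which lie outside the hunk.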
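Review bot: The step-4 comment above the new `floor_sqrt()` call still describes taking "the positive square root", while the call now rounds down and relies on the `y_squared == b_squared_minus_four_n` comparison two lines below to reject non-perfect squares; the comment should say so, e.g. `// `floor_sqrt` rounds down; the squaring check below is what enforces "ϒ is an integer".`. Because `recover_primes` derives its inputs from the private exponent, it is also worth confirming that `floor_sqrt` is the constant-time variant (the name carries no `_vartime` suffix, which is the convention the file's `reduce_vartime` follows). The surrounding function starts and ends outside the hunk.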
@@ -525,7 +525,7 @@ impl RsaPrivateKey {
             Ordering::Equal => &q % NonZero::new(p.clone()).expect("`p` is non-zero"),
         };
-        let q_mod_p = BoxedMontyForm::new(q_mod_p, p_params.clone());
+        let q_mod_p = BoxedMontyForm::new(q_mod_p, &p_params);
         let qinv = q_mod_p.invert().into_option().ok_or(Error::InvalidPrime)?;
         debug_assert_eq!(dp.bits_precision(), p.bits_precision());