BREAKING: Write random_mod in terms of new random_bits

[mrdomino]

Breaking changes

• Encoding::Repr is no longer required to implement Copy, so consumers of Encoding::Repr will need to explicitly call clone.

• The numbers produced by both random_bits and random_mod will generally be different, and calling these functions will leave the RNG in a different state, than before.

Fixes

• Adds a mitigation for Rustc 1.87+ incorrectly compiles some code involving subtle ct_lt loop conditions over bigints on linux-aarch64 rust-lang/rust#149522, modifying Word::borrowing_sub to use overflowing_sub instead of WideWord casts.

Summary

This essentially applies #285 to random_bits as well as random_mod. Both functions behave the same way now, with the only difference being that random_mod adds rejection sampling; otherwise both will produce the same numbers over the same entropy stream.

Questions of platform dependence are now easy; we do not define these algorithms in terms of sequences of machine words but of bytes. Randomly sampled Uints are now always constructed little-endian over the entropy stream. This does not preclude future machine-specific optimizations, but given how perilous the landscape has been (e.g. #1018), I’ve elected to err in the direction of parsimony rather than performance for this change.

This leverages the existing work making Uint implement Encoding. It additionally needs Encoding on BoxedUint to make RandomMod and RandomBits work there; this is implemented, but requires dropping the Copy constraint on Encoding::Repr.

Fixes #1009

[codecov]

Codecov Report

❌ Patch coverage is 84.61538% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.82%. Comparing base (401e98e) to head (a25867b).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
src/uint/boxed/encoding.rs	50.00%	7 Missing ⚠️
src/uint/rand.rs	94.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1026      +/-   ##
==========================================
- Coverage   79.87%   79.82%   -0.05%     
==========================================
  Files         163      163              
  Lines       17735    17750      +15     
==========================================
+ Hits        14165    14169       +4     
- Misses       3570     3581      +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tarcieri]

Encoding::Repr is no longer required to implement Copy, so consumers of Encoding::Repr will need to explicitly call clone.

That's probably a good change if we want to be able to impl Encoding for BoxedUint where it would be nice to use Vec<u8> for that value

[mrdomino]

@tarcieri PTAL - I added a mitigation for the compiler bug that allows us to keep using ct_lt for the comparison.

NB. this mitigation could also be applied to any of the other attempts, including the original reverted PR, at your preference; it may also make sense to merge it separately, in which case feel free to cherry-pick the commit onto a new branch or I can do the same.

[mrdomino]

#1029 has just the cherry-picked mitigation commit.

[tarcieri]

@mrdomino can you rebase now that #1029 is merged?

[mrdomino]

Done. Two clean commits, one that adds the test (passing on 64-bit, failing on 32-bit), one that implements the change (and shows the diffs against the test.)