Removed the unsafe_op_in_unsafe_fn workspace lint override

Author: tlepoint

Cargo.toml

@@ -14,7 +14,6 @@ rust-version = "1.88"
 missing_docs = "warn"
 unused_imports = "warn"
 unused_must_use = "deny"
-unsafe_op_in_unsafe_fn = "allow"
 
 [workspace.dependencies]
 clap = { version = "^4.5.54", features = ["derive"] }

crates/fhe-math/src/ntt/native.rs

@@ -140,31 +140,31 @@ impl NttOperator {
     /// This function is not constant time and its timing may reveal information
     /// about the value being reduced.
     pub(crate) unsafe fn forward_vt_lazy(&self, a_ptr: *mut u64) {
-        let a = std::slice::from_raw_parts_mut(a_ptr, self.size);
+        let a = unsafe { std::slice::from_raw_parts_mut(a_ptr, self.size) };
 
         let mut l = self.size >> 1;
         let mut m = 1;
         let mut k = 1;
         while l > 0 {
             for i in 0..m {
-                let omega = *self.omegas.get_unchecked(k);
-                let omega_shoup = *self.omegas_shoup.get_unchecked(k);
+                let omega = unsafe { *self.omegas.get_unchecked(k) };
+                let omega_shoup = unsafe { *self.omegas_shoup.get_unchecked(k) };
                 k += 1;
 
                 let s = 2 * i * l;
                 match l {
                     1 => {
                         // SAFETY: s and s + l are distinct (l > 0) and in-bounds
                         // (s + l < 2 * m * l = size)
-                        let [x, y] = a.get_disjoint_unchecked_mut([s, s + l]);
-                        self.butterfly_vt(x, y, omega, omega_shoup);
+                        let [x, y] = unsafe { a.get_disjoint_unchecked_mut([s, s + l]) };
+                        unsafe { self.butterfly_vt(x, y, omega, omega_shoup) };
                     }
                     _ => {
                         for j in s..(s + l) {
                             // SAFETY: j and j + l are distinct (l > 0) and in-bounds
                             // (j + l < s + 2 * l <= 2 * m * l = size)
-                            let [x, y] = a.get_disjoint_unchecked_mut([j, j + l]);
-                            self.butterfly_vt(x, y, omega, omega_shoup);
+                            let [x, y] = unsafe { a.get_disjoint_unchecked_mut([j, j + l]) };
+                            unsafe { self.butterfly_vt(x, y, omega, omega_shoup) };
                         }
                     }
                 }
@@ -181,10 +181,10 @@ impl NttOperator {
     /// This function is not constant time and its timing may reveal information
     /// about the value being reduced.
     pub unsafe fn forward_vt(&self, a_ptr: *mut u64) {
-        self.forward_vt_lazy(a_ptr);
-        let a = std::slice::from_raw_parts_mut(a_ptr, self.size);
+        unsafe { self.forward_vt_lazy(a_ptr) };
+        let a = unsafe { std::slice::from_raw_parts_mut(a_ptr, self.size) };
         for ai in a.iter_mut() {
-            *ai = self.reduce3_vt(*ai);
+            *ai = unsafe { self.reduce3_vt(*ai) };
         }
     }
 
@@ -195,30 +195,30 @@ impl NttOperator {
     /// This function is not constant time and its timing may reveal information
     /// about the value being reduced.
     pub unsafe fn backward_vt(&self, a_ptr: *mut u64) {
-        let a = std::slice::from_raw_parts_mut(a_ptr, self.size);
+        let a = unsafe { std::slice::from_raw_parts_mut(a_ptr, self.size) };
 
         let mut k = 0;
         let mut m = self.size >> 1;
         let mut l = 1;
         while m > 0 {
             for i in 0..m {
                 let s = 2 * i * l;
-                let zeta_inv = *self.zetas_inv.get_unchecked(k);
-                let zeta_inv_shoup = *self.zetas_inv_shoup.get_unchecked(k);
+                let zeta_inv = unsafe { *self.zetas_inv.get_unchecked(k) };
+                let zeta_inv_shoup = unsafe { *self.zetas_inv_shoup.get_unchecked(k) };
                 k += 1;
                 match l {
                     1 => {
                         // SAFETY: s and s + l are distinct (l > 0) and in-bounds
                         // (s + l < 2 * m * l = size)
-                        let [x, y] = a.get_disjoint_unchecked_mut([s, s + l]);
-                        self.inv_butterfly_vt(x, y, zeta_inv, zeta_inv_shoup);
+                        let [x, y] = unsafe { a.get_disjoint_unchecked_mut([s, s + l]) };
+                        unsafe { self.inv_butterfly_vt(x, y, zeta_inv, zeta_inv_shoup) };
                     }
                     _ => {
                         for j in s..(s + l) {
                             // SAFETY: j and j + l are distinct (l > 0) and in-bounds
                             // (j + l < s + 2 * l <= 2 * m * l = size)
-                            let [x, y] = a.get_disjoint_unchecked_mut([j, j + l]);
-                            self.inv_butterfly_vt(x, y, zeta_inv, zeta_inv_shoup);
+                            let [x, y] = unsafe { a.get_disjoint_unchecked_mut([j, j + l]) };
+                            unsafe { self.inv_butterfly_vt(x, y, zeta_inv, zeta_inv_shoup) };
                         }
                     }
                 }
@@ -248,8 +248,8 @@ impl NttOperator {
     const unsafe fn reduce3_vt(&self, a: u64) -> u64 {
         debug_assert!(a < 4 * self.p.p);
 
-        let y = Modulus::reduce1_vt(a, self.p_twice);
-        Modulus::reduce1_vt(y, self.p.p)
+        let y = unsafe { Modulus::reduce1_vt(a, self.p_twice) };
+        unsafe { Modulus::reduce1_vt(y, self.p.p) }
     }
 
     /// NTT Butterfly.
@@ -275,7 +275,7 @@ impl NttOperator {
         debug_assert!(w < self.p.p);
         debug_assert_eq!(self.p.shoup(w), w_shoup);
 
-        *x = Modulus::reduce1_vt(*x, self.p_twice);
+        *x = unsafe { Modulus::reduce1_vt(*x, self.p_twice) };
         let t = self.p.lazy_mul_shoup(*y, w, w_shoup);
         *y = *x + self.p_twice - t;
         *x += t;
@@ -307,7 +307,7 @@ impl NttOperator {
         debug_assert_eq!(self.p.shoup(z), z_shoup);
 
         let t = *x;
-        *x = Modulus::reduce1_vt(*y + t, self.p_twice);
+        *x = unsafe { Modulus::reduce1_vt(*y + t, self.p_twice) };
         *y = self.p.lazy_mul_shoup(self.p_twice + t - *y, z, z_shoup);
 
         debug_assert!(*x < self.p_twice);

crates/fhe-math/src/rq/mod.rs

@@ -406,7 +406,7 @@ impl Poly {
                     .unwrap()
                     .clone_from_slice(power_basis_coefficients);
                 qi.lazy_reduce_vec(p.as_slice_mut().unwrap());
-                op.forward_vt_lazy(p.as_mut_ptr());
+                unsafe { op.forward_vt_lazy(p.as_mut_ptr()) };
             },
         );
         Self {
@@ -750,6 +750,33 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn create_constant_ntt_with_lazy_coefficients_and_variable_time() -> Result<(), Box<dyn Error>>
+    {
+        let modulus = MODULI[0];
+        let ctx = Arc::new(Context::new(&[modulus], 16)?);
+        let coeffs: Vec<u64> = (0..ctx.degree)
+            .map(|i| (i as u64).wrapping_mul(modulus).wrapping_add(i as u64))
+            .collect();
+
+        let poly = unsafe {
+            Poly::create_constant_ntt_polynomial_with_lazy_coefficients_and_variable_time(
+                &coeffs, &ctx,
+            )
+        };
+
+        assert_eq!(poly.representation(), &Representation::Ntt);
+        assert!(poly.allow_variable_time_computations);
+        assert!(poly.has_lazy_coefficients);
+
+        let mut expected = coeffs.clone();
+        ctx.q[0].lazy_reduce_vec(&mut expected);
+        unsafe { ctx.ops[0].forward_vt_lazy(expected.as_mut_ptr()) };
+        assert_eq!(poly.coefficients().as_slice().unwrap(), expected);
+
+        Ok(())
+    }
+
     #[test]
     fn change_representation() -> Result<(), Box<dyn Error>> {
         let mut rng = rand::rng();

crates/fhe-math/src/zq/mod.rs

@@ -114,7 +114,7 @@ impl Modulus {
     #[must_use]
     pub const unsafe fn add_vt(&self, a: u64, b: u64) -> u64 {
         debug_assert!(a < self.p && b < self.p);
-        Self::reduce1_vt(a + b, self.p)
+        unsafe { Self::reduce1_vt(a + b, self.p) }
     }
 
     /// Performs the modular subtraction of a and b in constant time.
@@ -141,7 +141,7 @@ impl Modulus {
     /// about the values being multiplied.
     const unsafe fn mul_vt(&self, a: u64, b: u64) -> u64 {
         debug_assert!(a < self.p && b < self.p);
-        Self::reduce1_vt(self.lazy_reduce_u128((a as u128) * (b as u128)), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_reduce_u128((a as u128) * (b as u128)), self.p) }
     }
 
     /// Optimized modular multiplication of a and b in constant time.
@@ -165,7 +165,7 @@ impl Modulus {
         debug_assert!(self.supports_opt);
         debug_assert!(a < self.p && b < self.p);
 
-        self.reduce_opt_u128_vt((a as u128) * (b as u128))
+        unsafe { self.reduce_opt_u128_vt((a as u128) * (b as u128)) }
     }
 
     /// Modular negation in constant time.
@@ -185,7 +185,7 @@ impl Modulus {
     /// about the value being negated.
     const unsafe fn neg_vt(&self, a: u64) -> u64 {
         debug_assert!(a < self.p);
-        Self::reduce1_vt(self.p - a, self.p)
+        unsafe { Self::reduce1_vt(self.p - a, self.p) }
     }
 
     /// Compute the Shoup representation of a.
@@ -213,7 +213,7 @@ impl Modulus {
     /// This function is not constant time and its timing may reveal information
     /// about the values being multiplied.
     const unsafe fn mul_shoup_vt(&self, a: u64, b: u64, b_shoup: u64) -> u64 {
-        Self::reduce1_vt(self.lazy_mul_shoup(a, b, b_shoup), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_mul_shoup(a, b, b_shoup), self.p) }
     }
 
     /// Lazy Shoup multiplication of a and b in constant time.
@@ -364,7 +364,7 @@ impl Modulus {
         let b_shoup = self.shoup(b);
         self.arch.dispatch(|| {
             a.iter_mut()
-                .for_each(|ai| *ai = self.mul_shoup_vt(*ai, b, b_shoup))
+                .for_each(|ai| *ai = unsafe { self.mul_shoup_vt(*ai, b, b_shoup) })
         })
     }
 
@@ -380,11 +380,13 @@ impl Modulus {
 
         if self.supports_opt {
             self.arch.dispatch(|| {
-                izip!(a.iter_mut(), b.iter()).for_each(|(ai, bi)| *ai = self.mul_opt_vt(*ai, *bi))
+                izip!(a.iter_mut(), b.iter())
+                    .for_each(|(ai, bi)| *ai = unsafe { self.mul_opt_vt(*ai, *bi) })
             })
         } else {
             self.arch.dispatch(|| {
-                izip!(a.iter_mut(), b.iter()).for_each(|(ai, bi)| *ai = self.mul_vt(*ai, *bi))
+                izip!(a.iter_mut(), b.iter())
+                    .for_each(|(ai, bi)| *ai = unsafe { self.mul_vt(*ai, *bi) })
             })
         }
     }
@@ -426,8 +428,9 @@ impl Modulus {
         debug_assert_eq!(&b_shoup, &self.shoup_vec(b));
 
         self.arch.dispatch(|| {
-            izip!(a.iter_mut(), b.iter(), b_shoup.iter())
-                .for_each(|(ai, bi, bi_shoup)| *ai = self.mul_shoup_vt(*ai, *bi, *bi_shoup))
+            izip!(a.iter_mut(), b.iter(), b_shoup.iter()).for_each(|(ai, bi, bi_shoup)| {
+                *ai = unsafe { self.mul_shoup_vt(*ai, *bi, *bi_shoup) }
+            })
         })
     }
 
@@ -460,8 +463,11 @@ impl Modulus {
     /// about the values being centered.
     #[must_use]
     pub unsafe fn center_vec_vt(&self, a: &[u64]) -> Vec<i64> {
-        self.arch
-            .dispatch(|| a.iter().map(|ai| self.center_vt(*ai)).collect_vec())
+        self.arch.dispatch(|| {
+            a.iter()
+                .map(|ai| unsafe { self.center_vt(*ai) })
+                .collect_vec()
+        })
     }
 
     /// Reduce a vector in place in variable time.
@@ -470,8 +476,10 @@ impl Modulus {
     /// This function is not constant time and its timing may reveal information
     /// about the values being reduced.
     pub unsafe fn reduce_vec_vt(&self, a: &mut [u64]) {
-        self.arch
-            .dispatch(|| a.iter_mut().for_each(|ai| *ai = self.reduce_vt(*ai)))
+        self.arch.dispatch(|| {
+            a.iter_mut()
+                .for_each(|ai| *ai = unsafe { self.reduce_vt(*ai) })
+        })
     }
 
     /// Modular reduction of a i64 in constant time.
@@ -485,7 +493,7 @@ impl Modulus {
     /// This function is not constant time and its timing may reveal information
     /// about the values being reduced.
     const unsafe fn reduce_i64_vt(&self, a: i64) -> u64 {
-        self.reduce_u128_vt((((self.p as i128) << 64) + (a as i128)) as u128)
+        unsafe { self.reduce_u128_vt((((self.p as i128) << 64) + (a as i128)) as u128) }
     }
 
     /// Reduce a vector in place in constant time.
@@ -502,8 +510,11 @@ impl Modulus {
     /// about the values being reduced.
     #[must_use]
     pub unsafe fn reduce_vec_i64_vt(&self, a: &[i64]) -> Vec<u64> {
-        self.arch
-            .dispatch(|| a.iter().map(|ai| self.reduce_i64_vt(*ai)).collect())
+        self.arch.dispatch(|| {
+            a.iter()
+                .map(|ai| unsafe { self.reduce_i64_vt(*ai) })
+                .collect()
+        })
     }
 
     /// Reduce a vector in constant time.
@@ -521,7 +532,7 @@ impl Modulus {
     #[must_use]
     pub unsafe fn reduce_vec_new_vt(&self, a: &[u64]) -> Vec<u64> {
         self.arch
-            .dispatch(|| a.iter().map(|bi| self.reduce_vt(*bi)).collect())
+            .dispatch(|| a.iter().map(|bi| unsafe { self.reduce_vt(*bi) }).collect())
     }
 
     /// Modular negation of a vector in place in constant time.
@@ -539,8 +550,10 @@ impl Modulus {
     /// This function is not constant time and its timing may reveal information
     /// about the values being negated.
     pub unsafe fn neg_vec_vt(&self, a: &mut [u64]) {
-        self.arch
-            .dispatch(|| a.iter_mut().for_each(|ai| *ai = self.neg_vt(*ai)))
+        self.arch.dispatch(|| {
+            a.iter_mut()
+                .for_each(|ai| *ai = unsafe { self.neg_vt(*ai) })
+        })
     }
 
     /// Modular exponentiation in variable time.
@@ -596,7 +609,7 @@ impl Modulus {
     /// about the value being reduced.
     #[must_use]
     pub const unsafe fn reduce_u128_vt(&self, a: u128) -> u64 {
-        Self::reduce1_vt(self.lazy_reduce_u128(a), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_reduce_u128(a), self.p) }
     }
 
     /// Modular reduction of a u64 in constant time.
@@ -612,7 +625,7 @@ impl Modulus {
     /// about the value being reduced.
     #[must_use]
     pub const unsafe fn reduce_vt(&self, a: u64) -> u64 {
-        Self::reduce1_vt(self.lazy_reduce(a), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_reduce(a), self.p) }
     }
 
     /// Optimized modular reduction of a u128 in constant time.
@@ -629,7 +642,7 @@ impl Modulus {
     /// about the value being reduced.
     pub(crate) const unsafe fn reduce_opt_u128_vt(&self, a: u128) -> u64 {
         debug_assert!(self.supports_opt);
-        Self::reduce1_vt(self.lazy_reduce_opt_u128(a), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_reduce_opt_u128(a), self.p) }
     }
 
     /// Optimized modular reduction of a u64 in constant time.
@@ -645,7 +658,7 @@ impl Modulus {
     /// about the value being reduced.
     #[must_use]
     pub const unsafe fn reduce_opt_vt(&self, a: u64) -> u64 {
-        Self::reduce1_vt(self.lazy_reduce_opt(a), self.p)
+        unsafe { Self::reduce1_vt(self.lazy_reduce_opt(a), self.p) }
     }
 
     /// Return x mod p in constant time.

crates/fhe/src/bfv/ops/dot_product.rs

@@ -17,8 +17,10 @@ unsafe fn fma(out: &mut [u128], x: &[u64], y: &[u64]) {
 
     macro_rules! fma_at {
         ($idx:expr) => {
-            *out.get_unchecked_mut($idx) +=
-                (*x.get_unchecked($idx) as u128) * (*y.get_unchecked($idx) as u128);
+            unsafe {
+                *out.get_unchecked_mut($idx) +=
+                    (*x.get_unchecked($idx) as u128) * (*y.get_unchecked($idx) as u128);
+            }
         };
     }
 
@@ -166,6 +168,10 @@ mod tests {
     #[test]
     fn test_dot_product_scalar() -> Result<(), Box<dyn Error>> {
         let mut rng = rng();
+        let empty_ct: Vec<Ciphertext> = Vec::new();
+        let empty_pt: Vec<Plaintext> = Vec::new();
+        assert!(dot_product_scalar(empty_ct.iter(), empty_pt.iter()).is_err());
+
         for params in [
             BfvParameters::default_arc(1, 16),
             BfvParameters::default_arc(2, 32),