[WIP] primefield: generic MontyFieldElement type

The previous implementation was written entirely in terms of macros.

Leveraging types from `crypto-bigint`, this provides a generic field
element type with an internal Montgomery form representation.

Author: tarcieri

p256/src/arithmetic/field.rs

@@ -11,6 +11,7 @@ use core::ops::Mul;
 use elliptic_curve::{
     FieldBytesEncoding,
     bigint::U256,
+    consts::U32,
     ff::PrimeField,
     subtle::{Choice, ConstantTimeEq, CtOption},
 };
@@ -26,6 +27,19 @@ const R2: FieldElement = FieldElement(U256::from_be_hex(
     "00000004fffffffdfffffffffffffffefffffffbffffffff0000000000000003",
 ));
 
+primefield::monty_field_params!(
+    MontyFieldParams,
+    MODULUS_HEX,
+    U256,
+    U32,
+    primefield::ByteOrder::BigEndian,
+    "P-256 field modulus"
+);
+
+/// An element in the finite field modulo p = 2^{224}(2^{32} − 1) + 2^{192} + 2^{96} − 1.
+#[allow(dead_code)]
+pub type MontyFieldElement = primefield::MontyFieldElement<MontyFieldParams, { U256::LIMBS }>;
+
 /// An element in the finite field modulo p = 2^{224}(2^{32} − 1) + 2^{192} + 2^{96} − 1.
 ///
 /// The internal representation is in little-endian order. Elements are always in

p256/src/arithmetic/scalar.rs

@@ -14,6 +14,7 @@ use core::{
 use elliptic_curve::{
     Curve,
     bigint::{Limb, U256, prelude::*},
+    consts::U32,
     group::ff::{self, Field, PrimeField},
     ops::{Invert, Reduce, ReduceNonZero},
     rand_core::TryRngCore,
@@ -41,6 +42,19 @@ pub(crate) const MODULUS: U256 = NistP256::ORDER;
 /// `MODULUS / 2`
 const FRAC_MODULUS_2: Scalar = Scalar(MODULUS.shr_vartime(1));
 
+primefield::monty_field_params!(
+    MontyScalarParams,
+    ORDER_HEX,
+    U256,
+    U32,
+    primefield::ByteOrder::BigEndian,
+    "P-256 scalar modulus"
+);
+
+/// Scalars are elements in the finite field modulo n.
+#[allow(dead_code)]
+pub type MontyScalar = primefield::MontyFieldElement<MontyScalarParams, { U256::LIMBS }>;
+
 /// Scalars are elements in the finite field modulo n.
 ///
 /// # Trait impls

primefield/Cargo.toml

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false }
+bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false, features = ["hybrid-array"] }
 ff = { version = "=0.14.0-pre.0", default-features = false }
 subtle = { version = "2.6", default-features = false }
 rand_core = { version = "0.9", default-features = false }

primefield/src/lib.rs

@@ -8,13 +8,28 @@
 #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
 #![doc = include_str!("../README.md")]
 
+pub use array::typenum::consts;
 pub use bigint;
+pub use bigint::hybrid_array as array;
 pub use ff;
 pub use rand_core;
 pub use subtle;
 pub use zeroize;
 
+pub use crate::monty::{MontyFieldElement, MontyFieldParams};
+
 mod fiat;
+mod monty;
+
+/// Byte order used when encoding/decoding field elements as bytestrings.
+#[derive(Debug)]
+pub enum ByteOrder {
+    /// Big endian.
+    BigEndian,
+
+    /// Little endian.
+    LittleEndian,
+}
 
 /// Implements a field element type whose internal representation is in
 /// Montgomery form, providing a combination of trait impls and inherent impls