primefield: generic MontyFieldElement type (#1311)

The previous implementation was written entirely in terms of macros.

Leveraging types from `crypto-bigint`, this provides a generic field
element type with an internal Montgomery form representation.

Author: tarcieri

Cargo.lock

@@ -21,7 +21,9 @@ members = [
 opt-level = 2
 
 [patch.crates-io]
+crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint" }
 elliptic-curve = { git = "https://github.com/RustCrypto/traits.git" }
+
 hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }

Cargo.toml

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false }
+bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false, features = ["hybrid-array"] }
 ff = { version = "=0.14.0-pre.0", default-features = false }
 subtle = { version = "2.6", default-features = false }
 rand_core = { version = "0.9", default-features = false }

primefield/Cargo.toml

@@ -16,24 +16,11 @@ macro_rules! test_primefield_constants {
         use $crate::ff::PrimeField as _;
 
         /// t = (modulus - 1) >> S
-        const T: $uint = $uint::from_be_hex($fe::MODULUS)
-            .wrapping_sub(&$uint::ONE)
-            .wrapping_shr($fe::S);
-
-        /// Helper function to compute the args to `pow_vartime`.
         #[cfg(target_pointer_width = "32")]
-        fn pow_args(n: &$uint) -> [u64; $uint::LIMBS.div_ceil(2)] {
-            let words = n.as_words();
-            core::array::from_fn(|i| {
-                let hi = words.get((2 * i) + 1).copied().unwrap_or_default();
-                let lo = words[2 * i];
-                (hi as u64) << 32 | (lo as u64)
-            })
-        }
+        const T: [u64; $uint::LIMBS.div_ceil(2)] =
+            $crate::compute_t(&$uint::from_be_hex($fe::MODULUS));
         #[cfg(target_pointer_width = "64")]
-        fn pow_args(n: &$uint) -> [u64; $uint::LIMBS] {
-            *n.as_words()
-        }
+        const T: [u64; $uint::LIMBS] = $crate::compute_t(&$uint::from_be_hex($fe::MODULUS));
 
         #[test]
         fn two_inv_constant() {
@@ -58,7 +45,7 @@ macro_rules! test_primefield_constants {
 
             // MULTIPLICATIVE_GENERATOR^{t} mod m == ROOT_OF_UNITY
             assert_eq!(
-                $fe::MULTIPLICATIVE_GENERATOR.pow_vartime(&pow_args(&T)),
+                $fe::MULTIPLICATIVE_GENERATOR.pow_vartime(&T),
                 $fe::ROOT_OF_UNITY
             )
         }
@@ -71,7 +58,7 @@ macro_rules! test_primefield_constants {
         #[test]
         fn delta_constant() {
             // DELTA^{t} mod m == 1
-            assert_eq!($fe::DELTA.pow_vartime(&pow_args(&T)), $fe::ONE);
+            assert_eq!($fe::DELTA.pow_vartime(&T), $fe::ONE);
         }
     };
 }

primefield/src/dev.rs

@@ -8,14 +8,28 @@
 #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
 #![doc = include_str!("../README.md")]
 
+mod dev;
+mod fiat;
+mod monty;
+
+pub use crate::monty::{MontyFieldElement, MontyFieldParams, compute_t};
+pub use array::typenum::consts;
 pub use bigint;
+pub use bigint::hybrid_array as array;
 pub use ff;
 pub use rand_core;
 pub use subtle;
 pub use zeroize;
 
-mod dev;
-mod fiat;
+/// Byte order used when encoding/decoding field elements as bytestrings.
+#[derive(Debug)]
+pub enum ByteOrder {
+    /// Big endian.
+    BigEndian,
+
+    /// Little endian.
+    LittleEndian,
+}
 
 /// Implements a field element type whose internal representation is in
 /// Montgomery form, providing a combination of trait impls and inherent impls
@@ -221,12 +235,10 @@ macro_rules! field_element_type {
                 Self::ZERO.ct_eq(self)
             }
 
-            #[must_use]
             fn square(&self) -> Self {
                 self.square()
             }
 
-            #[must_use]
             fn double(&self) -> Self {
                 self.double()
             }