[WIP] primefield: generic MontyFieldElement type

The previous implementation was written entirely in terms of macros.

Leveraging types from `crypto-bigint`, this provides a generic field
element type with an internal Montgomery form representation.

Author: tarcieri

Cargo.lock

@@ -21,7 +21,9 @@ members = [
 opt-level = 2
 
 [patch.crates-io]
+crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint" }
 elliptic-curve = { git = "https://github.com/RustCrypto/traits.git" }
+
 hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }

Cargo.toml

@@ -11,6 +11,7 @@ use core::ops::Mul;
 use elliptic_curve::{
     FieldBytesEncoding,
     bigint::U256,
+    //consts::U32,
     ff::PrimeField,
     subtle::{Choice, ConstantTimeEq, CtOption},
 };
@@ -26,6 +27,20 @@ const R2: FieldElement = FieldElement(U256::from_be_hex(
     "00000004fffffffdfffffffffffffffefffffffbffffffff0000000000000003",
 ));
 
+// primefield::monty_field_params!(
+//     MontyFieldParams,
+//     MODULUS_HEX,
+//     U256,
+//     U32,
+//     primefield::ByteOrder::BigEndian,
+//     "P-256 field modulus",
+//     "FieldElement"
+// );
+//
+// /// An element in the finite field modulo p = 2^{224}(2^{32} − 1) + 2^{192} + 2^{96} − 1.
+// #[allow(dead_code)]
+// pub type MontyFieldElement = primefield::MontyFieldElement<MontyFieldParams, { U256::LIMBS }>;
+
 /// An element in the finite field modulo p = 2^{224}(2^{32} − 1) + 2^{192} + 2^{96} − 1.
 ///
 /// The internal representation is in little-endian order. Elements are always in

p256/src/arithmetic/field.rs

@@ -14,6 +14,7 @@ use core::{
 use elliptic_curve::{
     Curve,
     bigint::{Limb, U256, prelude::*},
+    //consts::U32,
     group::ff::{self, Field, PrimeField},
     ops::{Invert, Reduce, ReduceNonZero},
     rand_core::TryRngCore,
@@ -41,6 +42,20 @@ pub(crate) const MODULUS: U256 = NistP256::ORDER;
 /// `MODULUS / 2`
 const FRAC_MODULUS_2: Scalar = Scalar(MODULUS.shr_vartime(1));
 
+// primefield::monty_field_params!(
+//     MontyScalarParams,
+//     ORDER_HEX,
+//     U256,
+//     U32,
+//     primefield::ByteOrder::BigEndian,
+//     "P-256 scalar modulus",
+//     "Scalar"
+// );
+//
+// /// Scalars are elements in the finite field modulo n.
+// #[allow(dead_code)]
+// pub type MontyScalar = primefield::MontyFieldElement<MontyScalarParams, { U256::LIMBS }>;
+
 /// Scalars are elements in the finite field modulo n.
 ///
 /// # Trait impls

p256/src/arithmetic/scalar.rs

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false }
+bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false, features = ["hybrid-array"] }
 ff = { version = "=0.14.0-pre.0", default-features = false }
 subtle = { version = "2.6", default-features = false }
 rand_core = { version = "0.9", default-features = false }

primefield/Cargo.toml

@@ -8,13 +8,28 @@
 #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
 #![doc = include_str!("../README.md")]
 
+pub use array::typenum::consts;
 pub use bigint;
+pub use bigint::hybrid_array as array;
 pub use ff;
 pub use rand_core;
 pub use subtle;
 pub use zeroize;
 
+pub use crate::monty::{MontyFieldElement, MontyFieldParams};
+
 mod fiat;
+mod monty;
+
+/// Byte order used when encoding/decoding field elements as bytestrings.
+#[derive(Debug)]
+pub enum ByteOrder {
+    /// Big endian.
+    BigEndian,
+
+    /// Little endian.
+    LittleEndian,
+}
 
 /// Implements a field element type whose internal representation is in
 /// Montgomery form, providing a combination of trait impls and inherent impls
@@ -220,12 +235,10 @@ macro_rules! field_element_type {
                 Self::ZERO.ct_eq(self)
             }
 
-            #[must_use]
             fn square(&self) -> Self {
                 self.square()
             }
 
-            #[must_use]
             fn double(&self) -> Self {
                 self.double()
             }