primefield: generic MontyFieldElement type

The previous implementation was written entirely in terms of macros.

Leveraging types from `crypto-bigint`, this provides a generic field
element type with an internal Montgomery form representation.

Author: tarcieri

Cargo.lock

@@ -21,7 +21,9 @@ members = [
 opt-level = 2
 
 [patch.crates-io]
+crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint" }
 elliptic-curve = { git = "https://github.com/RustCrypto/traits.git" }
+
 hash2curve = { path = "hash2curve" }
 primefield = { path = "primefield" }
 primeorder = { path = "primeorder" }

Cargo.toml

@@ -9,10 +9,10 @@ mod field_impl;
 use crate::{FieldBytes, NistP256};
 use core::ops::Mul;
 use elliptic_curve::{
-    FieldBytesEncoding,
     bigint::U256,
     ff::PrimeField,
     subtle::{Choice, ConstantTimeEq, CtOption},
+    FieldBytesEncoding,
 };
 
 const MODULUS_HEX: &str = "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff";
@@ -195,7 +195,7 @@ impl PrimeField for FieldElement {
 #[cfg(test)]
 mod tests {
     use super::FieldElement;
-    use crate::{FieldBytes, U256, test_vectors::field::DBL_TEST_VECTORS};
+    use crate::{test_vectors::field::DBL_TEST_VECTORS, FieldBytes, U256};
 
     #[cfg(target_pointer_width = "64")]
     use proptest::{num::u64::ANY, prelude::*};

p256/src/arithmetic/field.rs

@@ -12,8 +12,7 @@ use core::{
     ops::{Add, AddAssign, Mul, MulAssign, Neg, Shr, ShrAssign, Sub, SubAssign},
 };
 use elliptic_curve::{
-    Curve,
-    bigint::{Limb, U256, prelude::*},
+    bigint::{prelude::*, Limb, U256},
     group::ff::{self, Field, PrimeField},
     ops::{Invert, Reduce, ReduceNonZero},
     rand_core::TryRngCore,
@@ -23,6 +22,7 @@ use elliptic_curve::{
         CtOption,
     },
     zeroize::DefaultIsZeroes,
+    Curve,
 };
 
 #[cfg(feature = "bits")]
@@ -31,7 +31,7 @@ use {crate::ScalarBits, elliptic_curve::group::ff::PrimeFieldBits};
 #[cfg(feature = "serde")]
 use {
     elliptic_curve::ScalarPrimitive,
-    serdect::serde::{Deserialize, Serialize, de, ser},
+    serdect::serde::{de, ser, Deserialize, Serialize},
 };
 
 /// Constant representing the modulus
@@ -714,10 +714,10 @@ mod tests {
     use super::{Scalar, U256};
     use crate::{FieldBytes, NistP256, NonZeroScalar, SecretKey};
     use elliptic_curve::{
-        Curve,
         array::Array,
         group::ff::{Field, PrimeField},
         ops::{BatchInvert, ReduceNonZero},
+        Curve,
     };
     use proptest::{prelude::any, prop_compose, proptest};
 

p256/src/arithmetic/scalar.rs

@@ -14,7 +14,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false }
+bigint = { package = "crypto-bigint", version = "=0.7.0-pre.7", default-features = false, features = ["hybrid-array"] }
 ff = { version = "=0.14.0-pre.0", default-features = false }
 subtle = { version = "2.6", default-features = false }
 rand_core = { version = "0.9", default-features = false }

primefield/Cargo.toml

@@ -16,24 +16,11 @@ macro_rules! test_primefield_constants {
         use $crate::ff::PrimeField as _;
 
         /// t = (modulus - 1) >> S
-        const T: $uint = $uint::from_be_hex($fe::MODULUS)
-            .wrapping_sub(&$uint::ONE)
-            .wrapping_shr($fe::S);
-
-        /// Helper function to compute the args to `pow_vartime`.
         #[cfg(target_pointer_width = "32")]
-        fn pow_args(n: &$uint) -> [u64; $uint::LIMBS.div_ceil(2)] {
-            let words = n.as_words();
-            core::array::from_fn(|i| {
-                let hi = words.get((2 * i) + 1).copied().unwrap_or_default();
-                let lo = words[2 * i];
-                (hi as u64) << 32 | (lo as u64)
-            })
-        }
+        const T: [u64; $uint::LIMBS.div_ceil(2)] =
+            $crate::compute_t(&$uint::from_be_hex($fe::MODULUS));
         #[cfg(target_pointer_width = "64")]
-        fn pow_args(n: &$uint) -> [u64; $uint::LIMBS] {
-            *n.as_words()
-        }
+        const T: [u64; $uint::LIMBS] = $crate::compute_t(&$uint::from_be_hex($fe::MODULUS));
 
         #[test]
         fn two_inv_constant() {
@@ -58,7 +45,7 @@ macro_rules! test_primefield_constants {
 
             // MULTIPLICATIVE_GENERATOR^{t} mod m == ROOT_OF_UNITY
             assert_eq!(
-                $fe::MULTIPLICATIVE_GENERATOR.pow_vartime(&pow_args(&T)),
+                $fe::MULTIPLICATIVE_GENERATOR.pow_vartime(&T),
                 $fe::ROOT_OF_UNITY
             )
         }
@@ -71,7 +58,7 @@ macro_rules! test_primefield_constants {
         #[test]
         fn delta_constant() {
             // DELTA^{t} mod m == 1
-            assert_eq!($fe::DELTA.pow_vartime(&pow_args(&T)), $fe::ONE);
+            assert_eq!($fe::DELTA.pow_vartime(&T), $fe::ONE);
         }
     };
 }

primefield/src/dev.rs

@@ -8,14 +8,28 @@
 #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
 #![doc = include_str!("../README.md")]
 
+mod dev;
+mod fiat;
+mod monty;
+
+pub use crate::monty::{MontyFieldElement, MontyFieldParams, compute_t};
+pub use array::typenum::consts;
 pub use bigint;
+pub use bigint::hybrid_array as array;
 pub use ff;
 pub use rand_core;
 pub use subtle;
 pub use zeroize;
 
-mod dev;
-mod fiat;
+/// Byte order used when encoding/decoding field elements as bytestrings.
+#[derive(Debug)]
+pub enum ByteOrder {
+    /// Big endian.
+    BigEndian,
+
+    /// Little endian.
+    LittleEndian,
+}
 
 /// Implements a field element type whose internal representation is in
 /// Montgomery form, providing a combination of trait impls and inherent impls
@@ -221,12 +235,10 @@ macro_rules! field_element_type {
                 Self::ZERO.ct_eq(self)
             }
 
-            #[must_use]
             fn square(&self) -> Self {
                 self.square()
             }
 
-            #[must_use]
             fn double(&self) -> Self {
                 self.double()
             }