primefield: add monty_field_arithmetic! macro (#1547)

tarcieri · web-flow · commit e3985360d2c8 · 2025-12-16T11:21:14.000-07:00
Previously the only option for adding a field arithmetic backend was the
`monty_field_fiat_arithmetic!` macro, which is designed to plug into
`fiat-crypto` synthesized code. In the past we have only used
fiat-crypto for our field element implementations (aside from `p256` and
`k256` which have handwritten implementations).

However, the inner field element type of newtypes written by the
`monty_field_element!` macro is `primefield::MontyFieldElement` which
is a full-fledged generic field element implementation itself. To use
it, we just need to emit the same set of `const fn`s as the
`monty_field_fiat_arithmetic!` macro and delegate to the inner type,
which is what this PR does.
diff --git a/primefield/src/macros.rs b/primefield/src/macros.rs
@@ -95,13 +95,6 @@ macro_rules! monty_field_params_with_root_of_unity {
 /// - `pub fn is_zero`
 /// - `pub fn double`
 ///
-/// NOTE: field implementations must provide their own inherent impls of
-/// the following methods in order for the code generated by this macro to
-/// compile:
-///
-/// - `pub fn invert`
-/// - `pub fn sqrt`
-///
 /// # Trait impls
 /// - `ConditionallySelectable`
 /// - `ConstantTimeEq`
@@ -616,6 +609,100 @@ macro_rules! monty_field_element {
     };
 }
 
+/// Add `const fn` methods to the given field element for performing field arithmetic operations,
+/// e.g. `add`, `double`, `sub`, `multiply`, `neg`.
+///
+/// This macro wraps a generic field implementation provided by the `crypto-bigint` crate, which is
+/// exposed as the [`primefield::MontyFieldElement`] type.
+#[macro_export]
+macro_rules! monty_field_arithmetic {
+    (
+        name: $fe:tt,
+        params: $params:ty,
+        uint: $uint:ty
+    ) => {
+        impl $fe {
+            /// Decode [`
+            #[doc = stringify!($fe)]
+            /// `] from [`
+            #[doc = stringify!($uint)]
+            /// `] converting it into Montgomery form.
+            ///
+            /// Does *not* perform a check that the field element does not overflow the order.
+            ///
+            /// Used incorrectly this can lead to invalid results!
+            #[inline]
+            pub(crate) const fn from_uint_unchecked(w: $uint) -> Self {
+                // TODO(tarcieri): this reduces every time, maybe we can find a way to skip that?
+                Self($crate::MontyFieldElement::from_uint_reduced(&w))
+            }
+
+            /// Translate [`
+            #[doc = stringify!($fe)]
+            /// `] out of the Montgomery domain, returning a [`
+            #[doc = stringify!($uint)]
+            /// `] in canonical form.
+            #[inline]
+            pub const fn to_canonical(self) -> $uint {
+                self.0.to_canonical()
+            }
+
+            /// Add elements.
+            #[inline]
+            pub const fn add(&self, rhs: &Self) -> Self {
+                Self(self.0.add(&rhs.0))
+            }
+
+            /// Double element (add it to itself).
+            #[inline]
+            #[must_use]
+            pub const fn double(&self) -> Self {
+                Self(self.0.double())
+            }
+
+            /// Subtract elements.
+            #[inline]
+            pub const fn sub(&self, rhs: &Self) -> Self {
+                Self(self.0.sub(&rhs.0))
+            }
+
+            /// Multiply elements.
+            #[inline]
+            pub const fn multiply(&self, rhs: &Self) -> Self {
+                Self(self.0.multiply(&rhs.0))
+            }
+
+            /// Negate element.
+            #[inline]
+            pub const fn neg(&self) -> Self {
+                Self(self.0.neg())
+            }
+
+            /// Compute modular square.
+            #[inline]
+            #[must_use]
+            pub const fn square(&self) -> Self {
+                Self(self.0.square())
+            }
+
+            /// Compute
+            #[doc = stringify!($fe)]
+            /// inversion: `1 / self`.
+            #[inline]
+            pub fn invert(&self) -> $crate::subtle::CtOption<Self> {
+                self.0.invert().map(|fe| Self(fe))
+            }
+
+            /// Compute field inversion as a `const fn`. Panics if `self` is zero.
+            ///
+            /// This is mainly intended for inverting constants at compile time.
+            pub const fn const_invert(&self) -> Self {
+                Self(self.0.const_invert())
+            }
+        }
+    };
+}
+
 /// Emit a `core::ops` trait wrapper for an inherent method which is expected to be provided by a
 /// backend arithmetic implementation (e.g. `fiat-crypto`)
 #[macro_export]
diff --git a/primefield/src/macros/fiat.rs b/primefield/src/macros/fiat.rs
@@ -3,10 +3,8 @@
 
 /// Add `fiat-crypto` synthesized arithmetic impls to the given field element.
 ///
-/// This method wraps a field implementation generated by the `word-by-word-montgomery` backend
+/// This macro wraps a field implementation generated by the `word-by-word-montgomery` backend
 /// (other field implementations are not supported).
-///
-/// This provides a complete arithmetic implementation except for `sqrt`.
 #[macro_export]
 macro_rules! monty_field_fiat_arithmetic {
     (
