elliptic-curve: make Curve::Order a NonZero<C::Uint> (#1969)

After RustCrypto/crypto-bigint#917 it's much more ergonomic to have the
order be `NonZero`.

We could also consider making it `Odd`, although `NonZero` is the
immediate need so this is the most straightforward transition.

Author: tarcieri

Cargo.lock

@@ -23,3 +23,4 @@ blobby = { git = "https://github.com/RustCrypto/utils" }
 # https://github.com/RustCrypto/utils/pull/1200
 # https://github.com/RustCrypto/utils/pull/1201
 block-buffer = { git = "https://github.com/RustCrypto/utils", branch = "block-buffer/read-buf" }
+crypto-bigint = { git = "https://github.com/RustCrypto/crypto-bigint" }

Cargo.toml

@@ -6,7 +6,7 @@
 use crate::{
     BatchNormalize, Curve, CurveArithmetic, CurveGroup, FieldBytesEncoding, PrimeCurve,
     array::typenum::U32,
-    bigint::{Limb, U256},
+    bigint::{Limb, NonZero, U256},
     error::{Error, Result},
     ops::{Invert, LinearCombination, Reduce, ShrAssign},
     point::{AffineCoordinates, NonIdentity},
@@ -70,8 +70,9 @@ impl Curve for MockCurve {
     type FieldBytesSize = U32;
     type Uint = U256;
 
-    const ORDER: U256 =
-        U256::from_be_hex("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");
+    const ORDER: NonZero<U256> = NonZero::<U256>::from_be_hex(
+        "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+    );
 }
 
 impl PrimeCurve for MockCurve {}

elliptic-curve/src/dev.rs

@@ -135,6 +135,7 @@ pub use {
 #[cfg(feature = "pkcs8")]
 pub use pkcs8;
 
+use bigint::NonZero;
 use core::{
     fmt::Debug,
     ops::{Add, ShrAssign},
@@ -179,8 +180,9 @@ pub trait Curve: 'static + Copy + Clone + Debug + Default + Eq + Ord + Send + Sy
 
     /// Order of this elliptic curve, i.e. number of elements in the scalar
     /// field.
-    // TODO(tarcieri): make `NonZero` or `Odd`?
-    const ORDER: Self::Uint;
+    // TODO(tarcieri): make `Odd`? the prime order subgroup should always have an odd number of
+    // elements, even if there is a cofactor
+    const ORDER: NonZero<Self::Uint>;
 }
 
 /// Marker trait for elliptic curves with prime order.

elliptic-curve/src/lib.rs

@@ -62,13 +62,12 @@ where
     };
 
     /// Scalar modulus.
-    // TODO(tarcieri): make `NonZero` or `Odd`?
-    pub const MODULUS: C::Uint = C::ORDER;
+    pub const MODULUS: NonZero<C::Uint> = C::ORDER;
 
     /// Generate a random [`ScalarPrimitive`].
     pub fn random<R: CryptoRng + ?Sized>(rng: &mut R) -> Self {
         Self {
-            inner: C::Uint::random_mod(rng, &NonZero::new(Self::MODULUS).unwrap()),
+            inner: C::Uint::random_mod(rng, &Self::MODULUS),
         }
     }
 
@@ -255,9 +254,7 @@ where
 
     fn add(self, other: &Self) -> Self {
         Self {
-            inner: self
-                .inner
-                .add_mod(&other.inner, &NonZero::new(Self::MODULUS).unwrap()),
+            inner: self.inner.add_mod(&other.inner, &Self::MODULUS),
         }
     }
 }
@@ -299,9 +296,7 @@ where
 
     fn sub(self, other: &Self) -> Self {
         Self {
-            inner: self
-                .inner
-                .sub_mod(&other.inner, &NonZero::new(Self::MODULUS).unwrap()),
+            inner: self.inner.sub_mod(&other.inner, &Self::MODULUS),
         }
     }
 }
@@ -332,7 +327,7 @@ where
 
     fn neg(self) -> Self {
         Self {
-            inner: self.inner.neg_mod(&NonZero::new(Self::MODULUS).unwrap()),
+            inner: self.inner.neg_mod(&Self::MODULUS),
         }
     }
 }
@@ -362,7 +357,7 @@ where
     C: Curve,
 {
     fn is_high(&self) -> Choice {
-        let n_2 = C::ORDER >> 1u32;
+        let n_2 = Self::MODULUS.get() >> 1u32;
         self.inner.ct_gt(&n_2)
     }
 }