p521: initial Scalar with fiat-crypto arithmetic (RustCrypto#760)

Adds a scalar field implementation generated by fiat-crypto, run with
the following arguments:

    $ ./word_by_word_montgomery --lang Rust --inline p521_scalar 64 '0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'

The output has been postprocessed by the `fiat-constify` utility, which
rewrites the functions in the fiat-crypto output as `const fn`.

Only a 64-bit implementation has been synthesized. I encountered a stack
overflow when attempting a 32-bit one.

Constants for the `PrimeField` impl were calculated in `sage` as
follows:

sage: p = 0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f7
....: 09a5d03bb5c9b8899c47aebb6fb71e91386409
sage: multiplicative_generator = GF(p).primitive_element()
sage: p_minus_1_bin = (p - 1).binary()
sage: s = len(p_minus_1_bin) - len(p_minus_1_bin.rstrip('0')) # count trailing zeros in binary
sage: t = (p - 1) >> s
sage: root_of_unity = pow(multiplicative_generator,t,p)
sage: delta = pow(multiplicative_generator, 2^s, p)
sage: multiplicative_generator
3
sage: p_minus_1_bin
'11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110100101000110000110100001111000001110111111001011111001011001101011011111111100110000000001010010001111011100001001101001011101000000111011101101011100100110111000100010011001110001000111101011101011101101101111101101110001111010010001001110000110010000001000'
sage: s
3
sage:  hex(t)
'0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff4a30d0f077e5f2cd6ff980291ee134ba0776b937113388f5d76df6e3d2270c81'
sage: hex(root_of_unity)
'0x9a0a650d44b28c17f3d708ad2fa8c4fbc7e6000d7c12dafa92fcc5673a3055276d535f79ff391dcdbcd998b7836647d3a72472b3da861ac810a7f9c7b7b63e2205'
sage: delta
6561

Author: tarcieri

p521/src/arithmetic.rs

@@ -5,3 +5,35 @@
 //! [NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final
 
 pub mod field;
+pub mod scalar;
+
+/// Convert an 18-element array of `u32` into a 9-element array of `u16`,
+/// assuming integer arrays are in little-endian order.
+#[cfg(target_pointer_width = "32")]
+const fn u32x18_to_u64x9(w: &[u32; 18]) -> [u64; 9] {
+    let mut ret = [0u64; 9];
+    let mut i = 0;
+
+    while i < 9 {
+        ret[i] = (w[i * 2] as u64) | ((w[(i * 2) + 1] as u64) << 32);
+        i += 1;
+    }
+
+    ret
+}
+
+/// Convert a 9-element array of `u64` into an 18-element array of `u32`,
+/// assuming integers are in little-endian order.
+#[cfg(target_pointer_width = "32")]
+const fn u64x9_to_u32x18(w: &[u64; 9]) -> [u32; 18] {
+    let mut ret = [0u32; 18];
+    let mut i = 0;
+
+    while i < 9 {
+        ret[i * 2] = (w[i] & 0xFFFFFFFF) as u32;
+        ret[(i * 2) + 1] = (w[i] >> 32) as u32;
+        i += 1;
+    }
+
+    ret
+}

p521/src/arithmetic/field.rs

@@ -39,11 +39,15 @@ use core::{
 use elliptic_curve::{
     ff::{self, Field, PrimeField},
     generic_array::GenericArray,
+    rand_core::RngCore,
     subtle::{Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeLess, CtOption},
     zeroize::DefaultIsZeroes,
-    FieldBytesEncoding,
+    Error, FieldBytesEncoding,
 };
 
+#[cfg(target_pointer_width = "32")]
+use super::u32x18_to_u64x9;
+
 /// Constant representing the modulus serialized as hex.
 /// p = 2^{521} − 1
 const MODULUS_HEX: &str = "00000000000001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";
@@ -73,10 +77,10 @@ impl FieldElement {
     /// Decode [`FieldElement`] from a big endian byte slice.
     pub fn from_slice(slice: &[u8]) -> elliptic_curve::Result<Self> {
         if slice.len() != Self::BYTES {
-            return Err(elliptic_curve::Error);
+            return Err(Error);
         }
 
-        Option::from(Self::from_bytes(GenericArray::from_slice(slice))).ok_or(elliptic_curve::Error)
+        Option::from(Self::from_bytes(GenericArray::from_slice(slice))).ok_or(Error)
     }
 
     /// Decode [`FieldElement`] from [`U576`].
@@ -107,19 +111,7 @@ impl FieldElement {
     /// Used incorrectly this can lead to invalid results!
     #[cfg(target_pointer_width = "32")]
     pub(crate) const fn from_uint_unchecked(w: U576) -> Self {
-        let words = w.to_words();
-
-        Self([
-            (words[0] as u64) | ((words[1] as u64) << 32),
-            (words[2] as u64) | ((words[3] as u64) << 32),
-            (words[4] as u64) | ((words[5] as u64) << 32),
-            (words[6] as u64) | ((words[7] as u64) << 32),
-            (words[8] as u64) | ((words[9] as u64) << 32),
-            (words[10] as u64) | ((words[11] as u64) << 32),
-            (words[12] as u64) | ((words[13] as u64) << 32),
-            (words[14] as u64) | ((words[15] as u64) << 32),
-            (words[16] as u64) | ((words[17] as u64) << 32),
-        ])
+        Self(u32x18_to_u64x9(w.as_words()))
     }
 
     /// Decode [`FieldElement`] from [`U576`].
@@ -326,7 +318,7 @@ impl Field for FieldElement {
     const ZERO: Self = Self::ZERO;
     const ONE: Self = Self::ONE;
 
-    fn random(mut rng: impl elliptic_curve::rand_core::RngCore) -> Self {
+    fn random(mut rng: impl RngCore) -> Self {
         // NOTE: can't use ScalarPrimitive::random due to CryptoRng bound
         let mut bytes = <FieldBytes>::default();