Tony Arcieri

Results: 2560 comments by Tony Arcieri

The feedback I left hasn't been addressed and the tests aren't yet all passing

We don't yet have an easy `From` conversion for this but it should be easy to add

Reopened this so we can track adding an appropriate `From` impl

One problem is we use `*_vartime` if *any* of the parameters lead to variable-time behavior, however often in practice we will call these `*_vartime` methods on a secret input but...

The author of #67 (@pdogr) became unresponsive. The PR is also out of date and in need of a rebase, and contained undesirable breaking changes which have open comment threads

> And what are the benefits of using Montgomery in the first place, if working over the integers is faster?

Montgomery form is typically useful when performing many operations which...

I think that's unavoidable without lazy reductions?

I should probably note we do have a Barrett reduction implementation here, but it's specialized to P-256's limb count: https://github.com/RustCrypto/elliptic-curves/blob/d1ea1a3/p256/src/arithmetic/scalar/scalar64.rs