simplify invert and FE conversions with checked mul

Author: austinabell

p256/src/arithmetic.rs

@@ -75,7 +75,7 @@ impl PrimeCurveParams for NistP256 {
         FieldElement256::new_unchecked(crate::__risc0::SECP256R1_EQUATION_B_LE);
 
     #[cfg(all(target_os = "zkvm", target_arch = "riscv32"))]
-    fn from_u32_words_le(words: [u32; 8]) -> elliptic_curve::subtle::CtOption<FieldElement> {
+    fn from_u32_words_le(words: [u32; 8]) -> FieldElement {
         FieldElement::from_words_le(words)
     }
 }

p256/src/arithmetic/field.rs

@@ -63,20 +63,18 @@ primeorder::impl_mont_field_element!(
 
 impl FieldElement {
     #[cfg(all(target_os = "zkvm", target_arch = "riscv32"))]
-    pub(crate) fn from_words_le(fe: [u32; 8]) -> CtOption<Self> {
+    pub(crate) fn from_words_le(fe: [u32; 8]) -> Self {
         let fe = FieldElement256::new_unchecked(fe);
 
         // Convert to montgomery form with aR mod p
         let mut mont = FieldElement256::default();
-        fe.mul(&R_2_LE, &mut mont);
 
-        let buffer: [u32; 8] = mont.data;
+        // This mul will check if the result is within the modulus.
+        fe.mul(&R_2_LE, &mut mont);
 
-        use crate::elliptic_curve::subtle::ConstantTimeLess as _;
-        let uint = U256::from_le_slice(bytemuck::cast_slice::<u32, u8>(&buffer));
-        let is_within_modulus = uint.ct_lt(&MODULUS);
+        let uint = U256::from_le_slice(bytemuck::cast_slice::<u32, u8>(&mont.data));
 
-        CtOption::new(Self(uint), is_within_modulus)
+        Self(uint)
     }
 
     #[cfg(all(target_os = "zkvm", target_arch = "riscv32"))]
@@ -108,7 +106,8 @@ impl FieldElement {
                     &crate::__risc0::SECP256R1_PRIME,
                     &mut output,
                 );
-                FieldElement::from_words_le(output)
+                let element = FieldElement::from_words_le(output);
+                return CtOption::new(element, Choice::from(1));
             }
         }
 

primeorder/src/lib.rs

@@ -95,5 +95,5 @@ pub trait PrimeCurveParams:
     /// expected layout.
     const EQUATION_B_LE: __risc0::FieldElement256<Self>;
 
-    fn from_u32_words_le(words: [u32; 8]) -> elliptic_curve::subtle::CtOption<Self::FieldElement>;
+    fn from_u32_words_le(words: [u32; 8]) -> Self::FieldElement;
 }

primeorder/src/projective.rs

@@ -86,9 +86,7 @@ where
                 &mut buffer,
             );
             let y = C::from_u32_words_le(buffer);
-            return x
-                .and_then(|x| y.map(|y| AffinePoint { x, y, infinity: 0 }))
-                .unwrap_or(AffinePoint::IDENTITY);
+            return AffinePoint { x, y, infinity: 0 };
         }
 
         self.z

primeorder/src/risc0.rs

@@ -235,8 +235,8 @@ where
 {
     if let Some(value) = affine.as_u32s() {
         // This should only not be within the modulus with a malicious host, panic in that case.
-        let x = C::from_u32_words_le(value[0]).unwrap();
-        let y = C::from_u32_words_le(value[1]).unwrap();
+        let x = C::from_u32_words_le(value[0]);
+        let y = C::from_u32_words_le(value[1]);
 
         let affine = AffinePoint { x, y, infinity: 0 };
         ProjectivePoint::from(affine)