Module field

Prime field arithmetic for the NIST curves P-256 and P-384. Constants for the Curve25519 and Curve448 field primes are also defined here.

All operations are constant-time: no secret-dependent branches or memory accesses. Field elements are stored in little-endian limb order (limb 0 is least significant).
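The limb layout and the constant-time conditional-subtraction pattern described above, written out as an added example over the P-256 prime. This is an independent illustration, not the module's own code: the Fe256 alias, the helper names (ct_select, add_limbs, sub_limbs) and the exact function signatures are assumptions for this example.

```rust
// Added example: constant-time 4 x u64 limb arithmetic modulo the P-256 prime.
// Independent illustration of the pattern the module describes, not the
// module's own code; Fe256, ct_select and the helper names are assumed.

/// A 256-bit value as four little-endian u64 limbs (limb 0 least significant).
pub type Fe256 = [u64; 4];

/// NIST P-256 field prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1.
pub const P256_P: Fe256 = [
    0xFFFF_FFFF_FFFF_FFFF,
    0x0000_0000_FFFF_FFFF,
    0x0000_0000_0000_0000,
    0xFFFF_FFFF_0000_0001,
];

/// NIST P-256 group order n (FIPS 186-4 D.1.2.3).
pub const P256_N: Fe256 = [
    0xF3B9_CAC2_FC63_2551,
    0xBCE6_FAAD_A717_9E84,
    0xFFFF_FFFF_FFFF_FFFF,
    0xFFFF_FFFF_0000_0000,
];

/// Constant-time select: `mask` must be all ones (take `a`) or all zeros (take `b`).
fn ct_select(mask: u64, a: &Fe256, b: &Fe256) -> Fe256 {
    let mut r = [0u64; 4];
    for i in 0..4 {
        r[i] = (a[i] & mask) | (b[i] & !mask);
    }
    r
}

/// Limb-wise add with carry propagation; the carry out is 0 or 1.
fn add_limbs(a: &Fe256, b: &Fe256) -> (Fe256, u64) {
    let mut r = [0u64; 4];
    let mut carry = 0u64;
    for i in 0..4 {
        let (s1, c1) = a[i].overflowing_add(b[i]);
        let (s2, c2) = s1.overflowing_add(carry);
        r[i] = s2;
        carry = (c1 as u64) | (c2 as u64); // c1 and c2 are never both set
    }
    (r, carry)
}

/// Limb-wise subtract with borrow propagation; the borrow out is 0 or 1.
fn sub_limbs(a: &Fe256, b: &Fe256) -> (Fe256, u64) {
    let mut r = [0u64; 4];
    let mut borrow = 0u64;
    for i in 0..4 {
        let (d1, b1) = a[i].overflowing_sub(b[i]);
        let (d2, b2) = d1.overflowing_sub(borrow);
        r[i] = d2;
        borrow = (b1 as u64) | (b2 as u64); // b1 and b2 are never both set
    }
    (r, borrow)
}

/// (a + b) mod p for a, b < p. Both the raw sum and sum - p are computed; a
/// mask picks the reduced one iff the sum reached p (carry out, or no borrow).
pub fn field_add(a: &Fe256, b: &Fe256) -> Fe256 {
    let (sum, carry) = add_limbs(a, b);
    let (reduced, borrow) = sub_limbs(&sum, &P256_P);
    let use_reduced = carry | (borrow ^ 1);
    ct_select(use_reduced.wrapping_neg(), &reduced, &sum)
}

/// (a - b) mod p for a, b < p: subtract, then add p back iff a borrow occurred.
pub fn field_sub(a: &Fe256, b: &Fe256) -> Fe256 {
    let (diff, borrow) = sub_limbs(a, b);
    let (wrapped, _) = add_limbs(&diff, &P256_P);
    ct_select(borrow.wrapping_neg(), &wrapped, &diff)
}

/// (-a) mod p. Falls out of field_sub: 0 - 0 does not borrow, so neg(0) = 0.
pub fn field_neg(a: &Fe256) -> Fe256 {
    field_sub(&[0u64; 4], a)
}

/// Scalar range check a < n without a data-dependent early exit: the borrow
/// out of a full-width subtraction is the comparison result.
pub fn scalar_is_valid(a: &Fe256) -> bool {
    let (_, borrow) = sub_limbs(a, &P256_N);
    borrow == 1
}
```

The point of computing both candidates and selecting with a mask is that the sequence of instructions and memory accesses is identical whether or not the reduction was needed; a `if sum >= p { sum - p }` would leak the comparison through timing.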

Structs

FieldElement
A field element over a prime p, represented as an array of LIMBS u64 limbs in little-endian order (limbs[0] is least significant).

Constants

CURVE448_P
Curve448 / Ed448 field prime: p = 2^448 - 2^224 - 1 (RFC 7748).
CURVE25519_P
Curve25519 field prime: p = 2^255 - 19 (RFC 7748).
P256_N
Order n of the NIST P-256 base point G. P-256 has cofactor 1, so n is also the order of the whole curve group; scalars are reduced modulo n, not modulo p.
P256_P
NIST P-256 field prime: p = 2^256 - 2^224 + 2^192 + 2^96 - 1.
P384_N
Order of P-384 (FIPS 186-4 §D.1.2.4): n = 0xFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFF C7634D81F4372DDF 581A0DB248B0A77A ECEC196ACCC52973
P384_P
NIST P-384 field prime: p = 2^384 - 2^128 - 2^96 + 2^32 - 1.

Functions

field_add
Add two field elements: result = (a + b) mod p. Constant-time via conditional subtraction of p: the subtraction is always performed and its result is selected without branching.
field_inv
Modular inverse a^{-1} mod p via Fermat’s little theorem: a^{p-2} mod p. Constant-time: a fixed sequence of one squaring and one (conditionally selected) multiplication per exponent bit. Zero has no inverse; this method returns 0 for a = 0, so callers that must reject zero have to check for it themselves.
field_mul
Multiply two field elements modulo p. Uses operand scanning with interleaved reduction: for each word of a, multiply it by all of b and add into the accumulator, then eliminate the lowest accumulator word with a Montgomery-style reduction step.
field_neg
Negate: result = (-a) mod p = p - a if a != 0, else 0.
field_pow
Modular exponentiation: base^exp mod p. Constant-time: the exponent is processed left to right, and every bit costs one squaring and one multiplication, with the product kept or discarded without branching (square-and-multiply-always).
field_sqr
Square a field element modulo p.
field_sqrt_p3mod4
Compute a square root of a in the prime field Fp, assuming p ≡ 3 (mod 4). Uses the closed-form identity sqrt(a) = a^((p+1)/4) mod p, which yields a root whenever a is a quadratic residue. If a is a non-residue the returned value is not a root of a, so callers (e.g. point decompression) must verify r^2 == a. The P-256, P-384 and Curve448 primes all satisfy p ≡ 3 (mod 4); the Curve25519 prime 2^255 - 19 does not.
field_sub
Subtract two field elements: result = (a - b) mod p.
scalar_add
Add two scalars mod n.
scalar_inv
Inverse of a scalar mod n.
scalar_is_valid
Check that a < n (used to validate that scalars are in range). Note that a = 0 satisfies a < n, so private scalars additionally need a nonzero check.
scalar_mul
Multiply two scalars mod n.
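The exponentiation ladder shared by field_pow, field_inv and field_sqrt_p3mod4 above, as an added example that is not this module's code. To keep it self-contained it uses the single-limb prime p = 2^61 - 1, which like the P-256 and P-384 primes is ≡ 3 (mod 4), so u128 products suffice; the `%` reduction stands in for the module's multi-limb reduction and is itself not constant-time. The names P61, mul and ct_select are chosen for this example.

```rust
// Added example: square-and-multiply-always exponentiation, Fermat inversion
// and the p ≡ 3 (mod 4) square root with a residue check. Not the module's
// own code; the prime, names and `%`-based reduction are assumptions.

/// p = 2^61 - 1, a prime with p ≡ 3 (mod 4), so the closed-form root applies.
pub const P61: u64 = (1u64 << 61) - 1;

/// a * b mod p. The `%` is a placeholder for a real reduction and is not
/// constant-time; everything else in this file avoids secret-dependent control flow.
fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P61 as u128) as u64
}

/// Constant-time select: `bit` is 0 or 1; returns `a` if 1, `b` if 0.
fn ct_select(bit: u64, a: u64, b: u64) -> u64 {
    let mask = bit.wrapping_neg(); // 1 -> all ones, 0 -> all zeros
    (a & mask) | (b & !mask)
}

/// Left-to-right square-and-multiply-always: each of the 64 exponent bits
/// costs exactly one squaring and one multiplication, and the product is kept
/// or discarded with a mask instead of an `if` on the exponent bit.
pub fn field_pow(base: u64, exp: u64) -> u64 {
    let mut acc = 1u64;
    for i in (0..64).rev() {
        acc = mul(acc, acc);
        let with_mul = mul(acc, base);
        let bit = (exp >> i) & 1;
        acc = ct_select(bit, with_mul, acc);
    }
    acc
}

/// a^{-1} mod p via Fermat: a^{p-2}. Note that inv(0) = 0 rather than an error.
pub fn field_inv(a: u64) -> u64 {
    field_pow(a, P61 - 2)
}

/// For p ≡ 3 (mod 4), r = a^{(p+1)/4} is a square root of a when a is a
/// quadratic residue. r*r is compared against a so that a non-residue yields
/// None instead of a silently wrong "root". The outcome reveals only whether
/// a is a square, which for point decompression is already public.
pub fn field_sqrt_p3mod4(a: u64) -> Option<u64> {
    debug_assert_eq!(P61 % 4, 3);
    let r = field_pow(a, (P61 + 1) / 4);
    if mul(r, r) == a { Some(r) } else { None }
}
```

The residue check at the end is the caveat that matters in practice: without it, a non-residue input produces a value that looks like a field element but does not square back to a, and a point-decompression routine built on it would accept off-curve points.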