Constant-time field inversion

WARNING: THIS IS NOT ACTUALLY CONSTANT TIME YET!

The jubjub and bls12_381 crates will replace our constant-time usages,
but we NEED to fix ff_derive because other users will expect it to
implement the Field trait correctly.

bellman/src/groth16/tests/dummy_engine.rs

@@ -10,13 +10,19 @@ use std::cmp::Ordering;
 use std::fmt;
 use std::num::Wrapping;
 use std::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign};
-use subtle::{Choice, ConditionallySelectable};
+use subtle::{Choice, ConditionallySelectable, CtOption};
 
 const MODULUS_R: Wrapping<u32> = Wrapping(64513);
 
 #[derive(Copy, Clone, Debug, PartialEq, Eq)]
 pub struct Fr(Wrapping<u32>);
 
+impl Default for Fr {
+    fn default() -> Self {
+        <Fr as Field>::zero()
+    }
+}
+
 impl fmt::Display for Fr {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
         write!(f, "{}", (self.0).0)
@@ -159,11 +165,11 @@ impl Field for Fr {
         Fr((self.0 << 1) % MODULUS_R)
     }
 
-    fn inverse(&self) -> Option<Self> {
+    fn invert(&self) -> CtOption<Self> {
         if <Fr as Field>::is_zero(self) {
-            None
+            CtOption::new(<Fr as Field>::zero(), Choice::from(0))
         } else {
-            Some(self.pow(&[(MODULUS_R.0 as u64) - 2]))
+            CtOption::new(self.pow(&[(MODULUS_R.0 as u64) - 2]), Choice::from(1))
         }
     }
 
@@ -382,8 +388,8 @@ impl Engine for DummyEngine {
     }
 
     /// Perform final exponentiation of the result of a miller loop.
-    fn final_exponentiation(this: &Self::Fqk) -> Option<Self::Fqk> {
-        Some(*this)
+    fn final_exponentiation(this: &Self::Fqk) -> CtOption<Self::Fqk> {
+        CtOption::new(*this, Choice::from(1))
     }
 }