Alternative to #659/#661 and #662 which leverages subtle::Choice and subtle::ConditionallySelectable as the optimization barriers.
Really the previous masking was there to conditionally add the scalar field modulus on underflow, so instead of that, we can conditionally select zero or the modulus using a Choice constructed from the underflow bit.
Alternative to #659/#661 and #662 which leverages
subtle::Choiceandsubtle::ConditionallySelectableas the optimization barriers.Really the previous masking was there to conditionally add the scalar field modulus on underflow, so instead of that, we can conditionally select zero or the modulus using a
Choiceconstructed from the underflow bit.TODO: verify codegen and check benchmarks