Add ff::Field::pow

Ported from zcash/pasta_curves@db83057.

CHANGELOG.md

@@ -6,6 +6,8 @@ and this library adheres to Rust's notion of
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- `ff::Field::pow`
 
 ## [0.12.1] - 2022-10-28
 ### Fixed

src/lib.rs

@@ -105,11 +105,35 @@ pub trait Field:
     /// quadratic residue.
     fn sqrt(&self) -> CtOption<Self>;
 
-    /// Exponentiates `self` by `exp`, where `exp` is a little-endian order
-    /// integer exponent.
+    /// Exponentiates `self` by `exp`, where `exp` is a little-endian order integer
+    /// exponent.
     ///
-    /// **This operation is variable time with respect to the exponent.** If the
-    /// exponent is fixed, this operation is effectively constant time.
+    /// # Guarantees
+    ///
+    /// This operation is constant time with respect to `self`, for all exponents with the
+    /// same number of digits (`exp.as_ref().len()`). It is variable time with respect to
+    /// the number of digits in the exponent.
+    fn pow<S: AsRef<[u64]>>(&self, exp: S) -> Self {
+        let mut res = Self::one();
+        for e in exp.as_ref().iter().rev() {
+            for i in (0..64).rev() {
+                res = res.square();
+                let mut tmp = res;
+                tmp *= self;
+                res.conditional_assign(&tmp, (((*e >> i) & 1) as u8).into());
+            }
+        }
+        res
+    }
+
+    /// Exponentiates `self` by `exp`, where `exp` is a little-endian order integer
+    /// exponent.
+    ///
+    /// # Guarantees
+    ///
+    /// **This operation is variable time with respect to `self`, for all exponent.** If
+    /// the exponent is fixed, this operation is effectively constant time. However, for
+    /// stronger constant-time guarantees, [`Field::pow`] should be used.
     fn pow_vartime<S: AsRef<[u64]>>(&self, exp: S) -> Self {
         let mut res = Self::one();
         for e in exp.as_ref().iter().rev() {