A list of breaking changes to consider for v0.6

[fjarri]

There's a lot of small stuff so I decided to put them in one issue:

• (Make bit ops use u32 for shifts #373) The types of the arguments to shl/shr methods are inconsistent: std has them as u32, Limb as Limb, and Uint as usize. Perhaps we should at least match Limb and Uint.
• (Bring the overflow behavior in bit shifts in sync with std #395) What should Uint::shl_limb(), shl_vartime(), and shl() (same for shr()) do on shift overflow? Currently shl_limb() panics, shl_vartime() returns self, and shl() returns zero. Should probably do the same thing. See also Diverging from primitive behavior in overflowing shift #121
• (Make inv_mod2k(_vartime) return a CtChoice #416) Should inv_mod2k() return CtChoice::FALSE if self is even? Should inv_odd_mod() return CtChoice::FALSE if modulus is even?
• (Normalize the usage of prefixes for method names #417) We need to make the usage of ct_ and const_ prefixes uniform. One prefix, either const_ or ct_, should be used for const fn when there is a non-const fn with the same functionality (otherwise no prefix needed); ct_ meaning "constant-time" really shouldn't be used at all because that's the default. uint/div.rs is especially bad in this respect.
• (Make division methods take NonZero-wrapped divisors #419) Should const fn division methods take a NonZero-wrapped modulus? Should div_rem_limb_with_reciprocal() take a CtOption of the reciprocal, or the caller should do the mapping instead?

[AaronFeickert]

The functionality for DynResidueParams::new_checked added in #240 was done with the understanding that it could be moved to DynResidueParams::new in a future breaking release.

[tarcieri]

Uint::{sqrt, checked_sqrt, wrapping_sqrt} should be removed or replaced with a constant-time implementation

[fjarri]

@tarcieri , what are your plans regarding the v0.6 release? I can start working on this so that we have time to discuss the planned breaking changes.

[tarcieri]

We're getting the ball rolling on another cycle of breaking changes over at https://github.com/rustcrypto/traits

I can cut a v0.5.4 release here and we can switch master to be v0.6.0-pre. If need be we can make a 0-5-stable branch for changes to the current release series.

[tarcieri]

Starting on this in #295

[tarcieri]

#296 made DynResidueParams::new fallible

[tarcieri]

Looking at the division operations, I'm wondering if we should consider NonZero divisors, which would eliminate the need to have multiple division functions, e.g. instead of wrapping_div (which makes no sense, except for cargo cult parity with std) and checked_div, we could have a single infallible-and-panic-free function with a NonZero<Self> divisor. The same goes for the *_rem functions.

Also, since it's only constant time with respect to the dividend and not to the divisor, it should probably be called div_vartime (or otherwise we need to rename all of the existing functions with _vartime suffixes, e.g. wrapping_div_vartime, checked_div_vartime).

We already use this approach for various *_mod functions.

[tarcieri]

It'd be nice to close #70, perhaps with a trait redesign

[fjarri]

This probably can be closed now?

[tarcieri]

Indeed!