For anyone trying to look at this later, the problem in redPow that debian noted is the bit === 0 && current === 0 stuff as it performs differential treatment of different bits, skipping through consecutive zeros and allowing some classic DH timing stuff to happen. The rest looks mostly fine: mul is linear to input size; add / sub is trying to be clever but not too much.
It should be possible to just add a flag to disable the check. Someone will have to bench it and see if there is any difference though.
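To make the zero-skip behaviour described above concrete, here is an added example written with native BigInt (it is not bn.js's redPow and not the LibreSSL code): the same left-to-right exponentiation once with the `bit === 0 && current === 0` shortcut and once with a fixed window that always multiplies, each counting its modular multiplications. The 2-bit window size and the small base/modulus used in the checks are assumptions for the demo.

```javascript
const WINDOW = 2; // window size in bits (assumed for the demo)

function modMul(a, b, m, ctr) {
  ctr.mul++; // every modular multiply is counted, squarings included
  return (a * b) % m;
}

// wnd[k] = base^k mod m for k < 2^WINDOW; exponent independent, so not counted.
function windowTable(base, m) {
  const wnd = [1n];
  for (let k = 1; k < (1 << WINDOW); k++) wnd.push((wnd[k - 1] * base) % m);
  return wnd;
}

// Sliding window with the "bit === 0 && current === 0" shortcut: while the
// window is empty, a zero bit costs only a squaring, so the number of
// multiplies depends on where the exponent's runs of zeros are.
function modPowZeroSkip(base, exp, m) {
  const ctr = { mul: 0 }, wnd = windowTable(base, m), bits = exp.toString(2);
  let res = 1n, current = 0, currentLen = 0;
  for (let i = 0; i < bits.length; i++) {
    const bit = bits[i] === '1' ? 1 : 0;
    res = modMul(res, res, m, ctr);             // squaring happens every step
    if (bit === 0 && current === 0) continue;   // skip: no multiply this step
    current = (current << 1) | bit;
    currentLen++;
    if (currentLen !== WINDOW && i !== bits.length - 1) continue;
    res = modMul(res, wnd[current], m, ctr);    // flush the collected window
    current = 0; currentLen = 0;
  }
  return { value: res, muls: ctr.mul };
}

// Fixed window: every chunk gets WINDOW squarings and exactly one multiply,
// even when the chunk is zero (multiplying by wnd[0] = 1), so the multiply
// count depends only on the exponent's length, not its bit pattern. (A real
// implementation must also fetch wnd[chunk] without a secret-dependent index,
// e.g. by scanning the whole table; that part is omitted here.)
function modPowFixedWindow(base, exp, m) {
  const ctr = { mul: 0 }, wnd = windowTable(base, m);
  let bits = exp.toString(2);
  bits = '0'.repeat((WINDOW - bits.length % WINDOW) % WINDOW) + bits;
  let res = 1n;
  for (let i = 0; i < bits.length; i += WINDOW) {
    const chunk = parseInt(bits.slice(i, i + WINDOW), 2);
    for (let s = 0; s < WINDOW; s++) res = modMul(res, res, m, ctr);
    res = modMul(res, wnd[chunk], m, ctr);
  }
  return { value: res, muls: ctr.mul };
}
```

With base 3 and modulus 7, exponents 128 and 255 have the same bit length, yet the zero-skipping version performs 9 and 12 multiplications respectively while the fixed-window version performs 12 for both.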
Could you please implement this kind of mult:
https://github.com/libressl-portable/openbsd/blob/57dcd4329d83bff3dd67a293d5c4a53b795c587e/src/lib/libcrypto/bn/bn_exp.c#L641-L646
It will be useful for browserify/diffie-hellman#22