Clamp Montgomery exponent bit bounds #1273

Open
tob-joe wants to merge 1 commit into RustCrypto:master from tob-joe:fix-montgomery-exponent-bit-bounds

Clamp Montgomery exponent bit bounds#1273
tob-joe wants to merge 1 commit into
RustCrypto:masterfrom
tob-joe:fix-montgomery-exponent-bit-bounds

Conversation


@tob-joe tob-joe commented Jun 4, 2026

Summary

Bounded Montgomery exponentiation APIs define exponent_bits as the number of least-significant exponent bits to take into account:

```rust
/// Raises to the `exponent` power,
/// with `exponent_bits` representing the number of (least significant) bits
/// to take into account for the exponent.
///
/// NOTE: `exponent_bits` may be leaked in the time pattern.
#[must_use]
pub const fn pow_bounded_exp<const RHS_LIMBS: usize>(
    &self,
    exponent: &Uint<RHS_LIMBS>,
    exponent_bits: u32,
```

```rust
/// Raises to the `exponent` power,
/// with `exponent_bits` representing the number of (least significant) bits
/// to take into account for the exponent.
///
/// NOTE: `exponent_bits` may be leaked in the time pattern.
#[must_use]
pub const fn pow_bounded_exp<const RHS_LIMBS: usize>(
    &self,
    exponent: &Uint<RHS_LIMBS>,
    exponent_bits: u32,
```

```rust
/// Raises to the `exponent` power,
/// with `exponent_bits` representing the number of (least significant) bits
/// to take into account for the exponent.
///
/// NOTE: `exponent_bits` may be leaked in the time pattern.
#[must_use]
pub fn pow_bounded_exp(&self, exponent: &BoxedUint, exponent_bits: u32) -> Self {
    Self {
        montgomery_form: pow_montgomery_form_amm(
            &self.montgomery_form,
            exponent,
            exponent_bits,
```

When exponent_bits exceeded the supplied exponent precision, the Montgomery helpers could derive an out-of-range limb index. Since exponent limbs are little-endian, those missing high exponent bits should be treated as zero.

Fix

Clamp exponent_bits to the supplied exponent precision at the shared Montgomery exponentiation entry points. This makes oversized bounded exponent lengths behave like full-precision exponentiation instead of indexing past the exponent limbs.

Tests

Added regression tests covering oversized exponent_bits for:

  • standard Montgomery exponentiation
  • AMM Montgomery exponentiation
  • array multi-exponentiation
  • alloc slice multi-exponentiation

Verified with:

```shell
cargo test --all-features modular::pow::tests -- --nocapture
cargo test --all-features --test uint monty_form_pow_bounded_exp -- --exact
```

This work was completed by Trail of Bits as part of the Patch The Planet project in collaboration with OpenAI. The issue was identified primarily by the Codex coding agent, and manually reviewed before submission.

Treat oversized bounded Montgomery exponent lengths as requests for all available exponent bits instead of indexing past the exponent limbs.

Clamp exponent_bits at the shared Montgomery exponentiation entry points so missing high exponent bits are handled as zero.

Add regression tests for the standard, AMM, array multi-exponentiation, and alloc slice multi-exponentiation helpers.

Co-authored-by: GPT 5.5 <gpt-5.5@openai.com>
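The following is an added illustration, not code from crypto-bigint or from this PR. It models the bounded-exponent loop on a plain little-endian `u64` limb slice with a small modulus, so the two behaviours the description contrasts can be run side by side: an unclamped version derives a limb index from `exponent_bits` and fails once that index runs past the supplied limbs, while a clamped version limits `exponent_bits` to the exponent's precision and therefore treats an oversized bound exactly like full-precision exponentiation. Function names (`pow_bounded_unclamped`, `pow_bounded_clamped`) and the sample values are constructed for this example.

```rust
// Added example (not crypto-bigint code): a toy square-and-multiply modular
// exponentiation over little-endian u64 limbs with a bounded exponent length.
// Names and sample values are constructed for illustration.

const LIMB_BITS: u32 = 64;

/// Modular multiplication via u128; the modulus must fit in a u64.
fn mul_mod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

/// Unclamped variant, mirroring the bug the PR fixes: the limb index is
/// derived directly from the bit index, so an `exponent_bits` larger than
/// `exponent.len() * 64` reaches past the slice. The toy returns `None`
/// where the real helper would index out of range.
fn pow_bounded_unclamped(base: u64, exponent: &[u64], exponent_bits: u32, m: u64) -> Option<u64> {
    let mut acc = 1 % m;
    // Left-to-right binary exponentiation over the low `exponent_bits` bits.
    for i in (0..exponent_bits).rev() {
        acc = mul_mod(acc, acc, m);
        let limb = *exponent.get((i / LIMB_BITS) as usize)?; // past the limbs -> None
        if (limb >> (i % LIMB_BITS)) & 1 == 1 {
            acc = mul_mod(acc, base, m);
        }
    }
    Some(acc)
}

/// Clamped variant, mirroring the fix: `exponent_bits` is capped at the
/// exponent's precision. Since the limbs are little-endian, the bits that
/// would have lived above the supplied limbs are zero, and leading zero bits
/// only square an accumulator that is still 1, so the clamp is exact.
fn pow_bounded_clamped(base: u64, exponent: &[u64], exponent_bits: u32, m: u64) -> u64 {
    let precision = exponent.len() as u32 * LIMB_BITS;
    let bits = exponent_bits.min(precision);
    let mut acc = 1 % m;
    for i in (0..bits).rev() {
        acc = mul_mod(acc, acc, m);
        let limb = exponent[(i / LIMB_BITS) as usize]; // always in range after clamping
        if (limb >> (i % LIMB_BITS)) & 1 == 1 {
            acc = mul_mod(acc, base, m);
        }
    }
    acc
}

fn main() {
    // Constructed sample: 3^10 mod 1_000_003 with a generous 128-bit bound
    // on a single-limb exponent.
    let exponent = [10u64];
    println!("unclamped: {:?}", pow_bounded_unclamped(3, &exponent, 128, 1_000_003));
    println!("clamped:   {}", pow_bounded_clamped(3, &exponent, 128, 1_000_003));
}
```

The `bits == 64` case in the test below is the other half of the contract worth checking: a bound that is smaller than the exponent still restricts the computation to the low `exponent_bits` bits, so clamping only ever lowers an oversized bound and never widens a small one.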

codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.02%. Comparing base (4c6f87d) to head (1b1b52e).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1273      +/-   ##
==========================================
+ Coverage   90.99%   91.02%   +0.02%     
==========================================
  Files         189      189              
  Lines       22139    22195      +56     
==========================================
+ Hits        20146    20202      +56     
  Misses       1993     1993              
