ff_derive: unnecessary limb required for large modulus (e.g. for NIST P-curves)

[tarcieri]

When using ff_derive with the base or scalar field modulus of elliptic curves like P-256 or P-384, ff_derive requires one more limb than is strictly necessary.

Example:

use ff::PrimeField;

#[derive(PrimeField)]
#[PrimeFieldModulus = "115792089210356248762697446949407573530086143415290314195533631308867097853951")
#[PrimeFieldGenerator = "6"]
#[PrimeFieldReprEndianness = "big"]
struct P256FieldElement([u64; 4]);

...fails with the following error:

error: The given modulus requires 5 limbs.
 --> src/lib.rs:7:31
  |
7 | struct P256FieldElement([u64; 4]);

[str4d]

The constraint comes from here:

ff/ff_derive/src/lib.rs

Lines 142 to 152 in e9ee111

	// The arithmetic in this library only works if the modulus*2 is smaller than the backing
	// representation. Compute the number of limbs we need.
	let mut limbs = 1;
	{
	let mod2 = (&modulus) << 1; // modulus * 2
	let mut cur = BigUint::one() << 64; // always 64-bit limbs for now
	while cur < mod2 {
	limbs += 1;
	cur <<= 64;
	}
	}

To address this limitation, we'd need to audit all of the arithmetic that ff-derive implements, and fix anywhere it assumes that 2p is smaller than the backing representation (which is not the case for P256 etc).