Bignum: Implement fixed width modular negation

[yanesca]

Prerequisites: #6017

Implement and test mbedtls_mpi_mod_raw_neg(). The implementation should follow the prototype:
https://github.com/hanno-arm/mbedtls/blob/ecp_prototype/library/bignum_core.c#L436-L447

This function should take the modulus as a modulus struct instead of a raw pointer.

[tom-cosgrove-arm]

Rather than 2 x sub + 1 x add-if, could we do something like this?

mbedtls_mpi_uint zero_check = 0;

/* The only representation of 0 is all-bits 0 in all limbs */
for( size_t i = 0; i < n; i++ )
    zero_check |= A[i];

/* We want X = N - A, except if A was 0, we want to return 0 */
mbedtls_mpi_core_sub( X, N, A, n );

/* mask is all-bits 0 if zero_check is 0, else all-bits 1 */
mbedtls_mpi_uint mask = mbedtls_ct_mpi_uint_mask( zero_check );

/* So if A was 0, we will clear it all out, else leave unchanged */
for( size_t i = 0; i < n; i++ )
        A[i] &= mask;

[gilles-peskine-arm]

@tom-cosgrove-arm I think that's correct, and maybe marginally more efficient (because there's no carry to propagate, so the per-limb calculations can be pipelined more), but I don't think that's worth the extra complexity.

[minosgalanakis]

@tom-cosgrove-arm I was wondering if there is a need for a constantime zero check method reglardless of the specific applicaton. It could be usefull if many inputs for bignum_mod have branching or invalid behavior when the input is zero, but I cannot think of many.

[gilles-peskine-arm]

I was wondering if there is a need for a constantime zero check

This is going to be needed for inv_mod at least.