Update to the latest version of subtle

Cargo.toml

@@ -21,7 +21,7 @@ harness = false
 required-features = ["groups"]
 
 [dependencies.subtle]
-version = "2.1"
+version = "2.2.1"
 default-features = false
 
 [dependencies.byteorder]

src/fp2.rs

@@ -241,8 +241,6 @@ impl Fp2 {
     }
 
     pub fn sqrt(&self) -> CtOption<Self> {
-        use crate::CtOptionExt;
-
         // Algorithm 9, https://eprint.iacr.org/2012/685.pdf
         // with constant time modifications.
 

src/g1.rs

@@ -322,8 +322,6 @@ impl G1Affine {
         };
 
         x.and_then(|x| {
-            use crate::CtOptionExt;
-
             // If the infinity flag is set, return the value assuming
             // the x-coordinate is zero and the sort bit is not set.
             //

src/g2.rs

@@ -393,8 +393,6 @@ impl G2Affine {
             xc0.and_then(|xc0| {
                 let x = Fp2 { c0: xc0, c1: xc1 };
 
-                use crate::CtOptionExt;
-
                 // If the infinity flag is set, return the value assuming
                 // the x-coordinate is zero and the sort bit is not set.
                 //

src/lib.rs

@@ -72,20 +72,3 @@ const BLS_X_IS_NEGATIVE: bool = true;
 mod pairings;
 
 pub use pairings::{pairing, Gt, MillerLoopResult};
-
-// TODO: This should be upstreamed to subtle.
-// See https://github.com/dalek-cryptography/subtle/pull/48
-trait CtOptionExt<T> {
-    /// Calls f() and either returns self if it contains a value,
-    /// or returns the output of f() otherwise.
-    fn or_else<F: FnOnce() -> subtle::CtOption<T>>(self, f: F) -> subtle::CtOption<T>;
-}
-
-impl<T: subtle::ConditionallySelectable> CtOptionExt<T> for subtle::CtOption<T> {
-    fn or_else<F: FnOnce() -> subtle::CtOption<T>>(self, f: F) -> subtle::CtOption<T> {
-        let is_none = self.is_none();
-        let f = f();
-
-        subtle::ConditionallySelectable::conditional_select(&self, &f, is_none)
-    }
-}