Move loop decrements into continuations

Suggested by @daurnimator

lib/std/crypto/25519/curve25519.zig

@@ -44,7 +44,7 @@ pub const Curve25519 = struct {
         var z3 = Fe.one;
         var swap: u8 = 0;
         var pos: usize = bits - 1;
-        while (true) {
+        while (true) : (pos -= 1) {
             const b = (s[pos / 8] >> @intCast(u3, pos & 7)) & 1;
             swap ^= b;
             Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
@@ -68,7 +68,6 @@ pub const Curve25519 = struct {
             z3 = x1.mul(z2);
             z2 = tmp1.mul(tmp0);
             if (pos == 0) break;
-            pos -= 1;
         }
         Fe.cSwap2(&x2, &x3, &z2, &z3, swap);
         z2 = z2.invert();

lib/std/crypto/25519/edwards25519.zig

@@ -132,12 +132,11 @@ pub const Edwards25519 = struct {
     fn pcMul(pc: [16]Edwards25519, s: [32]u8) !Edwards25519 {
         var q = Edwards25519.identityElement();
         var pos: usize = 252;
-        while (true) {
+        while (true) : (pos -= 4) {
             q = q.dbl().dbl().dbl().dbl();
             const b = (s[pos / 8] >> @intCast(u3, pos & 7)) & 0xf;
             q = q.add(pcSelect(pc, b));
             if (pos == 0) break;
-            pos -= 4;
         }
         try q.rejectIdentity();
         return q;

lib/std/crypto/25519/scalar.zig

@@ -116,13 +116,12 @@ pub fn rejectNonCanonical(s: [32]u8) !void {
     var c: u8 = 0;
     var n: u8 = 1;
     var i: usize = 31;
-    while (true) {
+    while (true) : (i -= 1) {
         const xs = @as(u16, s[i]);
         const xfield_size = @as(u16, field_size[i]);
         c |= @intCast(u8, ((xs -% xfield_size) >> 8) & n);
         n &= @intCast(u8, ((xs ^ xfield_size) -% 1) >> 8);
         if (i == 0) break;
-        i -= 1;
     }
     if (c == 0) {
         return error.NonCanonical;