Fix Jacobi benchmarks and other benchmark improvements

[sipa]

A number of improvements to bench_internal:

• Less confusing variable naming
• Use random Z coordinates for the (initial) gej variables (instead of 1).
• Vary the inputs to the Jacobi symbol benchmarks (they were constantly testing the same input, giving a non-representative result).
• Add a benchmark for testing gej_to_ge_var.

[real-or-random]

ACK mod nit

[elichai]

Isn't it more meaningful to test it with p as the prime of the jacobi symbol? (tested locally and the result are very similiar, but I think that for purposes like schnorr this is what we care about)

EDIT: I see that bench_group_jacobi_var actually encapsulates this already.

[elichai]

FYI this seem to be slightly slower than the actual random average.

before this PR I got: (locked on 2.4Ghz)

scalar_inverse: min 15.8us / avg 15.8us / max 16.1us                                                                   
scalar_inverse_var: min 3.13us / avg 3.16us / max 3.24us                                                               
field_inverse: min 7.39us / avg 7.42us / max 7.57us                                                                                                                                                                                           
field_inverse_var: min 3.10us / avg 3.11us / max 3.12us                                                                                                                                                                                       
group_jacobi_var: min 1.23us / avg 1.24us / max 1.26us                                                                 
num_jacobi: min 1.01us / avg 1.04us / max 1.20us                                        

with this PR:

scalar_inverse: min 15.8us / avg 15.8us / max 16.0us
scalar_inverse_var: min 3.12us / avg 3.21us / max 3.48us
field_inverse: min 7.41us / avg 7.44us / max 7.55us
field_inverse_var: min 3.11us / avg 3.12us / max 3.24us
group_jacobi_var: min 3.67us / avg 3.68us / max 3.70us
num_jacobi: min 3.54us / avg 3.55us / max 3.57us

with randomly chosen inputs for field_inverse_var and num_jacobi:

scalar_inverse: min 15.8us / avg 15.8us / max 15.9us
scalar_inverse_var: min 3.13us / avg 3.15us / max 3.21us
field_inverse: min 7.39us / avg 7.41us / max 7.51us
field_inverse_var: min 3.16us / avg 3.21us / max 3.24us
group_jacobi_var: min 3.67us / avg 3.80us / max 4.43us
num_jacobi: min 3.42us / avg 3.44us / max 3.48us

(code diff for this https://pastebin.com/raw/ewuiYxGc)

[jonasnick]

ACK 38a7bb3. I can't explain @elichai's results but they seem to be close enough and preallocating random elements could be a separate improvement (because it gets rid of the normalize, add, etc noise).

[gmaxwell]

ACK. I had assumed the different results with the precomputed values were probably largely alignment/cache/branch predictor issues. There has been some academic work to eliminate these effects by basically making a bunch of different binaries with the memory layout all randomized and benchmarking all of them. ... but unfortunately, like a billion other computer science research things that have shipped modified versions of clang, I wasn't able to get their code to work with the effort I was willing to put in.

I've contemplated before making benchmarks use precomputed values but it's also really nice if the benchmarks can run on low memory systems with minimal modification. Costs like add/etc could be subtracted out.

[sipa]

With the prospect of not needing Jacobi symbols anymore for BIP340 (and it possibly being removable from the codebase), the third commit may end up not being very useful long term. It doesn't hurt though.

I think this is ready.

[real-or-random]

@sipa I think my comment above is still unresolved (#797 (comment))

[real-or-random]

ACK cb5524a

[jonasnick]

ACK cb5524a