Optimized final exponentiation in the pairing implementation + faster proof verification

[yelhousni]

Solves #31.

Currently, the final exponentiation in the snarkjs pairing implementation consists in raising to a 2790-bit integer in Fq12. This PR implements an optimized lattice-based final exponentiation following [SAC:FueKnaRod11].

        /**
         * Final exponentiation on alt-bn128:
         *
         * elt^final_exponent = elt^((q^12-1)/r)
         *                    = elt^((q^6-1)*(q^2+1)) * elt^((q^4-q^2+1)/r)
         *                            "easy part"           "hard part"
         * 
         * "easy part":
         * elt^((q^6-1)*(q^2+1)) = (elt^(q^6) * elt^(-1))^(q^2) * (elt^(q^6) * elt^(-1)) 
         * where:
         * (.)^(q^6) is a conjugate and (.)^(q^2) a q^2-Frobenius power in F12
         *
         * "hard part":
         * We raise to a multiple of the exponent and decompose it in a q(z)-base (LLL algorithm)
         * where z in the bn curve seed.
         * (Laura Fuentes-Castaneda et al. "Faster hashing to G2")
         * elt^( 2z * ( 6z^2 + 3z + 1 ) * (q^4 - q^2 + 1)/r ) = elt^(q^3 * (12*z^3 + 6z^2 + 4z - 1) +
         *                                                           q^2 * (12*z^3 + 6z^2 + 6z) +
         *                                                           q   * (12*z^3 + 6z^2 + 4z) +
         *                                                           1   * (12*z^3 + 12z^2 + 6z + 1)) 
         * where:
         * (.)^(q^i) are q^i-Frobenius powers in F12 for i in {1,2,3}
         */

In addition to the pairing test with the new version in ./test/algebra.js, the PR implements a test to check if the optimized method gives the same result as the old method, and compares timings (~14x faster).

Type: Enhacement
Status: Ready to review

[yelhousni]

Also, the current Groth16 proof verification equation is e(proof.pi_a, proof.pi_b) == vk_alfabeta_12 * e(cpub , vk_verifier.vk_gamma_2) * e(proof.pi_c , vk_verifier.vk_delta_2) which costs 3 Miller loops, 3 final exponentiations, 2 multiplications in Fq12 and 1 equality check in Fq12. The last commit of this PR changes the equation into vk_alfabeta_12 == FE( ML(proof.pi_a, proof.pi_b), conj(2ML( cpub , vk_verifier.vk_gamma_2, proof.pi_c , vk_verifier.vk_delta_ )) ), where FE is factored for the 3 pairings and double Miller loop (2ML) is implemented to factor one square inside the loop. This reduces the verification cost to 1 Miller loop + 1 double Miller loop + 1 final exponentiation + 1 multiplication in Fq12 + 1 conjugate in Fq12 + 1 equality check in Fq12.

This can be applied to pghr13 and kimleeoh too. [update] Last two commits rearrange pghr13 and kimleeoh the same way.

[jbaylina]

Current version uses wasmcurves and it already implements the fast final exp algorithm