Window method for GLV acceleration

[mratsim]

#44 introduced a basic endomorphism accelerated scalar multiplication.

This can be further accelerated by introducing windows to save the following amount of operations:

• On G1, with a 2 dimensional decomposition, the lookup table is small (2 curve points), we can use a window of 2 or 3 (especially with affine coordinates) with the following estimated speedups:
  • GLV scalarmul on 254-bit scalar --> 127 doubling + 127 additions (from table lookup)
  • With window of size 2 --> 127 doublings + 64 additions (-25% operations)
  • With window of size 3 --> 127 doublings + 43 additions (-33% operations)

On G2 scalar multiplier for pairing curves can already be decomposed ways by combining 2 endomorphisms acceleration (GLV + GLS methods) and adding window methods on top will blow up the stack for few savings

The paper has a in-depth explanation of the window method applied to the custom representation.

• Efficient and Secure Algorithms for GLV-Based Scalar
  Multiplication and their Implementation on GLV-GLS
  Curves (Extended Version)
  Armando Faz-Hernández, Patrick Longa, Ana H. Sánchez, 2013
  https://eprint.iacr.org/2013/158.pdf

Additionally:

• Exponentiating in Pairing Groups
  Joppe W. Bos, Craig Costello, and Michael Naehrig, 2013
  https://eprint.iacr.org/2013/458.pdf

Also Snowshoe (https://github.com/catid/snowshoe) has such an implementation and sems to be the only project with such an implementation in the wild: https://github.com/catid/snowshoe/blob/8ba3f575/src/ecmul.inc#L134-L160