Fast clear cofactor

[mratsim]

Unless the cofactor is 1 (for BN254 curves) we are unfortunately working on a subgroup of an elliptic curve.

This means that when generating a random point for testing we may be generating a point out of our subgroup of interest.

In particular for scalar multiplication accelerated by endomorphism, the point MUST be on the subgroup or the result is incorrect.

A simple way to generate a point in the proper subgroup is to scalar multiply a random point by the cofactor of the curve:

• Q: can we use GLV multiplication for that?

More efficient ways exist and are detailed in the IETF hash-to-curve draft https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08#section-7 and (Wahby, Boneh, 2019, Fast and simple constant-time hashingto the BLS12-381 elliptic curve, https://eprint.iacr.org/2019/403.pdf). For BLS G1 in particular we can simply multiply by 1-u with u the BLS parameter.

Note for compatibility, when a fast cofactor clearing method exist, it is usually incompatible with the "normal" scalar multiplication by the actual cofactor. As clear cofactor is only used in 2 cases, random testing and hash-to-curve, we should implement the hash-to-curve version.

For G2 see https://github.com/status-im/nim-blscurve/blob/1a18d0db/blscurve/hash_to_curve.nim#L454-L512

Sage implementation: https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/ead9c911/poc/clear_h_bls12381g2.sage