Add endo scalar decomposition

[kilic]

Adds scalar decomposition for endomorphism for pasta and bn curves. Now we should be able to rebase privacy-scaling-explorations/halo2#40. Also in tests there is a naive glv multiplication applilcation. I think it should not be replaced with the present multiplication function since that one also applies constant time multiplication. Closes #17

[CPerezz]

Where can we check the endomorfism docs from which you derived the impl? Is the endomorfism formalized somewhere?

[kilic]

Documents:

• Guide to Elliptic Curve Cryptography. Section 3.5
• Original GLV paper
• Speed up secp256k1 with endomorphism

Implementations that helped:

• Consensys/gnark
• kilic/bls12-381

[CPerezz]

I'd try a match statement here. It maybe brings tiny bit more performance than if-else chains

[CPerezz]

Should we bench the diff? Or not worth?

[CPerezz]

Could we try https://docs.rs/rayon/latest/rayon/iter/trait.ParallelIterator.html#method.fold here?

[CPerezz]

Why do we reverse k2 here?

[davidnevadoc]

They are both reversed to apply the sliding window mul algorithm starting from the less significant bit.

[CPerezz]

Maybe move this test inside of wnaf mod?

[kilic]

I added glv multiplication as an example application of endo decomposition and whole thing is in test mod. And I think it can be removed. We can change ecc mul with another PR. However it seems like single multiplication hasn't been a bottlenck for us that much so I think it is better to keep the original and simple one unless such change is strictly necessary

[davidnevadoc]

Overall LGTM! Great work :)
I have made some suggestions to add some comments and references to make the code more understandable.

[davidnevadoc]

I am unsure of the criteria of this function. Could you give some further explanation please? :)
Do we get is_neg(e) when e[3] >0?
Aren't the 3 first assignments of borrow always 0?

[kilic]

This trick actually reveals whether a element is ~128 bit or ~F::NUM_BITS. if latter we see that element is negative and subtract it from modulus and get the actual ~128 bit element. It was originally like below

let (_, borrow) = sbb(0xffffffffffffffff, e[0], 0);
let (_, borrow) = sbb(0xffffffffffffffff, e[1], borrow);
let (_, borrow) = sbb(0x00, e[2], borrow);
let (_, borrow) = sbb(0x00, e[3], borrow);

However in some fields we hit scalars decomposed into 129 bits so I just also made third control limb sparse�

[davidnevadoc]

I see, thanks for the explanation!

[davidnevadoc]

Are these derived directly or taken form some implementation/ article? I think it would be good to add some reference in any case.
I also think it would be good to add a reference to some resource that explains what these are. Maybe something like:

//  https://www.iacr.org/archive/crypto2001/21390189.pdf
//  Vectors v1, v2 described in Section 4.

Without some indication I know future me will forget what these are x)

[kilic]

I think this is resolved with de71b18

[davidnevadoc]

Looks good! However there are some non-obvious optimizations that make the algorithm quite hard to follow.
I gave some explanation of what I believe is going on in this note
I think some comments should be added so that working in this code is easier in the future.

[davidnevadoc]

Can we fix the changes and merge the PR @kilic ?

[davidnevadoc]

LGTM! Thanks a lot 👍

[davidnevadoc]

They are both reversed to apply the sliding window mul algorithm starting from the less significant bit.

[davidnevadoc]

I see, thanks for the explanation!

[davidnevadoc]

LGTM! Thanks a lot 👍