𝔾ₜ multi-exponentiations

[mratsim]

This adds serial and parallel endomorphism accelerated 𝔾ₜ multi-exponentiations to provide a baseline for them before optimizations.

This is motivated by research in Ethereum SSLE (Secret Shared Leader Election), a technique to keep private who the next Ethereum block producer will be.

• This avoids people DOS-ing the next block producer
• There are way too many deanonymizing attacks and metadata analysis possible to only rely on the P2P layer for anonymization.

Benchmarks

The machine is a low power (15W~30W) Ryzen 7840U.

Serial 𝔾ₜ multi-exp vs 𝔾₁ MSM

There is a 3x ratio between single exponentiation and single scalar mul.
But it becomes 5x with multiexp / MSM.

This can be explained because with many points, you can use affine coordinates and Montgomery batch inversion to switch from a cost of ~12Mul (Jacobian coordinate) to an asymptotic cost of ~6M (affine coordinates)

Parallel

Application

A size 128 𝔾ₜ multi-exp is 8ms when serial or for 256 ~ 15ms, parallelization only does a 4x speedup with 8 cores / 16 threads.

cc @asanso

[mratsim]

Upstream compilation regression here on this bench

constantine/benchmarks/bench_gt_parallel_template.nim

Lines 74 to 78 in fa4fb00

	type BenchMultiexpContext*[GT] = object
	tp: Threadpool
	numInputs: int
	elems: seq[GT]
	exponents: seq[getBigInt(GT.Name, kScalarField)]

nim-lang/Nim#23853