This moves from 255 doubles and 255 additions to 259 doubles and 71 additions.
If doubling is twice as fast, which is roughly the case as far as I can tell,
this shifts the function from executing in (255 + (255 * 2)) = 765 time to
(259 + (71 * 2)) = 401 time, a 48% speedup.

It was only present to enable an FFT implementation in `halo2_proofs`
that is generic over fields and groups, but we can replace it with an
equivalent trait in `halo2_proofs` that can have a blanket impl.

The traits of ec-gpu changed a bit; there's now also a `GpuName`
trait that needs to be implemented.
BREAKING CHANGE: `ec-gpu` v0.2 traits are not compatible with v0.1
All dependencies that use `ec-gpu` need to be on v0.2.

We can use the `ff::PrimeField::root_of_unity` method everywhere we
currently use this associated constant. If there is a more general
need for accessing this as an associated constant, we should consider
that for `ff::PrimeField`.

We re-introduce the Tonelli-Shanks square root algorithm that was removed
in zcash/halo2#120, to use in no-std mode (the table-based impl requires
allocations, and also uses 29kiB of memory which is a problem for
constrained environments that typically need no-std).
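
An added example, not code from the commit or from `pasta_curves`: textbook Tonelli-Shanks over an illustrative 64-bit prime, showing that the algorithm needs only a few fixed-size values and no allocation or lookup table. The modulus `P`, the constants `S` and `T`, and all function names are assumptions made for the example, and this form is variable-time.

```rust
// Illustrative modulus (assumption, not a Pasta field): p = 2^64 - 2^32 + 1,
// so p - 1 = 2^32 * (2^32 - 1).
const P: u64 = 0xFFFF_FFFF_0000_0001;
const S: u32 = 32; // 2-adicity of p - 1
const T: u64 = 0xFFFF_FFFF; // odd part of p - 1

fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// Euler's criterion: true when `a` is a non-zero square mod P.
fn is_square(a: u64) -> bool { pow(a, (P - 1) / 2) == 1 }

/// Textbook (variable-time) Tonelli-Shanks; all state is a handful of u64s.
fn sqrt(a: u64) -> Option<u64> {
    let a = a % P;
    if a == 0 { return Some(0); }
    if !is_square(a) { return None; }
    // Any non-residue z yields z^T, a generator of the order-2^S subgroup.
    let z = (2..P).find(|&z| !is_square(z)).unwrap();
    let (mut m, mut c) = (S, pow(z, T));
    let (mut t, mut r) = (pow(a, T), pow(a, (T + 1) / 2));
    while t != 1 {
        // Least i with t^(2^i) == 1; i < m holds because a is a square.
        let (mut i, mut probe) = (0u32, t);
        while probe != 1 { probe = mul(probe, probe); i += 1; }
        // b = c^(2^(m - i - 1)) cancels the top bit of t's order.
        let mut b = c;
        for _ in 0..(m - i - 1) { b = mul(b, b); }
        m = i;
        c = mul(b, b);
        t = mul(t, c);
        r = mul(r, b);
    }
    Some(r)
}

fn main() { println!("{:?}", sqrt(mul(5, 5))); }
```
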

They already implement CofactorGroup (trivially, with the prime-order
subgroup being Self); this just enables Pallas and Vesta to be used in
cofactor-aware protocols that also want to leverage the affine point
representation.

The previous `CurveAffine::get_xy` method returned the coordinates as
`CtOption<(C::Base, C::Base)>`. However, `ConditionallySelectable` is
not implemented for any tuple or array types, making it impossible to
use any of the useful `CtOption` methods like `and_then`. We replace it
with `CurveAffine::coordinates -> CtOption<Coordinates<Self>>` and
`impl ConditionallySelectable for Coordinates` to enable operating over
coordinates in constant time.