[Draft] wNAF multiplication for BN256 curve

[ZamDimon]

What ❔

This pull request implements multiplication by a scalar for the BN256 curve. This PR adds:

• WNAF-based implementation, mostly based on this implementation.
• .sage files for finding:
  • $\beta$ and $\lambda$ parameters for useful endomorphism;
  • short vectors $(a_1,b_1)$ and $(a_2,b_2)$ for effective scalar decomposition

Why ❔

Currently, multiplication by a scalar is not implemented for BN256 and therefore one needs to add support for such an operation.

Checklist

• PR title corresponds to the body of PR (we generate changelog entries from PRs).
• Tests for the changes have been added / updated.
• Documentation comments have been added / updated.
• Code has been formatted via zk fmt and zk lint.

[jules]

Everything looks great - as discussed, let's move to the cheaper mul circuit and we should be done here :)

[jules]

As discussed, this can be deleted

[jules]

Can also be deleted I believe

[jules]

All wNAF functionality can be removed. We keep the GLV decomposition but instead use Alex's fixed-width 4-bit mul circuit found here. Note that the code here deals with potential 129 bit decomposed scalars, whereas bn254 will only occupy max 127 bits. Thus, there should be some extra constraints we can drop as the scalars fit in a smaller size.

[ZamDimon]

Hey @jules, enormous thanks for the review! Updated the wnaf-based scalar multiplication to a fixed-width 4-bit multiplication, as requested, according to implementation here.

After your comment, I am now aware of the extra circuit complexity due to dealing with the potential 129-bit decomposed scalar. Still, I suggest staying with the current implementation since it is well-tested. Then, after we successfully integrate the ecMul in the more high-level repositories and make sure it works, we will surely cut off the constraints.

[ZamDimon]

BN254-specific functions will be transferred to era-zkevm_circuits. For helper gadgets, see #38. Thus, we close this pull request.