perf: in-circuit ECDSA on secp256k1

[yelhousni]

Groth16: 4.2M --> 3M
Plonk: 10M --> 7M
todo:

• faster variable scalar mul (Halo2 book)

[ivokub]

Suggested edit:

diff --git a/std/algebra/weierstrass/point.go b/std/algebra/weierstrass/point.go
index c32932d4..afa19788 100644
--- a/std/algebra/weierstrass/point.go
+++ b/std/algebra/weierstrass/point.go
@@ -912,11 +912,15 @@ func (c *Curve[B, S]) Double(p *AffinePoint[B]) *AffinePoint[B] {
 	}
 }
 
-// Triple triples p and return it.
-// It follows [ELM03]: https://arxiv.org/pdf/math/0208038.pdf, 3.1
+// Triple triples p and return it. It follows [ELM03] (Section 3.1).
 // Saves the computation of the y coordinate of 2p as it is used only in the computation of λ2,
-// which can be computed as λ2 = -λ1-2*p.y/(x2-p.x) instead.
+// which can be computed as
+//
+//	λ2 = -λ1-2*p.y/(x2-p.x) instead.
+//
 // It doesn't modify p.
+//
+// [ELM03]: https://arxiv.org/pdf/math/0208038.pdf
 func (c *Curve[B, S]) Triple(p *AffinePoint[B]) *AffinePoint[B] {
 
 	// compute λ1 = (3p.x²+a)/2p.y, here we assume a=0 (j invariant 0 curve)
@@ -955,10 +959,15 @@ func (c *Curve[B, S]) Triple(p *AffinePoint[B]) *AffinePoint[B] {
 	}
 }
 
-// DoubleAndAdd computes 2p+q as (p+q)+p. It follows [ELM03]: https://arxiv.org/pdf/math/0208038.pdf, 3.1
+// DoubleAndAdd computes 2p+q as (p+q)+p. It follows [ELM03] (Section 3.1)
 // Saves the computation of the y coordinate of p+q as it is used only in the computation of λ2,
-// which can be computed as λ2 = -λ1-2*p.y/(x2-p.x) instead.
-// It doesn't modify p nor q.
+// which can be computed as
+//
+//	λ2 = -λ1-2*p.y/(x2-p.x)
+//
+// instead. It doesn't modify p nor q.
+//
+// [ELM03]: https://arxiv.org/pdf/math/0208038.pdf
 func (c *Curve[B, S]) DoubleAndAdd(p, q *AffinePoint[B]) *AffinePoint[B] {
 
 	// compute λ1 = (q.y-p.y)/(q.x-p.x)
@@ -996,7 +1005,7 @@ func (c *Curve[B, S]) DoubleAndAdd(p, q *AffinePoint[B]) *AffinePoint[B] {
 
 }
 
-// Select selects between p and q given the selector b. If b == 0, then returns
+// Select selects between p and q given the selector b. If b == 1, then returns
 // p and q otherwise.
 func (c *Curve[B, S]) Select(b frontend.Variable, p, q *AffinePoint[B]) *AffinePoint[B] {
 	x := c.baseApi.Select(b, &p.X, &q.X)
@@ -1008,8 +1017,11 @@ func (c *Curve[B, S]) Select(b frontend.Variable, p, q *AffinePoint[B]) *AffineP
 }
 
 // Lookup2 performs a 2-bit lookup between i0, i1, i2, i3 based on bits b0
-// and b1. Returns i0 if b0=b1=0, i1 if b0=1 and b1=0, i2 if b0=0 and b1=1
-// and i3 if b0=b1=1.
+// and b1. Returns:
+//   - i0 if b0=0 and b1=0,
+//   - i1 if b0=1 and b1=0,
+//   - i2 if b0=0 and b1=1,
+//   - i3 if b0=1 and b1=1.
 func (c *Curve[B, S]) Lookup2(b0, b1 frontend.Variable, i0, i1, i2, i3 *AffinePoint[B]) *AffinePoint[B] {
 	x := c.baseApi.Lookup2(b0, b1, &i0.X, &i1.X, &i2.X, &i3.X)
 	y := c.baseApi.Lookup2(b0, b1, &i0.Y, &i1.Y, &i2.Y, &i3.Y)

[ivokub]

Looks good and checks out. I just have a question about precomputing the tables or lazy-computing them. If it is better to completely recompute, then can keep as is but otherwise I would compute lazily for better auditability.

I also proposed a few edits which makes Documentation nicer. It would be nice to update std/algebra/weierstrass/doc_test.go to include the new methods, but isn't that importan as the package doc is already very good!

[ivokub]

@yelhousni - I implemented the table version. Can you have a look and merge if is OK.

[yelhousni]

@yelhousni - I implemented the table version. Can you have a look and merge if is OK.

That was quick ^^
It looks great! we can merge.