Revert "perf(2-chains): save an addition per iteration in ScalarMul"

This reverts commit 4d71f79.

std/algebra/native/sw_bls12377/g1.go

@@ -215,7 +215,7 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	s1bits := api.ToBinary(s1, nbits)
 	s2bits := api.ToBinary(s2, nbits)
 
-	var Acc, B, B1, B2, B3, B4 G1Affine
+	var Acc /*accumulator*/, B, B2 /*tmp vars*/ G1Affine
 	// precompute -Q, -Φ(Q), Φ(Q)
 	var tableQ, tablePhiQ [2]G1Affine
 	tableQ[1] = Q
@@ -227,9 +227,9 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	// Acc = Q + Φ(Q) = B1
-	cc.phi2Neg(api, &Acc, &Q)
-	B1 = Acc
+	//     Acc = Q + Φ(Q)
+	Acc = tableQ[1]
+	Acc.AddAssign(api, tablePhiQ[1])
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
@@ -252,16 +252,12 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	B.Y = api.Select(s2bits[nbits-2], tablePhiQ[1].Y, tablePhiQ[0].Y)
 	Acc.AddAssign(api, B)
 
-	// B2 = -Q-Φ(Q)
-	B2.Neg(api, B1)
-	// B3 = Q-Φ(Q)
-	B3 = tablePhiQ[0]
-	B3.AddAssign(api, tableQ[1])
-	// B4 = -Q+Φ(Q)
-	B4.Neg(api, B3)
+	B2.X = tablePhiQ[0].X
 	for i := nbits - 3; i > 0; i-- {
-		B.X = api.Select(api.Xor(s1bits[i], s2bits[i]), B3.X, B2.X)
-		B.Y = api.Lookup2(s1bits[i], s2bits[i], B2.Y, B3.Y, B4.Y, B1.Y)
+		B.X = Q.X
+		B.Y = api.Select(s1bits[i], tableQ[1].Y, tableQ[0].Y)
+		B2.Y = api.Select(s2bits[i], tablePhiQ[1].Y, tablePhiQ[0].Y)
+		B.AddAssign(api, B2)
 		Acc.DoubleAndAdd(api, &Acc, &B)
 	}
 

std/algebra/native/sw_bls12377/g2.go

@@ -224,7 +224,7 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	s1bits := api.ToBinary(s1, nbits)
 	s2bits := api.ToBinary(s2, nbits)
 
-	var Acc, B, B1, B2, B3, B4 g2AffP
+	var Acc /*accumulator*/, B, B2 /*tmp vars*/ g2AffP
 	// precompute -Q, -Φ(Q), Φ(Q)
 	var tableQ, tablePhiQ [2]g2AffP
 	tableQ[1] = Q
@@ -236,9 +236,9 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	// Acc = Q + Φ(Q) = B1
-	cc.phi1Neg(api, &Acc, &Q)
-	B1 = Acc
+	//     Acc = Q + Φ(Q)
+	Acc = tableQ[1]
+	Acc.AddAssign(api, tablePhiQ[1])
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
@@ -261,16 +261,12 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	B.Y.Select(api, s2bits[nbits-2], tablePhiQ[1].Y, tablePhiQ[0].Y)
 	Acc.AddAssign(api, B)
 
-	// B2 = -Q-Φ(Q)
-	B2.Neg(api, B1)
-	// B3 = Q-Φ(Q)
-	B3 = tablePhiQ[0]
-	B3.AddAssign(api, tableQ[1])
-	// B4 = -Q+Φ(Q)
-	B4.Neg(api, B3)
+	B2.X = tablePhiQ[0].X
 	for i := nbits - 3; i > 0; i-- {
-		B.X.Select(api, api.Xor(s1bits[i], s2bits[i]), B3.X, B2.X)
-		B.Y.Lookup2(api, s1bits[i], s2bits[i], B2.Y, B3.Y, B4.Y, B1.Y)
+		B.X = Q.X
+		B.Y.Select(api, s1bits[i], tableQ[1].Y, tableQ[0].Y)
+		B2.Y.Select(api, s2bits[i], tablePhiQ[1].Y, tablePhiQ[0].Y)
+		B.AddAssign(api, B2)
 		Acc.DoubleAndAdd(api, &Acc, &B)
 	}
 

std/algebra/native/sw_bls12377/inner.go

@@ -29,24 +29,12 @@ func (cc *innerConfig) phi1(api frontend.API, res, P *G1Affine) *G1Affine {
 	return res
 }
 
-func (cc *innerConfig) phi2Neg(api frontend.API, res, P *G1Affine) *G1Affine {
-	res.X = api.Mul(P.X, cc.thirdRootOne2)
-	res.Y = api.Sub(0, P.Y)
-	return res
-}
-
 func (cc *innerConfig) phi2(api frontend.API, res, P *g2AffP) *g2AffP {
 	res.X.MulByFp(api, P.X, cc.thirdRootOne2)
 	res.Y = P.Y
 	return res
 }
 
-func (cc *innerConfig) phi1Neg(api frontend.API, res, P *g2AffP) *g2AffP {
-	res.X.MulByFp(api, P.X, cc.thirdRootOne1)
-	res.Y.Neg(api, P.Y)
-	return res
-}
-
 // getInnerCurveConfig returns the configuration of the inner elliptic curve
 // which can be defined on the scalars of outer curve.
 func getInnerCurveConfig(outerCurveScalarField *big.Int) *innerConfig {

std/algebra/native/sw_bls24315/g1.go

@@ -214,7 +214,7 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	s1bits := api.ToBinary(s1, nbits)
 	s2bits := api.ToBinary(s2, nbits)
 
-	var Acc, B, B1, B2, B3, B4 G1Affine
+	var Acc /*accumulator*/, B, B2 /*tmp vars*/ G1Affine
 	// precompute -Q, -Φ(Q), Φ(Q)
 	var tableQ, tablePhiQ [2]G1Affine
 	tableQ[1] = Q
@@ -226,9 +226,9 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	// Acc = Q + Φ(Q) = B1
-	cc.phi2Neg(api, &Acc, &Q)
-	B1 = Acc
+	//     Acc = Q + Φ(Q)
+	Acc = tableQ[1]
+	Acc.AddAssign(api, tablePhiQ[1])
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
@@ -251,16 +251,12 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	B.Y = api.Select(s2bits[nbits-2], tablePhiQ[1].Y, tablePhiQ[0].Y)
 	Acc.AddAssign(api, B)
 
-	// B2 = -Q-Φ(Q)
-	B2.Neg(api, B1)
-	// B3 = Q-Φ(Q)
-	B3 = tablePhiQ[0]
-	B3.AddAssign(api, tableQ[1])
-	// B4 = -Q+Φ(Q)
-	B4.Neg(api, B3)
+	B2.X = tablePhiQ[0].X
 	for i := nbits - 3; i > 0; i-- {
-		B.X = api.Select(api.Xor(s1bits[i], s2bits[i]), B3.X, B2.X)
-		B.Y = api.Lookup2(s1bits[i], s2bits[i], B2.Y, B3.Y, B4.Y, B1.Y)
+		B.X = Q.X
+		B.Y = api.Select(s1bits[i], tableQ[1].Y, tableQ[0].Y)
+		B2.Y = api.Select(s2bits[i], tablePhiQ[1].Y, tablePhiQ[0].Y)
+		B.AddAssign(api, B2)
 		Acc.DoubleAndAdd(api, &Acc, &B)
 	}
 

std/algebra/native/sw_bls24315/g2.go

@@ -224,7 +224,7 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	s1bits := api.ToBinary(s1, nbits)
 	s2bits := api.ToBinary(s2, nbits)
 
-	var Acc, B, B1, B2, B3, B4 g2AffP
+	var Acc /*accumulator*/, B, B2 /*tmp vars*/ g2AffP
 	// precompute -Q, -Φ(Q), Φ(Q)
 	var tableQ, tablePhiQ [2]g2AffP
 	tableQ[1] = Q
@@ -236,9 +236,9 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	// Acc = Q + Φ(Q) = B1
-	cc.phi1Neg(api, &Acc, &Q)
-	B1 = Acc
+	//     Acc = Q + Φ(Q)
+	Acc = tableQ[1]
+	Acc.AddAssign(api, tablePhiQ[1])
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
@@ -261,16 +261,12 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	B.Y.Select(api, s2bits[nbits-2], tablePhiQ[1].Y, tablePhiQ[0].Y)
 	Acc.AddAssign(api, B)
 
-	// B2 = -Q-Φ(Q)
-	B2.Neg(api, B1)
-	// B3 = Q-Φ(Q)
-	B3 = tablePhiQ[0]
-	B3.AddAssign(api, tableQ[1])
-	// B4 = -Q+Φ(Q)
-	B4.Neg(api, B3)
+	B2.X = tablePhiQ[0].X
 	for i := nbits - 3; i > 0; i-- {
-		B.X.Select(api, api.Xor(s1bits[i], s2bits[i]), B3.X, B2.X)
-		B.Y.Lookup2(api, s1bits[i], s2bits[i], B2.Y, B3.Y, B4.Y, B1.Y)
+		B.X = Q.X
+		B.Y.Select(api, s1bits[i], tableQ[1].Y, tableQ[0].Y)
+		B2.Y.Select(api, s2bits[i], tablePhiQ[1].Y, tablePhiQ[0].Y)
+		B.AddAssign(api, B2)
 		Acc.DoubleAndAdd(api, &Acc, &B)
 	}
 

std/algebra/native/sw_bls24315/inner.go

@@ -61,24 +61,12 @@ func (cc *innerConfig) phi1(api frontend.API, res, P *G1Affine) *G1Affine {
 	return res
 }
 
-func (cc *innerConfig) phi2Neg(api frontend.API, res, P *G1Affine) *G1Affine {
-	res.X = api.Mul(P.X, cc.thirdRootOne2)
-	res.Y = api.Sub(0, P.Y)
-	return res
-}
-
 func (cc *innerConfig) phi2(api frontend.API, res, P *g2AffP) *g2AffP {
 	res.X.MulByFp(api, P.X, cc.thirdRootOne2)
 	res.Y = P.Y
 	return res
 }
 
-func (cc *innerConfig) phi1Neg(api frontend.API, res, P *g2AffP) *g2AffP {
-	res.X.MulByFp(api, P.X, cc.thirdRootOne1)
-	res.Y.Neg(api, P.Y)
-	return res
-}
-
 type curvePoints struct {
 	G1x *big.Int      // base point x
 	G1y *big.Int      // base point y