perf(crypto): CRP-2965 Avoid adding into the identity element during BLS12-381 multiplication

[randombit]

In various elliptic curve point multiplication algorithms, an accumulator element is created (initialized as the identity element) and then several points are added to it.

However the first point addition is always completely avoidable; it's equvalent to just an assignment.

Restructure the multiplication algorithms such that the accumulator is instead initialized with the value created in the first loop of the multiplication algorithm.

[randombit]

This is a pretty minor optimization overall; at best it saves a single point addition which even for G2 costs just ~ 2 microseconds. But it's a pretty easy change and, imo across all of the scalar multiplications ever performed by the system kind of adds up.

[andreacerulli]

I see we have three implementations of ct_select. One of them does the wrapping_sub(1) internally, the other two don't, so we have to do the wrapping_sub(1) here. I guess this kind of makes sense, because in the former case the table is defined elsewhere, while in the latter the table is part of the same function so we know the table is shifted.

However, I wonder if we should aim to have a consistent implementation across all types, if possible. The actual concern I have is related to the use of macros, which makes it a bit hard (for me) to track what types we can instantiate them on. For example, could I have declare_windowed_scalar_mul_ops_for on an affine type? IIUC this would then use the ct_select with internal wrapping_sub, which may not result in the correct behaviour?

WDYT?

[randombit]

Yeah that is kind of funky (and the macro proliferation admittedly does not make it easier!), I'll see if I can clean that up