perf(2-chains): small optim in varScalarMul and JointScalarMul

std/algebra/native/sw_bls12377/g1.go

@@ -227,16 +227,16 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	//     Acc = Q + Φ(Q)
-	Acc = tableQ[1]
-	Acc.AddAssign(api, tablePhiQ[1])
+	// Acc = Q + Φ(Q) = -Φ²(Q)
+	cc.phi2Neg(api, &Acc, &Q)
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
 	// step value from [2] Acc (instead of conditionally adding step value to
 	// Acc):
 	//     Acc = [2] (Q + Φ(Q)) ± Q ± Φ(Q)
 	// only y coordinate differs for negation, select on that instead.
+	// first bit
 	B.X = tableQ[0].X
 	B.Y = api.Select(s1bits[nbits-1], tableQ[1].Y, tableQ[0].Y)
 	Acc.DoubleAndAdd(api, &Acc, &B)
@@ -498,9 +498,9 @@ func (P *G1Affine) jointScalarMulUnsafe(api frontend.API, Q, R G1Affine, s, t fr
 	cc.phi1(api, &tablePhiS[3], &tableS[3])
 
 	// suppose first bit is 1 and set:
-	// Acc = Q + R + Φ(Q) + Φ(R)
-	Acc := tableS[1]
-	Acc.AddAssign(api, tablePhiS[1])
+	// Acc = Q + R + Φ(Q) + Φ(R) = -Φ²(Q+R)
+	var Acc G1Affine
+	cc.phi2Neg(api, &Acc, &tableS[1])
 
 	// Acc = [2]Acc ± Q ± R ± Φ(Q) ± Φ(R)
 	var B G1Affine

std/algebra/native/sw_bls12377/g2.go

@@ -236,16 +236,16 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	//     Acc = Q + Φ(Q)
-	Acc = tableQ[1]
-	Acc.AddAssign(api, tablePhiQ[1])
+	// Acc = Q + Φ(Q)
+	cc.phi1Neg(api, &Acc, &Q)
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
 	// step value from [2] Acc (instead of conditionally adding step value to
 	// Acc):
 	//     Acc = [2] (Q + Φ(Q)) ± Q ± Φ(Q)
 	// only y coordinate differs for negation, select on that instead.
+	// first bit
 	B.X = tableQ[0].X
 	B.Y.Select(api, s1bits[nbits-1], tableQ[1].Y, tableQ[0].Y)
 	Acc.DoubleAndAdd(api, &Acc, &B)

std/algebra/native/sw_bls12377/inner.go

@@ -29,12 +29,24 @@ func (cc *innerConfig) phi1(api frontend.API, res, P *G1Affine) *G1Affine {
 	return res
 }
 
+func (cc *innerConfig) phi2Neg(api frontend.API, res, P *G1Affine) *G1Affine {
+	res.X = api.Mul(P.X, cc.thirdRootOne2)
+	res.Y = api.Sub(0, P.Y)
+	return res
+}
+
 func (cc *innerConfig) phi2(api frontend.API, res, P *g2AffP) *g2AffP {
 	res.X.MulByFp(api, P.X, cc.thirdRootOne2)
 	res.Y = P.Y
 	return res
 }
 
+func (cc *innerConfig) phi1Neg(api frontend.API, res, P *g2AffP) *g2AffP {
+	res.X.MulByFp(api, P.X, cc.thirdRootOne1)
+	res.Y.Neg(api, P.Y)
+	return res
+}
+
 // getInnerCurveConfig returns the configuration of the inner elliptic curve
 // which can be defined on the scalars of outer curve.
 func getInnerCurveConfig(outerCurveScalarField *big.Int) *innerConfig {

std/algebra/native/sw_bls24315/g1.go

@@ -226,16 +226,16 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	//     Acc = Q + Φ(Q)
-	Acc = tableQ[1]
-	Acc.AddAssign(api, tablePhiQ[1])
+	// Acc = Q + Φ(Q) = -Φ²(Q)
+	cc.phi2Neg(api, &Acc, &Q)
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
 	// step value from [2] Acc (instead of conditionally adding step value to
 	// Acc):
 	//     Acc = [2] (Q + Φ(Q)) ± Q ± Φ(Q)
 	// only y coordinate differs for negation, select on that instead.
+	// first bit
 	B.X = tableQ[0].X
 	B.Y = api.Select(s1bits[nbits-1], tableQ[1].Y, tableQ[0].Y)
 	Acc.DoubleAndAdd(api, &Acc, &B)
@@ -480,9 +480,9 @@ func (P *G1Affine) jointScalarMul(api frontend.API, Q, R G1Affine, s, t frontend
 	cc.phi1(api, &tablePhiS[3], &tableS[3])
 
 	// suppose first bit is 1 and set:
-	// Acc = Q + R + Φ(Q) + Φ(R)
-	Acc := tableS[1]
-	Acc.AddAssign(api, tablePhiS[1])
+	// Acc = Q + R + Φ(Q) + Φ(R) = -Φ²(Q+R)
+	var Acc G1Affine
+	cc.phi2Neg(api, &Acc, &tableS[1])
 
 	// Acc = [2]Acc ± Q ± R ± Φ(Q) ± Φ(R)
 	var B G1Affine

std/algebra/native/sw_bls24315/g2.go

@@ -236,16 +236,16 @@ func (P *g2AffP) varScalarMul(api frontend.API, Q g2AffP, s frontend.Variable, o
 	// decomposed, either the high bits of s1 or s2 are set and we can use the
 	// incomplete addition laws.
 
-	//     Acc = Q + Φ(Q)
-	Acc = tableQ[1]
-	Acc.AddAssign(api, tablePhiQ[1])
+	// Acc = Q + Φ(Q)
+	cc.phi1Neg(api, &Acc, &Q)
 
 	// However, we can not directly add step value conditionally as we may get
 	// to incomplete path of the addition formula. We either add or subtract
 	// step value from [2] Acc (instead of conditionally adding step value to
 	// Acc):
 	//     Acc = [2] (Q + Φ(Q)) ± Q ± Φ(Q)
 	// only y coordinate differs for negation, select on that instead.
+	// first bit
 	B.X = tableQ[0].X
 	B.Y.Select(api, s1bits[nbits-1], tableQ[1].Y, tableQ[0].Y)
 	Acc.DoubleAndAdd(api, &Acc, &B)

std/algebra/native/sw_bls24315/inner.go

@@ -61,12 +61,24 @@ func (cc *innerConfig) phi1(api frontend.API, res, P *G1Affine) *G1Affine {
 	return res
 }
 
+func (cc *innerConfig) phi2Neg(api frontend.API, res, P *G1Affine) *G1Affine {
+	res.X = api.Mul(P.X, cc.thirdRootOne2)
+	res.Y = api.Sub(0, P.Y)
+	return res
+}
+
 func (cc *innerConfig) phi2(api frontend.API, res, P *g2AffP) *g2AffP {
 	res.X.MulByFp(api, P.X, cc.thirdRootOne2)
 	res.Y = P.Y
 	return res
 }
 
+func (cc *innerConfig) phi1Neg(api frontend.API, res, P *g2AffP) *g2AffP {
+	res.X.MulByFp(api, P.X, cc.thirdRootOne1)
+	res.Y.Neg(api, P.Y)
+	return res
+}
+
 type curvePoints struct {
 	G1x *big.Int      // base point x
 	G1y *big.Int      // base point y