Refine scalar decomposition for GLV/GLS endomorphism acceleration

[mratsim]

This issue tracks research and potential alternatives to the current lattice reduction based scalar decomposition. This is mentioned in #345 (comment).

Ideally we solve the following 3 issues:

• rigorous bounds on the mini-scalars, even if we try to decompose both a 4-bit scalar and a 254-bit scalar with the same code.
• ensuring only positive scalars, so GLV recoding does not need to have an extra bit.
• reducing the number of precomputed values to reduce binary size.

Research papers

• An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves
  Young-Ho Park, Sangtae Jeong, Chang Han Kim & Jongin Lim, 2002
  https://link.springer.com/content/pdf/10.1007/3-540-45664-3_23.pdf
• GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias
  Diego F. Aranha, Pierre-Alain Fouque, Benoît Gérard, Jean-Gabriel
  Kammerer, Mehdi Tibouchi, and Jean-Christophe Zapalowicz, 2014
  https://iacr.org/archive/asiacrypt2014/88730232/88730232.pdf
• Refinement of the Four-Dimensional GLV Method on Elliptic Curves
  Hairong Yi, Yuqing Zhu, and Dongdai Lin, 2017
  https://link.springer.com/content/pdf/10.1007/978-3-319-72565-9_2.pdf

[mratsim]

• Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves
  Francesco Sica, Mathieu Ciet, Jean-Jacques Quisquater
  https://link.springer.com/chapter/10.1007/3-540-36492-7_3
• Integer Decomposition for Fast Scalar Multiplication on Elliptic Curves
  Dongryeol Kim, Seongan Lim
  https://link.springer.com/chapter/10.1007/3-540-36492-7_2

[mratsim]

• Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians
  Benjamin Smith, 2013
  https://inria.hal.science/hal-00874925v1/document