GLV for Edwards curves. #255

Open
SupremoUGH opened this issue Sep 20, 2022 · 0 comments
Labels
A-cryptography Area: Issues and PRs related to Cryptography P-low Priority: Low


@SupremoUGH

Add the twisted Edwards implementation too.

Originally posted by @bhgomes in #211 (comment)

Right now we have a proper implementation of the GLV endomorphism (https://www.iacr.org/archive/crypto2001/21390189.pdf) for BLS12 and BN254 and, in general, for any elliptic curve given in Weierstrass normal form whose prime field is 1 mod 3 and whose scalar field is of prime order.

GLV is the fastest scalar multiplication algorithm we have (at least in R1CS), so it is worth investigating how to generalize it to curves given in Edwards form.

What we need:

  • Find an efficient endomorphism of the curve (which has to depend only on the curve and not on the point).
  • One of the roots of the characteristic polynomial of this endomorphism has to have roughly half the bits of the scalar field of the Edwards curve.

Where to start:

  • Check the papers which cite the original GLV work. Has this been done before?
  • (Twisted) Edwards curves are birationally equivalent to Weierstrass curves. See if the corresponding WC has a GLV endomorphism and, if so, whether it translates well into the tEC under the birational transformation.
  • Start with solving "desirable" characteristic polynomials and see whether the corresponding endomorphism is efficient or not.

Just as a final reminder, keep in mind we don't need to come up with a complete theory/write a new paper on GLV; we just need efficient endomorphisms for those tEC that we're going to support.

@bhgomes bhgomes added P-low Priority: Low A-cryptography Area: Issues and PRs related to Cryptography labels Sep 20, 2022
@bhgomes bhgomes added this to the Future milestone Sep 20, 2022
@bhgomes bhgomes removed this from the Future milestone Feb 7, 2023
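
For reference, the Weierstrass-side baseline that the issue wants to carry over to twisted Edwards curves, as an added example that is not part of the issue or of the project's code: a curve-only endomorphism, its eigenvalue, and the split of a scalar into two half-length scalars. It assumes the commonly published BN254 parameters (BN parameter `u`, curve y^2 = x^3 + 3, generator (1, 2)), uses hypothetical function names and variable-time affine arithmetic, and takes the second lattice vector as LAM times the first instead of running a full lattice reduction.

```python
# Assumed (not from the issue): BN254 parameter u, y^2 = x^3 + 3, G = (1, 2).
u = 4965661367192848881
p = 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1   # base field, p = 1 mod 3
n = 36*u**4 + 36*u**3 + 18*u**2 + 6*u + 1   # prime group order, n = 1 mod 3
G = (1, 2)

def add(P, Q):                               # affine addition, None = infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3*x1*x1, 2*y1) if P == Q else (y2 - y1, x2 - x1)
    m = num * pow(den % p, -1, p)
    x3 = (m*m - x1 - x2) % p
    return x3, (m*(x1 - x3) - y1) % p

def mul(k, P):                               # plain double-and-add baseline
    if k < 0:
        k, P = -k, (P[0], -P[1] % p)
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def cube_root_of_unity(q):                   # nontrivial root of x^2 + x + 1 mod q
    return next(w for g in range(2, 50) if (w := pow(g, (q - 1)//3, q)) != 1)

LAM, BETA = cube_root_of_unity(n), cube_root_of_unity(p)
if mul(LAM, G) != (BETA * G[0] % p, G[1]):   # pair BETA with the eigenvalue LAM
    BETA = BETA * BETA % p

def phi(P):                                  # uses only the curve constant BETA
    return BETA * P[0] % p, P[1]

def decompose(k):                            # k = k1 + k2*LAM (mod n), both short
    r0, r1, t0, t1 = n, LAM, 0, 1            # invariant: r_i = t_i*LAM (mod n)
    while r1 * r1 >= n:
        r0, r1, t0, t1 = r1, r0 % r1, t1, t0 - (r0 // r1)*t1
    a1, b1 = r1, -t1                         # short v1: a1 + b1*LAM = 0 (mod n)
    a2, b2 = -b1, a1 - b1                    # v2 = LAM*v1, as LAM^2 + LAM + 1 = 0
    d = a1*b2 - a2*b1
    c1, c2 = (2*k*b2 + d) // (2*d), (-2*k*b1 + d) // (2*d)
    return k - c1*a1 - c2*a2, -c1*b1 - c2*b2

def glv_mul(k, P):                           # k*P = k1*P + k2*phi(P)
    k1, k2 = decompose(k % n)
    return add(mul(k1, P), mul(k2, phi(P)))
```

The speedup comes from running the two half-length multiplications in `glv_mul` as one interleaved loop with shared doublings; they are kept separate here for brevity. An Edwards candidate has to pass the same checks: the map fixes the curve, acts as a fixed scalar on the prime-order subgroup, and yields a short decomposition.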