Add sum-of-products for G1Projective and G2Projective

[andrewwhitehead]

This code originates in bls12_381_plus and is copied with permission. Written by @mikelodder7

[andrewwhitehead]

For our use case this can be drastically faster when computing p[0] * s[0] + ... + p[n-1] * s[n-1] where p are G1 points and s are scalars. For example:

• n = 10: 4.9057 ms vs 259.34 us (94% faster)
• n = 100: 50.524 ms vs 281.01 us (99% faster)

[tarcieri]

Sidebar: it might be nice to have traits for this in e.g. the group crate.

We had a similar need in the k256 crate: RustCrypto/elliptic-curves#380

Maybe someone can open a tracking issue /cc @fjarri

[mikelodder7]

I’d be up for that.

[str4d]

We also have multiexponentiation arithmetic in the halo2 crate, and it definitely seems like a good candidate for making generic in the group crate (in the same way I recently added generic batch-inversion logic to the ff crate).

In the meantime, I'll look at this PR in the next week or two.

[str4d]

I skimmed over the PR and it looks fine. However, @ebfull and I don't think that we should have an implementation of this here specifically; instead it should go generically into group. I've opened zkcrypto/group#25 for tracking progress on this.