DDB
Hi, shouldn't the zero point in SW Jacobian be any point of the form (t^2:t^3:0) with t ≠ 0 (conventionally represented with (1:1:0)), instead of (0:1:0), which is actually the zero...
This PR introduces several macros to generate concrete algebraic and crypto-primitive type bindings and functions for (a subset of) curves defined in ginger-lib, via specific compilation flags. This is done...
PR is huge due to some refactoring and new constants added in the density optimized Poseidon Hash Gadget affecting around +20000 -9000 lines of code.
- In `mul_bits_fixed_base` we can optimize performance by applying the batch inversion to the whole table and not only to the table obtained by packing 2 bits at a time;...
Some of the IOP rounds are exactly the same across different variants of the Marlin/Darlin proving system. Currently there is no code reuse because the functions implementing the IOP rounds...
There are a couple of pending refactoring/improvements on poly-commit that we decided to postpone: - Avoid cloning when trimming keys. This requires passing around references and dealing with lifetimes, that...
We require a hash-to-curve in our implementation of the ECVRF. Currently we are using Bowe-Hopwood, which is actually a CRH, so it is probably not the best choice. We should...
A couple of errors with the endo mul must be fixed: 1. Tests (both for primitive and gadget) for Tweedle are wrong, as they consider the first 128 bits of...
Current construction of Blake2ChaChaFsRng is fine, though we can replace it with a more common complete hash-based construction (using only Blake2 SIMD for instance)