* windowed mul
* Working
* Window of 4 bits
* Fix
* Comments
* Unroll loop
* Unroll loop
* remove global
* Minor
* Minor
* Implement `CALLVALUE, CALLDATALOAD, CALLDATASIZE, CALLDATACOPY` in interpreter
* Minor
* Doesn't work
* Minor
* Minor
* wnaf msm
* Working hardcoded values: 28657 opcodes
* Working wnaf
* Small wnaf optim
* Precompute works
* Working together
* Bump to 129 bits
* Working glv decomposition
* Working MSM with GLV
* Almost working
* Working
* ECC test folder
* Working with real sig data
* Fix tests + Clippy
* Minor
* Cleaning
* Comments
* Cleaning
* Smaller glv test file
* Print opcode count at the end of interpreter run
* More constants
* Add z3 proof that the GLV scalars are 129-bit or less
* Minor change to z3 proof
* Move files and renaming fns
* Testing
* Fix BN GLV
* BN precompute table
* Working precompute
* Working bn tests
* Working
* Minor
* Minor
* Use MULFP254
* Minor
* Merge conflicts
* Remove unused asm file
* ECC fns renaming (#874)
* PR feedback
* windowed mul
* Working
* Window of 4 bits
* Fix
* Comments
* Unroll loop
* Unroll loop
* remove global
* Minor
* Minor
* Implement `CALLVALUE, CALLDATALOAD, CALLDATASIZE, CALLDATACOPY` in interpreter
* Minor
* Doesn't work
* Minor
* Minor
* wnaf msm
* Working hardcoded values: 28657 opcodes
* Working wnaf
* Small wnaf optim
* Precompute works
* Working together
* Bump to 129 bits
* Working glv decomposition
* Working MSM with GLV
* Almost working
* Working
* ECC test folder
* Working with real sig data
* Fix tests + Clippy
* Minor
* Cleaning
* Comments
* Cleaning
* Smaller glv test file
* Print opcode count at the end of interpreter run
* More constants
* Add z3 proof that the GLV scalars are 129-bit or less
* Minor change to z3 proof
* Minor
* Hamish's suggestion
* Working
* Cleaning
* Clippy
* PR feedback
* Minor PR feedback
Lots of little bugs!
- The Keccak sponge table's padding logic was wrong, it was mixing up the number of rows with the number of hashes.
- The Keccak sponge table's Keccak-looking data was wrong - input to Keccak-f should be after xor'ing in the block.
- The Keccak sponge table's logic-looking filter was wrong. We do 5 logic CTLs for any final-block row, even if some of the xors are with 0s from Keccak padding.
- The CPU was using the wrong/outdated output memory channel for its Keccak sponge and logic CTLs.
- The Keccak table just didn't have a way to filter out padding rows. I added a filter column for this.
- The Keccak table wasn't remembering the original preimage of a permutation; lookers were seeing the preimage of the final step. I added columns for the original preimage.
- `ctl_data_logic` was using the wrong memory channel
- Kernel bootloading generation was using the wrong length for its Keccak sponge CTL, and its `keccak_sponge_log` was seeing the wrong clock since it was called after adding the final bootloading row.
