Strauss-Shamir trick: [a]P + [b]Q

[mratsim]

It is often needed to compute scalar multiplication in parallel via

R <- [a]P + [b]Q

This is usually known as the Strauss-Shamir trick, see https://eprint.iacr.org/2003/257.pdf or https://stackoverflow.com/questions/50993471/ec-scalar-multiplication-with-strauss-shamir-method

Furthermore to reduce the number of point addition, the points P and Q can be recoded under the joint-sparse-form to minimize the total hamming weight.

[paulmillr]

See https://gist.github.com/paulmillr/178042240169f0f531f8cc95e532f9db

It's slower if you use G precomputes, unfortunately.

[mratsim]

For ease of simplicity, we can start by re-using the algorithms used to add split scalars resulting from endomorphism acceleration. This should provide a decent baseline since the doublings are shared.