perf: twisted Edwards lattice-based double-base MSM

[yelhousni]

Description

This PR is stacked on #1763 and contains the native twisted Edwards MSM follow-up only. It adds lattice-based double-base scalar multiplication variants for native twisted Edwards curves:

• DoubleBaseScalarMulNonZero as the optimized non-degenerate path.
• MSM(3, 2n/3) for curves without a GLV endomorphism.
• MSM(6, n/3) for curves with a GLV endomorphism, including Bandersnatch endomorphism parameters.
• lattice reconstruction hints for the multi-scalar decomposition.
• in-circuit scalar decomposition verification helpers.

DoubleBaseScalarMul remains complete for the public API and handles zero scalars / identity edge cases before dispatching to the optimized non-zero path. The branch also includes the review fixes that remove redundant hint outputs, wire scalar decomposition verification into the twisted Edwards scalar multiplication path, and bind the non-GLV MSM hint to a single result with the sound relation [x1]P1 + [x2]P2 - [z]R = O.

This PR intentionally does not include the emulated G2 GLV+FakeGLV work; that is split into #1764.

Type of change

• New feature (non-breaking change which adds functionality)
• Optimization / performance improvement
• Bug fix (non-breaking change which fixes an issue)

How has this been tested?

Focused test run:

go test -short ./std/algebra/native/twistededwards ./internal/stats

Specifically covered:

• native twisted Edwards scalar multiplication tests
• native twisted Edwards double-base scalar multiplication tests
• regression coverage for malicious trivial scalar decompositions
• regression coverage for forged double-base MSM hint outputs
• stats snippets compile and solve

How has this been benchmarked?

internal/stats/latest_stats.csv was regenerated with new MSM(2) snippets.

Snippet	R1CS constraints / wires	SCS constraints / wires
msm_G1_bn254_2	208925 / 312617	688811 / 658743
msm_P256_2	185846 / 288056	635297 / 608874
msm_secp256k1_2	208997 / 312737	689104 / 659028
msm_babyjubjub_2	5269 / 5683	12389 / 11848
msm_jubjub_2	5276 / 5754	12332 / 11855
msm_bandersnatch_2	5532 / 6301	13470 / 12918

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing focused tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules (gnark-crypto/algebra/lattice)

---

Note

High Risk
Touches cryptographic scalar decomposition and hint verification logic used in-circuit (GLV/fake-GLV and new TE MSM paths), where mistakes can cause soundness or incorrect proofs. Adds new hint-driven MSM implementations and parameter handling across multiple curves, increasing surface area despite added regression tests.

Overview
Adds an optimized native twisted Edwards DoubleBaseScalarMulNonZero that dispatches to new lattice-based MSM variants: a 3-MSM path for non-GLV curves and a 6-MSM (with φ endomorphism) path for Bandersnatch, including wiring endomorphism parameters into NewEdCurve.

Replaces HalfGCD/Eisenstein HalfGCD hint usage with LLL-backed rational reconstruction (rationalReconstruct, rationalReconstructExt) in both emulated SW and native BLS12-377 GLV+FakeGLV paths, and tightens bit-length bounds for the GLV accumulator loops.

Introduces new twisted Edwards hints (doubleBaseScalarMulHint, multi-scalar rational reconstruction hints) plus emulated-order parameters and in-circuit decomposition verification helpers, and adds/updates regression tests to reject trivial decompositions and forged MSM hint outputs. Updates internal/stats snippets/bench CSV with new MSM(2) measurements (including TE curves).

^{Reviewed by Cursor Bugbot for commit 82edcb3. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit d230b53. Configure here.}

[yelhousni]

@ivokub this one is also ready for review (after #1763)