fix: Further WHIR audit fixes (chiefly consistency checks in WhirProofShape construction)#2706

Open: erabinov wants to merge 17 commits into main from erabinov/whir_fixes

Conversation

@erabinov (Contributor) commented Apr 9, 2026

The main fixes in this PR are:

  1. Check whether the length of a variable-length slice passed to the challenger overflows the field order, and return an error if so.
  2. Move the into_extension() methods on Buffer and Tensor to CPU-specific implementations that use safe Rust. The generic-backend versions are not needed.
  3. Remove redundant fields of the WhirProofShape struct (ones that could be deduced from equalities like starting_domain_log_size = starting_interleaved_log_height + starting_inv_log_rate), and create a new struct UncheckedWhirProofShape that has all the same fields but pub. Make a constructor for WhirProofShape that takes in an UncheckedWhirProofShape and performs consistency checks on the shape, panicking if the unchecked shape is invalid. The WhirProofShape struct fields are only accessed via getters.

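The unchecked-to-checked construction pattern from item 3, as an added illustration rather than the project's code: the only field names taken from the PR text are starting_interleaved_log_height and starting_inv_log_rate; the folding_factors field, the specific consistency rules, and the non-panicking try_new variant are assumptions made for this example.

```rust
// Added example, not the project's code. Field names other than the two from
// the PR text, and the concrete consistency rules, are hypothetical.

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum ShapeError {
    ZeroInvLogRate,
    FoldingOverflow,
    FoldingExceedsHeight { folded: usize, height: usize },
}

/// Raw shape with every field `pub`; nothing about it is guaranteed.
#[derive(Clone, Debug)]
pub struct UncheckedWhirProofShape {
    pub starting_interleaved_log_height: usize,
    pub starting_inv_log_rate: usize,
    pub folding_factors: Vec<usize>, // hypothetical: log2 fold per round
}

/// Checked shape: private fields, so a value exists only if `try_new` accepted it.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct WhirProofShape {
    starting_interleaved_log_height: usize,
    starting_inv_log_rate: usize,
    folding_factors: Vec<usize>,
}

impl WhirProofShape {
    /// Non-panicking check (assumed variant); `new` below panics as the PR describes.
    pub fn try_new(u: UncheckedWhirProofShape) -> Result<Self, ShapeError> {
        if u.starting_inv_log_rate == 0 { return Err(ShapeError::ZeroInvLogRate); }
        // Sum with checked_add so a hostile length cannot wrap around.
        let folded = u.folding_factors.iter()
            .try_fold(0usize, |acc, &f| acc.checked_add(f))
            .ok_or(ShapeError::FoldingOverflow)?;
        let height = u.starting_interleaved_log_height;
        if folded > height { return Err(ShapeError::FoldingExceedsHeight { folded, height }); }
        Ok(Self { starting_interleaved_log_height: height,
                  starting_inv_log_rate: u.starting_inv_log_rate,
                  folding_factors: u.folding_factors })
    }
    /// Panicking constructor, matching the PR description.
    pub fn new(u: UncheckedWhirProofShape) -> Self {
        Self::try_new(u).expect("invalid WhirProofShape")
    }
    pub fn starting_interleaved_log_height(&self) -> usize { self.starting_interleaved_log_height }
    pub fn starting_inv_log_rate(&self) -> usize { self.starting_inv_log_rate }
    /// Deduced from the equality in the PR rather than stored, so it can never disagree.
    pub fn starting_domain_log_size(&self) -> usize {
        self.starting_interleaved_log_height + self.starting_inv_log_rate
    }
    pub fn final_log_height(&self) -> usize {
        self.starting_interleaved_log_height - self.folding_factors.iter().sum::<usize>()
    }
}
```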
@github-actions (Bot) commented Apr 9, 2026

| Test | Old | New | Diff |
|---|---|---|---|
| rust_crypto_rsa_test_pkcs_verify_100 | 29100609 | 28709911 | -1.3426 % |
| rustcrypto_bigint_test_bigint_mul_mod_special | 1753913 | 1753913 | 0.0000 % |
| secp256k1_program_test_verify_rand_lte_100 | 17183372 | 17159514 | -0.1388 % |
| p256_test_verify_rand_lte_100 | 11904094 | 11896827 | -0.0610 % |
| sha_test_sha2_v0_9_9_expected_digest_lte_100_times | 1262268 | 1261020 | -0.0989 % |
| k256_test_recover_pubkey_infinity | 98256 | 98256 | 0.0000 % |
| k256_test_verify_rand_lte_100 | 11935528 | 11897335 | -0.3200 % |
| bls12_381_tests_test_bls_double_100 | 6402221 | 6402221 | 0.0000 % |
| curve25519_dalek_ng_test_zero_mul | 108069 | 108069 | 0.0000 % |
| bls12_381_tests_test_inverse_fp_100 | 1434358 | 1434358 | 0.0000 % |
| curve25519_dalek_test_zero_mul | 72086 | 72086 | 0.0000 % |
| bn_test_bn_test_g1_double_100 | 729016 | 729016 | 0.0000 % |
| curve25519_dalek_test_decompressed_expected_value | 4503210 | 4583403 | 1.7808 % |
| bn_test_bn_test_g1_add_100 | 986709 | 986709 | 0.0000 % |
| keccack_test_expected_digest_lte_100 | 1713554 | 1717289 | 0.2180 % |
| rustcrypto_bigint_test_bigint_mul_add_residue | 1736510 | 1736476 | -0.0020 % |
| secp256k1_program_test_recover_v0_30_0_rand_lte_100 | 5487322 | 5483565 | -0.0685 % |
| sha_test_sha2_v0_10_8_expected_digest_lte_100_times | 1767655 | 1766124 | -0.0866 % |
| p256_test_recover_high_hash_high_recid | 5231609 | 4670436 | -10.7266 % |
| bn_test_bn_test_fr_inverse_100 | 851812 | 851812 | 0.0000 % |
| curve25519_dalek_ng_test_add_then_multiply | 3931405 | 3777701 | -3.9096 % |
| curve25519_dalek_ng_test_decompressed_noncanonical | 195590 | 195590 | 0.0000 % |
| k256_test_recover_high_hash_high_recid | 2103540 | 1780372 | -15.3631 % |
| secp256k1_program_test_verify_v0_30_0_rand_lte_100 | 17123216 | 17125425 | 0.0129 % |
| k256_test_recover_rand_lte_100 | 4451299 | 4445785 | -0.1239 % |
| bls12_381_tests_test_inverse_fp2_100 | 2764153 | 2764153 | 0.0000 % |
| bls12_381_tests_test_bls_add_100 | 10573308 | 10573308 | 0.0000 % |
| bls12_381_tests_test_sqrt_fp2_100 | 1847617 | 1761883 | -4.6402 % |
| curve25519_dalek_test_add_then_multiply | 3067898 | 3144632 | 2.5012 % |
| sha_test_sha2_v0_10_9_expected_digest_lte_100_times | 1767470 | 1765552 | -0.1085 % |
| secp256k1_program_test_recover_rand_lte_100 | 5494683 | 5478818 | -0.2887 % |
| bn_test_bn_test_fq_sqrt_100 | 833212 | 833212 | 0.0000 % |
| k256_test_schnorr_verify | 5745649 | 5746580 | 0.0162 % |
| sha_test_sha2_v0_10_6_expected_digest_lte_100_times | 1765644 | 1765081 | -0.0319 % |
| sha_test_sha3_expected_digest_lte_100_times | 1609044 | 1609108 | 0.0040 % |
| bn_test_bn_test_fq_inverse_100 | 834812 | 834812 | 0.0000 % |
| curve25519_dalek_test_decompressed_noncanonical | 7660 | 7660 | 0.0000 % |
| bls12_381_tests_test_sqrt_fp_100 | 1012142 | 955538 | -5.5925 % |
| curve25519_dalek_ng_test_zero_msm | 125560 | 125560 | 0.0000 % |
| curve25519_dalek_test_ed25519_verify | 13288849 | 13289582 | 0.0055 % |
| p256_test_recover_pubkey_infinity | 102276 | 102276 | 0.0000 % |
| curve25519_dalek_test_zero_msm | 83636 | 83636 | 0.0000 % |
| p256_test_recover_rand_lte_100 | 15958208 | 15953579 | -0.0290 % |

erabinov force-pushed the erabinov/whir_fixes branch from c3c0373 to 2c1cbbb on April 15, 2026 18:58
erabinov force-pushed the erabinov/whir_fixes branch from d53df26 to f26f108 on April 20, 2026 20:17