perf: G2 lattice-based GLV+FakeGLV scalar-mul

[yelhousni]

Description

This PR is stacked on #1763 and contains the G2 follow-up only. It adds lattice-based GLV+FakeGLV scalar multiplication for emulated G2 curves:

• BLS12-381 G2 switches its default ScalarMul path to the 4-dimensional GLV+FakeGLV decomposition.
• BN254 G2 gets a ScalarMul implementation using the same GLV+FakeGLV structure.
• BW6-761 G2 gets a ScalarMul implementation using the same GLV+FakeGLV structure.

The implementation adds curve-specific scalar multiplication hints and lattice reconstruction hints, then verifies the hinted result in-circuit through the GLV/fakeGLV relation instead of trusting the hint output. It also adds stats snippets for the new G2 scalar multiplication paths.

This PR intentionally does not include the native twisted Edwards MSM work; that is split into #1765.

Type of change

• New feature (non-breaking change which adds functionality)
• Optimization / performance improvement

How has this been tested?

Focused test run:

go test -short ./std/algebra/emulated/sw_bls12381 ./std/algebra/emulated/sw_bn254 ./std/algebra/emulated/sw_bw6761 ./internal/stats

Specifically covered:

• BLS12-381 G2 scalar multiplication tests
• BN254 G2 scalar multiplication tests
• BW6-761 G2 scalar multiplication tests
• stats snippets compile and solve

How has this been benchmarked?

internal/stats/latest_stats.csv was regenerated with new G2 scalar multiplication snippets.

Snippet	R1CS constraints / wires	SCS constraints / wires
scalar_mul_G2_bls12381	138129 / 216643	481714 / 463233
scalar_mul_G2_bn254	102279 / 158428	349799 / 336420
scalar_mul_G2_bw6761	191105 / 296444	659865 / 637514

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing focused tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules (gnark-crypto/algebra/lattice)

---

Note

High Risk
Large changes to in-circuit elliptic-curve scalar multiplication and hint soundness; incorrect decomposition, verification, or edge-case handling could break proof soundness for pairing/G2-heavy circuits.

Overview
Adds lattice-based GLV+FakeGLV in-circuit G2 ScalarMul for emulated BLS12-381, BN254, and BW6-761, replacing BLS12-381’s prior 2D Halo/GLV default and introducing the path on BN254/BW6 where it was missing.

The new flow hints R = [s]Q, decomposes −s into four ~r^(1/4) sub-scalars via rationalReconstructExtG2, and verifies [v1]R + [v2]Φ(R) + [u1]Q + [u2]Φ(Q) = O with a biased accumulator check against precomputed generator constants—not trusting hints alone. Complete mode uses AddUnified, unified doubling, and explicit handling of s ∈ {0, ±1} and infinity; WithIncompleteArithmetic is now a real faster path (previously ignored on BLS12-381 G2).

Also wires MultiScalarMul through the new scalar mul on BLS12-381, registers G2 hint functions, adds stats snippets and updated latest_stats.csv, and extends edge-case tests per curve.

^{Reviewed by Cursor Bugbot for commit c635573. Bugbot is set up for automated code reviews on this repo. Configure here.}

[yelhousni]

@ivokub this one is also ready for review (after #1763)

[ivokub]

Two inline comments on BN254/BW6-761 default completeness.

[ivokub]

Inline comment on the trusted emulated sub-scalar bounds issue.

[ivokub]

Inline comment on documenting the G2 subgroup precondition.

[ivokub]

Inline comment on G2 scalar-mul edge-case test coverage.

[ivokub]

In general looks good, but please see inline comments. Particularly, the implementation should now be complete by default to follow the convention as for G1.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit cd1ab5f. Configure here.}

[ivokub]

Inline comments on the signed R-coefficient non-zero check. I am skipping the sub-scalar range-bound finding here since it is tracked separately in #1767.

[ivokub]

The previous issues are addressed. Now there is only one small issue still left.

[ivokub]

Thanks! All perfect now!