perf: twisted Edwards lattice-based double-base MSM

[yelhousni]

Description

This PR is stacked on #1763 and contains the native twisted Edwards MSM follow-up only. It adds lattice-based double-base scalar multiplication variants for native twisted Edwards curves:

• DoubleBaseScalarMulNonZero as the optimized non-degenerate path.
• MSM(3, 2n/3) for curves without a GLV endomorphism.
• MSM(6, n/3) for curves with a GLV endomorphism, including Bandersnatch endomorphism parameters.
• lattice reconstruction hints for the multi-scalar decomposition.
• in-circuit scalar decomposition verification helpers.

DoubleBaseScalarMul remains complete for the public API and handles zero scalars / identity edge cases before dispatching to the optimized non-zero path. The branch also includes the review fixes that remove redundant hint outputs, wire scalar decomposition verification into the twisted Edwards scalar multiplication path, and bind the non-GLV MSM hint to a single result with the sound relation [x1]P1 + [x2]P2 - [z]R = O.

This PR intentionally does not include the emulated G2 GLV+FakeGLV work; that is split into #1764.

Type of change

• New feature (non-breaking change which adds functionality)
• Optimization / performance improvement
• Bug fix (non-breaking change which fixes an issue)

How has this been tested?

Focused test run:

go test -short ./std/algebra/native/twistededwards ./internal/stats

Specifically covered:

• native twisted Edwards scalar multiplication tests
• native twisted Edwards double-base scalar multiplication tests
• regression coverage for malicious trivial scalar decompositions
• regression coverage for forged double-base MSM hint outputs
• stats snippets compile and solve

How has this been benchmarked?

internal/stats/latest_stats.csv was regenerated with new MSM(2) snippets.

Snippet	R1CS constraints / wires	SCS constraints / wires
msm_G1_bn254_2	208925 / 312617	688811 / 658743
msm_P256_2	185846 / 288056	635297 / 608874
msm_secp256k1_2	208997 / 312737	689104 / 659028
msm_babyjubjub_2	5269 / 5683	12389 / 11848
msm_jubjub_2	5276 / 5754	12332 / 11855
msm_bandersnatch_2	5532 / 6301	13470 / 12918

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing focused tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules (gnark-crypto/algebra/lattice)

---

Note

High Risk
Changes in-circuit elliptic-curve MSM soundness (hints, LogUp tables, emulated scalar checks); mistakes could admit invalid witnesses in proofs.

Overview
Adds DoubleBaseScalarMulNonZero on native twisted Edwards curves: a fast path for s1·P1 + s2·P2 when scalars and points are non-degenerate, while DoubleBaseScalarMul stays the complete API.

Non-GLV curves use a 3-MSM + LogUp path with joint multi-rational scalar decomposition (r^(2/3) bits). Bandersnatch uses 6-MSM with GLV endomorphism params and extended multi-rational reconstruction (r^(1/3) bits). New hints (doubleBaseScalarMulHint, multiRationalReconstruct*) supply partial results; in-circuit checks enforce the MSM identity (e.g. [x1]P1 + [x2]P2 − [z]R = O).

rationalReconstruct drops the integer k output (3 outputs instead of 4); scalarMulFakeGLV verifies decomposition via new emulated-mod-order helpers in scalar_decomp.go / emulatedparams.go. internal/stats gains MSM(2) snippets and updated latest_stats.csv for constraint benchmarking.

^{Reviewed by Cursor Bugbot for commit ad550d0. Bugbot is set up for automated code reviews on this repo. Configure here.}

[yelhousni]

@ivokub this one is also ready for review (after #1763)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit b69a249. Configure here.}