Feat: fixed-argument emulated pairing

[yelhousni]

This PR adds circuits for emulated pairing e(P,G₂) and e(P,G₂)*e(T,Q) where G₂ is a fixed point (the canonical generator of the G2 subgroup). The idea is to precompute all the lines and avoid to do EC arithmetic in-circuit. This scenario happens for e.g. BLS signature (minimal-signature-size variant) and KZG.

TODO for later PRs:

• pre-compute product of lines when bit is 1 or -1
• emulated BLS signature gadget
• emulated KZG gadget
• allow fixed arguments other than G₂ (KZG has 2 pairings, one with fixed G₂ and one with fixed [α]G₂ from the SRS)

---

• same for native pairing packages
  • BLS12-377
  • BLS24-315

[yelhousni]

For a single fixed-argument BN254 pairing, i.e. e(P,G2), this PR saves 301k r1cs:

BenchmarkSinglePairing
groth16:  1525855

BenchmarkSingleFixedPairing
groth16:  1223891

For a double BN254 pairing where only one is fixed-argument, i.e. e(P1,G2)*e(P2,Q), this saves 173k r1cs:

BenchmarkDoublePairing
groth16:  1876157

BenchmarkDoubleFixedPairing
groth16:  1702867

Same goes for BLS12-381.

[ivokub]

I made a few changes:

• for native I just made the computated lines private.
• for emulated I made the computed lines private and also initalise lazily as there is small overhead. It is not significant, but in the future when we maybe want to provide fixed point as a paremeter, then it is bigger.

Otherwise looks good as always!

[ivokub]

Your modifications also approved.