perf(bn254): include G2 membership check in ML

[yelhousni]

Description

Including G2 subgroup membership in the pairing computations saves a lot of constraints. For Linea zkEVM, gnark circuit has only to check G2 membership as the arithemtization does the check for G1.

In computeLines the accumulated point is [6x₀+2]Q (x₀ being the curve seed). We can tweak* the subgroup membership to check [6x₀+2]Q + ψ(Q) + ψ³(Q) == ψ²(Q) instead of ψ³([2x₀]Q) - ψ²([x₀]Q) - ψ([x₀]Q) - [x₀]Q == Q. This saves the multiplication by 6x₀+2 and enforces G2 membership check systematically in pairing calls, simplifying probably the Wizard glue.

* since x₀ ≠ 4 mod 13 and x₀ ≠ 92 mod 97 for BN254, V=(6x₀+ 2,1,−1,1) is also a valid short vector.

TL;DR: G2 subgroup membership becomes ~2 point additions instead of ~81 point additions.

Type of change

• New feature (non-breaking change which adds functionality)

How has this been tested?

All current tests pass.

How has this been benchmarked?

On one hand a product of 2 pairings check increases by 18,857 scs but on the other hand the G2 membership which costs (for 2 points) 407,729 scs is removed.

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules