crypto: BN254 pairing line eval following Beuchat 2010 literally

[chfast]

Alternative to the ipsilon-convention line eval on master (PRs #1541

• crypto: Trivial reuse of computed values in pairing helpers #1542): reimplement lin_func_and_dbl, lin_func_and_add, and lin_func to follow Beuchat 2010 Algorithms 26 and 27
  (https://eprint.iacr.org/2010/354.pdf) literally.

  lin_func_and_dbl (Alg 26):
  t[0] = -4·y·z³ (negated to compensate for -P.y at the
  call site; Beuchat uses +y_P)
  t[1] = -6·x²·z²
  t[2] = 6·x³ - 4·y²
  T_out = standard Jacobian doubling (X3, Y3, Z3)

  lin_func_and_add (Alg 27):
  t[0] = +4·Z3 (Z3 = z0·H; call site uses +P.y)
  t[1] = -4·R (R = y1·z0³ - y0)
  t[2] = 4·(R·x1 - y1·Z3)
  T_out RESCALED by λ=2 to (4·X3, 8·Y3, 2·Z3) — Beuchat's Alg 27
  output Jacobian. Same affine point, different Jacobian Z; required
  for the line scaling to compose consistently across Miller-loop
  iterations.

  lin_func: Alg 27 line eval without the T update.

Per Miller-loop step, this line equals -2 × the line on master (a uniform F_p factor absorbed by final exponentiation). Both produce the same pairing — the three discrepancies the ipsilon HackMD note enumerates between its derivation and Beuchat's published formulas are not correctness bugs, just a uniform F_p scaling difference that vanishes under FE. The third claim ("tmp6 = -3X² + 3X³ + 9X⁴ - 4Y² which is not close to 2Y² - 3X³") is an arithmetic slip in the note: Beuchat's line 14 expansion needs the (a+b)² - a² - b² = 2ab identity (which the algorithm uses earlier), and gives 6X³ - 4Y² = -2·(2Y² - 3X³) — the same uniform -2 factor.

Bench (build/clang-tt, 100 reps × 1s, ecpairing precompile):
master (ipsilon factored): 2892598 ns mean, 2872961 ns median
this branch (Beuchat lit.): 2861296 ns mean, 2862051 ns median
Δ: -31k ns mean (-1.1 %), within ~7 % stddev — statistically
indistinguishable. The DBL-side cost (3 extra Fq2 doublings per
call × 64 iter/pair) and the ADD-side savings (2 Fq2 muls per ~9
ADD steps/pair) roughly cancel.

Kept as a branch for reference / future comparison, not intended to land on master.

Tests: 53/53 unit, EEST state tests 11/11 on every stable fork (Byzantium / Istanbul / Cancun / Prague / Osaka).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.98%. Comparing base (1dc88fc) to head (889f20a).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1543   +/-   ##
=======================================
  Coverage   96.97%   96.98%           
=======================================
  Files         163      163           
  Lines       14455    14478   +23     
  Branches     3385     3385           
=======================================
+ Hits        14018    14041   +23     
  Misses        307      307           
  Partials      130      130           

Flag	Coverage Δ
eest-develop	91.98% <100.00%> (+0.03%)	⬆️
eest-develop-gmp	26.65% <100.00%> (+0.11%)	⬆️
eest-legacy	17.52% <0.00%> (-0.03%)	⬇️
eest-libsecp256k1	28.29% <100.00%> (+0.11%)	⬆️
eest-stable	91.89% <100.00%> (+0.03%)	⬆️
evmone-unittests	92.65% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
core	96.04% <100.00%> (+0.01%)	⬆️
tooling	86.71% <ø> (ø)
tests	99.79% <ø> (ø)

Files with missing lines	Coverage Δ
lib/evmone_precompiles/pairing/bn254/utils.hpp	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.