fix: ecc/groups audit findings

[suyash67]

Summary

Addresses findings from the ecc/groups audit.

Commits

• finding 1 — extend batch_affine_double_impl slope formula to include a for curves with a ≠ 0
• finding 2 — reject non-canonical x-coordinate encodings in affine_element::from_compressed (Opened its own PR)
• finding 3 — route ECDSA / Schnorr secret-nonce scalar mul through a new constant-time element::mul_const_time (Montgomery ladder + Coron blinding)
• finding 4 — handle rhs = ∞ in mixed-coordinate operator+=
• finding 5 — zero y (and z) in self_set_inf so the infinity representation is canonical
• finding 6 — fix pairing.FinalExponentiation reference helper to iterate the full 256-bit exponent
• finding 7 — extend the G1/G2 SRS defenses from fix: harden BN254 G2 SRS ingress #22858 across the bb.js boundary: in SrsInitSrs::execute, SHA-256-verify every fully-present compressed-G1 chunk against BN254_G1_CHUNK_HASHES before decompression, pin g1_points[0] to the canonical generator and g1_points[1] to τ·G after parsing, and SHA-256-pin the 128-byte G2 input. The subgroup check, on-disk G2 hash pin, infinity rejection, and is_in_prime_subgroup implementation itself already landed in fix: harden BN254 G2 SRS ingress #22858.
• finding 8 — make field::is_zero constant-time

Test plan

• ecc_tests — pass (audit-related filter: 110 pass, 8 skipped, 0 failures)
• srs_tests (CrsFactory.*) — pass
• bbapi_tests — pass (30/30)
• New regression tests in affine_element.test.cpp, element.test.cpp, pairing.test.cpp, prime_field.test.cpp

[federicobarbacovi]

Looks great, thanks for doing this! Just a few small comments

[federicobarbacovi]

It's not clear to me why this bug didn't affect small modulus: the solution doesn't seem to take into account small/large moduli

[suyash67]

The small modulus case already handled the infinity edge case:

aztec-packages/barretenberg/cpp/src/barretenberg/ecc/groups/element_impl.hpp

Lines 170 to 178 in 327252e

	} else {
	const bool edge_case_trigger = x.is_msb_set() || other.x.is_msb_set();
	if (edge_case_trigger) {
	if (x.is_msb_set()) {
	*this = { other.x, other.y, Fq::one() };
	}
	return *this;
	}
	}

But good point regardless, I edited the test to run for all curves.

[federicobarbacovi]

Can you please explain a bit more why it's ok not to hash check partial final data? Is it ok to have such data?

[suyash67]

Actually this is not a problem in how bb.js initialises SRS because it always fetches either $2^{18}$ or $2^{20}$ points. But still you raise a good point: I added a check if numPoints buffer is NOT a multiple of 4 MiB (so basically a multiple of $2^{17}$, which is true for our use-cases) it'll throw