perf: optimize class equivalence check for BLS12 final exp

[yelhousni]

Description

Instead of applying Th.1 of https://eprint.iacr.org/2024/640.pdf naively as in #1173 ans #1202 we can scale the miller loop result by some factors:

• for BLS12-381 by 27th root and p-th root where p=(1-u)/3
• for BLS12-377 by p'-th root where p'=12(u-1)

and use the optimal exponent q-u instead of r. This is based on a personal communication (and a lot of help) from Andrija Novakovic @akinovak: https://gist.github.com/akinovak/0db531d350b95ccec682666b2257db77

Type of change

• New feature (non-breaking change which adds functionality)

How has this been tested?

pairing tests pass.

How has this been benchmarked?

• BLS12-381:
  This PR saves 3,369,246 scs for a PairingCheck.
• BLS12-377:
  This PR saves 21,989 scs in the PairingCheck and in the PLONK native aggregation circuit.

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[ivokub]

LGTM

[ivokub]

Changes good. I only now noticed that in FinalExpCheck we have indicated that we return *E12, but always return nil. I think we can change the the function signature to indicate that.

And, now after #1209 is merged, maybe it would make sense to also have methods for other curves for returning the FinalExpCheck result? Long-term this allows us to amend the std/algebra/Pairing interface so that we can also prove that final exponentiation doesn't hold.

[ivokub]

Thanks!