Feat: emulated BLS12-381 pairing

[yelhousni]

Following #566, this PR implements an emulated BLS12-381 pairing circuit. It costs 3177374 = ~3.1M R1CS constraints when verified in a BN254 Groth16. The gap between BN254 pairing (3.1M-2M=1.1M) is justified by BLS12-381 size (emulating a 381-bit field in a 254-bit compared to 254-bit in 254-bit).

The PR needs Consensys/gnark-crypto#360 for testing.

TODOs:

• When loopCounter[i]=1, multiply lines between them (Mul014By014) before multiplying by the accumulator (MulBy01245). This is less efficient than 2 multiplications of lines by accumulator (MulBy014) because MulBy01245 costs one more multiplication compared to MulBy01234 in the case of a D-type twist (e.g. BN254).
• We implement SQR2345 variant of Karabina's cyclotomic square which is the most circuit-efficient for a series of 4+ squares. However, in Expt() here, there is a shift of size 3 which is optimal with SQR12345 variant (paragraph 5.6).

(we don't use Karabina nor Granger-Scott cyclotomic square anymore. All the final exp is done with T2 arithmetic.)

[yelhousni]

Following #594, the last commit uses torus-based arithmetic for the entire final exp. This removes 323413 = ~323k constraints taking the whole BLS12-381 pairing down to 2853961 = ~2.8M constraints. An additional 2136 can be saved when we only need to check that a pairing product is 1 (no need to decompress pairing result --> check equality in E6).

[yelhousni]

To finish this PR, here is the total number of constraints for an emulated bls12-381 pairing over bn254 scalar field: 2702761 = ~2.7M

[ivokub]

Looks good. I only made the double method on E6 public to be consistent with other methods.