feat: introduce callable oracle for ecrecover #489

Open

antoniolocascio wants to merge 9 commits into dev from alocascio-field-oracle

Conversation

Contributor

@antoniolocascio antoniolocascio commented Jan 14, 2026

What ❔

Reimplement the hints for ecrecover from ethproofs.
Instead of having a new full implementation of ecrecover, this PR introduces "hooks" for 3 secp256k1 field operations. These hooks have two implementations: default, where the implementation is straightforward (same implementation as before this PR) and oracle-based, where we use the new callable oracles.
This way, most of the logic for ecrecover is reused.

Given that this is a critical part of the system, the PR includes:

  • PBT for "good" case (showing equivalence when using the right oracle)
  • Tests for the "bad" case (showing panics if the oracle lies)
  • Modifies the fuzz target for ecrecover to compare the forward and oracle runs. I've run the fuzzer for over 1h without finding issues.

Why ❔

Is this a breaking change?

  • Yes
  • No

Checklist

  • PR title corresponds to the body of PR (we generate changelog entries from PRs).
  • Tests for the changes have been added / updated.
  • Documentation comments have been added / updated.
  • Code has been formatted.
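The hook pattern the description outlines, as an added example that is not code from this PR or its repository: a trait with a direct implementation and an oracle-checked implementation, where the guest never trusts the oracle's answer but verifies it with a multiplication or two and panics if it was lied to, which is what the "good case" (both implementations agree under an honest oracle) and "bad case" (a lying oracle is caught) tests exercise. It runs on a toy prime field, not the secp256k1 field, and the names `FieldHooks`, `Direct`, `OracleChecked`, `SqrtHint`, the two oracle closures and the use of -1 as the known non-residue for proving the negative case are assumptions of this example, not identifiers from the project.

```rust
// Added example, not the PR's code. Toy prime field; names and the
// proof-of-non-residuosity scheme are assumptions of this illustration.

const P: u64 = 1_000_000_007; // prime with P % 4 == 3, so -1 is a non-residue

fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }

fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut acc = 1u64;
    while e > 0 {
        if e & 1 == 1 { acc = mul(acc, b); }
        b = mul(b, b);
        e >>= 1;
    }
    acc
}

/// The hook: the field operations the caller (ecrecover-style code) needs.
pub trait FieldHooks {
    /// Some(root) if `a` is a quadratic residue, None otherwise.
    fn sqrt(&self, a: u64) -> Option<u64>;
    /// Multiplicative inverse of a nonzero `a`.
    fn inverse(&self, a: u64) -> u64;
}

/// Default implementation: do the full computation in the guest.
pub struct Direct;

impl FieldHooks for Direct {
    fn sqrt(&self, a: u64) -> Option<u64> {
        let a = a % P;
        // P ≡ 3 (mod 4): a^((P+1)/4) squares back to a exactly when a is a residue (0 included)
        let r = pow(a, (P + 1) / 4);
        if mul(r, r) == a { Some(r) } else { None }
    }
    fn inverse(&self, a: u64) -> u64 {
        assert!(a % P != 0, "inverse of zero");
        pow(a % P, P - 2) // Fermat's little theorem
    }
}

/// An untrusted hint from the oracle; `witness` means nothing until it is checked.
#[derive(Clone, Copy)]
pub struct SqrtHint { pub is_residue: bool, pub witness: u64 }

/// Oracle-backed implementation: the oracle proposes, the guest only verifies.
/// A lying oracle causes a panic, never a wrong value.
pub struct OracleChecked<O: Fn(u64) -> SqrtHint, I: Fn(u64) -> u64> { pub sqrt_oracle: O, pub inv_oracle: I }

impl<O: Fn(u64) -> SqrtHint, I: Fn(u64) -> u64> FieldHooks for OracleChecked<O, I> {
    fn sqrt(&self, a: u64) -> Option<u64> {
        let a = a % P;
        if a == 0 { return Some(0); } // decided locally: never accept a "non-residue" claim for 0
        let hint = (self.sqrt_oracle)(a);
        let w = hint.witness % P;
        if hint.is_residue {
            assert!(mul(w, w) == a, "oracle lied: witness is not a square root");
            Some(w)
        } else {
            // The negative case needs an exact witness, not just a flag: -1 is a non-residue,
            // so `a` is a non-residue iff -a is a residue, and a root of -a proves it.
            assert!(mul(w, w) == P - a, "oracle lied: no proof of non-residuosity");
            None
        }
    }
    fn inverse(&self, a: u64) -> u64 {
        let a = a % P;
        assert!(a != 0, "inverse of zero");
        let w = (self.inv_oracle)(a) % P;
        assert!(mul(a, w) == 1, "oracle lied: witness is not the inverse");
        w
    }
}

/// Honest oracle built from the direct implementation (what a prover would run).
pub fn honest_sqrt_oracle(a: u64) -> SqrtHint {
    let a = a % P;
    match Direct.sqrt(a) {
        Some(r) => SqrtHint { is_residue: true, witness: r },
        None => SqrtHint { is_residue: false, witness: Direct.sqrt(P - a).expect("-a is a residue") },
    }
}
pub fn honest_inv_oracle(a: u64) -> u64 { Direct.inverse(a) }

/// "Good case" property: both hooks agree on every input when the oracle is honest.
pub fn agrees_on(a: u64) -> bool {
    let oracle = OracleChecked { sqrt_oracle: honest_sqrt_oracle, inv_oracle: honest_inv_oracle };
    Direct.sqrt(a) == oracle.sqrt(a) && (a % P == 0 || Direct.inverse(a) == oracle.inverse(a))
}

/// "Bad case": an oracle that shifts its witness by one must be caught (true if it panicked).
pub fn lying_sqrt_oracle_panics(a: u64) -> bool {
    let liar = OracleChecked {
        sqrt_oracle: |x: u64| { let mut h = honest_sqrt_oracle(x); h.witness = (h.witness + 1) % P; h },
        inv_oracle: honest_inv_oracle,
    };
    std::panic::catch_unwind(|| liar.sqrt(a)).is_err()
}
```

The point of the negative branch is the one a reviewer would probe: a flag saying "not a residue" is free for a malicious oracle to assert, so the guest must demand an exact value it can check (here a root of -a; on the real field any fixed known non-residue works the same way). The good-case property holds for every input, and a bad-case run panics instead of returning a wrong root.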

@antoniolocascio antoniolocascio marked this pull request as draft January 14, 2026 15:23
@antoniolocascio antoniolocascio assigned AntonD3 and unassigned AntonD3 Jan 15, 2026
"ecrecover",
resources,
{ ecrecover_as_system_function_inner(input, output, resources) }
// TODO: reconsider if we actually want to use the oracle based version here
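Review bot: the `// TODO: reconsider if we actually want to use the oracle based version here` comment leaves unresolved which ecrecover path the production registration takes, and a TODO in code is easy to lose after merge; record the decision in a tracked issue or the PR description, and state in a doc comment on this registration which implementation `ecrecover_as_system_function_inner` currently wires in.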
Contributor Author


Opening a thread to think about whether we want to use the oracle-based version in prod

Contributor


Note: we should not forget about it in v0.4.0 @AntonD3

@antoniolocascio antoniolocascio marked this pull request as ready for review January 15, 2026 11:56
@antoniolocascio antoniolocascio force-pushed the alocascio-field-oracle branch 2 times, most recently from 7a1fb22 to c84ce90 on January 15, 2026 12:55
assert!(el.normalizes_to_zero() == false);
let mut candidate = el;
// sqrt_in_place_inner returns true if the input is a quadratic residue (has a square root)
let is_quadratic_residue = candidate.sqrt_in_place_inner();
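Review bot: `assert!(el.normalizes_to_zero() == false)` is more idiomatic as `assert!(!el.normalizes_to_zero())`, and since this is the precondition guarding the square-root step it deserves a message (`assert!(!el.normalizes_to_zero(), "sqrt of zero element")`) so a failing run is attributable to this check rather than to a generic panic.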
Member


Did you check it on negative cases by the way? I wonder if there are state tests with Ecrecover that have an input that is not a square root. Here we need candidate to be some exact value and not just a random one

Contributor Author


Yes, I added negative tests both in unit/prop and fuzzing. Regarding fuzzing, I ran it for several hours and it didn't find any issues

Member

@shamatar shamatar left a comment


Looks fine to me in general. Did you get any fuzzer results already?

@antoniolocascio antoniolocascio force-pushed the alocascio-field-oracle branch 2 times, most recently from 9cc035a to c6a17fa on February 5, 2026 08:55
@antoniolocascio antoniolocascio force-pushed the alocascio-field-oracle branch 3 times, most recently from daa7d73 to 8b94f23 on February 6, 2026 09:16
@github-actions
Contributor

github-actions bot commented Feb 9, 2026

Benchmark report

| Benchmark | Symbol | Base Eff | Head Eff (%) | Base Raw | Head Raw (%) | Base Blake | Head Blake (%) | Base Bigint | Head Bigint (%) |
|---|---|---|---|---|---|---|---|---|---|
| block_19299001 | process_block | 315,717,448 | 299,102,437 (-5.26%) | 273,052,368 | 263,775,845 (-3.40%) | 410,610 | 410,610 (+0.00%) | 9,023,830 | 7,189,208 (-20.33%) |
| block_22244135 | process_block | 197,585,521 | 183,546,402 (-7.11%) | 170,670,049 | 162,831,766 (-4.59%) | 172,020 | 172,020 (+0.00%) | 6,040,788 | 4,490,579 (-25.66%) |
| precompiles | bn254_ecadd | 53,268 | 53,268 (+0.00%) | 47,816 | 47,816 (+0.00%) | 0 | 0 (+0.00%) | 1,363 | 1,363 (+0.00%) |
| precompiles | bn254_ecmul | 728,781 | 728,781 (+0.00%) | 564,593 | 564,593 (+0.00%) | 0 | 0 (+0.00%) | 41,047 | 41,047 (+0.00%) |
| precompiles | bn254_pairing | 72,336,733 | 72,336,733 (+0.00%) | 57,808,589 | 57,808,589 (+0.00%) | 0 | 0 (+0.00%) | 3,632,036 | 3,632,036 (+0.00%) |
| precompiles | ecrecover | 478,116 | 383,588 (-19.77%) | 310,148 | 257,224 (-17.06%) | 0 | 0 (+0.00%) | 41,992 | 31,591 (-24.77%) |
| precompiles | id | 927 | 927 (+0.00%) | 927 | 927 (+0.00%) | 0 | 0 (+0.00%) | 0 | 0 (+0.00%) |
| precompiles | keccak | 137,579 | 137,579 (+0.00%) | 137,579 | 137,579 (+0.00%) | 0 | 0 (+0.00%) | 0 | 0 (+0.00%) |
| precompiles | modexp | 31,267,898 | 31,267,898 (+0.00%) | 20,610,078 | 20,610,078 (+0.00%) | 0 | 0 (+0.00%) | 2,664,455 | 2,664,455 (+0.00%) |
| precompiles | p256_verify | 748,861 | 748,861 (+0.00%) | 470,169 | 470,169 (+0.00%) | 0 | 0 (+0.00%) | 69,673 | 69,673 (+0.00%) |
| precompiles | point_evaluation | 51,215,457 | 51,215,457 (+0.00%) | 39,592,829 | 39,592,829 (+0.00%) | 0 | 0 (+0.00%) | 2,905,657 | 2,905,657 (+0.00%) |
| precompiles | process_block | 147,514,977 | 147,325,533 (-0.13%) | 118,048,293 | 117,928,077 (-0.10%) | 5,140 | 5,110 (-0.58%) | 7,346,111 | 7,328,924 (-0.23%) |
| precompiles | process_transaction | 73,491,162 | 73,396,768 (-0.13%) | 58,793,838 | 58,734,608 (-0.10%) | 160 | 160 (+0.00%) | 3,673,691 | 3,664,900 (-0.24%) |
| precompiles | ripemd | 8,013 | 8,013 (+0.00%) | 8,013 | 8,013 (+0.00%) | 0 | 0 (+0.00%) | 0 | 0 (+0.00%) |
| precompiles | run_tx_loop | 146,894,989 | 146,710,935 (-0.13%) | 117,507,665 | 117,392,359 (-0.10%) | 180 | 180 (+0.00%) | 7,346,111 | 7,328,924 (-0.23%) |
| precompiles | sha256 | 13,168 | 13,168 (+0.00%) | 13,168 | 13,168 (+0.00%) | 0 | 0 (+0.00%) | 0 | 0 (+0.00%) |
| precompiles | system_init | 43,451 | 43,451 (+0.00%) | 43,451 | 43,451 (+0.00%) | 0 | 0 (+0.00%) | 0 | 0 (+0.00%) |
| precompiles | verify_and_apply_batch | 141,986 | 137,524 (-3.14%) | 105,986 | 101,844 (-3.91%) | 2,250 | 2,230 (-0.89%) | 0 | 0 (+0.00%) |

4 participants