keccakf precompile + GKR-IOP integration

[mcalancea]

Note that this PR is done against tianyi/refactor-prover and not the master branch.

Contains the following:

• A bitwise keccakf precompile implementation.
• A lookup-based keccakf precompile implementation.
• Partial integration of the GKR-IOP developed in tianyi/refactor-prover in the existing Ceno proving flow.

The lookup-based impl. is the superior one performance-wise; the bitwise one is rather a proof-of-concept and it might be relevant for benchmarking the proving system itself. The lookup version should be well documented by comments.

Some highlights of the integration code for keccakf:

• There are two components: the old-style LargeEcallDummy circuit which handles memory state by doing the appropriate reads and writes but does not connect them logically (doesn't get into keccakf). The logic is handled by the GKR-IOP circuit.
• Witnesses, output evaluations and lookups used by the GKR-IOP circuit are committed into the RMM of the LargeEcallDummy. This ensures we can reuse the existing tower proofs in scheme/prover.rs and provides access to these polynomials for PCS logic.
• There is a new GKRIOPInstruction trait, conceived as a subtrait of Instruction. It generally makes calls to the corresponding methods in Instruction + does some extra work to implement the functionality as described above. It also has some other methods useful for syncing state between the two protocols.

Items that still need to be addressed to complete the integration:

• PCS opening and verification for the GKR-IOP proof. The relevant witnesses/outputs/lookups are already committed in the same row-major matrix used by LargeEcallDummy. However the opening logic is missing.
• The GKR-IOP proof crashes when the number of instances is not a power of two, some kind of padding is needed.