Optimizations: ROM Fusion, Spread Multiset Fusion & Constant Spread Path

[rose2221]

ROM Table Constraint Fusion (rom.rs)

Added add_indexed_table_entry_quotient() replacing the old
add_indexed_lookup_factor() + add_product() pattern.

Before:

• 3 constraints per table entry
  (denominator definition + denom × inverse = 1 + mult × inverse = quotient)

After:

• 2 constraints per table entry
  (denominator definition + fused denom × quotient = mult)

The inverse witness is still created for batch inversion but is no longer separately constrained.
Soundness holds since denom × quotient = mult uniquely implies quotient = mult / denom in the field.

---

Spread Table Multiset Fusion (spread.rs)

Replaced two add_sum() calls + grand sum equality with a single fused A-vector constraint (same pattern as add_range_check_via_lookup()).

Before:

• 2 sum witnesses
• 3 constraints (query sum + table sum + equality)

After:

• 0 extra witnesses
• 1 constraint
  ((Σ table_quotients − Σ query_inverses) × 1 = 0)

Savings: 2 witnesses + 2 constraints per spread table instance.

Updated cost model:
2 × 2^w + 4 → 2 × 2^w + 2

---

decompose_constant_to_spread_word — Constant-Path Spread Decomposition

Previously, spread decomposition panicked for constant witnesses.
Now constants (e.g. SHA256 IV H[0]..H[7]) are handled via a dedicated compile-time path:

• Chunk values + spreads precomputed at compile time
• Each spread witness pinned via an R1CS equality constraint
• No spread table lookups required

Saves ~3 spread table lookups per constant
(no multiplicity / inverse / quotient witnesses)

Soundness

• Compile-time assert verifies decomposition round-trip
• R1CS constraint pins packed_witness = constant_value inside the function, preventing under-constrained usage

---