Hinted scalar decomposition in a gadget

[yelhousni]

In SW and tEd gadgets, when using the hinted scalar decomposition for GLV, we only check that s1 + λ * s2 == s + k*o but this is done mod r (where o is the order of SW/tEd curve prime subgroup and r the order of the SNARK curve prime subgroup).

It means that in Z: s1 + λ * s2 - s - k*o = c * r but with no guarantee that c is always 0. We should look for edge cases if any and constrain them or look for a better constrained decomposition.

[gbotrel]

@yelhousni status?