perf: merging Groth16 commitment PoK verification pairing check / supporting multiple Groth16 commitments

[ivokub]

Related to #1063 and in-circuit Groth16 proof verifier. Currently we check the Pedersen vector commitment correctness separately from Groth16 pairing checks, but these pairing checks could be merged for added efficiency. As Solidity verifier and Groth16 verifier do not have randomness for computing random linear combinations, then we need to perform Fiat-Shamir challenge computation and need to fix what variables we need to bind.

See the discussions #1063 (comment), https://xn--2-umb.com/23/groth16-batch/#poor-man-s-snarkpack.

And I think that with this improvement we could also tackle supporting multiple commitments for in-circuit and Solidity verifier, previously we didn't bother adding them due to the pairing cost, but now it would become feasible. Multiple commitments could be extremely useful for more complicated circuits using GKR as otherwise we are really bounded by Fiat-Shamir cost for those circuits to be efficient.