Consensys / teku

Open-source Ethereum consensus client written in Java
https://consensys.io/teku
Apache License 2.0

Detect unsafe coefficients in fast BLS verification #4112

Closed veorq closed 3 years ago

veorq commented 3 years ago

In the implementation of https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407, a zero coefficient would allow the verification of signatures including an invalid one (if assigned a zero r_i).

If the PRNG behaves correctly, the chance of this happening is negligible, but since a non-crypto PRNG is used, and as a defense-in-depth measure (along the same lines as ECDSA checks), I would recommend enforcing non-zeroness in:

https://github.com/ConsenSys/teku/blob/a0270026d4e70db13b0042eb057ffbdb5709e4ca/bls/src/main/java/tech/pegasys/teku/bls/impl/blst/BlstBLS12381.java#L185-L189
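
The failure mode described above, as an added example that is not teku's code: a scalar-field model of the random-linear-combination batch check, where `SK`, `H`, the forged signature and the fixed coefficients are constructed values standing in for BLS group elements and pairings, and `rng` is whatever sampler the caller supplies.

```python
import secrets

# Constructed prime modulus standing in for the BLS12-381 scalar field.
Q = (1 << 61) - 1

def sign(sk, h):
    """Model of sig = sk * H(m): scalar product instead of a G1 multiplication."""
    return (sk * h) % Q

def verify_one(sk, h, sig):
    """Model of the single-signature pairing check e(sig, g2) == e(H(m), pk)."""
    return sig == (sk * h) % Q

def batch_verify(sks, hs, sigs, coeffs):
    """Fast batch check: sum r_i*sig_i == sum r_i*sk_i*H(m_i) (mod Q).
    With r_j == 0 the j-th term vanishes on both sides, so an invalid
    sig_j cannot make the batch fail."""
    lhs = sum(r * s for r, s in zip(coeffs, sigs)) % Q
    rhs = sum(r * sk * h for r, sk, h in zip(coeffs, sks, hs)) % Q
    return lhs == rhs

def unsafe_coeffs(n, rng=secrets.randbits):
    """Coefficients drawn as-is: a zero is rare but not excluded."""
    return [rng(64) for _ in range(n)]

def safe_coeffs(n, rng=secrets.randbits):
    """Hardened sampler: resample until every coefficient is non-zero."""
    out = []
    while len(out) < n:
        r = rng(64)
        if r != 0:
            out.append(r)
    return out

# Constructed sample: three signers, the third signature tampered with.
SK = [3, 5, 7]
H = [11, 13, 17]
SIGS = [sign(sk, h) for sk, h in zip(SK, H)]      # [33, 65, 119]
FORGED = SIGS[:2] + [SIGS[2] + 1]                 # third signature invalid

if __name__ == "__main__":
    print("each valid:", [verify_one(sk, h, s) for sk, h, s in zip(SK, H, FORGED)])
    print("batch, r_3 = 0:", batch_verify(SK, H, FORGED, [5, 7, 0]))    # True (bug)
    print("batch, r_3 != 0:", batch_verify(SK, H, FORGED, [5, 7, 11]))  # False
```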

benjaminion commented 3 years ago

Good find! I'll take a look at this.

veorq commented 3 years ago

Looks like non-zeroness is enforced there, but I don't fully understand what they're doing:

https://github.com/status-im/nim-blscurve/blob/e1b9392b802ef53407035bf78a1d2a3f3067d7d7/blscurve/blst/blst_min_pubkey_sig_core.nim#L518-L521