feat: replace rolling-hash transcript with Spongefish Fiat-Shamir

[shreyas-londhe]

Summary

Migrates Dory's Fiat-Shamir transcript from a custom Blake2b rolling-hash implementation to Spongefish 0.2.0-alpha's NARG transcript model.

Why: The old transcript required maintaining a separate DoryProof struct for serialization alongside the hash-based Fiat-Shamir state. Spongefish unifies these — the proof is the transcript. This eliminates an entire class of bugs where proof data could be absorbed into the hash in a different order than it appears in the serialized proof, and gives us domain separation for free via Spongefish's DomainSeparator.

What changed:

• Proofs are now opaque NARG byte strings (Vec<u8>) instead of a typed DoryProof struct. Prover writes to ProverState, verifier reads from VerifierState.
• dory_domain_separator(sigma) dynamically builds the protocol's domain separator, declaring every absorb/squeeze operation upfront.
• expected_proof_size(sigma) enables anti-malleability — callers can reject proofs with unexpected length since Spongefish silently ignores trailing bytes.
• verify() now borrows &VerifierSetup instead of taking ownership, avoiding expensive GT-element clones in batched verification.
• Challenge inversions in reduce_and_fold return Result instead of panicking.
• Dropped blake2, digest, bincode, serde dependencies.
• Soundness tests rewritten for byte-level proof tampering (bit-flip, truncation, zeroed, cross-proof mixing) since proof internals are no longer accessible.

Test plan

• All 46 tests pass
• Soundness tests cover byte-level tampering + wrong public inputs
• Anti-malleability enforced via proof length check in test helper
• Examples and benchmarks updated and verified