Dual-row Optimizations on top of KeccakRound gate

[querolita]

These optimizations split the KeccakRound gate into two rows: KeccakRound0 and KeccakRound1. The main changes with respect to #1301 follow:

• Split permutation function across two rows to obtain half the width.
• The split, amount and ordering of the constraints are non-obvious due to the limited scope of gates to access only Curr and Next, so some copy constraints need to be added wrt Single-row Optimizations on top of KeccakRound gate #1301.
• As a result, state_f which had been removed needs to be back into the layout.

RFC column count: 2344
1-row column count: 1965
2-row column count: 1045 (actually, 1045+1020=2065 witness cells, the 100 diff corresponds to state_f).

RFC constraint count: 754
1-row constraint count: 389
2-row constraint count: 425 + 64 = 489

RFC lookup count: 1760
1-row lookup count: 1620
2-row lookup count: 920+700=1620

(For single block hashes, lookups disabled):

RFC prover time: 23s x 1 hash | 1871s x 1000 hash
1-row prover time: 19s x 1 hash | 1691s x 1000 hash
2-row prover time: 15s x 1 hash | 1344 x 1000 hash

RFC setup time: 57s x 1 hash | 517s x 1000 hash
1-row setup time: 57s x 1 hash | 479s x 1000 hash
2-row setup time: 58s x 1 hash | 511 x 1000 hash