Verified Bedrock2 code for Number-Theoretic Transform

[atrieu]

The PR is still in a bit of a rough state, but I'm opening it to see if there is interest in adding it.

The Number-Theoretic Transform is a technique to accelerate polynomial multiplications used in recent lattice-based cryptography for PQC.

This PR defines:

• a theory of polynomials and its Chinese Remainder Theorem in Polynomial.v
• definition of the NTT in CyclotomicDecomposition.v which defines an homomorphism from a type Pquotl (cyclotomic_decomposition n 0) to Pquotl (cyclotomic_decomposition n k) where Pquotl ql is defined as Pquotl (ql: list P): Type := { pl: list P | List.Forall2 (fun p q => Peq p (Pmod p q)) pl ql }, and cyclotomic_decomposition n i is the i-th layer decomposition of X^n + 1. It also defines various optimizations for the NTT.
• lower-level Gallina code of the NTT in RupicolaNTT.v
• verified Bedrock2 code in BedrockNTT.v, I initially tried to automatically synthesize the code using Rupicola, but ended up doing the proof manually
• Bedrock2 code for Barrett and Montgomery Reduction when the field element fits in one word in RupicolaBarrettReduction.v and RupicolaMontgomeryArithmetic.v
• examples using all the above to synthesize C code of the (inverse) NTT for MLKEM and MLDSA in MLKEM.v and MLDSA.v.

I believe the C code should look like what someone would write after reading the NIST standards with no other reference. In terms of performance, this is slower than the handwritten C reference implementations for Kyber/Dilithium which use a so-called centered signed representation for field elements, and delay reduction of the coefficients to the end of the NTT instead of systematically doing it at each step like the synthesised code.