Harden arithmetic and crypto boundary checks across u64::shr, ilog2, u32clz, and Falcon mod_12289

[huitseeker]

• Tightens boundary/overflow verification logic in four sensitive paths:

  1. u64::shr: fixes behavior for shifts >= 32 by correctly zeroing the high limb in that branch.
  2. ilog2: replaces half-word-style validation with explicit full-width lower/upper bound checks (2^ilog2 <= n < 2^(ilog2+1), with ilog2 == 63 special-case handling).
  3. u32clz: enforces exact zero boundary (n == 0 iff clz == 32) and strengthens mask consistency checks.
  4. Falcon mod_12289: converts previously dropped overflow flags into explicit assertions for quotient/addition overflow safety.

• Adds focused regression/security-style tests for each fix:

  1. u64::shr edge cases at 32, >32, and boundary sweeps.
  2. ilog2 forged advice and boundary-claim rejection/acceptance tests.
  3. u32clz zero/non-zero boundary correctness tests.
  4. Falcon malicious advice/overflow rejection tests.

• Updates cycle-count documentation/comments where instruction costs changed (u64::shr, u32clz, ilog2).

Per-commit review recommended

[plafer]

I think these should be MASM-based tests, since the ultimate goal is to test the regression with the assembler-generated code for u32clz. Instead, we're testing here the hardcoded run_verify_clz_gadget(), which might get out of date with what the assembler is doing.

[huitseeker]

I've added MASM tests, but MASM tests validate observed output under normal system behavior, not
explicit rejection of malicious/wrong CLZ witnesses, so I've kept those.

[plafer]

LGTM