o1-labs / o1js

TypeScript framework for zk-SNARKs and zkApps

Home Page: https://docs.minaprotocol.com/en/zkapps/how-to-write-a-zkapp


Non-native EC addition should constrain x1 != x2

mitschabaude opened this issue · comments

Currently, our foreign EC add gadget allows the case that the two input points are equal, and that case leaves the output entirely unconstrained and tweak-able by the prover. This was on purpose, to save constraints, with the thinking being that we can navigate around that case when using the gadget.

For scalar multiplication, we use an "initial aggregator point", which was thought to make sure intermediate scalar mul results can't exhibit the degenerate case. However, the reasoning for why this prevents the degenerate case was never tight and essentially circular.

The solution is simple: just assert that $x_1 \ne x_2$ in the addition gadget, so the multiplication which defines the slope is fully constrained even if $y_1 = y_2$. With the efficient vector non-zero assertion gadget from #1282, this should only add ~4 rows to the ~50-row addition gadget, an easy trade-off to make for tightening security.

TODO: for doubling, do we need to prove that the denominator $2y$ can't be 0? Or can we prove that this special case is either not possible, or implies a non-zero numerator $3x^2 + a$ for all valid curve points?
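The degenerate case the issue describes, and the effect of the proposed fix, as an added example that is not o1js code and not the project's own gadget (whose real constraint layout lives in the repo). It models the three affine-addition constraint equations as plain checks on a prover-supplied witness, over a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with constructed sample points. The hardened variant witnesses an inverse of x2 - x1 rather than using the vector non-zero gadget from #1282; that is an assumption made here for simplicity, the constraint it enforces is the same. The last function answers the doubling TODO for this toy curve by enumeration, using the fact that a point with y = 0 and 3x^2 + a = 0 would make x a double root of the cubic, which a non-singular curve cannot have.

```typescript
// Added example (not o1js code): toy model of an affine EC addition gadget's
// constraint equations, showing why x1 != x2 must be asserted.
// Field, curve and sample points are constructed for illustration only.

type Point = { x: bigint; y: bigint };
type AddWitness = { lambda: bigint; out: Point };
type HardenedWitness = AddWitness & { diffInv: bigint };

// Constructed toy curve y^2 = x^3 + A x + B over F_FP (not a real curve).
const FP = 97n;
const A = 2n;
const B = 3n;

function mod(n: bigint): bigint {
  return ((n % FP) + FP) % FP;
}

// Modular inverse via extended Euclid. Throws on 0, mirroring the fact that a
// circuit cannot witness an inverse of zero.
function inv(n: bigint): bigint {
  let [r0, r1] = [mod(n), FP];
  let [s0, s1] = [1n, 0n];
  if (r0 === 0n) throw new Error("no inverse of 0");
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  return mod(s0);
}

function isOnCurve(pt: Point): boolean {
  return mod(pt.y * pt.y) === mod(pt.x * pt.x * pt.x + A * pt.x + B);
}

// What an unhardened gadget checks about a prover-supplied (lambda, out):
//   lambda * (x2 - x1) = y2 - y1
//   x3 = lambda^2 - x1 - x2
//   y3 = lambda * (x1 - x3) - y1
// Nothing forces x1 != x2: with x1 == x2 and y1 == y2 the first equation reads
// lambda * 0 = 0, which every lambda satisfies, so (x3, y3) is prover-chosen.
function addConstraintsHold(p: Point, q: Point, w: AddWitness): boolean {
  const slopeOk = mod(w.lambda * (q.x - p.x)) === mod(q.y - p.y);
  const xOk = mod(w.lambda * w.lambda - p.x - q.x) === mod(w.out.x);
  const yOk = mod(w.lambda * (p.x - w.out.x) - p.y) === mod(w.out.y);
  return slopeOk && xOk && yOk;
}

// Hardened variant: the prover must also witness diffInv with
// (x2 - x1) * diffInv = 1, which is unsatisfiable when x1 == x2.
function hardenedAddConstraintsHold(p: Point, q: Point, w: HardenedWitness): boolean {
  const nonzeroOk = mod((q.x - p.x) * w.diffInv) === 1n;
  return nonzeroOk && addConstraintsHold(p, q, w);
}

// Honest prover: chord formula, only defined for x1 != x2 (throws otherwise).
function honestAddWitness(p: Point, q: Point): HardenedWitness {
  const diffInv = inv(q.x - p.x);
  const lambda = mod((q.y - p.y) * diffInv);
  const x3 = mod(lambda * lambda - p.x - q.x);
  const y3 = mod(lambda * (p.x - x3) - p.y);
  return { lambda, out: { x: x3, y: y3 }, diffInv };
}

// Honest doubling via the tangent formula (y != 0 assumed; no point at infinity here).
function honestDouble(p: Point): Point {
  const lambda = mod((3n * p.x * p.x + A) * inv(2n * p.y));
  const x3 = mod(lambda * lambda - 2n * p.x);
  const y3 = mod(lambda * (p.x - x3) - p.y);
  return { x: x3, y: y3 };
}

// Malicious prover feeding the unhardened gadget the same point twice: pick ANY
// lambda and derive an output that satisfies all three equations.
function forgeDoublingWitness(p: Point, lambda: bigint): AddWitness {
  const x3 = mod(lambda * lambda - 2n * p.x);
  const y3 = mod(lambda * (p.x - x3) - p.y);
  return { lambda: mod(lambda), out: { x: x3, y: y3 } };
}

// Doubling TODO, checked for the toy curve: the denominator 2y vanishes only at
// y = 0, and on a non-singular curve (4A^3 + 27B^2 != 0) no such point also has
// 3x^2 + A = 0, since f(x) = 0 and f'(x) = 0 would make x a double root of f.
function orderTwoPointsHaveNonzeroTangentNumerator(): boolean {
  if (mod(4n * A * A * A + 27n * B * B) === 0n) return false; // singular curve
  for (let x = 0n; x < FP; x++) {
    if (isOnCurve({ x, y: 0n }) && mod(3n * x * x + A) === 0n) return false;
  }
  return true;
}

// Constructed sample points on the toy curve.
const P1: Point = { x: 0n, y: 10n }; // 10^2 = 100 = 3 (mod 97)
const P2: Point = { x: 1n, y: 43n }; // 43^2 = 1849 = 6 = 1 + 2 + 3 (mod 97)
```

Running `forgeDoublingWitness(P1, 5n)` against `addConstraintsHold(P1, P1, ...)` passes even though the output is not the true double of P1 and is not on the curve at all; `hardenedAddConstraintsHold(P1, P1, ...)` rejects every witness, because (x2 - x1) * diffInv = 0 can never equal 1. The hardened check costs one extra multiplication constraint plus one witness in this toy model, which matches the spirit of the "a few extra rows" estimate in the issue.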