fix v3 Proof.Y hash-to-curve and BlindedSignature dleq=None

[robwoodgate]

Stacked on #999

This PR is a fix for BLS implementation PR #999.

Summary

Two small but blocking gaps in the v3 (BLS12-381) wiring, both in cashu/core/base.py, surfaced while planning the BLS Cashu-TS implementation.

1. Proof.Y always uses secp256k1 hash-to-curve

Proof.__init__ unconditionally calls b_dhke.hash_to_curve even for v3 (02…) keyset IDs. Y is the index used by proofs_used, /v1/checkstate, and websocket proof-state subscriptions; v3 wallets would presumably compute Y on G1, so lookups would not match: checkstate would always return UNSPENT for v3 proofs that were just spent, and websocket subscriptions never fire.

2. BlindedSignature.from_row crashes on v3 promises

step2_bob in bls_dhke.py returns (C_, None, None) as DLEQ proofs are redundant under pairings, so v3 promises are stored with NULL dleq_e / dleq_s. But BlindedSignature.from_row unconditionally constructs a DLEQ(e=..., s=...), which Pydantic rejects since the model declares e: str / s: str.

Symptom: POST /v1/restore returns 500 against a v3 mint with 2 validation errors for DLEQ: Input should be a valid string [input_value=None].

Patch constructs the DLEQ only when both fields are non-null — matches the existing dleq: Optional[DLEQ] = None model declaration.