The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli. The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.
Important changes:
1. even/odd distinction so that we need to test only one of the numbers
for being even. This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod don't work for
an arbitrary modulus. The modulus must be close to 2^256.
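The binary inverse described in the numbered list above, written out in Python as an added illustration (this is not the trezor-crypto bn_inverse, and unlike bn_multiply/bn_fast_mod it works for any odd modulus, not only one close to 2^256). The invariants r*x == -u*2^k and s*x == v*2^k (mod p) are my choice of sign convention; they are asserted on every iteration when CHECK_INVARIANTS is set, the loop shifts all trailing zero bits at once, stops as soon as u == v, uses s at the end without a negation, and the final division by 2^k is done 32 bits per round from p^-1 mod 2^32 computed on the fly by Newton iteration rather than from a table. Function names and the invariant form are assumptions of this example:

```python
"""Binary modular inverse with shift counting, then one exact division by 2^k.
Python illustration only; not the trezor-crypto implementation."""

CHECK_INVARIANTS = True   # assert the loop invariants on every iteration


def trailing_zeros(n: int) -> int:
    return (n & -n).bit_length() - 1


def inv_mod_2_32(p: int) -> int:
    """p^-1 mod 2^32 for odd p via Newton iteration, so no table is needed."""
    inv = p                        # p*p == 1 (mod 8): 3 correct bits to start
    for _ in range(4):             # 3 -> 6 -> 12 -> 24 -> 48 correct bits
        inv = (inv * (2 - p * inv)) & 0xFFFFFFFF
    return inv


def div_pow2_mod(a: int, k: int, p: int) -> int:
    """a * 2^-k mod p, up to 32 bits per round: add the multiple of p that
    clears the low b bits of a, then shift them out (an exact division)."""
    pinv = inv_mod_2_32(p)
    while k > 0:
        b = min(k, 32)
        mask = (1 << b) - 1
        m = (-a * pinv) & mask     # chosen so that a + m*p == 0 (mod 2^b)
        a = (a + m * p) >> b
        k -= b
    return a % p


def inverse_mod(x: int, p: int) -> int:
    """x^-1 mod p for odd p and 0 < x < p (raises if gcd(x, p) != 1).
    Invariants (mod p): r*x == -u*2^k and s*x == v*2^k; gcd(u, v) == gcd(x, p)."""
    if p % 2 == 0 or not 0 < x < p:
        raise ValueError("need odd p and 0 < x < p")
    u, v, r, s, k = x, p, p - 1, 0, 0            # r == -1 (mod p)
    while u != v:                                # stop as soon as they meet
        if CHECK_INVARIANTS:
            assert (r * x + u * (1 << k)) % p == 0
            assert (s * x - v * (1 << k)) % p == 0
        if u & 1 == 0:                           # v is tested only when u is odd
            t = trailing_zeros(u)                # shift several bits at once
            u >>= t
            s <<= t
            k += t
        elif v & 1 == 0:
            t = trailing_zeros(v)
            v >>= t
            r <<= t
            k += t
        elif u > v:
            u -= v                               # result is even; halved next round
            r += s
        else:
            v -= u
            s += r
    if u != 1:
        raise ValueError("x is not invertible mod p")
    # here s*x == 2^k (mod p): use s directly, no negation, then divide by 2^k
    return div_pow2_mod(s, k, p)


if __name__ == "__main__":
    P = 2**256 - 2**32 - 977                     # the secp256k1 field prime
    print(hex(inverse_mod(3, P)))
```

The division step is the standard Montgomery-style trick: because p is odd, for any b <= 32 there is an m below 2^b with a + m*p divisible by 2^b, so the shift loses nothing. Multiplying by the inverse of 2^k mod p would need either a table of 2^-k values or another inversion; this needs neither.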
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in an ECDH
context (e.g. cryptoMessageEn/Decrypt).
Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.
To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
This makes the pointers to the words constant. It moves 8 KB from RAM
to flash. It changes the return type of mnemonic_wordlist() to reflect
this change. Everyone calling it should also change the type to
`const char * const *`.
The standard says:
step h:
Set T to the empty sequence.
while tlen < qlen
V = HMAC_K(V)
T = T || V
k = bits2int(T)
in this case (HMAC-SHA256, qlen=256bit) this simplifies to
V = HMAC_K(V)
T = V
k = bits2int(T)
and T can be omitted.
The old code (wrong) did:
T = HMAC_K(V)
k = bits2int(T)
Note that V will only be used again if the first k is out of range.
Thus, the old code produced the right result with a very high probability.
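Both versions of step h side by side, as an added Python example (my reconstruction of the described behaviour, not the project's code): generate_k implements RFC 6979 section 3.2 with HMAC-SHA256 for a 256-bit q, where bits2int is the identity on the 32-byte digest, and a flag selects whether step h advances V as the standard says or computes T = HMAC_K(V) with V left unchanged. On the first candidate the two agree, which is why the old code was right with overwhelming probability for the secp256k1 order. To actually reach the retry path without waiting 2^128 tries, find_divergence uses a constructed toy order TOY_Q = 2^255 + 1 (still 256 bits wide, but about half of all candidates fall outside [1, q-1]) and shows that once a retry happens the two variants produce different k:

```python
import hashlib
import hmac

# Group order of secp256k1: the qlen = 256 case discussed above.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Constructed toy order, 256 bits wide, where about half of all candidates are
# >= q, so the retry branch of step h is actually exercised.
TOY_Q = (1 << 255) + 1


def _hmac_sha256(key: bytes, *parts: bytes) -> bytes:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


def generate_k(x: int, h1: bytes, q: int, standard_step_h: bool = True):
    """RFC 6979 section 3.2 with HMAC-SHA256 for a 256-bit q; returns (k, retries).

    standard_step_h=True:  V = HMAC_K(V); T = V            (the standard)
    standard_step_h=False: T = HMAC_K(V), V left unchanged (the old behaviour)
    """
    if q.bit_length() != 256 or len(h1) != 32 or not 0 < x < q:
        raise ValueError("this example only handles a 256-bit q and a SHA-256 h1")
    int2octets = x.to_bytes(32, "big")
    # bits2octets(h1): for qlen = 256, bits2int is the identity on 32 bytes.
    bits2octets = (int.from_bytes(h1, "big") % q).to_bytes(32, "big")
    V = b"\x01" * 32                                                  # step b
    K = b"\x00" * 32                                                  # step c
    K = _hmac_sha256(K, V, b"\x00", int2octets, bits2octets)          # step d
    V = _hmac_sha256(K, V)                                            # step e
    K = _hmac_sha256(K, V, b"\x01", int2octets, bits2octets)          # step f
    V = _hmac_sha256(K, V)                                            # step g
    retries = 0
    while True:                                                       # step h
        if standard_step_h:
            V = _hmac_sha256(K, V)
            T = V
        else:
            T = _hmac_sha256(K, V)     # old code: V keeps its pre-loop value
        k = int.from_bytes(T, "big")
        if 0 < k < q:
            return k, retries
        # out of range: rekey and loop; from here on V differs between the variants
        K = _hmac_sha256(K, V, b"\x00")
        V = _hmac_sha256(K, V)
        retries += 1


def k_for_message(x: int, message: bytes, q: int = SECP256K1_N,
                  standard_step_h: bool = True):
    return generate_k(x, hashlib.sha256(message).digest(), q, standard_step_h)


def first_try_agrees(x: int, message: bytes, q: int = SECP256K1_N) -> bool:
    """True when neither variant needs a retry and both return the same k."""
    k_new, r_new = k_for_message(x, message, q, True)
    k_old, r_old = k_for_message(x, message, q, False)
    return r_new == 0 and r_old == 0 and k_new == k_old


def find_divergence(q: int, x: int = 1, limit: int = 64):
    """Scan constructed messages for one whose first candidate is out of range;
    return (message index, k per the standard, k per the old code, retries)."""
    for i in range(limit):
        message = b"constructed message %d" % i
        k_std, retries = k_for_message(x, message, q, True)
        if retries:
            k_old, _ = k_for_message(x, message, q, False)
            return i, k_std, k_old, retries
    return None


if __name__ == "__main__":
    print("same k on first try:", first_try_agrees(1, b"Satoshi Nakamoto"))
    print("divergence on retry:", find_divergence(TOY_Q))
```

Note that generate_k exposes the retry count: a signer that logs or otherwise reveals it would leak a bit about the candidate stream, so in real code the loop's iteration count should stay internal.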