Rip out non-endomorphism code + dependencies

[sipa]

This is a rebased/combined version of the following pull requests/commits with minor changes:

• Switch to our own memcmp function #825 Switch to our own memcmp function
  • Modification: secp256k1_memcmp_var is marked static inline
  • Modification: also replace memcmp with secp256k1_memcmp_var in exhaustive tests
  • Modification: add reference to GCC bug 95189
• Increase precision of g1 and g2. #822 Increase precision of g1 and g2
  • Modification: use the new secp256k1_memcmp_var function instead of memcmp (see Increase precision of g1 and g2. #822 (comment))
  • Modification: drop the " Allow secp256k1_split_lambda_verify to pass even in the presence of GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189." commit, as it's dealt with using secp256k1_memcmp_var.
  • Modification: rename secp256k1_gej_mul_lambda -> secp256k1_ge_mul_lambda
• A new commit that moves the lambda constant out of secp256k1_scalar_split_lambda and (_verify).
• The test commit suggested here: Increase precision of g1 and g2. #822 (comment)
  • Modification: use the new accessible secp256k1_const_lambda instead of duplicating it.
• Rip out non-endomorphism code #826 Rip out non-endomorphism code
• A new commit that reduces the size of the WNAF output to 129, as we now have proof that the split output is always 128 bits or less.
• A new commit to more consistently use input:k, integer outputs:k1,k2, modulo n outputs:r1,r2

[gmaxwell]

ACK

[sipa]

Comment by @real-or-random, putting it here so I don't forget:

here’s a nit: the comment for split_lambda is now confusingly far from the actual function. this bit me when looking at it today. the current order is:

• huge comment
• lambda constant
• split_lambda_verify
• split_lambda

we could make it

• lambda constant
• huge comment
• split_lambda
• split_lambda_verify

feel free to either fix or ignore

[gmaxwell]

putting verify last puts things out of calling order (split_lambda calls _verify). maybe instead just split up the comment and put the range validation proof stuff on the verify part.

[sipa]

I reordered the comments and functions bit, and addressed @jonasnick' nits.

[luke-jr]

IMO if GCC bug 95189 is the only problem with normal memcmp, I don't think implementing a new one here is the right solution. At most, check for it in configure and add --no-builtin-memcmp ?

[sipa]

@luke-jr I tried writing a test for the bug in autoconfese, but it was more effort than it's worth I think, especially since none of the uses of memcmp in libsecp256k1 are performance critical. This approach also protects non-autoconf builds.

[luke-jr]

Moving memcmp discussion to #832

[real-or-random]

@luke-jr I tried writing a test for the bug in autoconfese, but it was more effort than it's worth I think, especially since none of the uses of memcmp in libsecp256k1 are performance critical. This approach also protects non-autoconf builds.

Agreed, just adding our memcmp is simpler.

@luke-jr Also see more discussion in #823 .

[real-or-random]

ACK c582aba code inspection, some tests, verified the new g1/g2 constants

(mod the decision how we want to solve #823 )

[jonasnick]

ACK c582aba didn't verify the proof