secp256k1: Optimize field inverse calc.

[davecgh]

This optimizes the field multiplicative inverse calculation to use a more optimal addition chain which reduces the number of field squarings from 258 to 255 and the number field multiplications from 33 to 15.

This calculation is primarily involved when converting back to affine space which is done for various things such as:

• Calculating public keys
• ECDSA signing
• Generating shared secrets via ECDHE
• Public key recovery from a compact signature
• Schnorr signing and signature verification
• Calculating hierarchical deterministic extended keys

The following benchmarks show a before and after comparison of field inversion as well as how it that translates to public key calculation, Schnorr signature verification, and recovery from compact signatures:

name               old time/op   new time/op   delta
------------------------------------------------------------------------
FieldInverse       12.0µs ± 0%   10.9µs ± 1%   -8.96%  (p=0.008 n=10+10)
PrivateKeyPubKey   35.0µs ± 1%   33.9µs ± 2%   -3.18%  (p=0.008 n=10+10)
SchnorrSigVerify    122µs ± 1%    121µs ± 1%   -0.82%  (p=0.015 n=10+10)
RecoverCompact      137µs ± 1%    135µs ± 1%   -1.35%  (p=0.002 n=10+10)

[davecgh]

Equation verification via Wolfram Alpha:

[a3] a^(2^3-1) = (a^(2^2-1))^2 * a

[a6] a^(2^6-1) = (a^(2^3-1))^(2^3) * a^(2^3-1)

[a9] a^(2^9-1) = (a^(2^6-1))^(2^3) * a^(2^3-1)

[a11] a^(2^11-1) = (a^(2^9-1))^(2^2) * a^(2^2-1)

[a22] a^(2^22-1) = (a^(2^11-1))^(2^11) * a^(2^11-1)

[a44] a^(2^44-1) = (a^(2^22-1))^(2^22) * a^(2^22-1)

[a88] a^(2^88-1) = (a^(2^44-1))^(2^44) * a^(2^44-1)

[a176] a^(2^176-1) = (a^(2^88-1))^(2^88) * a^(2^88-1)

[a220] a^(2^220-1) = (a^(2^176-1))^(2^44) * a^(2^44-1)

[a223] a^(2^223-1) = (a^(2^220-1))^(2^3) * a^(2^3-1)

[a(p-2)] a^(2^256-4294968275) = a^(2^256-4294968275) = ((((((a^(2^223-1))^(2^23) * a^(2^22-1))^(2^5)) * a)^(2^3) * a^(2^2-1))^(2^2)) * a

[davecgh]

Rebased to latest master.