Scalar field arithmetic

[cathieyun]

See curve25519 scalar field arithmetic for reference: https://github.com/dalek-cryptography/curve25519-dalek/blob/master/src/backend/serial/u64/scalar.rs

[hdevalence]

I'll do this this afternoon; I think it would be good to rework the field arithmetic a little bit.

The reason is that the scalar arithmetic in curve25519-dalek is one of the most awkward parts of the implementation, since there's a bunch of slightly different semantic uses that are all kind of smushed together into a few different types with overlapping meanings -- for instance, Scalars are used for ristretto255 and curve25519, sometimes in montgomery form, sometimes not.... so it would be good to aim for "conceptual recoherence" for this use case.

Probably we want:

• a typedef (RistrettoScalar, Ristretto255Scalar?) for the curve25519-dalek Scalar type (since we need to interoperate with it for Bulletproofs);
• a FieldElement type which holds a field element mod l in Montgomery form;
• conversions between Ristretto255Scalars and FieldElements.

My guess is that we'll want to hide the FieldElement type from the public API and expose only the Ristretto255Scalars (or maybe hide both, depending on how the gadgets work out?)