[otbn] Implement P384 in current ISA

[imphil]

Profile implementation of P256 and P384 sign/very operations, and evaluate performance degradation due to lack of extensible modular instructions for P384.

(Split out from https://github.com/lowRISC/opentitan/issues/2856)

Sub-tasks

• [ ] Implement/evaluate modular add/sub for p384 #3191 (see issue, probably won't do this)
• [x] Implement/evaluate modular multiplication for p384 #3192.
• [x] implement p384 specific things (like domain parameter setup)
• [x] implement point doubling
• [x] implement point addition #5336
• [x] implement scalar multiplication #5337
• [x] implement coordinate transformation (projective <-> affine): https://github.com/lowRISC/opentitan/issues/5732
• [x] implement curve point verification
• [x] implement ECDSA sign #5940
• [x] implement ECDSA verify #6187
• [x] implement Stein's algorithm
• [x] document loading of curve domain parameters and constants #6177

Evaluation results for p384 multiplication

(copied from the #3192) Currently it is 152 cycles for 384 bit vs. 37 cycles for 256 bit. This is with using the fully unrolled multiplication.

There is room for optimization here:

• For a generic implementation (no specific curve) we would implement Karatsuba for the multiplication kernel
• For the p384 specific implementation we would either move to Solinas or use an optimized Barret implementation (using the special form of the pre-computed barrett parameter for p384). This could use Karatsuba on top. Using Solinas should be faster but I am not sure yet how efficiently it can be implemented on OTBN.

[felixmiller]

Edited original issue to track implementation of all the p384 building blocks. Like we did with p256