ed25519: double scalarmult fix - return full point

[ph4r05]

Double scalar multiplication returns fully valid ED point (Just one more multiplication).

• Makes further operations easier because many operations expect full point (with valid T coordinate), not the partial.
• ge25519_scalarmult_base_niels already returns full point so it would make it more consistent
• Scalar multiplications perform a large number of curve25519_mul, typically (64*const), one more before returning from the function is IMO small overhead.
• if ge25519_scalarmult returns partial point one cannot easily make it the full point because after ge25519_scalarmult returns, the temporary point is not accessible. To make it full point much more expensive inversion would be needed.

If you prefer not to add multiplication there is another alternative - a bit more difficult IMO. We would have to generalize scalarmult method to return ge25519_p1p1 point so we can make it both partial and full points. There would be then scalarmult method which is a simple wrapper for scalarmult returning ge25519_p1p1 and making a partial point from it.

I personally like the proposed idea more because it is backward compatible change with small overhead, is consistent with scalarmult base and does not make API more complex.

[ph4r05]

Similar to https://github.com/trezor/trezor-crypto/pull/171

[onvej-sl]

ACK

[prusnak]

Thx!