Very experimental Ed480-Ridinghood support is now in.  It's not fully optimized,
but in general the current build is 8-15% slower than Goldilocks.  It only works on
arch_x86_64, though arch_ref64 support ought to be easy.  Support on other arches
will be trickier, which is of course why I chose Goldilocks over Ridinghood in the
first place.

Next up, E-521.  Hopefully.

The code is starting to get spread out over a lot of files.  Some are per field*arch,
some per field, some per curve, some global.  It's hard to do much about this, though,
with a rather ugly .c.inc system.

There's currently no way to make a Ridinghood eBAT.  In fact, I haven't tested eBAT
support in this commit.  I also haven't tested NEON, but at least ARCH_32 works on
Intel.

Undo the INTRINSIC changes from David Leon Gil.

Turn precomputed keys back on by default.  Change #ifdef to #if for checking sigs.

src/include/barrett_field.h:

- Requires review: corrected failure to cast to (mask_t) prior to negation. (Or, if this is wrong; should cast to needed bitwidth explicitly.)
- Changed type of nwords_out to uint32_t to agree with header.

src/include/intrinsics.h:

- Fixed up various preprocessor statements to check for definition rather than value of built-ins.
- Added macro to use Clang’s __builtin_readcyclecounter on platforms on which it’s available. (Which is most platforms these days.)

src/include/magic.h: Preprocessor “if” versus “if defined”.

src/include/word.h: Fixed ifdefs; enabled support for memset_s on Darwin. Added explicit cast to mask_t.

Added void to function definitions and declarations in the following files (not including void is okay in modern C++, but not modern C, IIRC):

include/goldilocks.h, src/crandom.c, src/goldilocks.c, src/include/api.h, src/include/intrinsics.h, test/bench.c, test/test.c, test/test.h, test/test_arithmetic.c, test/test_goldilocks.c, test/test_pointops.c, test/test_scalarmul.c, test/test_sha512.c

(you knew this would happen).

Added ARM NEON support.

Added support for precomputation on public keys, which speeds up
later signatures and ECDH calls.  See history.txt or the doc for
details.

Reworked internals so that private keys can be derived from any
32-byte secret random value.  This also means that secret keys
can be "compressed" for cold storage.

Added more tests.  Running the tests now requires GMP, though
Goldilocks itself does not.

Linking now uses visibility instead of exported.sym.

Rework the directory structure into something saner, with src/ test/ include/ and build/

Beginning some tests.  Also, now support scan-build.

Now support 32-bit including vectorless ARM.  NEON is not yet supported, because I don't
have a test machine.

Many internal changes, improvements, and bug fixes.