We re-introduce the Tonelli-Shank square root algoritm that was removed
in zcash/halo2#120, to use in no-std mode (the table-based impl requires
allocations, and also uses 29kiB of memory which is a problem for
constrained environments that typically need no-std).
They already implement CofactorGroup (trivially, with the prime-order
subgroup being Self); this just enables Pallas and Vesta to be used in
cofactor-aware protocols that also want to leverage the affine point
representation.
The previous `CurveAffine::get_xy` method returned the coordinates as
`CtOption<(C::Base, C::Base)>`. However, `ConditionallySelectable` is
not implemented for any tuple or array types, making it impossible to
use any of the useful `CtOption` methods like `and_then`. We replace it
with `CurveAffine::coordinates -> CtOption<Coordinates<Self>>` and
`impl ConditionallySelectable for Coordinates` to enable operating over
coordinates in constant time.
Jack Grigg