This improves performance while also simplifying analysis. Ed25519
doubling needs more carrying, but the speedup is worth it.
The simpler Fp model is easier to reason about, but it introduces an
unsound bit that needs to be handwaved away with a comment. Range
checking has not yet been performed.
X25519c can be attacked by replying several times with invalid data.
This is hard to defend against in the API level without denying service
and using some hard-to-understand semantics.
Masked primitives are gone for now, some countermeasures have been moved
into their respective "regular" impls. I don't think that it's worth it
to care that much about side channels in CC. I haven't seen or managed
to mount any practical attacks myself. The further move away from Cobalt
will probably make them even harder to mount.
