Review for timing attacks

[alex]

My understanding is that we're concerned that any function over the secret-key (or something derived from it), must take time independent of the input value. Here are possible issues I see

• scalarmult takes time in e, and in publickey() e is a function of sk, not sure if this is a concern (it's a function of the magnitude of e, which may not correlate with an individual value)
• In encodepoint (as called from publickey()), y >> i is probably not timing independent, it's time is a function of the magnitude of y.
• In publickey and signature 2 ** i * bit(h, i) takes time in the magnitude of the bit from h (h is computed from the sha256 of sk, so perhaps it can't be reversed?)

Those are what I have for now, more review is definitely needed.

[Ivoz]

Hopefully the third might be solved by #17

The second would include both encodepoint and encodeint

[gnprice]

This should be closeable after #19.