Fold in more planned upstream changes

[Yawning]

In keeping with the "drop-in replacement" design goal, there are additional forthcoming upstream changes that need to be folded in.

• proposal: x/crypto/curve25519: new X25519 API (proposal: x/crypto/curve25519: new X25519 API golang/go#32670)
• crypto/ed25519: reject low order points (x/crypto/curve25519,crypto/ed25519: reject low order points golang/go#31846)
• crypto/ed25519: Implement Ed25519ph (crypto/ed25519: Implement Ed25519ph golang/go#31804)
• crypto: add Equal(PublicKey) bool method to PublicKey implementations (crypto: add Equal(PublicKey) bool method to PublicKey implementations golang/go#21704)

32670 includes the RFC 8422 check for contributory behavior. There's some dissenting opinions about how useful this is (See section 12 of the Noise protocol spec for one).

The second issue, despite it's title at the time of this writing, applies to doing the appropriate checks in the ed25519 code.

These should wait till the relevant changes are merged upstream, support for ed25519ctx/ph was merged early because we were thinking about using it.

[Yawning]

We now reject low order points at verification time unless configured otherwise. Calling this done.