pub fn x25519(scalar: &[u8; 32], u: &[u8; 32]) -> [u8; 32]Expand description
RFC 7748 §5 X25519(scalar, u).
Takes a 32-byte little-endian scalar and a 32-byte little-endian
u-coordinate, and returns the 32-byte little-endian u-coordinate
of scalar * (u, v) on Curve25519 (where v is uniquely
determined by u up to sign — we never need it).
The ladder operates on projective (X, Z) pairs where the affine
u-coordinate is X/Z. 255 ladder steps are performed (bits 254..0
of the clamped scalar); the high bit 254 is always 1 after
clamping, so the first iteration deterministically initialises
(x_2, x_3) = (u, 1), (z_2, z_3) = (1, u) via the cswap.