Use optimized algorithm to check for Edwards torsion-freeness

[daxpedda]

The check if an Edwards point is torsion-free involves a scalar multiplication and is therefor quite expensive. This PR implements the algorithm from "Point-Halving and Subgroup Membership in Twisted Edwards Curves" to significantly reduce the computational requirements.

Ed448/decompress        time:   [116.51 µs 116.72 µs 116.90 µs]
                        change: [−76.218% −76.179% −76.147%] (p = 0.00 < 0.05)
                        Performance has improved.

[daxpedda]

I'm not sure what the is_on_curve() here really does. We reduce the y-coordinate and derive the x-coordinate, so I believe we always end up with a point that is on the curve.

Additionally, why do we require torsion-freeness on points in the first place? I think this should be optional and not enforced by the default decompress() function.