add generic constant time multi-exp for ECDH

[gmaxwell]

There should be a public interface offering a constant-time generic multiexp, e.g. out_point = s1_P1 + s2_P2 + ... + sn*Pn, for use in ECDH and ECDH with forward secrecy. (unless there is some speedup I'm not thinking of which only works for the non-multiexp case).

Maybe API wise it could split precomputation and the multiply, for applications where points are reused? e.g. pass in a set of precomputed tables?

[Kagami]

👍 It would be very nice to have ECDH.

[sipa]

Fixed by #252.