Replace `subtle` with `ctutils`?

[tarcieri]

I've written a modern replacement for subtle which uses the cmov crate to support constant-time predication instructions (cmov/csel families) via asm!, along with a portable "best effort" fallback similar to what subtle was doing before:

https://github.com/RustCrypto/utils/tree/master/ctutils

It's also an extraction of what we had built in crypto-bigint as a sort of half-baked subtle replacement to work around many issues we were having with subtle, including lack of const fn support, and the inability to support heap-allocated types due to copy bounds. I am in the process of completely switching crypto-bigint over to ctutils (while maintaining optional backwards compatibility with subtle, in part through the subtle interop built into ctutils). Preliminary benchmarking in crypto-bigint has not shown notable performance changes, either.

I've tried making some of these changes upstream to subtle, but it seems somewhat unmaintained at this point, and with an entrenched userbase making breaking changes seems difficult:

• Add ConstantTimeSelect and ConstantTimeClone traits dalek-cryptography/subtle#118
• [WIP] subtle: breaking changes for a hypothetical v3.0 dalek-cryptography/subtle#136
• Change ConditionallySelectable supertrait dalek-cryptography/subtle#137

ctutils is otherwise mostly an easy drop-in replacement for subtle, and I think we could potentially adopt it in the places we are currently using subtle so as to have a maintained, in-org crate which should theoretically provide better guarantees on most modern platforms. I've just released v0.2.0 and I think it's ready to begin adopting.

[newpavlov]

I will need to take a closer look at ctutils, but otherwise sounds good to me.

[tarcieri]

Of course the moment I suggest it might be ready I find a bug (on PPC32, but still): RustCrypto/utils#1298

Seems there may be some gaps in the current test suite, but I'm working on shoring them up.