RubyCrypto/x25519

Handling of all-zero public keys

Closed this issue · 0 comments

X25519 has a degenerate case where the Montgomery-u coordinate is zero: the resulting point is always zero, regardless of the scalar:

```
[1] pry(main)> degenerate_key = X25519::MontgomeryU.new("\0" * X25519::KEY_SIZE)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
[2] pry(main)> X25519::Scalar.generate.multiply(degenerate_key)
=> #<X25519::MontgomeryU:0000000000000000000000000000000000000000000000000000000000000000>
```

How to handle this is a bit contentious depending on which cryptographer you ask, but checking for this case and raising an exception might be a good idea.
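The check suggested above, as an added example that is not part of the original issue and is not the x25519 gem's code: a plain-integer RFC 7748 ladder reproduces the all-zero result, and a wrapper raises on it. The names `x25519`, `checked_dh`, `decode_le`, `encode_le` and `DegenerateKeyError` are hypothetical, and the ladder is not constant time.

```ruby
require "securerandom"

# Added illustration: RFC 7748 X25519 on Ruby integers. Not constant time and
# not the x25519 gem's implementation; it exists to study the degenerate case.
P   = 2**255 - 19
A24 = 121_665

class DegenerateKeyError < StandardError; end # hypothetical error class

def decode_le(bytes)
  bytes.b.reverse.unpack1("H*").to_i(16)
end

def encode_le(int)
  [int.to_s(16).rjust(64, "0")].pack("H*").reverse
end

def x25519(scalar_bytes, u_bytes)
  k  = (decode_le(scalar_bytes) & ((1 << 255) - 8)) | (1 << 254) # clamp scalar
  x1 = decode_le(u_bytes) & ((1 << 255) - 1)                      # ignore top bit
  x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
  254.downto(0) do |t|
    bit = (k >> t) & 1
    x2, x3, z2, z3 = x3, x2, z3, z2 if (swap ^ bit) == 1
    swap = bit
    a, b = (x2 + z2) % P, (x2 - z2) % P
    c, d = (x3 + z3) % P, (x3 - z3) % P
    aa, bb = a * a % P, b * b % P
    e = (aa - bb) % P
    da, cb = d * a % P, c * b % P
    x3 = (da + cb)**2 % P
    z3 = x1 * (da - cb)**2 % P
    x2 = aa * bb % P
    z2 = e * (aa + A24 * e) % P
  end
  x2, z2 = x3, z3 if swap == 1
  encode_le(x2 * z2.pow(P - 2, P) % P) # z2 == 0 maps to 0, the degenerate output
end

# Hypothetical wrapper: abort on an all-zero shared secret, the optional
# check described in RFC 7748 section 6.1.
def checked_dh(scalar_bytes, peer_u_bytes)
  shared = x25519(scalar_bytes, peer_u_bytes)
  acc = shared.each_byte.reduce(0) { |sum, byte| sum | byte } # no early exit
  raise DegenerateKeyError, "all-zero X25519 shared secret" if acc.zero?
  shared
end
```

Calling `checked_dh(SecureRandom.random_bytes(32), "\0" * 32)` raises `DegenerateKeyError`, while an exchange against an honest public key returns the 32-byte shared secret.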