Switch to RFC 8032 for signatures

[dchest]

Currently tweetnacl.js is a port of the original djb's tweetnacl. The original Ed25519 has some footguns when the signatures are used in protocols that expect other properties than unforgeability under chosen-message attacks:

• ed25519 verification is malleable and accepts forged signatures #253 ed25519 verification is malleable and accepts forged signatures
• Ed25519 verify accepts non-canonical public key encoding #270 Ed25519 verify accepts non-canonical public key encoding

RFC 8032 fixes them, and most implementations switched to it. This would be a breaking change, thus 2.0.

[dchest]

I'm reluctant to work on 2.0, since we now have native Ed25519 in WebCrypto in browsers and Node.js/Bun/Deno. We also have WASM now, which can be used to directly run tweetnacl.c. Native implementations are safer (due to being constant-time, which we can't guarantee in JS) and faster.

Is there a use for the pure JavaScript library still? If so, comment here.