ecdsa: Implementation of recoverable signatures

[aumetra]

Adds an initial implementation of Ethereum-style recoverable signatures that's generic over the underlying curve.
This is mostly a port of the code in the k256 crate adapted to work generically.

"Marked ready for review" checklist:

• Implementation of the algorithm to recover verifying keys
• Implementation of SignatureEncoding for the recoverable signature
• More granular cfg flags
• Implementation of the signer and verifier traits on the key types for the new RecoverySignature
• Update the internal ECDSA logic to actually emit a RecoveryId (instead of always returning None)

Trial recovery was tested with P256 and P384 and their respective preferred digest

Closes #525

[tarcieri]

@aumetra I was just about to take a look at implementing something like this

I'd prefer not to define a separate Signature type, but adding the relevant methods to Signature and VerifyingKey itself

[aumetra]

Sure, the implementation shouldn't be too difficult to move to the existing Signature type. How would we handle serialisation?

Should the SignatureEncoding implementation just emit the recovery ID byte or should it only be included via a special associated method like a theoretical to_bytes_recoverable?

[tarcieri]

@aumetra that was my plan, yes.

I was planning on working on it this weekend, as part of a larger effort to move to signature 2.0

[aumetra]

Oh I see, if you feel more comfortable doing it yourself you can just take whatever I implemented so far (if it's of any use to you) and base it off of that, I don't mind

[tarcieri]

Closing in favor of #576