Updated curve parameters with a=-1

[HarryR]

As implemented by Matter Inc. which changes the curve parameters to be able to use the unmodified sapling-crypto repository: https://github.com/matterinc/sapling-crypto

The C++ implementation is parameterised, the Python and Solidity implementations aren't.

Related to #103 (to match the number of constraints as the zcash/bellman implementation)

They have scaled the parameters so the Bellman implementation of Jubjub can be used without modifying the constraints, this means the security proof from ZCash with their specific constraints can be more directly translated / be applicable.

//! scaling = 1911982854305225074381251344103329931637610209014896889891168275855466657090 
//! a' = 21888242871839275222246405745257275088548364400416034343698204186575808495616 == -1 = a*scale^2 mod P
//! d' = 12181644023421730124874158521699555681764249180949974110617291017600649128846 == -(168696/168700) = d*scale^2

For the Python and Solidity implementations this requires the addition of the Scale parameter.

Additionally, need to update the ejubjub.sage file to demonstrate that we can transform from the existing curve parameters to the modified ones.

Additionally need to verify that the jubjub tests defined by zcash are implemented:

• (1 / d) is nonsquare
• -d is nonsquare
• (1 / -d) is nonsquare
• Check that A^2 - 4 is nonsquare
• Check that A - 2 is nonsquare

Additionally, there is a test to verify that the number of windows per generator in the Pedersen hash does not allow for collisions:

• https://github.com/matterinc/sapling-crypto/blob/master/src/alt_babyjubjub/tests.rs#L372