See #50974 for background. tl;dr is that Marshal, Add, Double, and ScalarMult take a pair of big.Ints as inputs, which might not represent a valid point on the curve, and don't return an error value. The behavior is documented to be undefined.
I am fond of the idea of returning random points, like P-224, P-384, and P-521 do in Go 1.18, but it feels like it would be a pain to debug, and doesn't feel like the right answer for Marshal. Returning nil is definitely not the answer for Marshal, as that will get encoded as the empty string, which would be catastrophic for e.g. an ECDH shared secret, and anyway is likely to cause a panic. A panic is a DoS risk, but it would only occur where before there was a key leak risk.
The @golang/security team consensus is to move to triggering an explicit panic in Go 1.19. (Hopefully, we'll soon provide a better and safer API, too.)
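A caller-side guard for the gap described above, as an added example that is not part of the original issue or of the Go project's code: the hypothetical wrappers `CheckedScalarMult` and `CheckedMarshal` validate the coordinates with `IsOnCurve` and return an error, so invalid input never reaches the functions that have no error return. The off-curve point is constructed sample input.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrNotOnCurve is returned instead of reaching undefined behavior or a panic.
var ErrNotOnCurve = errors.New("point is not on the curve")

// CheckedScalarMult is a hypothetical wrapper: it validates (x, y) before
// handing the pair to ScalarMult, which has no error return of its own.
func CheckedScalarMult(c elliptic.Curve, x, y *big.Int, k []byte) (*big.Int, *big.Int, error) {
	if x == nil || y == nil || !c.IsOnCurve(x, y) {
		return nil, nil, ErrNotOnCurve
	}
	rx, ry := c.ScalarMult(x, y, k)
	return rx, ry, nil
}

// CheckedMarshal is a hypothetical wrapper that does the same for Marshal,
// so an invalid point can never be encoded (for example as a shared secret).
func CheckedMarshal(c elliptic.Curve, x, y *big.Int) ([]byte, error) {
	if x == nil || y == nil || !c.IsOnCurve(x, y) {
		return nil, ErrNotOnCurve
	}
	return elliptic.Marshal(c, x, y), nil
}

// OffCurvePoint returns constructed sample input: the P-256 base point with
// y incremented by one, which does not satisfy the curve equation.
func OffCurvePoint() (*big.Int, *big.Int) {
	p := elliptic.P256().Params()
	return new(big.Int).Set(p.Gx), new(big.Int).Add(p.Gy, big.NewInt(1))
}

func main() {
	c := elliptic.P256()
	_, _, err := CheckedScalarMult(c, c.Params().Gx, c.Params().Gy, []byte{2})
	fmt.Println("base point error:", err)
	x, y := OffCurvePoint()
	_, _, err = CheckedScalarMult(c, x, y, []byte{2})
	fmt.Println("off-curve ScalarMult error:", err)
	_, err = CheckedMarshal(c, x, y)
	fmt.Println("off-curve Marshal error:", err)
}
```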