Verifies a signature against message hash and public key. Rejects non-canonical / high-s signatures by default: to override, specify option {strict: false}. Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:

verify(r, s, h, P) where
  U1 = hs^-1 mod n
  U2 = rs^-1 mod n
  R = U1⋅G - U2⋅P
  mod(R.x, n) == r