ONEHOT_PROOF_INIT is used as the initial proof, which is updated with the node proof computed by each call to eval_next(). It appears we're free to set this to any public value:
- The PLASMA paper sets this to "0" (the all zero string).
- We currently set it to a salt.
I had the thought that we could also derive this from the VDAF verification key so that it is pseudorandom from the point of view of the adversary (i.e., the malicious client). I wonder if this could provide some benefit in terms of security.
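A sketch of the two choices under discussion, added here as an example that is neither Mastic/PLASMA code nor the commenter's own: the fixed all-zero initial proof beside an initial proof derived from the aggregators' shared verification key. HMAC-SHA256 and a hash-chain update are stand-ins (assumptions) for the scheme's XOF and the real eval_next() update, and the domain-separation label is a placeholder.

```python
import hashlib
import hmac

# Constructed stand-ins: a real VDAF uses its own XOF and domain separation.
# HMAC-SHA256 is used here only as a generic PRF (an assumption, not the spec).
PROOF_LEN = 32


def fixed_init() -> bytes:
    """The PLASMA choice: the all-zero string. Public and predictable to everyone,
    including the client."""
    return bytes(PROOF_LEN)


def derived_init(verify_key: bytes, dst: bytes = b"hypothetical/onehot_proof_init") -> bytes:
    """Derive the initial proof from the verification key shared by the aggregators.
    The client never holds verify_key, so this value is pseudorandom from its point
    of view, while every aggregator can recompute it deterministically."""
    return hmac.new(verify_key, dst, hashlib.sha256).digest()


def fold_node_proof(proof: bytes, node_proof: bytes) -> bytes:
    """Update step modelled on eval_next(): absorb one node proof into the running
    proof. Simplified to hash chaining; the real update is scheme-specific."""
    return hashlib.sha256(proof + node_proof).digest()


def run_chain(init: bytes, node_proofs: list) -> bytes:
    """Walk a sequence of node proofs starting from the chosen initial proof."""
    proof = init
    for node_proof in node_proofs:
        proof = fold_node_proof(proof, node_proof)
    return proof


if __name__ == "__main__":
    # Constructed sample inputs.
    verify_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    node_proofs = [hashlib.sha256(bytes([i])).digest() for i in range(3)]
    print("fixed  :", run_chain(fixed_init(), node_proofs).hex())
    print("derived:", run_chain(derived_init(verify_key), node_proofs).hex())
```

With the fixed init, the whole chain is a deterministic function of values the client controls or knows; with the derived init, the same node proofs yield a running proof the client cannot predict without the verification key, which is the property the comment above speculates about.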