bip-340: reduce size of randomizers to 128 bit and provide argument

[jonasnick]

This speeds up batch verification in libsecp by up to 9%.

I can open this upstream if people are happy with this PR.

CC @real-or-random

[real-or-random]

@jonasnick Oh there's also #204, which anyway will require touching those sentences again...

Maybe it's better to convert the "generate random integers" paragraph also more to pseudocode-like thing. The text is already complex now and #204 won't make it simpler. I'd volunteer to give it a try when resolving #204.

Having said that, do you think it makes sense to batch some of open issues, i.e., solve them here in this repo and then open a PR to the official BIPs repo? I know I haven't worked on this for a while but maybe now is a good time to focus on this again and then we can solve all or at least most of the changes quickly. None of the issues here should require a lengthy discussion. The discussions already happened, we just need to write down the results.

[jonasnick]

I'm fine with batching as long as completing the batch doesn't takevery long. We should try avoiding blocking our own implementation work with batching.

[real-or-random]

Note (sorry for abusing this PR but this is the best place to note):

• We should also clarify what we except from Verify and Batch Verify: The property that single and batch verification agree i) simply holds for all inputs of batch verification when using fully random multipliers ii) holds for inputs generated by a ppt adversary when using the deterministic method.
• We should clarify whether the empty batch is allowed. (It should be, e.g., think of empty blocks.)