Besides reducing the number of arguments, this also removes the R argument from
PartialSigAgg which was not defined precisely:
* The final nonce ''R'' as created during ''Sign'' or ''PartialSigVerify'': a point
Moreover, this paves the way for adding the tweaking, which requires
PartialSigAgg to also have access to challenge e and can now be easily computed
from the Session Context.
We will need more of these explanations and it's better if they do not interfere
the specification section. The remarks section is intended for content that's
not required for implementing the spec.
Instead of using eta=-delta, use zeta=-(delta+1/2) to represent
delta. This variant only needs at most 590 iterations for 256-bit
inputs rather than 724 (by convex hull bounds analysis).
This adds a long comment explaining the algorithm and implementation choices by building
it up step by step in Python.
Comments in the code are also reworked/added, with references to the long explanation.
