Add batch-compatible ECVRF (ECVRF_bc)

[davxy]

• Implement the batch-compatible ECVRF scheme (ietf_bc) from ePrint 2022/1045
• Standard IETF ECVRF proofs use (c, s) where the verifier must reconstruct nonce commitments before recomputing c. ECVRF_bc replaces this with (U, V, s) where U and V are the nonce commitments directly, turning verification into explicit equality checks that can be batched via a single multi-scalar multiplication across n proofs
• Proof size increases (e.g. 48 -> 96 bytes for ed25519) but batch verification of many proofs is significantly faster

[burdges]

RFC-9381 always seemed ridiculous. I trolled them a couple times during the RFC but nothing improved..

• You save CPU time from the short challenge, but you'd save more by merging everything into one MSM, which breaks the short challenge.
• Applications would benefit more from batching anyways. And other applications have so few VRF evaluations nobody cares.
• Thin VRF was 64 bytes for Ristretto/Ed25519, while still being batch verifiable. I suppose that optimisation breaks down for Pederson VRFs and some other things, but good for the simple stuff.