Merge of branch 2021.19.GDH_PDistRerandom

- GDH/square GDH: add PRerandomDist even without RSR
(because when exponents are chosen according to the spec of
Curve25519/448, there may be several exponents for the same
public key, making the DDH oracle ambiguous; I need to choose
exponents in k[(p+1)/2,p-1] to make sure that the correspondence
between exponents and public keys is bijective).
- Mentioned in the manual that when the underlying group is
curve25519/448, PRF-ODH2 must be applied with the detailed model
of curve25519/448 (because the existence of equivalent public
keys breaks the property).