Elligator: take cofactor from secret key instead of tweak

Elligator: take cofactor from secret key instead of tweak

This allows the simplification of the implementation of higher level
interfaces.

The idea is, only the scalar and cofactor have any influence over
whether the inverse map succeeds or fail. This means that when it fails,
the padding & sign have not be used at all, and can be "reused" to
generate another random seed.

In practice, this means we can use Chacha20 or Blake2, or any hash that
outputs 64 random bytes from 32 random bytes, use 32 bytes to make an
attempt, then use the *other* 32 bytes to either generate more random
bytes (if we failed), or to use the tweak (if we succeed).

The tweak has also been modified to simplify the implementation. The
sign bit is now the least significant bit, and the padding bits are the
most significant bits. The computational savings are negligible, but
this allows neat micro-simplifications.