Implement anti-klepto protocol to protect against covert nonces

[paulmillr]

Not sure if the low-level library is the best place for such API, but at least some primitives need to be implemented for the anti-klepto protocol.

hot->cold: sha(k_hot)
cold->hot: kP_cold = hash(tx, privkey, sha(k_hot)) * G
hot->cold: k_hot
cold->hot: signed_tx
hot:       verify tx.R == kP_cold + k_hot*G

https://shiftcrypto.ch/blog/anti-klepto-explained-protection-against-leaking-private-keys/, https://github.com/bitcoin-core/secp256k1/pull/637