
include more public values for secure FS transform

Open p0n1 opened this issue 2 years ago • 0 comments

Trail of Bits found that insecure implementations of the Fiat-Shamir transformation in bulletproofs could allow malicious users to forge proofs for random statements.

  • https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/
  • https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/

The bulletproofs paper has also been updated to emphasize the description of secure Fiat-Shamir transformation for the protocol.

[image: screenshot of the updated bulletproofs paper]

Our implementation does not include the range proofs section of bulletproofs as discussed in Trail of Bits' posts. In fact, our implementation of bulletproofs is a variant of the original version with direct support for R1CS. But we did miss some public values from the statement.

In this pull request, we add public assignment (s), the circuit description (cL, cR, cO), and generators (g, h) to the transcript of circuit proof and add n, u, P, and generators (g, h) to the transcript of inner product proof.

p0n1, Apr 18 '22 08:04
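The following is an added example, not ckb-zkp's own code, illustrating the transcript change the issue describes. It models a Fiat-Shamir transcript in which every public value of the statement (s, cL, cR, cO, g, h for the circuit proof; n, u, P, g, h for the inner product argument) is absorbed before any challenge is derived, beside the weaker form that hashes only the prover's commitments. The group elements and scalars are small constructed integers standing in for canonical encodings of curve points and field elements, the `MODULUS` is a toy value, and the function and label names are assumptions; the check at the end is the review-time test that a transcript must pass: two different statements that share the same commitments must yield different challenges.

```python
"""Fiat-Shamir transcript bound to the full public statement (added example)."""
import hashlib
from typing import Callable, Dict, Iterable, List

# Toy field size for reducing challenges (constructed; a real scalar field is ~2^255).
MODULUS = (1 << 61) - 1


def _encode(values: Iterable[int]) -> bytes:
    # Length-prefix the list and fix each element's width so that two different
    # inputs can never serialize to the same byte stream.
    vals = list(values)
    out = len(vals).to_bytes(8, "little")
    for v in vals:
        out += int(v).to_bytes(32, "little")
    return out


class Transcript:
    """Hash-based transcript: every absorbed item is label- and length-prefixed."""

    def __init__(self, protocol_label: bytes) -> None:
        self._h = hashlib.sha256()
        self.append(b"protocol", protocol_label)  # domain separation

    def append(self, label: bytes, data: bytes) -> None:
        self._h.update(len(label).to_bytes(8, "little") + label)
        self._h.update(len(data).to_bytes(8, "little") + data)

    def append_values(self, label: bytes, values: Iterable[int]) -> None:
        self.append(label, _encode(values))

    def challenge(self, label: bytes) -> int:
        # Fork the running hash so the challenge covers everything absorbed so far,
        # then feed the challenge back in so later challenges chain on it.
        fork = self._h.copy()
        fork.update(len(label).to_bytes(8, "little") + label)
        c = int.from_bytes(fork.digest(), "little") % MODULUS
        self.append(label, c.to_bytes(32, "little"))
        return c


def circuit_challenge_incomplete(commitments: Dict[str, int]) -> int:
    """Weak form: only the prover's commitments (A_I, A_O, S) are absorbed."""
    t = Transcript(b"r1cs-bulletproof")
    t.append_values(b"commitments", commitments.values())  # insertion order of the dict
    return t.challenge(b"y")


def circuit_challenge_complete(statement: Dict[str, List[int]],
                               commitments: Dict[str, int]) -> int:
    """Absorb s, cL, cR, cO and g, h before the commitments, as the issue proposes."""
    t = Transcript(b"r1cs-bulletproof")
    t.append_values(b"s", statement["s"])
    for name in ("cL", "cR", "cO"):
        t.append_values(name.encode(), statement[name])
    t.append_values(b"g", statement["g"])
    t.append_values(b"h", statement["h"])
    t.append_values(b"commitments", commitments.values())
    return t.challenge(b"y")


def inner_product_challenge_complete(n: int, u: int, P: int, g: List[int],
                                     h: List[int], L: int, R: int) -> int:
    """Inner product round: n, u, P and the generators precede the round's L, R."""
    t = Transcript(b"inner-product")
    t.append_values(b"n", [n])
    t.append_values(b"u", [u])
    t.append_values(b"P", [P])
    t.append_values(b"g", g)
    t.append_values(b"h", h)
    t.append_values(b"L", [L])
    t.append_values(b"R", [R])
    return t.challenge(b"x")


def challenge_depends_on_statement(challenge_fn: Callable[..., int],
                                   statement_a: Dict[str, List[int]],
                                   statement_b: Dict[str, List[int]],
                                   commitments: Dict[str, int]) -> bool:
    """Review check: distinct statements sharing commitments must get distinct challenges."""
    return challenge_fn(statement_a, commitments) != challenge_fn(statement_b, commitments)


# Constructed sample data: integers stand in for serialized group elements.
STATEMENT_A = {"s": [3, 5], "cL": [1, 0, 1], "cR": [0, 1, 1], "cO": [1, 1, 0],
               "g": [11, 12, 13], "h": [21, 22, 23]}
STATEMENT_B = dict(STATEMENT_A, s=[3, 6])  # same circuit, different public input
COMMITMENTS = {"A_I": 101, "A_O": 202, "S": 303}

if __name__ == "__main__":
    weak = lambda st, com: circuit_challenge_incomplete(com)
    print("incomplete transcript binds statement:",
          challenge_depends_on_statement(weak, STATEMENT_A, STATEMENT_B, COMMITMENTS))
    print("complete transcript binds statement:",
          challenge_depends_on_statement(circuit_challenge_complete,
                                         STATEMENT_A, STATEMENT_B, COMMITMENTS))
```

The incomplete variant returns the same challenge for `STATEMENT_A` and `STATEMENT_B`, which is exactly the property the Trail of Bits posts identify as dangerous: the verifier's challenge is independent of what is being proved. With the public values absorbed first, the challenge changes whenever any of them does, and the fixed-width, length-prefixed encoding keeps the byte stream unambiguous so that different value lists cannot collide in the hash input.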