Address residual review items from BNB hardening stack

[mswilkison]

Summary

Stacked on #5. Doc + small defensive-code follow-ups closing out the cosmetic and pre-existing items raised in the #2/#4/#5 review thread. None are security-blocking; they did not warrant individual PRs but are worth landing alongside the main hardening stack.

• common/hash_utils.go — strengthen RejectionSample doc: the function is modular reduction, not true rejection sampling, and the bias bound depends on q vs the hash width.
• crypto/paillier/factor_proof.go — document that the tagged path emits e ∈ [0, 2^256) while the legacy path emits e ∈ [-(2^256-1), 2^256), and note that FactorVerify's CmpAbs bounds exist to accommodate the legacy signed encoding.
• tss/params.go — expand SetSessionNonceBytes docstring with the per-ceremony-uniqueness and high-entropy guidance reviewers asked for.
• ecdsa/{keygen,signing}/rounds.go — document the round-1-capture invariant for getSSID so future refactors do not silently drift the hashed round.number domain separator.
• crypto/ecpoint.go — flag SetCurve's in-place mutation in its doc comment; the chained-call style is a footgun on shared points.
• crypto/vss/feldman_vss.go — reject nil shares, nil/zero share IDs, and duplicate IDs in ReConstruct before the Lagrange loop, so malformed inputs return an error instead of panicking through ModInverse(0) → nil → nil-deref. Pre-existing hazard; not introduced by the hardening stack. Adds focused test coverage for each rejection path.

Validation

• go build ./... clean
• go vet ./... clean
• go test -count=1 ./common ./crypto ./crypto/vss passed
• go test -count=1 -timeout 600s ./crypto/paillier ./tss passed
• git diff --check passed

Test plan

• VSS ReConstruct rejection-path tests (nil share, nil ID/Share, zero-mod-q ID, duplicate ID) all assert NotPanics + error return
• Existing VSS, common, crypto, tss test suites still green
• CI on the stacked branch