cfrg/draft-irtf-cfrg-vdaf

Clarify requirements for generating the IDPF binder string

Closed · 1 comment

We require the binder string to be generated at random, but we don't prescribe its length or say why it needs to be random:

* `binder` MUST be chosen uniformly at random by the Client (see
  {{nonce-requirements}}).

> TODO If the binder needs to be random, then we need to specify its
> length so that the user knows how many bytes to sample.

I believe this has to do with how XofFixedKeyAes128 affects the concrete security of Poplar1, but I don't remember the details. Let's make sure this is documented. Furthermore, we need to define the length so that the user knows how many bytes to sample. I'd suggest renaming the binder to nonce and adding Idpf.NONCE_SIZE as a constraint on Idpf. (Poplar1 may need to be modified accordingly.)

This was decided in #32 (comment), and you are correct: it is needed for the concrete security of the fixed-key AES construction. I'll send a PR to clarify this.