Require cofactorless (unbatched) verification equation (#25)

Mandate the use of the cofactorless (unbatched) verification equation in
Ed25519 and Ed448.

This is already the current behavior of OpenSSL, BoringSSL, and Apple's
CryptoKit, among other implementations.

Additionally, since Web Crypto does not have an API for batch signature
verification, there seems to be no reason to use the cofactored
(batched) equation.

By mandating one of the two equations, we reduce the risk of
interoperability failures, as well as the risk of this
(potential) difference being used to fingerprint implementations.

index.html

@@ -1883,7 +1883,8 @@ <h4>Operations</h4>
             <li>
               <p>
                 Perform the Ed25519 verification steps, as specified in [[RFC8032]],
-                Section 5.1.7, on the |signature|, with |message| as |M|,
+                Section 5.1.7, using the cofactorless (unbatched) equation,
+                `[S]B = R + [k]A'`, on the |signature|, with |message| as |M|,
                 using the Ed25519 public key associated with |key|.
               </p>
             </li>
@@ -2775,7 +2776,8 @@ <h4>Operations</h4>
             <li>
               <p>
                 Perform the Ed448 verification steps, as specified in [[RFC8032]],
-                Section 5.2.7, on the |signature|, with |message| as |M|
+                Section 5.2.7, using the cofactorless (unbatched) equation,
+                `[S]B = R + [k]A'`, on the |signature|, with |message| as |M|
                 and |context| as |C|,
                 using the Ed448 public key associated with |key|.
               </p>