Support caching preprocesses in FROST (#190)

* Remove the explicit included participants from FROST

Now, whoever submits preprocesses becomes the signing set. Better separates
preprocess from sign, at the cost of slightly more annoying integrations
(Monero needs to now independently lagrange/offset its key images).

* Support caching preprocesses

Closes https://github.com/serai-dex/serai/issues/40.

I *could* have added a serialization trait to Algorithm and written a ton of
data to disk, while requiring Algorithm implementors also accept such work.
Instead, I moved preprocess to a seeded RNG (Chacha20) which should be as
secure as the regular RNG. Rebuilding from cache simply loads the previously
used Chacha seed, making the Algorithm oblivious to the fact it's being
rebuilt from a cache. This removes any requirements for it to be modified
while guaranteeing equivalency.

This builds on the last commit which delayed determining the signing set till
post-preprocess acquisition. Unfortunately, that commit did force preprocess
from ThresholdView to ThresholdKeys which had visible effects on Monero.

Serai will actually need delayed set determination for #163, and overall,
it remains better, hence it's inclusion.

* Document FROST preprocess caching

* Update ethereum to new FROST

* Fix bug in Monero offset calculation and update processor

crypto/frost/src/tests/mod.rs

@@ -53,10 +53,7 @@ pub fn algorithm_machines<R: RngCore, C: Curve, A: Algorithm<C>>(
     .iter()
     .filter_map(|(i, keys)| {
       if included.contains(i) {
-        Some((
-          *i,
-          AlgorithmMachine::new(algorithm.clone(), keys.clone(), &included.clone()).unwrap(),
-        ))
+        Some((*i, AlgorithmMachine::new(algorithm.clone(), keys.clone()).unwrap()))
       } else {
         None
       }
@@ -64,10 +61,14 @@ pub fn algorithm_machines<R: RngCore, C: Curve, A: Algorithm<C>>(
     .collect()
 }
 
-/// Execute the signing protocol.
-pub fn sign<R: RngCore + CryptoRng, M: PreprocessMachine>(
+fn sign_internal<
+  R: RngCore + CryptoRng,
+  M: PreprocessMachine,
+  F: FnMut(&mut R, &mut HashMap<u16, M::SignMachine>),
+>(
   rng: &mut R,
   mut machines: HashMap<u16, M>,
+  mut cache: F,
   msg: &[u8],
 ) -> M::Signature {
   let mut commitments = HashMap::new();
@@ -84,6 +85,8 @@ pub fn sign<R: RngCore + CryptoRng, M: PreprocessMachine>(
     })
     .collect::<HashMap<_, _>>();
 
+  cache(rng, &mut machines);
+
   let mut shares = HashMap::new();
   let mut machines = machines
     .drain()
@@ -108,3 +111,43 @@ pub fn sign<R: RngCore + CryptoRng, M: PreprocessMachine>(
   }
   signature.unwrap()
 }
+
+/// Execute the signing protocol, without caching any machines. This isn't as comprehensive at
+/// testing as sign, and accordingly isn't preferred, yet is usable for machines not supporting
+/// caching.
+pub fn sign_without_caching<R: RngCore + CryptoRng, M: PreprocessMachine>(
+  rng: &mut R,
+  machines: HashMap<u16, M>,
+  msg: &[u8],
+) -> M::Signature {
+  sign_internal(rng, machines, |_, _| {}, msg)
+}
+
+/// Execute the signing protocol, randomly caching various machines to ensure they can cache
+/// successfully.
+pub fn sign<R: RngCore + CryptoRng, M: PreprocessMachine>(
+  rng: &mut R,
+  params: <M::SignMachine as SignMachine<M::Signature>>::Params,
+  mut keys: HashMap<u16, <M::SignMachine as SignMachine<M::Signature>>::Keys>,
+  machines: HashMap<u16, M>,
+  msg: &[u8],
+) -> M::Signature {
+  sign_internal(
+    rng,
+    machines,
+    |rng, machines| {
+      // Cache and rebuild half of the machines
+      let mut included = machines.keys().into_iter().cloned().collect::<Vec<_>>();
+      for i in included.drain(..) {
+        if (rng.next_u64() % 2) == 0 {
+          let cache = machines.remove(&i).unwrap().cache();
+          machines.insert(
+            i,
+            M::SignMachine::from_cache(params.clone(), keys.remove(&i).unwrap(), cache).unwrap(),
+          );
+        }
+      }
+    },
+    msg,
+  )
+}