Add DKG Ack states and fix signer state machine

[xoloki]

The state machine code in this repository is an artifact of the first attempt to implement sBTC, a wrapped BTC token on the Stacks blockchain, in a repository called sbtc-alpha.

The signer state machine was missing many elements of a typical state machine, all of which were present in the coordinator state machines. For example, it did not gate the handling of particular message types on certain states, nor did it effectively prevent improper state changes. This allowed protocol attacks, such as attempts to reuse nonces during signing.

One reason why this was never fixed is because the protocol as originally envisioned did not deal well with out-of-order message delivery, which happens frequently in a p2p network. So a coordinator might have received all DkgPublicShares from all signers, and thus signal that the signers should start sending DkgPrivateShares, triggering a state change on the signers. But if one signer received this coordinator message before receiving DkgPublicShares from one of the signers, strictness in handling messages based on state would cause that signer to ignore the late DkgPublicShares message.

To fix this, we add Ack/Done states to the protocol. This way state changes are gated on everyone having received all necessary information before progressing to the next state.

With this protocol change in place, we are now able to implement a proper state machine, and do so in this PR.

[djordon]

I had one question which I think I answered myself, and some suggestions. Also, I ignored the FROST coordinator, the changes to process_timeout, and a some other things too.

[xoloki]

Good catch on the late dkg message handling @djordon, I wasn't waiting on receiving everything to Ack. Fixed now

[xoloki]

Added a check for DKG messages the coordinator didn't see, much tighter now

[jferrant]

Just have a couple comments. I can't quite remember exactly how WSTS coordinator/signer logic works so not 100% sure its a problem, but I would have expected all the signers to wait for the public shares from all other sgner ids in the done message before acking. But maybe that doesn't matter because the coordinator has them all at this point and ultimately signer doesn't care?

[xoloki]

Just have a couple comments. I can't quite remember exactly how WSTS coordinator/signer logic works so not 100% sure its a problem, but I would have expected all the signers to wait for the public shares from all other sgner ids in the done message before acking. But maybe that doesn't matter because the coordinator has them all at this point and ultimately signer doesn't care?

You are correct, that was missing in the initial code. It's there now.

[xoloki]

Added missing dkg_id checks in signer state machine, since this PR is about fixing that state machine and those missing checks were kinda crucial to prevent replay attacks

[xoloki]

Added sanity checks on the passed signer_ids in the Done packets, dropping them if any are bad. Deferring checking dkg_threshold until dkg_end since we already report that as DkgFailure::Threshold

[xoloki]

We weren't checking dkg_id in the signing parts of the signer state machine, fixed now

[xoloki]

We weren't checking to see if a signer had completed DKG before taking part in signing rounds. Now that's addressed on both the signer and coordinator sides.