fix: non-Paillier-related NCC findings

[ggutoski]

This PR addresses all remaining findings from the NCC audit (including appendix) except those related to Paillier---namely, finding numbers 003, 004, 005. Those findings will be handled in a separate PR along with Paillier improvements.

That leaves only the following items covered by this PR: findings 001, 006, and an un-numbered note from the appendix on session nonce length range checks.

As of this PR, all notes from the appendix are complete and the status of numbered findings is as follows:

• 001: this PR
• 002: nothing to fix
• 003: TODO later, Paillier
• 004: TODO later, Paillier
• 005: TODO later, Paillier
• 006: this PR
• 007: already done

Draft status

Need to verify that the new length restrictions on session nonce do not break existing usage in axelar-core. Until then, this PR is stuck in draft mode.

Currently, the only use of the affected session nonce by axelar-core is for the new_key_uid in keygen: https://github.com/axelarnetwork/grpc-protobuf/blob/afb7358f2051370950881220be6ae51f4dbafdb9/grpc.proto#L109 On the axelar-core side, this uid is provided by the end user via CLI command: https://github.com/axelarnetwork/axelar-core/blob/0cd3073bd4745c97112f2a7948fed19c9c1e4359/x/tss/client/cli/tx.go#L40 As such, the only restriction on uid length is that it be nonzero.

How to proceed?

Options:

• Add length checks to axelar-core to match those of tofn.
  • Ideally, universal constants would be defined in one spot, but that's not really practical for grpc---see java - Can I define a constant string in protobuf? - Stack Overflow
• Don't bother with length checks in axelar-core and just rely on tofn/tofnd to throw an error.
  • I don't like this idea. It's much better to have the CLI command throw an error immediately with usage info.

@cgorenflo any opinions?

[ggutoski]

The corresponding axelar-core PR axelarnetwork/axelar-core#815 has now been merged.