monero-project / research-lab

A general repo for Monero Research Lab work in progress and completed work

Multisignature implementation #67

Open SarangNoether opened 4 years ago

SarangNoether commented 4 years ago

The threshold ring signature paper by @b-g-goodell and me describes a provably-secure construction requiring a commit-and-reveal phase. The current multisignature implementation should be updated to reflect this construction properly.

UkoeHB commented 4 years ago

The implementation would also benefit from (based on the paper): robust key aggregation, and domain separated hashing with prefixes depending on application. It would also benefit from: aggregation signing instead of round-robin to reduce message rounds, and randomly sorting the output indices (currently disabled in code to ensure each participant uses the same indices [EDIT: this should be done by the transaction initiator, randomly shuffling the destinations before sending them out in a tx file to be signed, or maybe the shuffle_outs flag should be activated when it's the initiator] [EDIT2: based on my research, the destination list actually is randomly sorted by the original tx initiator, and then all other signers use that same randomly sorted list]).

UkoeHB commented 4 years ago

From what I can tell, in the current version partial key images are unsigned (see export_multisig() in wallet2.cpp), which means a cosigner could send a fake partial key image to another cosigner, then (e.g. in a 2-of-3) cooperate with a third signer to spend funds in the multisig wallet. The cosigner with the doctored key image would not be aware those funds were spent, while believing he has the power to see when it happens.

UPDATE: There appears to be precedent for signing key images, namely in ReserveProofV1 where key images are signed with a 1-member ring signature. Applying this for partial key images would, I imagine, not be an extreme burden. See this line of code.
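Added illustration (editor's code, not from any participant in this issue and not Monero's implementation): a 1-member ring signature of the shape used in ReserveProofV1, applied to a partial key image. The signer proves that its partial key image `ki_i` and its public key share `pub_i` are formed from the same secret share, so a cosigner who receives `ki_i` can reject a doctored point instead of trusting it blindly. The ed25519 arithmetic is the textbook affine form; the hash-to-point (`_hash_to_point`), the domain-separation strings and the naive sum used as the aggregate key are constructed stand-ins for this example and are not Monero's.

```python
import hashlib
import secrets

# --- ed25519 field and curve, affine Edwards form (reference-style, slow) ---
Q = 2**255 - 19
L_ORDER = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = (-121665 * pow(121666, Q - 2, Q)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)  # a square root of -1 mod Q
IDENTITY = (0, 1)


def _inv(x):
    return pow(x, Q - 2, Q)


def _add(p1, p2):
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)


def _mul(p, n):
    """Scalar multiplication by iterative double-and-add."""
    r = IDENTITY
    while n:
        if n & 1:
            r = _add(r, p)
        p = _add(p, p)
        n >>= 1
    return r


def _on_curve(p):
    x, y = p
    return (-x * x + y * y - 1 - D * x * x * y * y) % Q == 0


def _x_from_y(y):
    """Recover the even x for a given y (the standard ed25519 recovery)."""
    xx = (y * y - 1) * _inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * SQRT_M1 % Q
    return Q - x if x & 1 else x


G = (_x_from_y(4 * _inv(5) % Q), 4 * _inv(5) % Q)  # standard base point


def _enc(p):
    # Uncompressed x||y encoding; only used as hash input here.
    return p[0].to_bytes(32, "little") + p[1].to_bytes(32, "little")


def _hash_to_point(data):
    """Constructed stand-in for Monero's Hp(): hash to a y-coordinate, lift,
    and clear the cofactor so the result lies in the prime-order subgroup."""
    ctr = 0
    while True:
        h = hashlib.sha512(b"toy-Hp|" + data + bytes([ctr])).digest()
        y = int.from_bytes(h, "little") % Q
        cand = (_x_from_y(y), y)
        if _on_curve(cand):
            pt = _mul(cand, 8)
            if pt != IDENTITY:
                return pt
        ctr += 1


def _challenge(pub_i, hp, ki_i, l_pt, r_pt):
    h = hashlib.sha512(b"toy-partial-ki-proof|" + _enc(pub_i) + _enc(hp)
                       + _enc(ki_i) + _enc(l_pt) + _enc(r_pt)).digest()
    return int.from_bytes(h, "little") % L_ORDER


def sign_partial_key_image(x_i, pub_i, agg_pub, ki_i):
    """1-member ring signature: prove ki_i = x_i*Hp(agg_pub) and pub_i = x_i*G."""
    hp = _hash_to_point(_enc(agg_pub))
    k = secrets.randbelow(L_ORDER - 1) + 1
    c = _challenge(pub_i, hp, ki_i, _mul(G, k), _mul(hp, k))
    s = (k - c * x_i) % L_ORDER
    return c, s


def verify_partial_key_image(pub_i, agg_pub, ki_i, proof):
    """What the receiving cosigner should run before accepting a partial key image."""
    c, s = proof
    hp = _hash_to_point(_enc(agg_pub))
    l_pt = _add(_mul(G, s), _mul(pub_i, c))    # = k*G if honest
    r_pt = _add(_mul(hp, s), _mul(ki_i, c))    # = k*Hp if ki_i is genuine
    return _challenge(pub_i, hp, ki_i, l_pt, r_pt) == c


def demo():
    """Constructed 2-party setup: honest partial key image verifies, a doctored one does not."""
    x1 = secrets.randbelow(L_ORDER - 1) + 1
    x2 = secrets.randbelow(L_ORDER - 1) + 1
    pub1, pub2 = _mul(G, x1), _mul(G, x2)
    agg_pub = _add(pub1, pub2)  # naive aggregation; the paper's robust aggregation is out of scope here
    hp = _hash_to_point(_enc(agg_pub))
    ki1 = _mul(hp, x1)
    proof = sign_partial_key_image(x1, pub1, agg_pub, ki1)
    honest = verify_partial_key_image(pub1, agg_pub, ki1, proof)
    fake_ki1 = _mul(hp, secrets.randbelow(L_ORDER - 1) + 1)  # doctored point sent to a cosigner
    forged = verify_partial_key_image(pub1, agg_pub, fake_ki1, proof)
    return honest, forged


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check costs one hash-to-point and four scalar multiplications per partial key image on the receiving side, which is in line with the single-ring-member cost of ReserveProofV1 that the comment points to.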