keyCeremonyExchange: KeyShare should include ξi,ℓ

[JohnLCaron]

spec 2.0.0, p 24

Share verification. Having decrypted each Pi (ℓ), guardian Gℓ can now verify its validity against the commitments Ki,0 , Ki,1 , . . . , Ki,k−1 made by Gi to its coefficients by confirming that the fol- lowing equation holds:

g^Pi (ℓ) mod p = Sum (Ki,j )^ℓ^j mod p.

"Guardians then publicly report having confirmed or failed to confirm this computation. If the recipient guardian Gℓ reports not receiving a suitable value Pi (ℓ), it becomes incumbent on the sending guardian Gi to publish this Pi (ℓ) together with the nonce ξi,ℓ it used to encrypt Pi (ℓ) under the public key Kℓ of recipient guardian Gℓ . If guardian Gi fails to produce a suitable Pi (ℓ) and nonce ξi,ℓ that match both the published encryption and the above equation, it should be excluded from the election and the key generation process should be restarted with an alternate guardian. If, however, the published Pi (ℓ) and ξi,ℓ satisfy both the published encryption and the equation above, the claim of malfeasance is dismissed, and the key generation process continues undeterred.

It is also permissible to dismiss any guardian that makes a false claim of malfeasance. However, this is not required as the sensitive information that is released as a result of the claim could have been released by the claimant in any case."

[JohnLCaron]

We dont really have tests for the case where the the encrypted key share fails.