Trusted-Party (TP) threshold OPRF key update Protocol

This document specifies a proposal for a non-robust threshold OPRF key
update protocol that can work for small deployments with a small
number of parties and infrequent DKG executions. Non-robust means that
the protocol succeeds only if no party aborts. If someone aborts then
the protocol needs to run again, possibly after kicking out
misbehaving parties. This protocol does support maximum 127
peers. This is probably already too much for a non-robust protocol,
but it might work in very special circumstances.

Broadcast is implemented by the trusted party (TP) opening a channel
to each peer secured by the peers long-term encryption key. Every
message is routed through the TP.

Peer long-term encryption keys can be either TLS-based, or
Noise_XK-based (https://noiseexplorer.com/patterns/XK/). In the latter
case the long-term public keys must be known and validated in advance
by the TP.

The basis for this protocol is the TP-DKG protocol as specified at
https://github.com/stef/liboprf/blob/master/docs/tp-dkg.txt, and a
Distributed Multiplication protocol which given the sharings of secret
a and secret b generates a sharing of the product a·b without learning
anything about either secret.

The multi-party multiplication is based on Fig. 2 from R. Gennaro,
M. O. Rabin, and T. Rabin. "Simplified VSS and fact-track multiparty
computations with applications to threshold cryptography" In
B. A. Coan and Y. Afek, editors, 17th ACM PODC, pages 101–111. ACM,
June / July 1998.

0. TP ensures that n >= 2t+1, otherwise abort.
1. execute TP-DKG for all dealers, if DKG fails, abort
2. dealers (exactly 2t+1 peers) run multiparty multiplication step
   one, send the results to the corresponding peers
3. TP pre-computes the inverted Van der Monde matrix, and broadcasts the first row.
4. all peers run multiparty multiplication step 2 on inputs from TP and the dealers.
5. all dealers report their shares generated during the DKG, to calculate delta
