Signing without revealing the signature to all nodes

[fjarri]

In some applications it may be useful to not allow the nodes to see the final signature. To do that, we may cut short the Signing protocol, and instead of each node broadcasting sigma_i, just return them as a protocol result, along with the nonce.

Open questions:

• Is that safe to do so? If we are broadcasting these values anyway, probably yes?
• What is the best way to describe that in the current framework? A wrapper for the Presigning protocol returning a different result? Or a method on PresigningData (which will mean that we will need to expose the Presigning protocol iself)?
• What is the course of action in case the summed-up signature is invalid? The paper prescribes generating a number of ZK proofs to identify the culprit, so we will need to return all the required randomness and execution transcript along with the result, so that the nodes could hold on to it, and build a proof later on user request.