keyCeremonyExchange: KeyShare should include ξi,ℓ

[JohnLCaron]

spec 2.0.0, p 24

Share verification. Having decrypted each Pi (ℓ), guardian Gℓ can now verify its validity against
the commitments Ki,0 , Ki,1 , . . . , Ki,k−1 made by Gi to its coefficients by confirming that the fol-
lowing equation holds:

g^Pi (ℓ) mod p = Sum (Ki,j )^ℓ^j mod p.

"Guardians then publicly report having confirmed or failed to confirm this computation. If the
recipient guardian Gℓ reports not receiving a suitable value Pi (ℓ), it becomes incumbent on the
sending guardian Gi to publish this Pi (ℓ) together with the nonce ξi,ℓ it used to encrypt Pi (ℓ)
under the public key Kℓ of recipient guardian Gℓ . If guardian Gi fails to produce a suitable Pi (ℓ)
and nonce ξi,ℓ that match both the published encryption and the above equation, it should be
excluded from the election and the key generation process should be restarted with an alternate
guardian. If, however, the published Pi (ℓ) and ξi,ℓ satisfy both the published encryption and the
equation above, the claim of malfeasance is dismissed, and the key generation process continues
undeterred.

It is also permissible to dismiss any guardian that makes a false claim of malfeasance. However, this is not
required as the sensitive information that is released as a result of the claim could have been released by the claimant
in any case."

[JohnLCaron]

We dont really have tests for the case where the the encrypted key share fails.