pine: Compute the squared norm just once

[cjpatton]

Based on #648 (merge that first). Partially addresses #618.

Split the existing FLP circuit into two:

1. One that computes the squared norm bound and checks that it is equal to the claimed value

2. Another for everything else, including checking that the claimed norm bound is in range and that the wraparound tests succeeded

The first circuit does not require joint randomness to compute, which means we can safely run it once without opening ourselves to offline attacks. It is also the most expensive part of the computation.

This change aligns our implementation with a planned change for the next version of PINE: https://github.com/junyechen1996/draft-chen-cfrg-vdaf-pine/pull/92 https://github.com/junyechen1996/draft-chen-cfrg-vdaf-pine/pull/94

[cjpatton]

I'm going to approve to unblock, but maybe prio should change to have more smaller traits to avoid situations like this? I'm not super familiar with prio but methods like

    fn encode_measurement(&self, _measurement: &()) -> Result<Vec<F>, FlpError>
    fn decode_result(&self, _data: &[F], _num_measurements: usize) -> Result<(), FlpError> 
    fn truncate(&self, _input: Vec<F>) -> Result<Vec<F>, FlpError>
    fn output_len(&self) -> usize

seem to be concerned with the domain of serialization(?) whereas the other methods of the trait seem concerned cryptography itself. Maybe these could be split into two traits?

I agree, see https://github.com/cloudflare/daphne/pull/649#discussion_r1717034029.

Before merging this I want @armfazh to review :)