Make Mastic feature complete (#1178)

* mastic: Fix onehot check, add payload check

Compute the onehot proof following a breadth-first traversal of the
prefix tree. While at it, piggy-back the payload check computation on
the same traversal.

* mastic: Add prefix counter

Add a counter to the output programmed by the VIDPF so that we can pass
the right value to `decode_result()` during unsharding. Add the counter
check to preparation.

While at it, align some terminology with the spec.

* mastic: Construct `Mastic` with a `Type`

The current constructor takes an `Szk` and a `Vidpf`, which may have
incompatible parameters. To Fix this, pass `Type` to the constructor and
construct `Szk` and `Vidpf` ourselves.

* vidpf: Remove `eval_with_cache()`, modify `eval()`

Mastic uses `eval_prefix_tree_with_siblings()`. This method caches the
prefix tree just like `eval_with_cache()` does, but it doesn't try to
compute the onehot proof. It also concatenates the weight shares into
the output shares for us.

The only other use case for `eval_with_cache()` is for computing the
shares of beta during sharding. Replace this code with a simpler
implementation and remove `eval_with_cache()`.

Finally, `eval()` can't be used to correctly compute the onehot check
for Mastic. Instead, simply hash the node proofs together so that the
user can check that the DPF invariant holds. This is useful primarily for
testing.