Vectorized WOTS+ signing & verification by sorting chains

Speeds up verification by ~25%.

Use GitHub workflows to test all implementations

Initialize seed state in thashx8 test.

When the state is left uninitialized, the test may fail.

As SHA2 now also operates on a precomputed state, these tests
would fail when the hash state is ...

Only absorb root part of pk in haraka message hashing.

Constant time implementation of Haraka

Replaces the default implementation of Haraka with a
bitsliced implementation of the AES round f...

This makes it easier to link in openssl for the NIST rng.c

This ensures we do not require a buffer with an empty prefix
in front of the message. This is a ...

In some cases this decreases the number of compression calls, in
particular where the SHA2 paddi...

This does not functionally change anything, but is a step towards
different implementations of t...

This allows us to precompute the SHA2 state after absorbing PK.seed,
which saves an online compr...

This is equivalent, but requires less copying of data.

It is not necessary to restrict the tree height to 64 bits;
it is sufficient (and necessary for ...

While the field supports 96 bits in the spec, the code only
supports 64 bits (as a consequence o...

This previously inverted the bit order within a byte, going
from most significant to least signi...

This is useful when compiling a shared object that requires
runtime access to these values (as o...

This conflicted with the naming scheme of hash_[function].{c,h}

This is important in particular to allow inlining the utils functions
that convert between bytes...

Thanks to @mjosaarinen for pointing this out

This prepares for 8-way parallel SHA2, but does not actually
add the 8-way parallel hashing core.

This reverts commit a73528517d395262c45ac87162aa60a35174479f.

Turns out it's necessary for rng....

This addresses the bug that was pointed out to us by Dorian Amiet;
it also affects the index sel...

The values from r to 64 (resp 200) would never be used anyway.