
Conversation

@NicsTr (Contributor) commented Dec 14, 2025

This PR is meant to address issue #1035. It introduces an optimisation mentioned in section 8.1.6 of the SPHINCS+ specification: caching the intermediate state during SHA-2 computations.

On my laptop, I observe an improvement in signing/verification time in the range of ~15-25% (using the criterion benchmark provided).


In order to keep a unified interface between SLH-DSA instantiated with SHAKE or with SHA-2, the same cache mechanism is introduced for SHAKE256 computations. However, it is not expected to have any impact on the performance of SLH-DSA-SHAKE*.

The biggest change is that types implementing HashSuite are no longer zero-sized types and that some functions (the ones benefiting from state caching) of the trait HashSuite are now methods instead of just associated functions. This in turn means that all functions of subtraits (e.g. HypertreeParams or ForsParams) using those methods are now also methods.

Types implementing HashSuite must now implement a constructor, new_from_pk_seed, that is responsible for computing the cached state from the public seed. The public seed is no longer a parameter of cache-using methods (since they have access to the cached state through &self).

As a side-effect of having a cached state, types implementing HashSuite can no longer use the derive macro for PartialEq and Eq. Due to those macros not being "perfect derive", we still need them to implement those traits, even though they will never actually be used. I used the unreachable! macro in their implementations to avoid any potential use.


Let me know if you have any remarks or suggestions.
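The cached-state technique this PR describes, shown as an added example that is not the PR's or the crate's code. It is written in Python with hashlib, where copy() plays the role that cloning the partially-updated hasher plays in the Rust implementation: the public seed is padded to exactly one compression block (PK.seed || toByte(0, block_size - n)), absorbed once, and every later F/PRF/T-style call starts from a copy of that state. The seed, compressed address and message values are constructed for illustration only.

```python
"""Cached SHA-2 state for SLH-DSA / SPHINCS+ style hashing (added example)."""
import hashlib
import time

# Constructed sample values for this example (not real keys or addresses).
PK_SEED_128 = bytes(range(16))      # n = 16 bytes, as in SLH-DSA-SHA2-128s/f
ADRS_C = b"\x00" * 22               # 22-byte compressed address (ADRS^c)
MSG = b"example message block"


def padded_seed(pk_seed: bytes, block_size: int) -> bytes:
    """PK.seed || toByte(0, block_size - n): pads the seed to exactly one
    compression block of the underlying hash (64 bytes for SHA-256,
    128 bytes for SHA-512), so the state after it depends only on PK.seed."""
    if len(pk_seed) > block_size:
        raise ValueError("PK.seed longer than one hash block")
    return pk_seed + b"\x00" * (block_size - len(pk_seed))


class CachedSha2:
    """Absorbs the padded PK.seed once and keeps the resulting hash state.

    Every later call duplicates the cached state instead of recompressing the
    seed block, which is the optimisation from SPHINCS+ spec section 8.1.6.
    """

    def __init__(self, pk_seed: bytes, algo: str = "sha256") -> None:
        self.n = len(pk_seed)
        h = hashlib.new(algo)
        h.update(padded_seed(pk_seed, h.block_size))
        # hashlib objects support copy(), so the state is reusable.
        self._state = h

    def hash(self, adrs_c: bytes, msg: bytes) -> bytes:
        """Trunc_n(H(PK.seed || pad || ADRS^c || M)) from the cached state."""
        h = self._state.copy()   # never mutate the cached object itself
        h.update(adrs_c)
        h.update(msg)
        return h.digest()[: self.n]


def hash_uncached(pk_seed: bytes, adrs_c: bytes, msg: bytes,
                  algo: str = "sha256") -> bytes:
    """Reference computation that re-absorbs the padded seed on every call."""
    h = hashlib.new(algo)
    h.update(padded_seed(pk_seed, h.block_size))
    h.update(adrs_c)
    h.update(msg)
    return h.digest()[: len(pk_seed)]


def cached_matches_reference(pk_seed: bytes, adrs_c: bytes, msg: bytes,
                             algo: str = "sha256") -> bool:
    """True when the cached path produces exactly the reference digest."""
    cached = CachedSha2(pk_seed, algo).hash(adrs_c, msg)
    return cached == hash_uncached(pk_seed, adrs_c, msg, algo)


def compare_timing(calls: int = 20000) -> tuple:
    """Wall-clock seconds for `calls` hashes, uncached vs cached, for a rough
    feel of the saved compression per call; numbers vary by machine."""
    suite = CachedSha2(PK_SEED_128)
    t0 = time.perf_counter()
    for i in range(calls):
        hash_uncached(PK_SEED_128, ADRS_C, i.to_bytes(4, "big"))
    t1 = time.perf_counter()
    for i in range(calls):
        suite.hash(ADRS_C, i.to_bytes(4, "big"))
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    print("cached == reference (SHA-256, n=16):",
          cached_matches_reference(PK_SEED_128, ADRS_C, MSG))
    print("cached == reference (SHA-512, n=24):",
          cached_matches_reference(b"\x07" * 24, ADRS_C, MSG, "sha512"))
    uncached_s, cached_s = compare_timing()
    print(f"uncached: {uncached_s:.4f}s  cached: {cached_s:.4f}s")
```

The seed block is the only input that stays fixed across all hash calls made with one public key, which is why the saving is one compression per call and why, in the Rust implementation, the hash-suite type has to carry that absorbed state instead of being zero-sized.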

@tarcieri (Member)

This looks great overall, thanks for doing it! Definitely a missing optimization we've needed

@tarcieri tarcieri merged commit 0a580ed into RustCrypto:master Dec 28, 2025
37 checks passed