Helpful to test other implementations.

Used for instance for go-xmssmt.

Issue #5

This commit adds support for the parameter sets in the draft version of NIST SP 800-208.

This is relevant because of the enormous difference in signing
speed between the regular and BDS-traversal-based xmss core.

This ensures that xmss_core and xmss_core_fast offer the same API.
Note that xmss_core_fast still needs a major refactor, and this
wrapper is not exactly very clean. There is a considerable chance
this refactor will change the format of the state in the secret key.

Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.

This is the same fix as 998137622a

Wrote this to find what turned out to be an external error when
using the interfacing programs, but felt like it might as well be added.

Under the same key and message, the signature is expected to be identical.
However, as the index changes, this case will not happen in real use.

This caused secret key files to become close to MAXINT bytes, as
the unsigned int that is the private key size would be subtracted
from MAXINT when its negative was used as offset.

The variable sm should contain the signature and the message,
not the message and the signature (i.e. the order is crucial).

This makes it easier to mix and match with other implementations
for compatibility testing.

Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.

This also performs numerous consistency fixes

This starts a cleanup / refactor, but there is still some low-hanging fruit.

Versions are incompatible due to different address formats and differing message compression!