This allows different backends to store additional state information
in the secret key while the rest of the codebase remains agnostic.

In particular, this prepares for a common xmss_core.h API for both
the standard and the BDS-traversal-based implementations.

This removes a lot of code duplication.

This produced repeated indices when reaching 2^32 signatures.
This was introduced in 9b35b00d98
with the re-introduction of runtime parameters. Compile-time parameters
did not contain this error.

As a result, performs various refactors that also impact the verification
function, since cleaner signing functions exposed more overlap.

This greatly reduces the memory comsumption of the auth path
computation, since it now also uses treehash. It prevents
duplicate code by re-using the treehash function.

A downside is that it does also pick out the authentication path
during key generation (while it is not used), but this cost is
negligible.

This is the same fix as 998137622a

Wrote this to find what turned out to be an external error when
using the interfacing programs, but felt like it might as well be added.

Under the same key and message, the signature is expected to be identical.
However, as the index changes, this case will not happen in real use.

This caused secret key files to become close to MAXINT bytes, as
the unsigned int that is the private key size would be subtracted
from MAXINT when its negative was used as offset.

The current code results in the same output regardless of endianness.
Verified using a QEMU VM to emulate MIPS.

The variable sm should contain the signature and the message,
not the message and the signature (i.e. the order is crucial).

By prefixing with XMSS_, we hopefully prevent conflicts

This makes it easier to mix and match with other implementations
for compatibility testing.

Previously this was generated and thus gitignored

Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.

The defined-parameters branch should be the new leading branch,
as it supersedes master. This merge is performed using --strategy ours
as there are numerous conflicting changes regarding the different ways
in which SHA3 was added. The master branch is considered to not contain
anything of value that is not contained in the defined-parameters branch.

Prior to merging, the defined-parameters branch was rebased to prevent
the cherry-picked commits from showing up twice.

This also performs numerous consistency fixes

A large number of functions was repeated in xmss_fast; these are now
shared between the two implementations via the xmss_commons file.
Notably, we ensure compatability by sharing the verification functions.