Padding_len was introduced in 7793c40c07483dd3efed0a27a85922ed5c7f0cee,
but not fixed in the calls hash_message.

Resolves #12

Helpful to test other implementations.

Used for instance for go-xmssmt.

Issue #5

In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).

The RFC suggests root||pubseed (in algorithm 10); note that
this choice does not influence interoperability.

Thanks go to Rafael Misoczki for bringing this up.

This also reduces some duplication between XMSS and XMSSMT

Since there's a tweak being introduced, this should be reflected
in the name of the functions.

Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.

This allows different backends to store additional state information
in the secret key while the rest of the codebase remains agnostic.

In particular, this prepares for a common xmss_core.h API for both
the standard and the BDS-traversal-based implementations.

This removes a lot of code duplication.

This produced repeated indices when reaching 2^32 signatures.
This was introduced in 9b35b00d98
with the re-introduction of runtime parameters. Compile-time parameters
did not contain this error.

As a result, performs various refactors that also impact the verification
function, since cleaner signing functions exposed more overlap.

This greatly reduces the memory comsumption of the auth path
computation, since it now also uses treehash. It prevents
duplicate code by re-using the treehash function.

A downside is that it does also pick out the authentication path
during key generation (while it is not used), but this cost is
negligible.

Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.

This also performs numerous consistency fixes

A large number of functions was repeated in xmss_fast; these are now
shared between the two implementations via the xmss_commons file.
Notably, we ensure compatability by sharing the verification functions.

This starts a cleanup / refactor, but there is still some low-hanging fruit.

Versions are incompatible due to different address formats and differing message compression!