Add support for the Hybrid Forward Secrecy extension.
This commit adds support for the experimental Hybrid Forward Secrecy extension, using NewHope-Simple as the HFS primitive. Limitations: * Only `Noise_XXhfs` is implemented because that's the only one that Katzenpost will use. Supporting the other variants is mostly a matter of adding additional `HandshakePattern` definitions. * Kyber is the new hotness in terms of lattice based DH like primitives, so that should probably be used instead of NewHope-Simple, but I already have a NewHope-Simple implementation. (Then again, ISTR that Kyber uses the same NTT that NewHope does, and Peter writes clean code so implementing it should be trivial.) * Pre-message `f`/`rf` patterns are supposed to be handled, but aren't, because I don't use them. * This should probably enforce `5.2 Pattern Validity`, in `ReadMessage()`/`WriteMessage()`, but, "Don't define invalid patterns". * I was lazy and didn't generate test vectors. Fixes #1.
Showing with 231 additions and 0 deletions