PQC: Implement draft RFC for ML-DSA with Ed25519 #13

Draft · wants to merge 12 commits into base: v6

Conversation


@larabr larabr commented Mar 18, 2024

Split from #10.

ML-DSA implementation of draft-wussler-openpgp-pqc.

TODO:

  • OpenPGP: update algo IDs to use experimental values?
  • OpenPGP: add ML-DSA key validation code
  • Core: use/implement NIST spec for algos, instead of round 3 implementations
  • Core: pick/confirm PQC lib
    • benchmarks? (+ performance/size ratio?)
    • Noble
    • for AgustinSRG/crystals-dilithium-js (written for Node only):
      • remove Buffer code
      • remove "duplicate" SHA3/SHAKE code (use noble-hashes, or wasm)
      • test the random poly generator(s)
    • other existing WASM-compiled libs:
      • take message as input instead of digest
  • Core: would use WASM for selected ops provide considerable speedup?
    • Dilithium has 64-bit multiplications
    • Can we take advantage of SSE (also for the underlying SHAKE)? AVX2 is not supported by WASM yet
      • Yes for AES256ctr (irrelevant, only used in AES variant)
      • Reference code only has AVX2 code for the rest
  • Testing: add test vectors for keys/signature/messages when available
  • Testing: cross test with gopenpgp (sop?)
  • Future: add SHOULD algorithms? (Ed448 and SH-DSA)
  • Merge after PQC: Implement draft RFC for ML-KEM with X25519 #10
