Add HS1-SIV

[Demindiro]

HS1-SIV uses ChaCha and a new hash algorithm. This implementation is based on the paper and the reference implementation.

I generated custom test vectors since none seem to be provided. I've included the reference implementation to show how they've been generated.

Hs1Params is quite ugly, but I'm unsure if I can make it any cleaner. It could be hidden by using newtypes for the 3 parameter sets instead.

trait ChaChaImpl is necessary because chacha20::variants::Variant and in particular chacha20::variants::Ietf isn't exposed, so chacha20::ChaChaCore is unusable.

I've spent some time optimizing it. It certainly can be optimized more, though so far further attempts have failed.

It should be free of any data-dependent branches, though I haven't looked at the generated assembly very closely.