
Add ML-DSA test vectors.

Open gendx opened this issue 10 months ago • 11 comments

This PR adds test vectors for ML-DSA, for two versions: the round 3 proposal (CRYSTALS-DILITHIUM) and the current draft of the FIPS 204 standard.

These tests aim to cover the following cases:

  • Baseline (signing a "Hello world" message).
  • Keys and signatures of the wrong length.
  • Signature with bit flips.
  • Signature hints with a non-canonical encoding:
    • hints that are not sorted,
    • hints that are not strictly sorted (i.e. the same hint is repeated),
    • too many hints (potentially causing a buffer overflow),
    • non-zero padding after the hints.
  • Secret keys with the s1 or s2 vectors out of the [-eta, eta] range.
  • Public key with the t1 component set to zero (allowing trivial forgeries, but the verification algorithm should still accept signatures for this key).
  • Boundary conditions in the signature rejection loop (aiming to detect incorrect comparisons):
    • z_max equals gamma1 - beta - 1 and gamma1 - beta,
    • r0_max equals gamma2 - beta - 1 and gamma2 - beta,
    • h_ones equals omega and omega + 1,
    • in the case of ML-DSA-44 (a.k.a. Dilithium 2), |ct0|_max equals gamma2 - 1 and gamma2.
  • A "large" number of SHAKE bytes and of SHAKE blocks generated in the expand_a, expand_s, rej_ntt_poly and rej_bounded_poly functions.
  • Boundary conditions in arithmetic functions:
    • power_2_round function: when the remainder (found in t0) is equal to 4096 or -4095,
    • decompose (via high_bits or low_bits): when the condition r_plus - r_0 = q - 1 happens.

Since the FIPS 204 standard is still a draft, I'm leaving this pull request as a draft for now.

gendx, Apr 05 '24 15:04
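As an added illustration (not code from this PR or from the Wycheproof project), the following Python decoder applies the canonicality checks FIPS 204 specifies for HintBitUnpack and builds one constructed input for each non-canonical hint case enumerated above; it assumes the ML-DSA-44 parameters k = 4 and omega = 80, and the function names are the example's own.

```python
# ML-DSA-44 parameters; the other parameter sets change only k and omega.
K, OMEGA = 4, 80

def unpack_hints(y, k=K, omega=OMEGA):
    """FIPS 204 HintBitUnpack with its canonicality checks.
    Returns k index lists, or None (reject) when a per-polynomial count goes
    backwards or exceeds omega, indices inside a polynomial are not strictly
    increasing (unsorted or repeated), or an unused index slot is non-zero."""
    if len(y) != omega + k:
        return None
    hints, index = [], 0
    for i in range(k):
        end = y[omega + i]  # cumulative hint count after polynomial i
        if end < index or end > omega:
            return None
        first, poly = index, []
        while index < end:
            # compare only within this polynomial; the next one may restart lower
            if index > first and y[index - 1] >= y[index]:
                return None
            poly.append(y[index])
            index += 1
        hints.append(poly)
    if any(b != 0 for b in y[index:omega]):
        return None
    return hints

def pack_hints(hints, k=K, omega=OMEGA):
    """HintBitPack, the canonical encoding; used here only to build inputs."""
    y, index = bytearray(omega + k), 0
    for i, poly in enumerate(hints):
        for pos in poly:  # positions must already be strictly increasing
            y[index] = pos
            index += 1
        y[omega + i] = index
    return bytes(y)

# Constructed inputs: one canonical encoding plus one mutated byte per case.
GOOD = pack_hints([[3, 17], [], [0, 255], [42]])

def malformed_cases():
    mutations = (("unsorted", 1, 2), ("repeated", 1, 3), ("count_backwards", OMEGA + 1, 1),
                 ("too_many", OMEGA + K - 1, OMEGA + 1), ("nonzero_padding", OMEGA - 1, 1))
    cases = {}
    for name, pos, val in mutations:
        y = bytearray(GOOD)
        y[pos] = val
        cases[name] = bytes(y)
    return cases
```

The "too_many" case sets a cumulative count above omega, which is exactly the value an unchecked decoder would use to index past the omega-byte hint region.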