Investigate making J-PAKE API more convenient for applications and drivers

[davidhorstmann-arm]

We would like to change the PSA J-PAKE API to remove the restrictions on the order in which psa_pake_output() and psa_pake_input() are called. This makes the API much more convenient for application developers.

However, we would also like to retain the ordering restriction for the order in which driver functions are called. This simplifies the writing of J-PAKE drivers.

We may do this by caching the required values in the driver dispatch layer and passing them to the driver at the end.

Goals of this task:

• Prototype the implementation of this caching in the driver dispatch layer
• Measure the effect on code size and performance
• Discover any problems with this approach

Extra considerations

If we are already caching values, we might want to simplify the J-PAKE driver API, for example to be more similar to the legacy Mbed TLS EC J-PAKE API, which takes / provides all values at once at the end of a round.

However, in doing this we will need to consider cases where PSA implementations are "stacked" on top of one another, e.g. where a secure element uses the PSA API to call its internal Mbed TLS and implements a driver on top of that. It should be easy to implement a PSA driver on top of the corresponding PSA API.

[davidhorstmann-arm]

See also #7709.

[davidhorstmann-arm]

PSA API changes being discussed upstream: ARM-software/psa-api#157