PQC: Implement draft RFC for ML-DSA with Ed25519

Open larabr opened this issue 11 months ago • 0 comments

Split from #10.

ML-DSA implementation of draft-wussler-openpgp-pqc.

TODO:

  • [x] OpenPGP: update algo IDs to use experimental values?
  • [x] OpenPGP: add ML-DSA key validation code
  • [x] Core: use/implement NIST spec for algos, instead of round 3 implementations
    • [x] Use standard NIST version
  • [x] Core: pick/confirm PQC lib
    • benchmarks? (+ performance/size ratio?)
    • Noble
    • for AgustinSRG/crystals-dilithium-js (written for Node only):
      • remove Buffer code
      • remove "duplicate" SHA3/SHAKE code (use noble-hashes, or wasm)
      • test the random poly generator(s)
    • other existing WASM-compiled libs:
      • take message as input instead of digest
  • [ ] Core: would using WASM for selected ops provide a considerable speedup?
    • Dilithium has 64-bit multiplications
    • Can we take advantage of SSE (also for the underlying SHAKE)? AVX2 is not supported by WASM yet
      • ~Yes for AES256ctr~ (irrelevant, only used in AES variant)
      • Reference code only has AVX2 code for the rest
  • [x] Testing: add test vectors for keys/signature/messages when available
  • [ ] Testing: update ML-DSA final test vectors from RFC when ready
  • [ ] Future: add SHOULD algorithms? (Ed448 and SH-DSA)
  • [ ] Merge after #10

larabr, Mar 18 '24 11:03